Configure wireless clients for Cisco Meraki

Cisco Meraki supports multiple wireless clients, including Microsoft Windows and Apple macOS clients. This guide describes how to configure wireless clients by device.

Before you begin

  • Ensure that you have the common UDP port and secret key values available.

Configure an Apple macOS device

  1. Install Apple Configurator from the App Store on your Mac and then open it.
  2. Select File > New Profile.
  3. Select the General tab.
  4. Enter a Name for the profile (for example, Settings for Meraki wireless router).
  5. Select the Certificates tab.
  6. Click Configure and open the folder that contains a valid root certificate.
  7. Add your root certificate.
  8. Select the Wi-Fi tab. Enter values appropriate for your environment.
  9. On the Trust tab in the Wi-Fi section, select the root certificate that you added as a Trusted Certificate.
  10. Select File > Save and save the file with a .mobileconfig extension. If an error message appears, ignore it and select Save Anyway.
  11. Select Profiles from System Preferences and then click the + sign to add the 802.1X Wi-Fi user profile to your system.
  12. Connect to your RADIUS-enabled SSID. Successful sign-in events appear in the Meraki events log.

When users update their Active Directory or Okta password, macOS doesn’t prompt the user to update their password for the Wi-Fi connection. Instead, macOS continues to try to connect using the previous password, which can result in an account lockout.

Configure an Apple iOS device

  1. Install Apple Configurator from the App Store on your iOS device and then open it.
  2. Select File > New Profile.
  3. Select the General tab.
  4. Enter a Name for the profile (for example, Settings for Meraki wireless router).
  5. Select the Certificates tab.
  6. Click Configure and open the folder that contains a valid root certificate.
  7. Add your root certificate.
  8. Select the Wi-Fi tab. Enter values appropriate for your environment.
  9. On the Trust tab in the Wi-Fi section, select the root certificate that you added as a Trusted Certificate.
  10. Select File > Save and save the file with a .mobileconfig extension. If an error message appears, ignore it and select Save Anyway.
  11. Connect your iOS device to the Mac using a USB cable. The device appears in the All Devices view in Apple Configurator.
  12. From the All Devices view, right-click your device and choose the option to add a profile. Select the profile you created and follow the prompts on your Mac and mobile device.
  13. Connect to your RADIUS-enabled SSID. Successful sign-in events appear in the Meraki events log.
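
A check you can run on the .mobileconfig file saved in the macOS and iOS procedures above, before you install or distribute it. This is an added example, not part of the original guide: it assumes an unsigned profile, Apple's documented payload keys, and EAP-TTLS with PAP as used in the Android and Windows sections; the SSID and UUIDs in the sample are constructed.

```python
import plistlib

EAP_TTLS = 21  # IANA EAP method number for EAP-TTLS

def audit_wifi_profile(profile_bytes):
    """Return a list of findings for each Wi-Fi payload in a .mobileconfig."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    # UUIDs of the root certificate payloads added on the Certificates tab.
    root_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == "com.apple.security.root"}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "?")
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            findings.append(f"{ssid}: no EAPClientConfiguration (not 802.1X)")
            continue
        if EAP_TTLS not in eap.get("AcceptEAPTypes", []):
            findings.append(f"{ssid}: EAP-TTLS (21) not in AcceptEAPTypes")
        if eap.get("TTLSInnerAuthentication") != "PAP":
            findings.append(f"{ssid}: inner authentication is not PAP")
        # The Trust tab selection is stored as a list of certificate UUIDs.
        anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
        if not anchors:
            findings.append(f"{ssid}: no trusted certificate selected")
        elif not anchors <= root_uuids:
            findings.append(f"{ssid}: trust anchor not bundled in profile")
        # A stored password goes stale when the directory password changes.
        if eap.get("UserPassword"):
            findings.append(f"{ssid}: password stored in profile")
    return findings

def sample_profile(anchor=True, password=None):
    """Constructed profile for the demo; SSID, UUID and cert bytes are made up."""
    eap = {"AcceptEAPTypes": [EAP_TTLS], "TTLSInnerAuthentication": "PAP"}
    if anchor:
        eap["PayloadCertificateAnchorUUID"] = ["ROOT-UUID-0001"]
    if password:
        eap["UserPassword"] = password
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadUUID": "ROOT-UUID-0001", "PayloadContent": b"constructed-der"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "corp-radius",
         "EncryptionType": "WPA2", "EAPClientConfiguration": eap}]})

if __name__ == "__main__":
    print(audit_wifi_profile(sample_profile(anchor=False)))
```

To audit a real profile, pass the file's bytes: `audit_wifi_profile(open(path, "rb").read())`. An empty list means the Wi-Fi payload pins the bundled root certificate, so the PAP password is only sent to a server that chains to it.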

Configure an Android device

  1. Install the EAP-TTLS root certificate:
    1. Connect your Android device to your laptop using a USB cable.
    2. Copy the certificate from the laptop to your Android device.
    3. On the Android device, go to Settings > Security & location > Advanced > Encryption & credentials.
    4. In the Credential Storage section, tap the option to Install from device storage.
    5. Find the saved certificate and then tap the file.
    6. Enter a name for the certificate and select Wi-Fi.
    7. Tap OK.
  2. Open your Wi-Fi settings and select the SSID you want to connect to. If it's not visible, select Add network, enter your network SSID name, and then set the Security type to 802.1x EAP.
  3. Set EAP Methods to TTLS.
  4. Set CA certification to the certificate you installed.
  5. Enter your Okta username in Identity.
  6. Enter your Okta password in Password.
  7. In the Advanced section, select Phase 2 authentication: PAP.
  8. Enter any value in Anonymous identity. This is the user's unencrypted identity outside the TLS tunnel. The RADIUS agent doesn’t use this value, but Android requires input for this field.
  9. Connect to your RADIUS-enabled SSID. Successful sign-in events appear in the Meraki events log.

Configure a Microsoft Windows 10 or 11 device

  1. Open the Windows 10 or 11 Control Panel.
  2. Select Network and Internet.
  3. Select Network and Sharing Center.
  4. Select Set up a new connection or network.
  5. Select Manually connect to a wireless network, and then click Next.
  6. Enter the SSID of your wireless network in Network name.
  7. Select WPA2-Enterprise from the Security type dropdown.
  8. Click Next.
  9. Click Change connection settings.
  10. Select the Security tab.
  11. Change the network authentication method to Microsoft: EAP-TTLS.
  12. Click Settings. The TTLS Properties page appears.
  13. Select Enable identity privacy, and then enter anonymous in the field.
  14. In the Trusted Root Certification Authorities section, select the root certificate that signs the customer EAP-TTLS server certificate, such as USERTrust RSA Certification Authority.
  15. In the Client authentication section, select Unencrypted password (PAP) from the Select a non-EAP method for authentication dropdown.
  16. Click OK.
  17. Click Advanced settings on the Wireless Network Properties page.
  18. On the 802.1X settings tab, select Specify authentication mode and then select User authentication from the dropdown.
  19. Click OK to close Advanced settings, and then click OK to close Wireless Network Properties.
  20. Click Close.
  21. Connect to your RADIUS-enabled SSID. Successful sign-in events appear in the Meraki events log.

When users update their Active Directory or Okta password, Windows doesn’t prompt the user to update their password for the Wi-Fi connection. Instead, Windows continues to try to connect using the previous password, which can result in an account lockout.