How to Setup EAP-TLS With Meraki Access Points

How to Setup EAP-TLS With Meraki Access Points

Whether you’re a business, organization, or institution, if you have a wireless network, it is important that you set up encryption on all your wireless access points. By securing your wireless network using wireless encryption techniques, you can secure the data between your computers and your wireless access points. Credential theft is one of the biggest issues in cybersecurity, and using an encrypted Wi-Fi can prevent MITM and Evil Twin proxies from stealing credentials. Today’s access points support a range of encryption mechanisms, and we highly recommend using WPA2-Enterprise with EAP-TLS because it relies on client-side and server-side certificates to secure subsequent communications between the WLAN client and the access point.

If you’re wondering how to set up EAP-TLS with your wireless access points, we’ve created a step-by-step guide on how you can set up EAP-TLS with Meraki access points.


Setting up an Onboarding SSID in a Meraki Access Point

Setting up EAP-TLS authentication on your network is easier if you create an Onboarding SSID, especially for new devices that have previously never connected to a network. When users enroll for a certificate on the Onboarding SSID, they are redirected to the SecureW2 landing page. In lieu of using an Onboarding SSID, users can use mobile data to enroll for a certificate when using applicable devices. From here, the OS is detected and a client is deployed that is specific to the OS. The client then configures the device by installing the Wi-Fi certificate and appropriate network settings required to authenticate via EAP-TLS. Lastly, their device is migrated to the Secure SSID.

In the past, the process of loading certificates into users’ devices was incredibly difficult, but the SecureW2 onboarding process requires just a few steps. It takes the burden off the IT department to onboard every network user, but still allows them to monitor the Wi-Fi onboarding process. Once certificate authentication is complete, users can automatically connect to the network without the hassle of password-related disconnects caused by password change policies.

Configuring your SSIDs

Creating an Onboarding SSID in Meraki

  1. Login to the Meraki Dashboard
  2. After selecting your Organization and your Network, select Wireless to configure your SSIDs
    • To create a new SSID, select an unconfigured SSID and switch it from disabled to enabled
  3. Rename the SSID to configure it, and click Save Changes

Make a Click through Splash page so the Onboarding SSID redirects to the SecureW2 Landing Page

Configure Access Point to use Splash Page

  1. Select Wireless again, and choose Access Control
  2. Set the Network Access to Open (no encryption)
  3. Under the Splash Page section, select Click-through

This process will set the redirect to go to the SecureW2 landing page.


Configure the Walled Garden

When implementing a BYOD system, it’s vital to keep corporate data and personal data separate and protected. A proven method has been utilization of a walled garden. Additionally, instituting a walled garden keeps corporate data stored in a secure application that is separated from personal data. This creates insurance for the corporation that their sensitive data will not be breached.

For an Onboarding SSID, you need to allow onboarding related resources. For example, the MultiOS solution uses an Android application to configure Android devices for WPA2-Enterprise, so we need to allow access to the Play Store on our Onboarding SSID. Another example is the Apple CNA can get in the way of WPA2-Enterprise configuration. The CNA is prompted when an Apple device can’t contact certain Apple servers, so we need to allow contact in order to prevent the CNA from popping up. We control what resources can be accessed on the Onboarding SSID by using a Walled Garden.  A walled garden allows network administrators to control access to certain sites and applications, steering network users away from potentially harmful situations.

To configure the Walled Garden:

  1. Select Wireless again
  2. Go to the Firewall & traffic shaping settings, and make sure your SSID is selected
  3. Under the Layer 3 firewall rules section, you will need to:
    • Input the rules that allow the firewall through to SecureW2 resources (See Chapter 2: Firewall Rules in the JoinNow MultiOS Deployment Guide in the management portal)
    • The last policy you need to add is to deny 0.0.0 to clarify to the firewall that someone can’t be abusing this open SSID just to access the internet
  4. Save Changes


Setting up the redirect to the SecureW2 landing page

The last thing you’ll need to configure is the redirect. Under Wireless:

  1. Click on Splash Page
    1. Double check that the SSID is the same as the one you configured earlier
  2. In the Custom Splash URL section, input the Onboarding Landing Page URL from SecureW2, and click Save Changes

Now you have your Onboarding SSID all configured! In the next section, we’ll look at how to integrate SecureW2 RADIUS with Meraki APs.


Integrating the SecureW2 RADIUS with Meraki Access Points

Now that we’ve configured the onboarding SSID that will enroll users for a certificate, we need to setup the secure SSID. This SSID needs to be configured for EAP-TLS WPA2-Enterprise authentication. It also needs be integrated with a RADIUS server, which in this case will be the SecureW2 RADIUS server, that will authenticate the users’ certificate and authorize them for network access.

Configuring your SSIDs

  1. Create another SSID by selecting an un-configured SSID and then enabling it
  2. Rename the SSID (make sure it is the same name as the SSID in the Network Profile)
    1. In your Network Profile, when you click Edit, you should see the SSID section, and the name you entered should match
  3. Scroll down and click Save Changes

Configuring the SSID


Setting up the RADIUS Information

Now, you need to enter in the RADIUS information:

  1. Under Wireless, select Access control
  2. Under Network access change it from the default value of Open (no encryption) to WPA2 Enterprise with my RADIUS server”
    1. For the WPA encryption mode, select WPA2 only
  3. In the Splash page section, leave it set to None (direct access)

Configuring the RADIUS Authentication

You can find the details about Your RADIUS when you go to AAA Management and AAA Configuration. Here you will see a Primary IP Address, Secondary IP Address, Port Number and a Shared Secret.

Copy the SecureW2 RADIUS information and paste it back into the Meraki Access Point

  1. Under RADIUS Servers, click the green link to Add a server
  2. Enter in the Primary IP Address, Port Number, Shared Secret respectively
    1. You will need to perform the same steps for the Secondary IP Address by entering the Secondary IP Address, Port Number, Shared Secret
  3. Scroll down and click Save changes

Add a RADIUS server into Meraki for the SecureW2 Primary and Secondary IP address

And that’s it, you’re on your way to a more secure wireless network! If you need more help in setting up EAP-TLS with Meraki APs, please feel free to reach out to us at SecureW2. We’re here to help you.

Meraki is either registered trademarks or trademarks of Cisco Meraki in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.

  • Email addresses from free providers (Gmail, Hotmail, etc.) will not be accepted.
  • This field is for validation purposes and should be left unchanged.