Configure Cisco Meraki supported clients
Cisco Meraki supports multiple wireless clients, including MS Windows and Apple OSX clients. This guide describes how to configure the wireless client on each supported device.
Before you begin
- Ensure that you have the common UDP port and secret key values available.
Configure Apple macOS device
- Install and open Apple Configurator from the App Store on your Mac.
- Select File > New Profile.
- Select the General tab.
- Enter a Name for the profile (for example, Settings for Meraki wireless router).
- Select the Certificates tab.
- Click Configure and navigate to a directory that contains a valid root certificate.
- Add your root certificate.
- Select the Wi-Fi tab. Enter values appropriate for your environment.
- In the Trust tab within the Wi-Fi section, select the root certificate you previously added as a Trusted Certificate.
- Select File > Save and save the file with a .mobileconfig extension. If an error message about the profile is displayed, ignore the message and select Save Anyway.
- Add the 802.1X Wi-Fi user profile to your system.
- Select Profiles from System Preferences.
- Choose the + sign to add the Wi-Fi profile you selected previously.
- Connect to your network using the Network panel in System Preferences. Successful logins appear in the Meraki events log.
When an AD or Okta password is updated, the user isn't prompted by macOS to update the password for the Wi-Fi connection. Instead, macOS continues to try to connect using the previous password, which can result in an account lockout.
Configure Apple iOS device
- Install and open Apple Configurator from the App Store on your Mac.
- Select File > New Profile.
- Select the General tab.
- Enter a Name for the profile (for example, Settings for Meraki wireless router).
- Select the Certificates tab.
- Click Configure and navigate to a directory that contains a valid root certificate.
- Add your root certificate.
- In the Wi-Fi tab, enter values appropriate for your environment.
- In the Trust tab within the Wi-Fi section, choose to trust the root certificate you previously added.
- Select File > Save and save the file with a .mobileconfig extension. If any error occurs, select Save Anyway.
- Connect your iOS device to the Mac using a USB cable. The device appears in the All Devices view in Apple Configurator.
- From the All Devices view, right-click your device and choose the option to add a profile. Select the profile you previously created and follow the prompts on your Mac and mobile device.
- Connect to the Wi-Fi network.
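The Trust tab step in the macOS and iOS procedures above is what ties the Wi-Fi payload to the root certificate added in the Certificates tab. The following Python check is an added example, not part of the original guide: it reads an unsigned .mobileconfig and reports Wi-Fi payloads whose trust anchors are missing or point at a certificate that is not in the profile. The sample profile is constructed, and its SSID, UUIDs and EAP-TTLS/PAP settings are assumptions chosen to match the Android and Windows sections.

```python
import plistlib

CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1", "com.apple.security.pem"}

def audit_wifi_trust(profile_bytes):
    """Return (ssid, finding) tuples for Wi-Fi payloads in an unsigned .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    # UUIDs of the certificate payloads shipped in this profile (Certificates tab).
    cert_uuids = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "<no SSID>")
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            findings.append((ssid, "no EAPClientConfiguration: not an 802.1X network"))
            continue
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append((ssid, "no trusted certificate selected in the Trust tab"))
        for uuid in anchors:
            if uuid not in cert_uuids:
                findings.append((ssid, f"trust anchor {uuid} is not a certificate in this profile"))
        # EAP type 21 is TTLS; with PAP the password is protected only by the TLS tunnel.
        ttls_pap = 21 in eap.get("AcceptEAPTypes", []) and eap.get("TTLSInnerAuthentication") == "PAP"
        if ttls_pap and not anchors:
            findings.append((ssid, "TTLS/PAP in use but the server certificate is not pinned by the profile"))
    return findings

def _sample(anchor_uuids):
    """Constructed sample profile; SSID, UUIDs and certificate bytes are placeholders."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root", "PayloadUUID": "CERT-UUID-1",
             "PayloadContent": b"placeholder-der-bytes"},
            {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example-ssid",
             "EncryptionType": "WPA2",
             "EAPClientConfiguration": {"AcceptEAPTypes": [21], "TTLSInnerAuthentication": "PAP",
                                        "PayloadCertificateAnchorUUID": anchor_uuids}},
        ],
    })

if __name__ == "__main__":
    for label, uuids in [("trusted", ["CERT-UUID-1"]), ("untrusted", []), ("dangling", ["OTHER"])]:
        print(label, audit_wifi_trust(_sample(uuids)))
```

To check a real profile, pass the bytes of the saved .mobileconfig file to `audit_wifi_trust`; a signed profile must have its signature wrapper removed first, because `plistlib` only parses the plain plist.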
Configure Android device
- Install EAP-TTLS root certificate
- Copy the certificate onto your Android device using a USB connection to your laptop or other means.
- On the device, navigate to Settings > Security & location > Advanced > Encryption & credentials.
- Under Credential Storage, tap the option to Install from device storage.
- Navigate to the location of the saved certificate.
- Tap the file.
- Enter a name for the certificate and choose Wi-Fi.
- Tap OK.
- Open your Wi-Fi settings and click on the SSID you want to connect to. If it's not visible, choose the option to Add network and enter your network SSID name and set the Security type to 802.1x EAP.
- Set the following options:
| Field | Value |
| --- | --- |
| EAP Methods | TTLS |
| CA certification | Choose the just installed certificate |
| Identity | Your Okta username |
| Password | Your Okta password/MFA |

Under Advanced, set the following:
- Phase 2 authentication: PAP
- Anonymous identity: This value is the user's unencrypted identity outside the TLS tunnel. Since the RADIUS agent does not use this currently, you can enter any random value.
The device should now be able to connect to the Wi-Fi network.
Configure Windows 10 device
- Navigate to the Network and Sharing Center and choose to Set up a new connection or network and then click Next.
- Choose Manually connect to a wireless network, then click Next.
- Enter the SSID of your wireless network as the Network name.
- Choose WPA2-Enterprise for the security type.
- Click Next.
- Click Change connection settings.
- Select the Security tab.
- Change the network authentication method to Microsoft: EAP-TTLS.
- Click Settings.
- In the TTLS Properties page, use the following settings:
| Setting | Value |
| --- | --- |
| Enable identity privacy | anonymous |
| Trusted Root Certification Authorities | Select the root certificate used to sign the customer EAP-TTLS server certificate. For example: USERTrust RSA Certification Authority root certificate |
| Within Client authentication | Choose Select a non-EAP method for authentication under Client authentication. Choose Unencrypted password (PAP) from the dropdown list of authentication methods. |

- Return to the Network Properties dialog and click Advanced settings.
- Select Specify authentication mode. Choose User authentication from the dropdown list. Click OK.
- Connect to your RADIUS-enabled SSID.