Enterprise security without the username/password hassle

Use Systems Manager certificates for automatic wireless network association

There are many methods for associating clients to a wireless network: methods that require a password, methods that require a username AND password, and methods that require nothing at all. The level of security attained is generally proportional to the complexity of the method. But the Cisco Meraki team has added a new association method that uses WPA2-Enterprise for authentication, yet doesn’t require setting up a standalone server or managing pages and pages of usernames and passwords. This super slick method takes advantage of Systems Manager to streamline the association process.

When users enroll in Systems Manager, a unique SCEP certificate is created for each device, and a record of that certificate is shared with the Meraki cloud-hosted authentication server.

When users log into a wireless network, the access point can use the same certificate to authenticate them using EAP-TLS. The cloud-hosted authentication server verifies the certificate and allows the user to join the network. Users don’t have to enter a password for authentication, and admins don’t have to create them. The certificate does it all.

Getting set up

1. In the Wireless network, choose an SSID and select WPA2 with Meraki Authentication as the association method.

2. Specify a list of Systems Manager tags for which you’d like to grant network access. These are automatically imported from your Systems Manager network.

3. In Systems Manager, link some devices to that tag.

4. That’s it. Your devices should be able to get on the network, no username/password needed. You can see this iPhone now has a “Meraki Wifi” profile.

If you ever need to revoke access from a user, simply remove the tag or quarantine the device in Systems Manager. This method will work with iOS, OS X, and Android devices that are enrolled in Systems Manager. For those scenarios where devices logging onto the network might not be enrolled in Systems Manager, check out Systems Manager Sentry for an easy way to get users set up.
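
A simplified model of the access decision described above (known certificate, matching tag, not quarantined), added here as an illustration and not Meraki's code. The fingerprint-keyed record store, the class and function names, the SSID name and the tags are all assumptions, and the byte strings stand in for real certificates.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class DeviceRecord:
    # What the authentication server is assumed to hold per enrolled device.
    name: str
    tags: set = field(default_factory=set)
    quarantined: bool = False


class AuthServer:
    def __init__(self):
        self.records = {}    # certificate fingerprint -> DeviceRecord
        self.ssid_tags = {}  # SSID name -> tags granted access

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def enroll(self, cert_der, name, tags=()):
        # Enrollment: one certificate per device, its record shared with the server.
        self.records[self.fingerprint(cert_der)] = DeviceRecord(name, set(tags))

    def authorize(self, ssid, cert_der):
        # Assumed to run after EAP-TLS has proven possession of the private key.
        rec = self.records.get(self.fingerprint(cert_der))
        if rec is None:
            return (False, "unknown certificate")
        if rec.quarantined:
            return (False, "device quarantined")
        if not rec.tags & self.ssid_tags.get(ssid, set()):
            return (False, "no matching tag")
        return (True, "ok")


def demo():
    # Constructed sample data, not taken from any real deployment.
    srv = AuthServer()
    srv.ssid_tags["Corp-WiFi"] = {"staff"}
    phone, laptop = b"constructed-cert-phone", b"constructed-cert-laptop"
    srv.enroll(phone, "iPhone", {"staff"})
    srv.enroll(laptop, "MacBook", {"lab"})
    results = [srv.authorize("Corp-WiFi", c)
               for c in (phone, laptop, b"constructed-cert-not-enrolled")]
    srv.records[srv.fingerprint(phone)].tags.discard("staff")  # revoke: remove tag
    results.append(srv.authorize("Corp-WiFi", phone))
    return results
```

In this model, revocation never touches the certificate itself: removing the tag or setting the quarantine flag changes the outcome of the next authentication attempt.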