Integrating Cloud RADIUS with Meraki Access Points for EAP-TLS WPA2-Enterprise

Cloud RADIUS provides everything an organization needs for certificate-based 802.1x using their Meraki APs. Click here to learn more!

“Remote Authentication Dial-In User Service” or RADIUS can provide you with essential tools that can maximize security for your network. When RADIUS is properly configured and combined with a WPA2-Enterprise network, you will be well-equipped with a suitable defense against any potential threats trying to steal credentials.

With Cloud RADIUS, you no longer need to rely on providing your own physical hardware as cloud-based servers allow for a simpler and cheaper alternative. Cloud RADIUS also eliminates the possibility of physical penetration from onsite threats, severely reduces the need for maintenance, and can be handled completely virtually.

Cloud RADIUS can be integrated with any access point with ease, in this guide we will show you how to set up Meraki Access Points with Cloud RADIUS.

Configuring your SSIDs

The process of distributing certificates to devices used to be incredibly frustrating, turning away many organizations from using certificates. Fortunately, that is not the case anymore with SecureW2’s onboarding software. The IT department isn’t burdened with manually configuring every device and once users are authenticated, they not longer need to worry about password-related disconnects.

Configure an Onboarding SSID

Since we’ll be authenticating with EAP-TLS, you will need to create an onboarding SSID to make the authentication process much easier. Once a user device is enrolled with a certificate, they will be redirected to the SecureW2 landing page.

  • Login to the Meraki Dashboard
  • After selecting your Organization and your Network, select Wireless to configure your SSIDs
    • To create a new SSID, select an unconfigured SSID and switch it from disabled to enabled
  • Rename the SSID to configure it, and click Save Changes

Configure a Secure SSID

Now that we’ve configured the onboarding SSID that will enroll users for a certificate, we need to set up the secure SSID. This SSID needs to be configured for EAP-TLS WPA2-Enterprise authentication. It also needs to be integrated with a RADIUS server, which in this case will be the SecureW2 Cloud RADIUS server, that will authenticate the users’ certificate and authorize them for network access.

  • Create another SSID by selecting an un-configured SSID and then enabling it
  • Rename the SSID (make sure it is the same name as the SSID in the Network Profile)
    • In your Network Profile, when you click Edit, you should see the SSID section, and the name you entered should match
  • Scroll down and click Save Changes

Setting up the RADIUS Information

Now, you need to enter in the RADIUS information:

  • Under Wireless, select Access control
  • Under Network access change it from the default value of Open (no encryption) to WPA2 Enterprise with “my RADIUS server”
    • For the WPA encryption mode, select WPA2 only
  • In the Splash page section, leave it set to None (direct access)

You can find the details about your Cloud RADIUS when you go to AAA Management and AAA Configuration. Here you will see a Primary IP Address, Secondary IP Address, Port Number and a Shared Secret.

  • Copy the Cloud RADIUS information and paste it back into the Meraki Access Point under RADIUS Servers, click the green link to add a server
  • Enter in the Primary IP Address, Port Number, Shared Secret respectively
    • You will need to perform the same steps for the Secondary IP Address by entering the Secondary IP Address, Port Number, Shared Secret
  • Scroll down and click Save changes

Configuring Devices for RADIUS Authentication

Cloud RADIUS comes with 802.1x onboarding software that allows end users to easily self-enroll themselves for certificates and configure their devices to be authenticated with EAP-TLS WPA2-Enterprise, one of the strongest forms of security when authenticating devices. Authenticating with EAP-TLS eliminates over-the-air credential theft and ensures that only approved users can access your network.

But it doesn’t stop at configuring devices for secure authentication, our software also allows you to configure both BYOD devices for automated certificate enrollment. You can configure a network profile to send to devices allowing them to automatically enroll themselves for certificates. Cloud RADIUS provides you the ability to set up powerful Gateway APIs for MDMs like GPOs, and G-Suite so all your managed devices can be authenticated and enrolled for a certificate.

Here’s a demo of how easy it can be for end users to configure their devices for network access. The end user only needs to click a few buttons and their device is now securely authenticated and enrolled for a certificate. Our onboarding software eliminates any risk of end user misconfiguration and doesn’t require the IT admin to step in and manually configure.

  • Add macOS onboarding demo

SecureW2’s Cloud RADIUS streamlines the onboarding process for both BYODs and managed devices, ensuring only approved users can access the network. Not only is it much safer to access your network, but the onboarding process is made easier for both end users and IT admins. Cloud RADIUS also comes at an affordable price, check out our pricing page.

Meraki is either registered trademarks or trademarks of Cisco Meraki in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.

Eytan is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.

Related Post