Configure EAP-TLS using ISE and Meraki AP

This post describes how to set up a Meraki WLAN with 802.1x using EAP-TLS as an Authentication Method. 

If you want some background on the EAP-TLS flow, please take a look at my previous post, along with RFC 5216.

Components Used

  • Windows 10 Workstation (Wireless Supplicant) 
  • Meraki MR52 (Authenticator)
  • Cisco ISE (Authentication Server)
  • Windows Server 2016 (Certificate Authority)
  • Some L2/L3 network devices providing the end-to-end communication.

Topology Implemented 

You can use other alternatives or combinations of the components mentioned above, but for this demo I will work with the topology above. Complete reachability between the Authenticator, the Authentication Server, and the Certificate Authority server is expected in order to get wireless authentication working with EAP-TLS.

Configure

I will mainly focus on the Authenticator and the Authentication Server side; however, I’m going to cover some supplicant and CA configuration as well.

Let’s start with the Authenticator = Meraki Side

Step 1. The first step is to configure an SSID in the Meraki Dashboard. In the desired Meraki Network go to Wireless > SSIDs > select any SSID at your convenience > select Enabled > rename the SSID > Save the changes as shown in the image.

After saving, click on edit settings.

Step 2.

Under Access Control (select the SSID)

  • Association requirements: Enterprise with my RADIUS server as shown in the image.

  • Splash page: None (direct access)
  • RADIUS servers: here you need to enter the IP address and the shared secret that is used to validate the MR52 on the ISE side.
  • Optionally, you can enable RADIUS CoA, and you can set the RADIUS Accounting (I’m just leaving the default values) as shown in the image.

  • Client IP assignment: it’s up to you; you can use Bridge mode with or without VLAN tagging, or simply use NAT mode for simplicity, as shown in the image.

  • I’m leaving the rest of the options at the Meraki defaults as shown in the image.

Step 3.

It is a good idea to verify that you can reach the RADIUS server from the MR52 before you continue: go to Wireless > Access Points > select the access point > Tools > Ping, using the RADIUS IP address.
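The ping above proves IP reachability only; whether the shared secret entered on the SSID matches the one ISE holds for the MR52 is checked on the RADIUS exchange itself. The following is an added example, not code from the post or from Meraki or Cisco: it builds an Access-Request carrying an EAP payload the way an 802.1X authenticator does (RFC 2865, 2869 and 3579) and then performs the checks the AP must make on a reply, the Response Authenticator and the Message-Authenticator, both of which are keyed with the shared secret. Every user name, address, secret and EAP payload in it is a constructed lab value; only the Python standard library is used.

```python
"""Added example (not from the post): what the RADIUS shared secret between the
Meraki AP (authenticator) and ISE (authentication server) actually protects.
Builds an Access-Request with an EAP-Message and a Message-Authenticator, then
verifies a reply the way the AP has to before it trusts an Accept or Reject.
All names, addresses and secrets are constructed lab values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def attr(kind: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return bytes([kind, len(value) + 2]) + value


def parse_attrs(body: bytes) -> list:
    """Decode the attribute section, refusing lengths that overrun the packet."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        kind, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        out.append((kind, body[i + 2:i + length]))
        i += length
    return out


def encode_attrs(attrs, zero_mac=False) -> bytes:
    """Serialise attributes; optionally zero the Message-Authenticator value."""
    return b"".join(attr(k, bytes(16) if zero_mac and k == MESSAGE_AUTHENTICATOR else v)
                    for k, v in attrs)


def message_authenticator(code, ident, req_auth, attrs, secret) -> bytes:
    """HMAC-MD5 keyed with the shared secret over the packet with the
    Message-Authenticator value zeroed (RFC 2869 5.14). For replies the
    Authenticator field used here is the *request* authenticator."""
    body = encode_attrs(attrs, zero_mac=True)
    msg = HEADER.pack(code, ident, HEADER.size + len(body), req_auth) + body
    return hmac.new(secret, msg, hashlib.md5).digest()


def build_access_request(ident, secret, user, nas_ip, eap_payload):
    """Access-Request as the AP sends it; returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)  # fresh per request; every reply is bound to it
    attrs = [(USER_NAME, user.encode()),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             (EAP_MESSAGE, eap_payload),
             (MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (MESSAGE_AUTHENTICATOR,
                 message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret))
    body = encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), req_auth) + body, req_auth


def build_reply(code, ident, req_auth, attrs, secret, with_mac=True):
    """Reply as the RADIUS server sends it. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 3)."""
    attrs = list(attrs)
    if with_mac:
        attrs.append((MESSAGE_AUTHENTICATOR, bytes(16)))
        attrs[-1] = (MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, req_auth, attrs, secret))
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + body + secret).digest()
    return HEADER.pack(code, ident, length, resp_auth) + body


def verify_reply(packet, ident, req_auth, secret):
    """The authenticator's checks before acting on a reply:
    returns (code, 'ok') or (code, reason the packet must be dropped)."""
    if len(packet) < HEADER.size:
        return None, "short packet"
    code, pkt_ident, length, resp_auth = HEADER.unpack_from(packet)
    if pkt_ident != ident:
        return code, "identifier mismatch"
    if length != len(packet):
        return code, "length mismatch"
    body = packet[HEADER.size:]
    expected = hashlib.md5(packet[:4] + req_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return code, "bad response authenticator"   # wrong secret or tampered packet
    try:
        attrs = parse_attrs(body)
    except ValueError as exc:
        return code, str(exc)
    macs = [v for k, v in attrs if k == MESSAGE_AUTHENTICATOR]
    if not macs:
        return code, "missing Message-Authenticator"  # mandatory with EAP (RFC 3579 3.2)
    if not hmac.compare_digest(macs[0], message_authenticator(code, ident, req_auth, attrs, secret)):
        return code, "bad Message-Authenticator"
    return code, "ok"


if __name__ == "__main__":
    secret = b"constructed-lab-secret"
    # Constructed EAP-Response/Identity: code 2, id 1, length 10, type 1 (Identity), "user1"
    request, req_auth = build_access_request(7, secret, "user1", "192.0.2.10", b"\x02\x01\x00\x0a\x01user1")
    accept = build_reply(ACCESS_ACCEPT, 7, req_auth, [(EAP_MESSAGE, b"\x03\x01\x00\x04")], secret)
    print(verify_reply(accept, 7, req_auth, secret))           # (2, 'ok')
    print(verify_reply(accept, 7, req_auth, b"wrong-secret"))  # (2, 'bad response authenticator')
```

A secret mismatch between the SSID and the ISE Network Device entry shows up exactly as the second printed line: the AP receives an answer it cannot validate and drops it, which from the client's side looks like an authentication that never completes, even though the ping succeeds.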

Now, the Authenticator side is done!

RADIUS server (ISE configuration)

Step 1.

Go to Policy > Policy Elements > Results > Authentication > Allowed Protocols and click Add.

  • In this Allowed Protocols list, enter a name for the list. In this case the Allow EAP-TLS box is checked and the other boxes are unchecked, as shown in the image.

Step 2. 

Go to Administration > Network Resources > Network Devices > Add as shown in the image.

Step 3. 

Create New User on ISE

Go to Administration > Identity Management > Identities > Users > Add as shown in the image.

Step 4.

Create Policy set

Go to Policy > Policy Set and then click on the plus (+) icon on the upper-left corner as shown in the image. 

Step 5. 

Set the policy name (it can be something generic); under the Conditions menu, select “Network Access Protocol EQUALS RADIUS”, and lastly select the name of the Allowed Protocols list created in step 1, as shown in the image.

Step 6.

Create an Authentication Policy.

Click the symbol on the right-hand side of the page body, as shown in the image.

Step 7.

Go to Authentication Policy > click on the plus (+) icon, and set “the conditions & use” as shown in the image.

Step 8. 

Go to Authorization Policy > click on the plus (+) icon, and set “the conditions & results profiles” as shown in the image.

Step 9.

Verify

Step 10.

Certificate on ISE

Go to Administration > Certificates > Certificate Signing Requests > Generate Certificate Signing Requests (CSR) as shown in the image.

Step 11.

As shown in the image.

The result

Step 12.

Select the generated certificate request > View > CSR Contents > Copy the whole text (from BEGIN to END) as shown in the image.

Step 13.

From here it is necessary to go to the Windows Server (Certificate Authority): open a web browser and click Request a certificate to complete the ISE configuration, as shown in the image.

Step 14.

Click Advanced certificate request as shown in the image.

Step 15.

Click Submit a certificate request by using a base-64….  as shown in the image.

Step 16.

Paste the CSR generated on step 12 in the Base-64 encoded certificate request. From the Certificate Template: drop-down option, choose Web Server and click Submit as shown in the image.

Step 17.

Once you click Submit, you get the option to select the type of certificate, select Base-64 encoded, and click Download certificate chain as shown in the image.

Step 18.

Going back to the ISE server

Extract the certificates; the main file contains two certificates, one root certificate and one intermediate. The root certificate can be imported under Administration > Certificates > Trusted Certificates > Import as shown in the images.

Once you click Submit, the certificate is added to the trusted certificate list.

Step 19.

Go to Administration > Certificates > Certificate Signing Requests > Bind Certificate and add the intermediate certificate as shown in the image.

Step 20.

To view the certificate, navigate to Administration > Certificates > System Certificates as shown in the image.
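Steps 12 to 19 are done by hand in two web interfaces: copy the CSR, download the chain, extract it, import the root, bind the issued certificate. The following is an added example, not code from the post, from Cisco or from Microsoft, that scripts the same chain handling so the outcome can be checked before touching ISE: it splits a PEM bundle into its certificates, decides which one is the self-signed root (Trusted Certificates) and which one is the certificate issued for the CSR (Bind Certificate), verifies that the latter chains to the former, and confirms that its public key matches the CSR, which is what a bind must satisfy. It assumes the openssl command-line tool is on PATH; so that it runs offline, it first builds a throwaway lab CA and a CSR/certificate pair with constructed names (Lab Root CA, ise.lab.example) in place of the Windows CA download.

```python
"""Added example (not from the post): the certificate-chain handling behind
ISE Steps 12 to 19, scripted. Assumes the openssl CLI is on PATH. The lab CA,
CSR and certificate it creates are constructed stand-ins for the Windows CA
download, with names that appear nowhere in the post."""
import re
import subprocess
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def openssl(*args: str, stdin: bytes = b"") -> str:
    """Run one openssl command and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["openssl", *args], input=stdin, capture_output=True,
                          check=True).stdout.decode()


def split_pem_bundle(text: str) -> list:
    """Step 18 by script: every certificate in a bundle, in file order, skipping
    the 'subject=' / 'issuer=' banner lines that openssl pkcs7 -print_certs adds."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(text)]


def name_field(pem: str, field: str) -> str:
    """'subject' or 'issuer' of a certificate as openssl prints it, prefix stripped."""
    out = openssl("x509", "-noout", f"-{field}", stdin=pem.encode()).strip()
    return out.split("=", 1)[1].strip()


def classify(pem: str) -> str:
    """Which ISE screen a certificate belongs to:
    'root'         self-signed                -> Trusted Certificates import
    'intermediate' CA signed by another CA    -> Trusted Certificates as well
    'end-entity'   the certificate for the CSR -> Bind Certificate"""
    if name_field(pem, "subject") == name_field(pem, "issuer"):
        return "root"
    is_ca = "CA:TRUE" in openssl("x509", "-noout", "-text", stdin=pem.encode())
    return "intermediate" if is_ca else "end-entity"


def sort_bundle(bundle: str) -> dict:
    """Group every certificate in the bundle by the ISE step that consumes it."""
    groups = {"root": [], "intermediate": [], "end-entity": []}
    for pem in split_pem_bundle(bundle):
        groups[classify(pem)].append(pem)
    return groups


def chain_verifies(root_pem: str, leaf_pem: str) -> bool:
    """openssl verify of the end-entity certificate against the root to be trusted."""
    with tempfile.TemporaryDirectory() as d:
        root, leaf = Path(d, "root.pem"), Path(d, "leaf.pem")
        root.write_text(root_pem)
        leaf.write_text(leaf_pem)
        r = subprocess.run(["openssl", "verify", "-CAfile", str(root), str(leaf)], capture_output=True)
        return r.returncode == 0


def key_matches_csr(cert_pem: str, csr_pem: str) -> bool:
    """The bind check: the certificate's public key must equal the CSR's."""
    cert_key = openssl("x509", "-noout", "-pubkey", stdin=cert_pem.encode())
    csr_key = openssl("req", "-noout", "-pubkey", stdin=csr_pem.encode())
    return cert_key == csr_key


def make_lab_bundle(workdir: Path) -> tuple:
    """Constructed stand-in for 'Download certificate chain': a lab root CA, a CSR
    like the one ISE generates in Step 12, a certificate issued for it, packed as
    PKCS#7 and re-extracted to PEM. Returns (bundle_pem, csr_pem)."""
    w = str(workdir)
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "30",
            "-subj", "/CN=Lab Root CA", "-keyout", f"{w}/root.key", "-out", f"{w}/root.pem")
    openssl("req", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-subj", "/CN=ise.lab.example", "-keyout", f"{w}/ise.key", "-out", f"{w}/ise.csr")
    openssl("x509", "-req", "-sha256", "-days", "30", "-in", f"{w}/ise.csr",
            "-CA", f"{w}/root.pem", "-CAkey", f"{w}/root.key", "-CAcreateserial",
            "-out", f"{w}/ise.pem")
    openssl("crl2pkcs7", "-nocrl", "-certfile", f"{w}/ise.pem", "-certfile", f"{w}/root.pem",
            "-out", f"{w}/chain.p7b")
    bundle = openssl("pkcs7", "-print_certs", "-in", f"{w}/chain.p7b")
    return bundle, Path(w, "ise.csr").read_text()


def run_lab() -> dict:
    """End-to-end run on the constructed bundle; returns what a reviewer checks."""
    with tempfile.TemporaryDirectory() as d:
        bundle, csr = make_lab_bundle(Path(d))
        groups = sort_bundle(bundle)
        leaf = groups["end-entity"][0]
        return {"counts": {k: len(v) for k, v in groups.items()},
                "chain_ok": chain_verifies(groups["root"][0], leaf),
                "key_matches_csr": key_matches_csr(leaf, csr),
                "wrong_cert_rejected": not key_matches_csr(groups["root"][0], csr)}


if __name__ == "__main__":
    print(run_lab())
```

With a real download, replace `make_lab_bundle` by reading the extracted PEM text and the CSR copied in Step 12; the certificate that `classify` reports as `end-entity` is the one to bind, and `key_matches_csr` returning False means the wrong certificate was picked from the chain, which is the usual reason a bind is refused.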

Windows Workstation (Supplicant)

To authenticate a wireless user through EAP-TLS, you have to generate a client certificate.

Step 1.

Go to the CA and create a user with the same credentials used in step 3 of the RADIUS server (ISE configuration) section.

For this lab I’m creating a matching user on both sides (ISE & CA); you can also integrate AD or LDAP with your ISE server and reference it under the policy set authentication.

Step 2.

Connect your Windows computer to the network so that you can access the server. Open a web browser and enter this: https://<server IP address>/certsrv

The credentials belong to the user recently created on the CA & ISE.

Important. Note that this must be the same CA from which the certificate for ISE was downloaded.

Step 3.

Click Request a certificate as previously done, however this time you need to select User as the Certificate Template as shown in the image.

Step 4. 

Click User Certificate as shown in the image.

Step 5.

Certificate Template > User > Create new key set > Key size 1024 > Automatic key container name > Mark key as exportable > CMC > sha1 > Submit as shown in the image. 

Step 6.

Click Install this certificate to install the certificate in the local machine.

Step 7.

Go to Control Panel > Network and Internet > Network and Sharing Center > Set up a new connection or network > select Manually connect to a wireless network > Next as shown in the image.

Step 8.

Network name (this name must match the SSID from Step 1 of the Authenticator = Meraki Side section) > Security type: select WPA2-Enterprise > Next.

Step 9. 

Click Change connection settings.

Step 10.

Select Microsoft: Smart Card or other certificate and click Settings.

Step 11.

Select the Trusted Root Certification Authority (this is the certificate issued by the CA server) > Click OK as shown in the image.

Step 12. 

Click Advanced Settings and select User or computer authentication from the 802.1x settings tab > Click OK as shown in the image.

Step 13.

Go to Wireless network, select the correct profile (ISE_TLS in this example) and Connect as shown in the image.

Verify

After successful authentication to the WLAN, go to the ISE server dashboard > Operations > RADIUS > Live Logs as shown in the image.

An example of what a successful EAP-TLS log looks like:

I will post some troubleshooting steps in a different post!

Thanks for reading!

11 thoughts on “Configure EAP-TLS using ISE and Meraki AP”

  1. Hello there!
    I know this is somewhat off topic but I was
    wondering which blog platform are you using for this
    website? I’m getting sick and tired
    of WordPress because I’ve had problems with hackers and
    I’m
    looking at alternatives for another platform. It would be
    fantastic if you could point me in the direction of a good platform.

    1. Hi Carol, thanks for your kind words, I’m using WordPress like you, I’m sorry to hear that you are having issues with hackers and bad things, I can’t complain until now.

  2. Excellent website. A lot of useful info here. I’m sending it to some pals and also sharing
    in delicious. And of course, thank you for your sweat!

  3. I’ve been exploring for a bit for any high-quality articles or weblog posts on this kind of house.
    Exploring in Yahoo I finally stumbled upon this site.
    Reading this info, so I am glad to convey that I have a very good uncanny feeling
    I discovered just what I needed. I most unquestionably will make certain to don’t forget this web site
    and provide it a look on a continuing basis.

  4. I think this is one of the most important information for me.

    And I’m glad reading your article. But want to remark on a few general things: the site style is great,
    the articles are really great : D. Good job, cheers
