Security

  • 1.  ClearPass Wireless using Meraki

    Posted Aug 12, 2020 12:26 PM

    Currently, when Android phones try to connect to our Meraki SSID, it asks to select a certificate, but there is no certificate to select. How do I export my service certificate to install on our Android phones? I can only extract the full cert with private key. I just need the public crt file.

     



  • 2.  RE: ClearPass Wireless using Meraki

    Posted Aug 12, 2020 03:25 PM

    Using legacy EAP methods and credential types on unmanaged devices puts all user credentials at risk. This is not recommended.



  • 3.  RE: ClearPass Wireless using Meraki

    Posted Aug 12, 2020 03:38 PM

    How would we allow people to BYOD when we do not have an MDM solution for wireless?  Are there guides on how to set that up?  We do not have onboard licensing.



  • 4.  RE: ClearPass Wireless using Meraki

    Posted Aug 12, 2020 03:40 PM

    You need some form of device provisioning solution (ClearPass Onboard, SecureW2, Cloudpath, etc.).

     

    If you don't, every user credential should be treated as compromised.



  • 5.  RE: ClearPass Wireless using Meraki

    Posted Aug 12, 2020 03:43 PM

    If those are not free, then we can't do it. 



  • 6.  RE: ClearPass Wireless using Meraki

    Posted Aug 12, 2020 03:53 PM
    Then you should really issue every user a separate credential to use for Wi-Fi.


  • 7.  RE: ClearPass Wireless using Meraki

    Posted Aug 13, 2020 05:42 AM

    As Tim mentioned: don't do it. Also, Android has made it really hard to configure, but there is an option under the Advanced WiFi configuration where you can import root CAs for WiFi (which you can first export from the Trust list in ClearPass), and then it should be possible to see it in the dropdown for the CA Selection when you manually configure the authentication. It was already challenging for me to get the root downloaded to my phone, as during download it will open the certificate store for web authentication, which is not linked to the one for WiFi. I had to create a quick website with a link that I could 'download link' from to even get it into my Downloads folder.

     

    It's all clear that it is made as hard as possible to do this manually, which is another indication that you probably should not be doing this.

     

    I even just tested, but keep seeing the client reporting: unknown_ca, so I can't make it work quickly. Using Onboard or equivalents is probably better while moving to EAP-TLS at the same time.

     



  • 8.  RE: ClearPass Wireless using Meraki

    Posted Aug 13, 2020 04:16 PM

    Is there a walkthrough on how to set up Onboard with Meraki? I don't get how it works with Cisco gear vs Aruba gear, because the settings for Aruba don't work for Cisco.



  • 9.  RE: ClearPass Wireless using Meraki

    Posted Aug 13, 2020 05:43 PM
    Not that I'm aware of, but if you can find any docs on setting up guest with Meraki, it is the same.


  • 10.  RE: ClearPass Wireless using Meraki

    Posted Oct 09, 2020 03:13 PM
    Edited by UIUYoungr Oct 09, 2024 04:41 PM

    Deleted



  • 11.  RE: ClearPass Wireless using Meraki
    Best Answer

    Posted Oct 09, 2024 04:40 PM
    Edited by UIUYoungr Oct 09, 2024 04:42 PM

    I forgot to put in Cisco - Terminate Session and Cisco - Reauthenticate-Session in the Webauth Captive portal enforcement. Without those, you won't automatically get redirected and reconnected, and you have to manually reconnect to the SSID.