
ISE 2.4, Cisco WLC, iPhone Certificate based Authentication with Meraki MDM

Hello,

 

We are currently using ISE in our network for RADIUS authentication on our wireless network. Machines connect through a wireless network that is pushed through GPO; this verifies the machine is in the correct OU and AD group for access, and allows the device on.

 

We are looking to add phones now through ISE instead of using a PSK. We would like to deploy a certificate to phones through Meraki MDM, have those phones connect to the internal wireless network, and then have a condition that checks the certificate and allows the machine to be placed into a particular VLAN. 

 

I'm having a hard time finding information on this specific use case. Is there anyone with experience setting this up available to help?

 

Thank you!

2 Replies

paul
Level 10

Is the Meraki MDM actually issuing the cert from its own internal CA or is it a proxy through to your own Microsoft CA?

 

If the Meraki is issuing the certs, you could look at the issuer common name in your authorization rules to pick off the Meraki MDM issued certs. If it is a Microsoft CA that is the same CA used by the corporate wireless clients, you could use the cert template used to issue the cert as criteria. Better yet, no matter the CA issuing the cert, make sure the cert request contains a certain OU structure like OU=IP Phone and use that as the criteria to pick off IP phones vs. corporate wireless users.
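
The issuer common name and subject OU criteria from the reply above, sketched as first-match rules over parsed DN fields. This is an added example, not part of the thread and not ISE configuration; the CA name, DNs, rule names and VLAN ID are constructed, and the certificate-template criterion is not covered.

```python
# Added example: first-match authorization on parsed certificate DN fields.
# CA names, DNs, rule names and the VLAN ID are constructed placeholders.

def parse_dn(dn):
    """Parse an RFC 4514-style DN string into {TYPE: [values]}.
    Handles backslash-escaped separators and multi-valued RDNs ('+');
    hex-pair escapes are not decoded."""
    parts, buf, esc = [], [], False
    for ch in dn:
        if esc:                      # character after a backslash is literal
            buf.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch in ",+":             # RDN / multi-value separator
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    attrs = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs

# Rules are checked top-down and the first match wins.
# (rule name, certificate field, attribute type, expected value, VLAN)
RULES = [
    ("phone-mdm-issuer", "issuer", "CN", "Example MDM Device CA", 30),
    ("phone-subject-ou", "subject", "OU", "IP Phone", 30),
]
NO_MATCH = ("no-phone-rule", None)   # fall through to the other rules

def authorize(subject_dn, issuer_dn):
    cert = {"subject": parse_dn(subject_dn), "issuer": parse_dn(issuer_dn)}
    for name, field, attr, expected, vlan in RULES:
        # Compare the whole attribute value, not a substring of the DN,
        # so "OU=IP Phone Testers" does not satisfy the "IP Phone" rule.
        if expected in cert[field].get(attr, []):
            return name, vlan
    return NO_MATCH

if __name__ == "__main__":
    print(authorize("CN=iphone-01,OU=IP Phone,O=Example Corp",
                    "CN=Example Corporate Issuing CA,O=Example Corp"))
```
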

hslai
Cisco Employee

"Certificate-based WiFi authentication with Systems Manager and Meraki APs" might help. Please contact Meraki teams for additional support questions on Meraki MDM.