To give your users access to the Meraki AP using OneLogin RADIUS, create a Wi-Fi profile and install it on user devices. The method used to create, distribute, and install the Wi-Fi profile depends on your organization's preferred tools and procedures. This article describes how to:
- Create the Wi-Fi profile for Mac OS X devices using Apple Configurator 2 (Admin task)
- Install the Wi-Fi profile on Mac OS X devices (Admin or end-user task)
- Update your Wi-Fi profile with Apple Configurator 2 (Admin or end-user task)
You can use alternative applications (like Apple Profile Manager) to create and distribute the Wi-Fi profile. All Wi-Fi profiles must include:
- The SSID of your Meraki AP
- A Security Type of WPA2-Enterprise
- An authentication scheme of EAP-TTLS/PAP
Chain of trust
Every SSL certificate is issued under a root certificate. Root certificates are self-signed certificates issued by a reputable CA such as Sectigo and are included in the trusted root store used by a browser or the OS. Between a root certificate and an SSL certificate, one or more intermediate certificates are present. Together, they provide a complete chain of trust to the root certificate. By using intermediate certificates, the root certificate itself doesn't need to sign an SSL certificate directly: the SSL certificate is signed by an intermediate, and the intermediate is signed by the root certificate.
Install the RADIUS certificate and intermediate DigiCertCA certificate
Important: RADIUS Certificates are renewed on a yearly basis. You can find the most recent certificate file locations here.
Configure a Meraki Access Point (AP) to use OneLogin as a RADIUS server
Create your Wi-Fi profile using Apple Configurator 2
As an admin, you can create a Wi-Fi profile that you can install on end-user machines or distribute to your end users to install themselves.
Note: These instructions use Apple Configurator 2, which requires Mac OS X 10.11 (El Capitan) and above. You could also use Apple Profile Manager on Mac OS X Server 10.7 and above to create and push your Wi-Fi profile. For more information, see your Apple Profile Manager documentation.
Download the OneLogin RADIUS certificate and intermediate CA certificate: see the Certificates section above for download information.
In Apple Configurator 2, go to File > New Profile.
In the General section, set the Name and Identifier values.
Go to the Certificates section, and click Configure.
Select the OneLogin RADIUS certificate (star_eu_onelogin_com.crt) that you downloaded in step 1.
Confirm that you successfully added the certificate. Since you're installing the certificate for the first time, the page will display a warning that the certificate was signed by an unknown authority.
Click the Add button to select and add the intermediate CA certificate (DigiCertTLSRSASHA2562020CA1.crt) that you downloaded in step 1.
Confirm that you successfully added both certificates.
Go to the Wi-Fi section, and configure the following fields:
- SSID: your desired SSID
- Security Type: WPA2 Enterprise (iOS 8 or later except Apple TV)
- Accepted EAP Types: TTLS
- Inner Authentication: PAP
Note that Enterprise Settings options don't appear until after you have selected the Security Type.
Under Enterprise Settings, select the Trust tab and select the checkbox for both
DigiCert SHA2 Secure Server CA.
Save your Wi-Fi profile.
Go to File > Save. When the dialog appears, warning you that the profile requires user input when installed on a device, click Save Anyway.
Your Wi-Fi profile configuration is complete. Now you can transfer and install this profile on any Mac OS X machine that connects to your Wi-Fi network using OneLogin RADIUS server for authentication.
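Before distributing the saved profile, you can check it against the settings listed above. The following is an added example, not OneLogin or Apple code: it assumes the profile is saved unsigned (a plain property list), uses the key names of Apple's Wi-Fi configuration payload, and runs on a constructed sample profile whose SSID, UUID and certificate bytes are placeholders.

```python
import plistlib

# Payload types that carry a certificate inside a configuration profile.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}
EAP_TTLS = 21  # EAP method number for TTLS


def check_wifi_profile(data, expected_ssid):
    """Return findings for an unsigned .mobileconfig; empty list means it matches."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    wifi = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    findings = [] if wifi else ["no Wi-Fi payload"]
    for w in wifi:
        eap = w.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if w.get("SSID_STR") != expected_ssid:
            findings.append("unexpected SSID")
        if w.get("EncryptionType") != "WPA2" or not eap:
            findings.append("not WPA2 Enterprise")
        if EAP_TTLS not in eap.get("AcceptEAPTypes", []):
            findings.append("TTLS not accepted")
        if eap.get("TTLSInnerAuthentication") != "PAP":
            findings.append("inner authentication is not PAP")
        if not anchors:
            findings.append("no trusted certificate selected")
        elif not set(anchors) <= cert_uuids:
            findings.append("trust anchor missing from profile")
    return findings


def build_sample(trusted=True):
    """Constructed profile for illustration; UUIDs and cert bytes are placeholders."""
    cert = {"PayloadType": "com.apple.security.pkcs1", "PayloadUUID": "CERT-UUID-1",
            "PayloadContent": b"placeholder-der-bytes"}
    eap = {"AcceptEAPTypes": [EAP_TTLS], "TTLSInnerAuthentication": "PAP"}
    if trusted:
        eap["PayloadCertificateAnchorUUID"] = ["CERT-UUID-1"]
    wifi = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example-ssid",
            "EncryptionType": "WPA2", "EAPClientConfiguration": eap}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [cert, wifi]})


if __name__ == "__main__":
    for trusted in (True, False):
        print(trusted, check_wifi_profile(build_sample(trusted), "example-ssid"))
```

The trust check matters most here: with PAP as the inner method, the user's password travels inside the TLS tunnel, so the client's validation of the RADIUS server certificate is what protects it.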
Install the Wi-Fi profile on client Mac OS X machines
These instructions detail how admins can install Wi-Fi profiles on end-user machines. End users who received the Wi-Fi profile file from an admin can follow the same instructions.
Note: These instructions use Apple Configurator 2. If you use Apple Profile Manager on OS X Server, you can push the Wi-Fi profile directly to Mac OS X client machines.
Admins transfer the previously created Wi-Fi profile file your_ssid.mobileconfig to the client machines that need to connect to your Wi-Fi network.
On the client Mac OS X machine, open the Wi-Fi profile file.
Click Continue for the two dialog boxes.
In the Enterprise Network dialog, enter your OneLogin Username and Password, and click Install.
Enter your local machine admin credentials in the dialog and click OK.
The Wi-Fi profile is now installed on the client machine.
You can select the SSID from the list of available Wi-Fi networks and connect.
Update your Wi-Fi profile with Apple Configurator 2
As an admin, you can update the Wi-Fi profile to install on end-user machines or distribute to end users to install.
Note: These instructions use Apple Configurator 2, which requires Mac OS X 10.11 (El Capitan) and above. You can use Apple Profile Manager on Mac OS X Server 10.7 and above to create and push your Wi-Fi profile. For more information, see your Apple Profile Manager documentation.
Download the OneLogin RADIUS certificate and DigiCert intermediate certificate.
In Apple Configurator 2, go to File > Open and browse to select your existing Wi-Fi profile.
In the General section, verify the Name and Identifier values.
Select Certificates. Click the Add button in the upper right to add the certificate you downloaded in step 1.
Verify that the certificate was added.
In the General section, select Wi-Fi.
In Enterprise Settings, select Trust and the checkbox for the newly added certificate *.us.onelogin.com (or *.eu.onelogin.com).
Save your Wi-Fi profile.
Go to File > Save. When the dialog appears, click Save Anyway.
Your Wi-Fi profile configuration update is complete. You can transfer and install this profile on any Mac OS X machine that connects to your Wi-Fi network using OneLogin RADIUS server for authentication.