To give your users access to the Meraki AP using OneLogin RADIUS, create a Wi-Fi profile and install it on user devices. The method used to create the Wi-Fi profile, distribute it, and install depends on your organization's preferred tools and procedures. This article describes how to:
- Create the Wi-Fi profile for Mac OS X devices using Apple Configurator 2 (Admin task)
- Install the Wi-Fi profile on Mac OS X devices (Admin or end-user task)
- Update your Wi-Fi profile with Apple Configurator 2 (Admin or end-user task)
You can use alternative applications (like Apple Profile Manager) to create and distribute the Wi-Fi profile. All Wi-Fi profiles must include:
- The SSID of your Meraki AP
- A Security Type of WPA2-Enterprise
- An authentication scheme of EAP-TTLS/PAP
Certificates
Chain of trust
Every SSL certificate is issued under a root certificate. Root certificates are self-signed certificates by a reputable CA like Sectigo and are included in the trusted root store used by a browser or on the OS. Between a root certificate and an SSL certificate, one or more intermediate certificates are present. Together, they provide a complete chain of trust to the root certificate. By using intermediate certificates, the root certificate itself doesn't need to sign a certificate. An SSL certificate is signed by an intermediate and the intermediate by the root certificate.
Install the RADIUS certificate and intermediate DigiCertCA certificate
Important: RADIUS Certificates are renewed on a yearly basis. You can find the most recent certificate file locations here.
Prerequisites
Configure a Meraki Access Point (AP) to use OneLogin as a RADIUS server
Create your Wi-Fi profile using Apple Configurator 2
As an admin, you can create a Wi-Fi profile that you can install on end-user machines or distribute to your end users to install themselves.
Note: These instructions use Apple Configurator 2, which requires Mac OS X 10.11 (El Capitan) and above. You could also use Apple Profile Manager on Mac OS X Server 10.7 and above to create and push your WiFi profile. For more information, see your Apple Profile Manager documentation.
-
Download the OneLogin RADIUS certificate and intermediate CA certificate: see Certificates section above for download information.
-
In Apple Configurator 2, go to File > New Profile.
-
In the General section, set the Name and Identifier values.
-
Go to the Certificates section, and click Configure.
-
Select the OneLogin RADIUS certificate (star_us_onelogin_com.crt or star_eu_onelogin_com.crt) that you downloaded in step 1.
-
Confirm that you successfully added the certificate. Since you're installing the certificate for the first time, the page will display a warning that the certificate was signed by an unknown authority.
-
Click the Add  button to select and add the intermediate CA certificate (DigiCertTLSRSASHA2562020CA1.crt) that you downloaded in step 1.
-
Confirm that you successfully added both certificates.
-
Go to the Wi-Fi section, and configure the following fields:
- SSID: your desired SSID
- Security Type: WPA2 Enterprise (iOS 8 or later except Apple TV)
- Accepted EAP Types: TTLS
- Inner Authentication: PAP
-
Note that Enterprise Settings options don't appear until after you have selected the Security Type.
-
Under Enterprise Settings, select the Trust tab and select the checkbox for both *.(us|eu).onelogin.com and DigiCert SHA2 Secure Server CA.
-
Save your Wi-Fi profile.
Go to File > Save. When the dialog appears, warning you that the profile requires user input when installed on a device, click Save Anyway.
Your Wi-Fi profile configuration is complete. Now you can transfer and install this profile on any Mac OS X machine that connects to your Wi-Fi network using OneLogin RADIUS server for authentication.
Install the Wi-Fi profile on client Mac OS X machines
These instructions detail how admins can install Wi-Fi profiles on end-user machines. These instructions can be used by end users who received the transferred Wi-Fi profile file from admins.
Note: These instructions use Apple Configurator 2. If you use Apple Profile Manager on OS X Server, you can push the Wi-Fi profile directly to Mac OS X client machines.
-
Admins transfer the Wi-Fi profile file your_ssid.mobileconfig previously created to the client machines that need to connect to your Wi-Fi network.
-
On the client Mac OS X machine, open the WiFi profile file your_ssid.mobileconfig.
Click Continue for the two dialog boxes.
-
In the Enterprise Network dialog, enter your OneLogin Username and Password, and click Install.
-
Enter your local machine admin credentials in the dialog and click OK.
-
The Wi-Fi profile is now installed on the client machine.
-
You can select the SSID from the list of available Wi-Fi networks and connect.
Update your Wi-Fi profile with Apple Configurator 2
As an admin, you can update the WiFi profile to install on end-user machines or distribute to end users to install.
Note: These instructions use Apple Configurator 2, which requires Mac OS X 10.11 (El Capitan) and above. You can use Apple Profile Manager on Mac OS X Server 10.7 and above to create and push your Wi-Fi profile. For more information, see your Apple Profile Manager documentation.
-
Download the OneLogin RADIUS certificate and Digicert intermediate certificate.
-
In Apple Configurator 2, go to File > Open and browse to select your extant Wi-Fi profile.
-
In the General section, verify the Name and Identifier values.
-
Select Certificates. Click the Add button in the upper right to add the certificate you downloaded in step 1.
-
Verify that the certificate was added.
-
In the General section, select Wi-Fi.
In Enterprise Settings, select Trust and the checkbox for the newly added certificate *.us.onelogin.com (or *.eu.onelogin.com ). Save your Wi-Fi profile.
-
Go to File > Save. When the dialog appears click Save Anyway.
Your Wi-Fi profile configuration update is complete. You can transfer and install this profile on any Mac OS X machine that connects to your Wi-Fi network using OneLogin RADIUS server for authentication.
|