The Challenge
A suburban New Jersey school district needed to manage network access for student and administrative devices, as well as guests. The school wanted to fully transition to certificate-based authentication, replacing the old, shared password system to prevent unauthorized student access.
The district also sought to manage access and permissions across its eight schools. Managing access to internal school resources was a key concern. So was ensuring that students and families had access to portals with key information even while they were off-site.
The district had already begun migrating its wireless infrastructure from Aruba to Meraki. It was critical for the authentication layer to remain intact during the migration. It was also important to implement these changes with a minimum of disturbance to the school body.
Administrators wanted to improve device lifecycle management so certificates of lost devices could be easily revoked. Looking ahead, the district wanted to enable BYOD so that staff and students could safely connect their personal devices to the school network.
Three MDM platforms added complexity: Chromebooks enrolled through Google SCEP, Windows devices through WSTEP with Active Directory, and Apple devices through Mosyle. The long-term vision was to collapse multiple SSIDs into a single network, with the cloud-based RADIUS handling identity-based policy branching for different device types and user roles.
The Solution
Cloud-based RADIUS and a managed PKI provided a vendor-agnostic authentication layer configured to accept RADIUS requests from both Aruba and Meraki infrastructure, serving as a stable authentication backbone across both platforms during the transition.
Certificate enrollment was implemented to span three MDM platforms: Google SCEP for Chromebooks, WSTEP via Active Directory for Windows, and Mosyle for Apple devices. The cloud-based RADIUS serves as the single authentication point for all device types and was configured to accept requests from both Aruba and Meraki simultaneously, allowing the two wireless environments to coexist without duplicating policies.
Six implementation sessions covered the full process, including adding Meraki as a RADIUS client, building network policies, testing authentication flows, and designing the identity-based single-SSID architecture.
The Results
- Certificate-based authentication: the district replaced pre-shared keys with certificate-based authentication. Both Aruba and Meraki authenticate against the same RADIUS infrastructure with the same policies during the migration.
- Vendor-agnostic authentication: Google SCEP configuration is now fully operational, and Chromebooks receive certificates automatically through Google Admin integration.
- Single-SSID architecture: as the Meraki migration completes school by school, the district moves closer to its target of a single-SSID architecture that will simplify network management. The authentication layer is already in place and tested; the remaining work is completing the hardware swap.