How to Configure Cloud RADIUS With Meraki
In this guide we will explain how to integrate SecureW2 PKI, Cloud RADIUS, and Device Onboarding and Certificate Enrollment software with Meraki Access Points to deliver EAP-TLS, certificate-based 802.1x authentication.
With SecureW2, you can quickly configure any 802.1x Wi-Fi infrastructure for EAP-TLS. Transitioning from credential to certificate-based authentication has never been easier, with many of our customers getting it done in a few hours, or even faster.
If you are interested in setting up MAC-based RADIUS Authentication, you can find the relevant instructions and resources at the following link: How to integrate MAC based RADIUS Authentication with Cisco Meraki
Prerequisites and Best Practices
Before starting, ensure that:
- You have an active SecureW2 JoinNow subscription and have access to the JoinNow Management Portal
- Meraki APs are on the most recent firmware
- Your firewall allows outbound UDP 1812 (auth) and 1813 (accounting) to SecureW2 IPs.
- You have primary/secondary RADIUS IPs from SecureW2 for redundancy.
- You test connectivity early:
- In Meraki Dashboard > Wireless > Access control > RADIUS servers > Test button (periodic probes use username “meraki_8021x_test”; failures often stem from mismatched secrets, ports, or TLS versions).
- For EAP-TLS: Devices must trust the SecureW2-issued certificates (use SecureW2 onboarding for auto-enrollment). Ensure client devices have accurate system time and date, as certificate validation in EAP-TLS will fail if device clocks are significantly out of sync.
Be sure to enable event logging in Meraki and monitor the SecureW2 dashboard for authentication requests during setup.
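The note above that test failures often stem from mismatched secrets can be seen in the RADIUS packet format itself. The following is an added example, not SecureW2 or Meraki code: it models the shared-secret checks from RFC 2865 and RFC 3579 on a constructed probe packet. The secret values and the always-reject model server are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
USER_NAME, MESSAGE_AUTHENTICATOR = 1, 80

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(secret, username, ident, req_auth):
    # Message-Authenticator (RFC 3579): HMAC-MD5 over the whole packet,
    # computed with the 16-byte attribute value set to zero.
    attrs = attr(USER_NAME, username.encode()) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def request_mac_is_valid(secret, packet):
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False

def server_handle(server_secret, request):
    # Model server (assumption): rejects every user. A request whose
    # Message-Authenticator fails is silently discarded (RFC 3579),
    # so the client only ever sees a timeout.
    if not request_mac_is_valid(server_secret, request):
        return None
    head = struct.pack("!BBH", ACCESS_REJECT, request[1], 20)
    # Response Authenticator (RFC 2865): MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    return head + hashlib.md5(head + request[4:20] + server_secret).digest()

def response_is_authentic(secret, request, response):
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    # Constructed secrets; the second one contains a deliberate typo.
    req = build_access_request(b"constructed-secret", "meraki_8021x_test", 7, os.urandom(16))
    for server_secret in (b"constructed-secret", b"constructed-secert"):
        reply = server_handle(server_secret, req)
        print(server_secret, "->", "reply" if reply else "no reply (looks like a timeout)")
```

Because a bad secret produces silence rather than an error, a failed test cannot by itself distinguish a blocked UDP port from a mistyped secret; check both.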
Configuring the SecureW2 PKI and RADIUS Server for Meraki Network
To configure a Network Profile for wireless, perform the following steps:
- Log in to the JoinNow Management Portal.
- Navigate to Device Onboarding > Getting Started.
- On the Quickstart Network Profile generator page, from the Profile Type drop-down list, select Wireless.
- In the SSID field, type the name of a profile.
- From the Security Type drop-down list, select WPA2-Enterprise.
- From the EAP Method drop-down list, select EAP-TLS.
- From the Policy drop-down field, retain DEFAULT.
- From the Wireless Vendor drop-down list, select Cisco Meraki.
- From the RADIUS Vendor drop-down list, select a RADIUS vendor.

- Click Create.
To access the RADIUS details, follow the steps below.
- Navigate to RADIUS > RADIUS Configuration.
- Copy the Primary IP Address, Authentication Port and Shared Secret of your subscribed region to your console.
Configuring Secure SSID from the Meraki Dashboard
Follow these steps to configure the Secure SSID:
- Log in to the Meraki Dashboard.
- Navigate to Wireless > SSIDs.

- Select an unconfigured SSID and switch it from disabled to enabled.
- Click the rename link to change the SSID name (make sure it is the same name as the SSID in the Network Profile).

- Click Save Changes.
Setting Up SecureW2 as RADIUS Server in Meraki
Follow these steps to configure the RADIUS server in Cisco Meraki.
- Log in to the Meraki Dashboard.
- Navigate to Wireless > Access control.

- Under Network access > Association requirements, select my RADIUS server from the enterprise drop-down list.
- From the WPA encryption mode drop-down list, select WPA2 only (recommended for most deployments).

- Under Splash page, select None (direct access).
- In the RADIUS servers section, click Add a server.

- From the JoinNow Management Portal (navigate to RADIUS > RADIUS Configuration), copy the Primary IP Address, Authentication Port, and Shared Secret and paste them in the Host, Port, and Secret fields in the Meraki Dashboard.
- In the RADIUS servers section, click Add a server again.

- From the JoinNow Management Portal (navigate to RADIUS > RADIUS Configuration), copy the Secondary IP Address, Authentication Port, and Shared Secret and paste them in the Host, Port, and Secret fields in the Meraki Dashboard.
- Click Save Changes.
Configuring Access Point to use Splash Page
Follow these steps to configure the Access point:
- Log in to the Meraki Dashboard.
- Navigate to Wireless > Access Control.

- Under Network access, in the Association requirements section, select Open (no encryption).

- Under Splash page, select Click-through.

This process redirects to the SecureW2 landing page.
Configuring Redirect to SecureW2 Landing Page
- Navigate to Wireless > Splash page.

- Verify that the SSID field matches the SSID that you configured earlier (refer to the Configuring Secure SSID section).
- Under Custom splash URL, enter your network profile URL where the user will be redirected.

- Click Save changes.
Configuring Walled Garden
When implementing a BYOD system, it’s vital to keep corporate data and personal data separate and protected. Using a walled garden on the Onboarding SSID is one proven method to achieve this. Instituting a walled garden keeps corporate data stored in a secure application that is separated from personal data. This ensures that sensitive corporate data will not be breached.
For an Onboarding SSID, you need to allow onboarding-related resources. For example, SecureW2 JoinNow MultiOS uses an Android application to configure Android devices for WPA2-Enterprise, so we allow access to the Play Store on our Onboarding SSID.
Another common issue is the Apple Captive Network Assistant (CNA) which can get in the way of WPA2-Enterprise configuration. The CNA often pops up unexpectedly on iOS/macOS devices, blocking or delaying access to configuration profiles, apps, or the onboarding landing page.
At SecureW2, we control what resources can be accessed on the Onboarding SSID by using a Walled Garden. This allows network administrators to control access to certain sites and applications, steering network users away from potentially harmful situations.
To configure the Walled Garden:
- Navigate to Wireless > Firewall & traffic shaping.

- Verify that the SSID field matches the SSID that you configured earlier (refer to the Configuring Secure SSID section).
- Under Block IPs and ports, in the Layer 3 firewall rules section, click the Add a layer 3 firewall rule link and add a rule that allows traffic through the firewall to SecureW2 resources.

NOTE: To get the list of URLs, download the SecureW2 JoinNow Deployment Guide from the JoinNow Management Portal. To download the guide, navigate to General > Documentation. The SecureW2 JoinNow Deployment Guide is available under the JoinNow MultiOS tab. Scroll to the Firewall Rules section for the list of IPs that need to be added under the Layer 3 firewall rules. The SecureW2 JoinNow Deployment Guide also lists additional DNS and ACLs for Android Play Store, Apple CNAs, Microsoft SmartScreen, and so on.
- Under the Layer 3 firewall rules, enter an additional rule with Deny as the Policy on the 0.0.0.0 IP address. This prevents abuse of the open SSID to access the Internet.

- Click Save Changes.
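The order of the two rule types above matters, because Layer 3 rules are matched top-down and the first match wins. The following added example (not SecureW2 or Meraki code) models that evaluation and lints a ruleset for the mistakes that leave an onboarding SSID open. The 198.51.100.0/24 range is a documentation placeholder, not a SecureW2 address, and the default-allow behaviour for unmatched traffic is an assumption of the model.

```python
import ipaddress

# Constructed ruleset: (policy, destination CIDR, destination port).
# Take the real destinations from the SecureW2 JoinNow Deployment Guide.
RULES = [
    ("allow", "198.51.100.0/24", "443"),  # placeholder for SecureW2 resources
    ("deny", "0.0.0.0/0", "any"),         # the final deny rule from the steps above
]

def decide(rules, dst_ip, dst_port, default="allow"):
    """First matching rule wins; unmatched traffic gets the default (assumed allow)."""
    ip = ipaddress.ip_address(dst_ip)
    for policy, cidr, port in rules:
        if ip in ipaddress.ip_network(cidr) and port in ("any", str(dst_port)):
            return policy
    return default

def lint(rules):
    """Return a list of problems that would defeat the walled garden."""
    problems = []
    if not rules or rules[-1] != ("deny", "0.0.0.0/0", "any"):
        problems.append("no final deny-all rule: open SSID can reach the Internet")
    earlier_denies = []
    for number, (policy, cidr, port) in enumerate(rules, start=1):
        net = ipaddress.ip_network(cidr)
        if policy == "allow" and net.prefixlen == 0:
            problems.append(f"rule {number}: allow covers every address")
        if policy == "allow" and any(net.subnet_of(d) for d in earlier_denies):
            problems.append(f"rule {number}: allow is shadowed by an earlier deny")
        if policy == "deny" and port == "any":
            earlier_denies.append(net)
    return problems

if __name__ == "__main__":
    print(lint(RULES))                  # correct order: no problems
    print(lint(list(reversed(RULES))))  # deny first: onboarding is blocked
    print(decide(RULES, "203.0.113.5", 443))
```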
Verifying Your Setup and Basic Troubleshooting
After configuration:
- Test a client device by enrolling via SecureW2 JoinNow and connecting to the SSID.
- Check the Meraki Dashboard > Wireless > Event log (filter for 802.1X events) and look for Access-Accept (success) or failures.
- In Access control > RADIUS servers, run the built-in test. Success confirms reachability and secret match.
If it fails, here are some common issues and their fixes:
- RADIUS test fails or is unreachable: Verify IPs/ports/secrets exactly match SecureW2 configuration; check firewall rules; test from AP uplink via packet capture.
- Intermittent client failures: Often due to certificate chain issues or expired certificates. Review SecureW2 logs and ensure devices have the root CA trusted.
- “Recent 802.1X Failure” alert: Persistent alerts can indicate RADIUS latency, roaming interruptions, or client certificate issues. Review the Meraki event log and verify RADIUS response times.
- CNA/splash interference: Confirm walled garden allows required connectivity-check and certificate validation endpoints listed in the SecureW2 deployment guide.
If issues persist, check SecureW2 support or Meraki event logs for details.
And with that, you’re on your way to a more secure wireless network! If you’re ready to get started, SecureW2 has affordable solutions for organizations of all shapes and sizes. Click here for a demo.