Most users are working with a laptop from many different locations. This means that most of the time, they are connecting their devices via Wi-Fi to get their work done.
The most common way to connect to a Wi-Fi network is through a Pre-Shared Key (PSK). You may know this as the password on the back of your router, scribbled somewhere on a sticky note, or even written on the whiteboard at work for everyone to see. A password's strength is not only tied to its length and complexity, but also to how well it is hidden, or kept secret.
Bad actors can capture these PSKs quite easily through various means, and one of them involves using a pineapple. Now I do not mean the fruit; I am talking about the incognito, certified hacker tool that costs less than the weekly grocery shop. The Hak5 Pineapple is a tool that looks like a home router and is used by pen testers to audit wireless networks. In short, these devices can intercept the encrypted passwords that are being transmitted and decrypt them for use later. Once they have your PSK, the same device can be used to conduct man-in-the-middle (MitM) attacks, where your data passes through the bad actor's machine before getting to its destination, giving the attackers access to your personal information. Of course, if your Wi-Fi password is written down somewhere where everyone can see it, none of this is required and hackers can skip straight to the MitM attack.
The other option is the gold standard for implementing secure corporate Wi-Fi authentication: the certificate-based method, Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). EAP-TLS uses certificates installed on user devices and on servers to verify that the user attempting to connect to the wireless network has the privileges to do so. These certs can be pushed to user machines through the device management tool of your choice, e.g. Intune. If configured correctly, this method requires no user involvement, ensuring a seamless user journey.
7 Key Benefits of Implementing EAP-TLS In Your Corporate Wi-Fi Network
How Can We Achieve This In a Modern Managed Environment with Minimal Hardware Dependencies?
There are numerous ways to incorporate EAP-TLS into your corporate Wi-Fi network. However, at its core, EAP-TLS involves the following three members:
The Supplicant: This is the user's device.
The Authenticator: This is the access point (or switch) the device connects through; it relays the EAP exchange and only opens the port once authentication has succeeded.
The Authentication Server: This is the RADIUS server that validates the device's certificate against the trusted CA and tells the authenticator whether to admit the device.

This is a pure Meraki solution, achieved by using features available on the Meraki Dashboard, the web portal used to manage all of your Meraki devices organisation-wide. It eliminates the need for any external AAA server or on-site PKI infrastructure.
To achieve this single-product solution, you will need to ensure that your access control settings within Meraki Dashboard are set to use Meraki Cloud Authentication. This setting is what provides the authentication and privilege checks that would otherwise be done by a traditional EAP-TLS configuration. Once this has been completed, the only thing left is to create your users on Meraki Dashboard.
Once the Meraki Dashboard configuration has been finalised, we need to enrol user devices, i.e. the user machines/laptops. Enrolment ensures that only enrolled devices, and therefore only allowed users, can access the network. Meraki provides two options for device enrolment; these are:
Once the Meraki Dashboard configuration and device enrolment have been completed correctly, your environment will be using EAP-TLS for authentication on the wireless network.
As mentioned previously, to incorporate EAP-TLS into your network you will need to deploy some kind of authenticator along with an authentication server. In this solution, we utilise the following:
SCEPman: the cloud-based CA that issues the certificates
RADIUSaaS: the cloud-based RADIUS server that acts as the authentication server
Intune: the MDM used to distribute the certificates to end devices

Now let us look at the configuration steps. The first thing we need to do is get SCEPman running in our Azure environment, follow all the required configuration steps and download our CA certificate. Once we have this cert, we will need to distribute it to all endpoint devices; this is done easily through Intune or whatever MDM (Mobile Device Manager) you are using in your organisation.
Once the SCEPman configuration has been completed, we can move on to configuring our cloud-based RADIUS server (RADIUSaaS); here you will add the CA cert we created earlier. You may also need to make the relevant network configuration changes to ensure client devices can reach the RADIUS server.
Now that we have configured the authenticator and the authentication server, we need to ensure that all the relevant certs are installed on the end devices. Once again, we will utilise Intune for this task.
Once all required configurations have been made, you should see EAP-TLS traffic as shown in the image below:
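A quick way to confirm what you are seeing is actually EAP-TLS (type 13) rather than PEAP or a PSK handshake is to decode the EAP headers from the 802.1X frames. The decoder below is an added example, not part of the original post or of any Meraki, SCEPman or RADIUSaaS tooling; the frames it checks are constructed in-line rather than taken from a real capture, and the field layout follows RFC 3748 (EAP) and RFC 5216 (EAP-TLS).

```python
"""Decode EAP packets from EAPOL frames and check that an exchange uses EAP-TLS."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def parse_eap(frame: bytes) -> dict:
    """Parse one EAPOL frame: version(1) type(1) length(2), then the EAP packet
    code(1) id(1) length(2) [type(1) [flags(1) [tls_length(4)]]] (RFC 3748 / RFC 5216)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != 0:  # 0 = EAP-Packet; 3 would be an EAPOL-Key (the PSK 4-way handshake)
        raise ValueError(f"not an EAP-Packet EAPOL frame (type {eapol_type})")
    body = frame[4:4 + body_len]
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length > len(body):
        raise ValueError("EAP length field exceeds frame body")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "type": None, "tls_flags": {}, "tls_length": None}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type byte
        eap_type = body[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 13 and length >= 6:
            flags = body[5]  # L = length included, M = more fragments, S = EAP-TLS Start
            info["tls_flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            if flags & 0x80 and length >= 10:
                info["tls_length"] = struct.unpack("!I", body[6:10])[0]
    return info

def is_eap_tls_exchange(frames) -> bool:
    """True when every Request/Response after the Identity round uses EAP-TLS (type 13)."""
    methods = [p["type"] for p in map(parse_eap, frames) if p["type"] not in (None, "Identity")]
    return bool(methods) and all(m == "EAP-TLS" for m in methods)

def eapol(code: int, ident: int, payload: bytes) -> bytes:
    """Build a constructed EAPOL/EAP frame for the samples below (not a real capture)."""
    eap = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return struct.pack("!BBH", 2, 0, len(eap)) + eap

SAMPLE_EAP_TLS = [  # constructed: Identity round, then EAP-TLS Start and a ClientHello fragment
    eapol(1, 1, bytes([1])),
    eapol(2, 1, bytes([1]) + b"user@example.com"),
    eapol(1, 2, bytes([13, 0x20])),
    eapol(2, 2, bytes([13, 0x80]) + struct.pack("!I", 300) + b"\x16\x03\x03"),
]
SAMPLE_PEAP = [eapol(1, 1, bytes([1])), eapol(1, 2, bytes([25, 0x20]))]  # constructed PEAP start

if __name__ == "__main__":
    print("EAP-TLS sample:", is_eap_tls_exchange(SAMPLE_EAP_TLS), "PEAP sample:", is_eap_tls_exchange(SAMPLE_PEAP))
```

On a live network the frames would come from a capture on the wired side of the access point or from a packet capture tool; anything arriving as EAPOL-Key (type 3) without a preceding EAP exchange indicates a PSK network rather than EAP-TLS.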
We are a Meraki and SCEPman partner.
Reach out to us for more details and help to get these deployed.