This topic describes how to configure Meraki Access Points (APs) to use OneLogin as a RADIUS server. It also describes how to configure Mac OS X devices to connect to Meraki APs, authenticating using the OneLogin RADIUS server.
OneLogin has a RADIUS server interface that will accept RADIUS authentication requests from devices that support the RADIUS protocol, like Meraki AP devices. When OneLogin receives an Access-Request message, the user is authenticated against the directory linked to the user.
To configure a Meraki AP to use the OneLogin RADIUS server, you must:
- Configure OneLogin RADIUS server
- Configure your Meraki SSID RADIUS settings
- OneLogin RADIUS server supports the PAP and EAP-TTLS/PAP authentication schemes
- Your Meraki AP must use WPA-2 Enterprise with RADIUS.
You cannot use Meraki Splash pages hosted by Meraki.
OneLogin's RADIUS server will not recognize RADIUS requests that come from Meraki.
Configuring OneLogin RADIUS server
1. Log in to OneLogin as an administrator.
2. Go to Settings > RADIUS.
3. Click the New Configuration button.
   The RADIUS configuration page appears.
4. Enter a name that helps you identify this configuration; for example, "Meraki AP".
5. In the Secret field, enter the string that is defined as the shared secret for your Meraki AP device.
   If you already have a shared secret defined for your Meraki AP, enter it here. If not, you can create one and enter it here. You will re-use it when you configure your Meraki AP device to talk to the OneLogin RADIUS server.
   Your shared secret should be random, at least 22 characters long, and can use any standard alphanumeric and special characters.
   Note. If you create a new shared secret, it can take up to an hour to be usable due to caching.
6. Enter the IP address of your Meraki AP device.
   You can enter more than one, separated by spaces.
7. Click Save.
8. Confirm your attribute mappings.
   After you click Save, the Attributes section shows the mapping of RADIUS attributes (left) to OneLogin attributes (right).
   By default, the OneLogin RADIUS service uses the OneLogin Email as the RADIUS User-Name and the OneLogin Password as the RADIUS User-Password.
   For a typical Meraki AP device that uses username and password for authentication, accept these defaults.

Your OneLogin configuration is done. Now you can configure your Meraki SSID RADIUS settings.
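With plain PAP, the shared secret entered above is the only thing that protects the User-Password attribute between the RADIUS client and the server, which is why it should be long and random. The following added example (not OneLogin or Meraki code; the function names are hypothetical) implements the User-Password hiding defined in RFC 2865 section 5.2 and generates a secret that meets the 22-character minimum, using a constructed sample password.

```python
import hashlib
import secrets
import string

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as the RADIUS client does it."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1..128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()  # keystream block from the secret
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev  # each hidden block feeds the next MD5 input
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as the RADIUS server does it with its copy of the secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")  # strip the zero padding

def new_shared_secret(length: int = 32) -> str:
    """Random alphanumeric secret; 22 characters is the minimum the page gives."""
    if length < 22:
        raise ValueError("shared secret should be at least 22 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    secret = new_shared_secret().encode()
    request_authenticator = secrets.token_bytes(16)
    sample = b"constructed-sample-password"  # constructed value, 27 bytes -> 2 blocks
    hidden = hide_password(sample, secret, request_authenticator)
    print(len(hidden), reveal_password(hidden, secret, request_authenticator))
```

With EAP-TTLS/PAP the password instead travels inside the TLS tunnel to the RADIUS server, so the certificates trusted in the WiFi profile carry that protection.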
Configuring your Meraki SSID RADIUS settings
1. Log in to your Meraki AP as an administrator.
2. Go to Wireless > SSIDs.
3. On the Access control line, click edit settings.
4. On the Access control page, configure the following fields.
   - WPA2-Enterprise with: my RADIUS server
   - WPA encryption mode: WPA2 only
   - Host: Enter the IP address of the OneLogin RADIUS service endpoint you use:
     - Primary US (radius.us.onelogin.com):
     - Secondary US (radius2.us.onelogin.com):
     - Primary EU (radius.eu.onelogin.com):
     - Secondary EU (radius2.eu.onelogin.com):
   - Secret: Your RADIUS Secret (as configured in OneLogin)
5. Click Save Changes.

Your Meraki configuration is done. Now you can create your WiFi profile.
Creating and installing a WiFi profile
To give your users access to the Meraki AP using OneLogin RADIUS, you must create a WiFi profile and install it on your users' devices. The method you use to create the WiFi profile, distribute it, and install it, depends on your organization's preferred tools and procedures. This article describes how to:
- Create the WiFi profile for Mac OS X devices using Apple Configurator 2
- Install the WiFi profile on Mac OS X devices
You can use alternative applications (like Apple Profile Manager) to create and distribute the WiFi profile. No matter how you create the WiFi profile, it must include:
- The SSID of your Meraki AP
- The OneLogin RADIUS certificate and intermediate CA certificate (trusted in the profile):
- A Security Type of WPA2-Enterprise
- An authentication scheme of EAP-TTLS/PAP
Creating your WiFi profile using Apple Configurator 2
Note. These instructions use Apple Configurator 2, which requires Mac OS X 10.11 (El Capitan) and above. You could also use Apple Profile Manager on Mac OS X Server 10.7 and above to create and push your WiFi profile. For more information, see your Apple Profile Manager documentation.
1. Download the OneLogin RADIUS certificate and intermediate CA certificate:
   - RapidSSL SHA256 CA - G3
2. In Apple Configurator 2, go to File > New Profile.
3. In the General section, set the Name and Identifier values.
4. Go to the Certificates section, and click Configure.
5. Select the OneLogin RADIUS certificate (*.eu.onelogin.com.cer) that you downloaded in step 1.
   Note. The file may display as
6. Confirm that the certificate was added.
   Since you are installing the certificate for the first time, the page will display a warning that the certificate was signed by an unknown authority.
7. Click the Add button to select and add the intermediate CA certificate (gv.crt) that you downloaded in step 1.
8. Confirm that both certificates were added.
9. Go to the Wi-Fi section, and configure the following fields:
   - SSID: your desired SSID
   - Security Type: WPA2 Enterprise (iOS 8 or later except Apple TV)
   - Accepted EAP Types: TTLS
   - Inner Authentication: PAP

   Note that Enterprise Settings options do not appear until after you have selected the Security Type.
10. Under Enterprise Settings, select the Trust tab and select the checkbox for both *.us.onelogin.com (or *.eu.onelogin.com) and RapidSSL SHA256 CA - G3.
11. Save your WiFi profile.
    Go to File > Save. When the dialog appears, warning you that the profile requires user input when installed on a device, click Save Anyway.

Your WiFi profile configuration is done. Now you can transfer and install this profile on any Mac OS X machine that will need to connect to your WiFi network using OneLogin RADIUS server for authentication.
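Before distributing the saved profile, it is worth checking that it really contains the settings listed above, in particular that both certificates are selected as trusted: without them the client cannot verify the RADIUS server before the PAP password is sent through the tunnel. The following added example (not part of the original article or of any Apple or OneLogin tool) audits an unsigned `.mobileconfig` file; the function names, SSID, UUIDs and certificate bytes are constructed placeholders, while the payload keys are those of Apple's Wi-Fi and certificate payloads.

```python
import plistlib

TTLS = 21  # EAP method number for EAP-TTLS in AcceptEAPTypes
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def audit_wifi_profile(data: bytes, ssid: str) -> list:
    """Return the problems found; an empty list means the profile matches the page."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    certs = {p.get("PayloadUUID") for p in payloads
             if p.get("PayloadType") in CERT_TYPES}
    wifi = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"
            and p.get("SSID_STR") == ssid]
    if not wifi:
        return ["no Wi-Fi payload for SSID %r" % ssid]
    problems = []
    for p in wifi:
        eap = p.get("EAPClientConfiguration", {})
        if p.get("EncryptionType") != "WPA2":
            problems.append("EncryptionType is not WPA2")
        if eap.get("AcceptEAPTypes") != [TTLS]:
            problems.append("accepted EAP types are not TTLS only")
        if eap.get("TTLSInnerAuthentication") != "PAP":
            problems.append("inner authentication is not PAP")
        anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
        if len(anchors) < 2:
            problems.append("fewer than two trusted certificates selected")
        if anchors - certs:
            problems.append("trust anchor points at a certificate not in the profile")
    return problems

def sample_profile(trusted: bool) -> bytes:
    """Constructed profile: SSID, UUIDs and certificate bytes are placeholders."""
    uuids = ["CERT-RADIUS", "CERT-INTERMEDIATE"]
    certs = [{"PayloadType": "com.apple.security.pkcs1", "PayloadUUID": u,
              "PayloadContent": b"placeholder, not a real certificate"} for u in uuids]
    eap = {"AcceptEAPTypes": [TTLS], "TTLSInnerAuthentication": "PAP",
           "PayloadCertificateAnchorUUID": uuids if trusted else []}
    wifi = {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-1",
            "SSID_STR": "Example-SSID", "EncryptionType": "WPA2",
            "EAPClientConfiguration": eap}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": certs + [wifi]})

if __name__ == "__main__":
    for trusted in (True, False):
        print(trusted, audit_wifi_profile(sample_profile(trusted), "Example-SSID"))
```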
Installing the WiFi profile on client Mac OS X machines
Note. These instructions use Apple Configurator 2. If you use Apple Profile Manager on OS X Server, you can push the WiFi profile directly to Mac OS X client machines.
1. Transfer the WiFi profile file (.mobileconfig) that you created above to the client machines that you want to enable to connect to your WiFi network.
2. On the client Mac OS X machine, open the WiFi profile file (
3. Click Continue on each dialog that appears.
4. On the Enterprise Network dialog, enter your OneLogin Username (email) and Password, and click Install.
5. When OS X asks for your local machine admin credentials, enter them and click OK.

The WiFi profile is now installed on the client machine.
You can now select the SSID from the list of available WiFi networks and connect.