https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454922#M12749 <P>Take a look at this access manager + cloud pki guide</P><P><A href="https://www.hypershift.com/blog/meraki-intune-cloud-pki" target="_blank" rel="nofollow noopener noreferrer">https://www.hypershift.com/blog/meraki-intune-cloud-pki</A></P> Wed, 20 Aug 2025 23:22:06 GMT gary5555 2025-08-20T23:22:06Z https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454916#M12743 <P>Hi folks,</P><P>we want to use the Access Manager for a customer deployment for local 802.1X Authentication.</P><P>We have hybrid Win 11 notebooks with Microsoft Cloud PKI over intune. We deliver computer certificates to the clients. Now we want to authenticate with this certificate against the access Manager. </P><P>We build a policy that says if in the cert ist XXX than allow access. We do not want to lookup to Entra ID, we only want to get access for client with certificate present in the first step.</P><P>If we deploy the config to the switch, we see in the log that the field with the computername is extracted from the local cert. But than the Access Manager throws an error:</P><P>Session Id</P><P>bf302f75-ee18-4c48-9731-6aa6ea894261</P><P>Time</P><P>Mar 21 06:57:38</P><P>Status</P><P>Failed</P><P>Failure/ Rejection info</P><P>Reason</P><P>There was an internal server error occured in authentication flow.</P><P>Suggested action</P><P>Please verify configurations and retry. We are taking a look. Please report if this issue is not fixed.</P><P><STRONG>User</STRONG></P><P>Username</P><P>host/XXX-19291600753</P><P>Has anyone the same issue?</P><P>Notice:</P><P>If we use MAB Auth the Access Manager works as well.</P> Fri, 21 Mar 2025 07:04:52 GMT https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454916#M12743 tobias.hoffmann 2025-03-21T07:04:52Z https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454917#M12744 <P>Not on topic, but I think a new Techincal forum should be created just for Access Manager.</P> Fri, 21 Mar 2025 09:52:28 GMT https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454917#M12744 Thomas Obbekaer Thomsen 2025-03-21T09:52:28Z https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454918#M12745 <P>At the moment very few orgs have access to AM as it’s an early preview and not even rolled out fully to the Early Access page.<BR /><BR /></P><P>You may need to contact support to get an answer. If you do please share the resolution.</P> Fri, 21 Mar 2025 13:55:02 GMT https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454918#M12745 mloraditch 2025-03-21T13:55:02Z https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454919#M12746 <P>Hi Guys,</P><P>after i started the conversation here, the log from the access manager changed. Now it seems that the authetication works for me. ihave also opened a ticket but there was no answer yet. Since i got a answer, i will post ist here.</P><P>Thanks</P> Sun, 23 Mar 2025 08:31:03 GMT https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454919#M12746 tobias.hoffmann 2025-03-23T08:31:03Z https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454920#M12747 <P>I don't have access to Access Manager yet ...</P><P>Try configuring the Windows 802.1x policy to only do user authentication (then it won't present computer certificates), and delivering user certificates to the users.</P> Sun, 23 Mar 2025 22:55:24 GMT https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454920#M12747 Philip D'Ath 2025-03-23T22:55:24Z https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454921#M12748 <P>Not exactly the same but similar enough. I ran into the same error when using 802.1x EAP-TLS with an Intune Cloud PKI issued user (not device) certificate.<BR /><BR />My error below:</P><DIV class="">Failure/ Rejection info:</DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><STRONG>Reason</STRONG></DIV></DIV><P class="">There was an internal server error occurred in authentication flow.</P></DIV><DIV class=""><DIV class=""><DIV class=""><STRONG>Suggested action</STRONG></DIV></DIV><P class="">Please verify configurations and retry. We are taking a look. Please report if this issue is not fixed.<BR /><BR />In my case, the Subject Common Name of the certificate was using the email address of the Entra ID user and Access Manager was set to use Subject Common Name as the user identity attribute. </P><P class=""> </P><P class="">After verifying my Access Manager and endpoint configuration against the documentation:</P><P class=""><A href="https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/Access_Manager_Certificate_Based_Authentication_-_EAP-TLS_with_Entra_ID_Lookup" target="_blank" rel="noopener nofollow noreferrer">Access Manager Certificate Based Authentication - EAP-TLS with Entra ID Lookup - Cisco Meraki Documentation</A><BR /><A href="https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/Access_Manager_-_EAP-TLS_Client_Configuration_(Windows%2C_macOS_and_iOS)" target="_blank" rel="noopener nofollow noreferrer">Access Manager - EAP-TLS Client Configuration (Windows, macOS and iOS) - Cisco Meraki Documentation</A></P><P class=""> </P><P class="">I could not determine the cause of the error.</P><P class=""><BR />I raised a support case and the engineer suggested that because the Access Manager user identity is an email address which is also used by a Meraki Dashboard SAML administrator, that there is a potential issue/conflict here, wording from support below:</P><P class=""> </P><P class="">"<SPAN>I have analysed backend logs from this organization and could not see any issues or errors being reported about the Access Manager process.</SPAN></P><P class=""> </P><P class=""><SPAN>However, the account that is used to authenticate, is also a SAML administrator in Dashboard. Since SAML administrator account email cannot be used for a Client VPN or Meraki Cloud Authentication (RADIUS) user accounts, we might be running into the same issue here."</SPAN><BR /><BR />I was able to resolve this in my case by changing the Subject Common Name on my user certificate to OnPremisesSamAccountName, authentications with this configuration are working as expected. <BR /><BR />As this was only a PoC/testing for me, I have not tested my original configuration (Subject Common Name using Entra ID user's email address) with a user who is not a Meraki Dashboard SAML admin. <BR /><BR /></P></DIV></DIV> Tue, 08 Apr 2025 09:02:26 GMT https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454921#M12748 ShaunBirrell 2025-04-08T09:02:26Z https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454922#M12749 <P>Take a look at this access manager + cloud pki guide</P><P><A href="https://www.hypershift.com/blog/meraki-intune-cloud-pki" target="_blank" rel="nofollow noopener noreferrer">https://www.hypershift.com/blog/meraki-intune-cloud-pki</A></P> Wed, 20 Aug 2025 23:22:06 GMT https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454922#M12749 gary5555 2025-08-20T23:22:06Z https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454923#M12750 <P>Following the thread..</P> Thu, 30 Oct 2025 01:47:46 GMT https://community.cisco.com/t5/cloud-networking-platform/access-manager-configuration-eap-tls/m-p/5454923#M12750 Nits4stockland 2025-10-30T01:47:46Z