topic Re: Access Manager and EAP-TLS in Cloud Networking Platform

Access Manager and EAP-TLS

stu84773 — Fri, 11 Jul 2025 10:03:24 GMT

I'm currently evaluating Meraki Access Manager for EAP-TLS certificate-based authentication, and I'm a bit unclear on the CA requirements.

Some earlier articles I've come across suggest that third-party or external CAs may not be required, implying that Meraki might handle certificate issuance internally. However, in the Access Manager interface, I only see an option to upload CA certificates, which seems to indicate we’d need to bring our own PKI.

Can someone clarify:
Do we need to use our own Certificate Authority (e.g., Microsoft CA, SecureW2, etc.) for EAP-TLS authentication with Access Manager, or is there a built-in Meraki CA that can issue and manage certificates for clients?

Thanks in advance.

Re: Access Manager and EAP-TLS

aleabrahao — Fri, 11 Jul 2025 10:24:18 GMT

No, Meraki Access Manager does not currently include a built-in Certificate Authority (CA) to issue client certificates.

Meraki does provide its own RADIUS server certificate (used by Access Manager and local RADIUS on MR) that you can download and install on client devices to ensure trust during the TLS handshake.

Access Manager - EAP-TLS Client Configuration (Windows, macOS and iOS) - Cisco Meraki Documentation

However, when you use Meraki MDM, you can use Meraki certificates.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_EAP-TLS_Wireless_Authentication_with_Systems_Manager_Sentry_Wifi#Configuring_EAP-TLS_using_Systems_Manager_Sentry_WiFi_Security

Re: Access Manager and EAP-TLS

Blue_Bird — Fri, 11 Jul 2025 13:34:55 GMT

Check this:

Access Manager Certificate Based Authentication - EAP-TLS with Entra ID Lookup - Cisco Meraki Docume...
Access Manager - EAP-TLS Client Configuration (Windows, macOS and iOS) - Cisco Meraki Documentation

Thanks

Re: Access Manager and EAP-TLS

eduardo-nunez — Fri, 11 Jul 2025 21:29:52 GMT

I am using a root certificate from one of our Windows domain controllers and I am getting this error. Any thoughts?

Failure/ Rejection info

Reason

The provided certificate is untrusted. This might be due to its signer being disabled, extra or duplicate certificates in the chain, or another untrusted reason.

Suggested action

Verify that the certificate chain does not contain duplicate or unnecessary certificates. Additionally, refer to the certificates page to ensure the signer is enabled and the chain is valid.

Re: Access Manager and EAP-TLS

Philip D'Ath — Mon, 14 Jul 2025 01:21:14 GMT

Meraki Access Manager does not include a CA.

However, Meraki Systems Manager does - and Meraki Access Manager can use those certificates.

https://documentation.meraki.com/SM/Profiles_and_Settings/Certificates_in_Meraki_Systems_Manager

https://documentation.meraki.com/SM/Profiles_and_Settings/Certificates_Payload_(Pushing_Certificates)

I've also set it up using Microsoft Intune CloudPKI.

You could use a Microsoft CA server in an AD environment and configure group policy to deploy certificates to machines/users.

Re: Access Manager and EAP-TLS

rhinkamper1 — Tue, 12 Aug 2025 20:08:55 GMT

I am working through this myself as there is no documentation on how to do this with a Windows CA. But what I have come up with so far is.

You have to setup user certificate auto enrollment.
Take special note of how you manually configure the Wifi connection and configure your GPO accordingly. https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/Access_Manager_-_EAP-TLS_Client_Configuration_(Windows%2C_macOS_and_iOS)

I have gotten it to work with an endpoint certificate, and I am now working on the user part with Entra.

Re: Access Manager and EAP-TLS

gary5555 — Wed, 20 Aug 2025 23:24:36 GMT

Take a look at this access manager + cloud pki guide

https://www.hypershift.com/blog/meraki-intune-cloud-pki

Re: Access Manager and EAP-TLS

edondurguti — Thu, 11 Sep 2025 14:54:52 GMT

Make sure upload and *Enable* your CA, then have your client configured to use a cert issues by your CA, create a access rule to match the CA [like common name]

Re: Access Manager and EAP-TLS

rhinkamper1 — Thu, 29 Jan 2026 22:05:00 GMT

I got a quote for Access Manager, and the pricing is ridiculous. The fact that I have to pay the amount of money they quoted me so I can securely do NAC on their hardware is ridiculous.

Re: Access Manager and EAP-TLS

joey.debra — Fri, 30 Jan 2026 13:10:51 GMT

The prices are a bit lower than ISE session licenses. And I do believe an ISE like environment is running the radius services.

They could of course do a little extra effort and provide full blown profiling and perhaps an optional native cloud PKI so you don't need to rely on MS Cloud PKI or SCEPman.