topic Re: AuthN issues with EAP-TLS via Access Manager in Cloud Networking Platform

AuthN issues with EAP-TLS via Access Manager

ygurra1 — Wed, 22 Oct 2025 15:32:30 GMT

Hello Team,

We are trying to adapt the Access Manager to our organization and we successfully did so for EAP-TTLS ( authN via username and password ) however we're experiencing issues with authN via certificate ( EAP-TLS method ). We have followed the documentations below but still with no success as we're receiving the following errors:

This indicates something on suplicant side even though we have looked carefully many times to be aligned with the documentation. Could you please provide us any hint what we could miss here ?

These are the documentations we've been following:
https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/EAP-TLS_Certificate-Based_Authentication_with_Entra_ID_Lookup
https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/EAP-TLS_Client_Configuration

Thanks in advance

Re: AuthN issues with EAP-TLS via Access Manager

aleabrahao — Wed, 22 Oct 2025 16:34:43 GMT

Have you tried temporarily disabling server certificate validation to test if the chain of trust is the issue?

Re: AuthN issues with EAP-TLS via Access Manager

Philip D'Ath — Wed, 22 Oct 2025 19:21:13 GMT

Since the supplicant is not responding - you need to look at that end. For example, if it is a Windows machine, check the event viewer.

Make sure the machine has a valid user/machine certificate. What are you using to issue your certificates?

Re: AuthN issues with EAP-TLS via Access Manager

ygurra1 — Mon, 12 Jan 2026 15:16:18 GMT

Hi @alessandrodematos & @Philip D'Ath,

Thanks for your valuable answers. We discovered that we were trying to validate a user group match in Entra ID at the same time as the machine certificate. This didn't work, likely because the machine certificate has no relationship with user groups in Entra ID.

Is there a way to check both simultaneously? My goal is to use dynamic VLAN assignment based on the user's group membership.

Thanks in advance!

Re: AuthN issues with EAP-TLS via Access Manager

Philip D'Ath — Mon, 12 Jan 2026 18:32:48 GMT

Deploy user certificates and match on those instead of machine certificates.

I have not tested it, but you could see if TEAP is supported. TEAP supports doing both machine and user authentication.

However, if you deployed a user certificate to a trusted machine - the machine is already trusted.

Re: AuthN issues with EAP-TLS via Access Manager

thomas — Thu, 29 Jan 2026 00:57:36 GMT

The endpoint does not trust the Access Manager certificate which comes from IdenTrust.

Read the ReadMe file in the cert download for CN matching restrictions.