7825 Views | 1 Helpful | 11 Replies

Access Manager and EAP-TLS

stu84773
Community Member

I'm currently evaluating Meraki Access Manager for EAP-TLS certificate-based authentication, and I'm a bit unclear on the CA requirements.

Some earlier articles I've come across suggest that third-party or external CAs may not be required, implying that Meraki might handle certificate issuance internally. However, in the Access Manager interface, I only see an option to upload CA certificates, which seems to indicate we’d need to bring our own PKI.

Can someone clarify:
Do we need to use our own Certificate Authority (e.g., Microsoft CA, SecureW2, etc.) for EAP-TLS authentication with Access Manager, or is there a built-in Meraki CA that can issue and manage certificates for clients?

Thanks in advance.

11 Replies

aleabrahao
Meraki Community All-Star

No, Meraki Access Manager does not currently include a built-in Certificate Authority (CA) to issue client certificates.

Meraki does provide its own RADIUS server certificate (used by Access Manager and local RADIUS on MR) that you can download and install on client devices to ensure trust during the TLS handshake.

Access Manager - EAP-TLS Client Configuration (Windows, macOS and iOS) - Cisco Meraki Documentation

However, when you use Meraki MDM, you can use Meraki certificates.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_EAP-TLS_Wireless_Authentication_with_Systems_Manager_Sentry_Wifi#Configuring_EAP-TLS_using_Systems_Manager_Sentry_WiFi_Security

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I am using a root certificate from one of our Windows domain controllers and I am getting this error. Any thoughts?

Failure/ Rejection info
Reason

The provided certificate is untrusted. This might be due to its signer being disabled, extra or duplicate certificates in the chain, or another untrusted reason.

Suggested action

Verify that the certificate chain does not contain duplicate or unnecessary certificates. Additionally, refer to the certificates page to ensure the signer is enabled and the chain is valid.

I am working through this myself as there is no documentation on how to do this with a Windows CA. But what I have come up with so far is:

  1. You have to setup user certificate auto enrollment.
  2. Take special note of how you manually configure the Wifi connection and configure your GPO accordingly. https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/Access_Manager_-_EAP-TLS_Client_Configuration_(Windows%2C_macOS_and_iOS)

I have gotten it to work with an endpoint certificate, and I am now working on the user part with Entra.

Philip D'Ath
Meraki Community All-Star

Meraki Access Manager does not include a CA.

However, Meraki Systems Manager does - and Meraki Access Manager can use those certificates.

https://documentation.meraki.com/SM/Profiles_and_Settings/Certificates_in_Meraki_Systems_Manager

https://documentation.meraki.com/SM/Profiles_and_Settings/Certificates_Payload_(Pushing_Certificates)

I've also set it up using Microsoft Intune CloudPKI.

You could use a Microsoft CA server in an AD environment and configure group policy to deploy certificates to machines/users.

gary5555
Visitor

Take a look at this access manager + cloud pki guide

https://www.hypershift.com/blog/meraki-intune-cloud-pki

edondurguti
Level 7

Make sure you upload and *Enable* your CA, then have your client configured to use a cert issued by your CA, and create an access rule to match the CA [like common name].

rhinkamper1
Community Member

I got a quote for Access Manager, and the pricing is ridiculous. The fact that I have to pay the amount of money they quoted me so I can securely do NAC on their hardware is ridiculous.

joey.debra
Meraki Community All-Star

The prices are a bit lower than ISE session licenses. And I do believe an ISE like environment is running the radius services.

They could of course do a little extra effort and provide full blown profiling and perhaps an optional native cloud PKI so you don't need to rely on MS Cloud PKI or SCEPman.

ajc
Level 11

I am trying the same thing but using MOSYLE/SCEP to deploy a wifi certificate profile into iMac/Macbooks and got the same error message described by another comment. The link to Hypershift gives me some clues but I would have to take a packet capture from Meraki Dashboard AP to see what is going on with the failed connection.

We will also try Airwatch MDM for iPads, hoping that ones works. The wifi profile that we deployed with BOTH MDM's work fine with Cisco ISE EAP-TLS, but not with Access Manager.

We cannot configure 50K+ devices using the "manual" instructions from Meraki documentation. 

Philip D'Ath
Meraki Community All-Star

I have a vague recollection of issues when using SCEP to deploy certificates to Apple devices from a Microsoft CA server.

Sorry, this is vague, it was a while ago. I'm hoping this might get you "searching" in the correct direction.
But we ran into an issue where the root CA certificate itself was not using strong enough encryption. We had to upgrade the key size, hash, and cryptographic algorithms on the CA root certificate itself. Some part of the equation (and I don't remember exactly what at the moment) refused the connection because it failed this check.
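As an added example that is not part of this thread and not Meraki's or Microsoft's code: a PowerShell check you can run on a domain-joined Windows client after auto-enrollment, covering the "provided certificate is untrusted ... duplicate certificates in the chain" rejection quoted earlier and the weak-root-key point in the reply above. It builds the chain the supplicant will present, flags duplicate or non-self-signed terminations, reports the root's key size and signature hash, and writes out only the root CA as PEM for the Access Manager upload. The issuer name "Contoso", the LocalMachine\My store and the PEM upload format are assumptions for the example.

```powershell
# Added example (not from the thread or from Meraki). Audits the EAP-TLS client
# certificate on a Windows client and exports the root CA as PEM for upload.
# Assumptions (hypothetical): the issuing CA's DN contains "Contoso"; the client
# cert lives in Cert:\LocalMachine\My; Access Manager accepts a PEM root.
param(
    [string] $IssuerMatch   = 'Contoso',               # assumed substring of your CA name
    [string] $StoreLocation = 'Cert:\LocalMachine\My', # Cert:\CurrentUser\My for user certs
    [string] $RootOut       = (Join-Path $env:TEMP 'root-ca.pem')
)
$ErrorActionPreference = 'Stop'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for EAP-TLS

function Get-Eku([System.Security.Cryptography.X509Certificates.X509Certificate2] $c) {
    $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

# 1. Newest cert from our CA that has a private key and the clientAuth EKU.
$cert = Get-ChildItem $StoreLocation |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" -and ((Get-Eku $_) -contains $ClientAuthOid) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No client-auth certificate issued by '*$IssuerMatch*' with a private key in $StoreLocation" }
"Client cert : $($cert.Subject)  (expires $($cert.NotAfter))"

# 2. Build the chain as the supplicant would. Revocation is skipped here because
#    the point is the chain shape, not CRL reachability from this host.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain status: $($_.Status) - $($_.StatusInformation.Trim())" }
}
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
"Chain length: $($elements.Count)"

# 3. The rejection text blames duplicate or extra certificates, so check for both.
$dupes = $elements | Group-Object Thumbprint | Where-Object Count -gt 1
if ($dupes) { Write-Warning "Duplicate certificates in chain: $($dupes.Name -join ', ')" }
$root = $elements[-1]
if ($root.Subject -ne $root.Issuer) { Write-Warning "Chain does not end in a self-signed root; the uploaded CA will not match" }
$intermediates = $elements | Select-Object -Skip 1 | Where-Object { $_.Thumbprint -ne $root.Thumbprint }
foreach ($ca in $intermediates) { "Intermediate: $($ca.Subject)  [$($ca.Thumbprint)]" }
"Root CA     : $($root.Subject)  [$($root.Thumbprint)]"

# 4. Root key strength and signature hash (the failure mode in Philip D'Ath's reply).
$rsa    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($root)
$sigAlg = $root.SignatureAlgorithm.FriendlyName
if ($rsa -and $rsa.KeySize -lt 2048) { Write-Warning "Root CA key is only $($rsa.KeySize)-bit RSA; re-key the root" }
if ($sigAlg -match 'md5|sha1')      { Write-Warning "Root CA is signed with $sigAlg; re-issue with SHA-256" }
"Root key    : $(if ($rsa) { "$($rsa.KeySize)-bit RSA" } else { $root.PublicKey.Oid.FriendlyName }), signature $sigAlg"

# 5. Export only the root (no leaf, no duplicates) as PEM with 64-character lines.
$b64   = [Convert]::ToBase64String($root.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
Set-Content -Path $RootOut -Value (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----') -Encoding ascii
"Wrote root CA PEM to $RootOut"
```

Run it on a client that has already auto-enrolled; if the chain shows an intermediate, your issuing CA is subordinate and the CA you upload and enable in Access Manager needs to cover that issuing CA as well, not just the root. The Subject printed in step 1 is the value an access rule matching on common name will see.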