10-22-2025 08:32 AM
Hello Team,
We are trying to adapt the Access Manager to our organization and we successfully did so for EAP-TTLS (authN via username and password); however, we're experiencing issues with authN via certificate (EAP-TLS method). We have followed the documentation below but still with no success, as we're receiving the following errors:
This indicates something on the supplicant side, even though we have looked carefully many times to be aligned with the documentation. Could you please give us any hint as to what we could be missing here?
This is the documentation we've been following:
https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/EAP-TLS_Certificate-Based_Authentication_with_Entra_ID_Lookup
https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/EAP-TLS_Client_Configuration
Thanks in advance
10-22-2025 09:34 AM
Have you tried temporarily disabling server certificate validation to test if the chain of trust is the issue?
10-22-2025 12:21 PM
Since the supplicant is not responding - you need to look at that end. For example, if it is a Windows machine, check the event viewer.
Make sure the machine has a valid user/machine certificate. What are you using to issue your certificates?
01-12-2026 07:16 AM
Hi @alessandrodematos & @Philip D'Ath,
Thanks for your valuable answers. We discovered that we were trying to validate a user group match in Entra ID at the same time as the machine certificate. This didn't work, likely because the machine certificate has no relationship with user groups in Entra ID.
Is there a way to check both simultaneously? My goal is to use dynamic VLAN assignment based on the user's group membership.
Thanks in advance!
01-12-2026 10:32 AM
Deploy user certificates and match on those instead of machine certificates.
I have not tested it, but you could see if TEAP is supported. TEAP supports doing both machine and user authentication.
However, if you deployed a user certificate to a trusted machine - the machine is already trusted.
01-28-2026 04:57 PM
The endpoint does not trust the Access Manager certificate which comes from IdenTrust.
Read the ReadMe file in the cert download for CN matching restrictions.
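The supplicant-side checks suggested in this thread (event viewer, a valid user/machine certificate, and whether the endpoint trusts the IdenTrust-issued Access Manager certificate) can be gathered in one pass. This is an added example, not part of any reply above and not Meraki's own tooling; it assumes a Windows supplicant and an elevated PowerShell session, and matching root certificates on the string `IdenTrust` is an assumption to be compared against the CA certificate in the cert download.

```powershell
# Added example: assumes a Windows supplicant and an elevated PowerShell session.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# 1. Certificates the supplicant could present for EAP-TLS (machine and user stores).
#    Certificates with no EKU extension at all are not listed by this filter.
$certReport = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem $store |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
        ForEach-Object {
            # Build the chain locally to see whether the issuing CA is trusted here.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chainOk = $chain.Build($_)
            $now = Get-Date
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter
                InValidity    = ($now -ge $_.NotBefore -and $now -le $_.NotAfter)
                HasPrivateKey = $_.HasPrivateKey
                ChainBuilds   = $chainOk
                ChainStatus   = ($chain.ChainStatus.Status -join ', ')
            }
        }
}
$certReport | Format-List

# 2. Roots the endpoint trusts for the RADIUS server certificate.
#    Assumption: the relevant root has "IdenTrust" in its subject.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match 'IdenTrust' } |
    Format-List Subject, NotAfter, Thumbprint

# 3. Recent 802.1X errors and warnings from the wireless and wired supplicant logs.
$logs = 'Microsoft-Windows-WLAN-AutoConfig/Operational',
        'Microsoft-Windows-Wired-AutoConfig/Operational'
foreach ($log in $logs) {
    Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
        Select-Object -First 10 -Property TimeCreated, Id, LogName, Message |
        Format-List
}
```

An empty result in step 1 or `HasPrivateKey = False` means the supplicant has nothing usable to present; an empty result in step 2 is consistent with the endpoint not trusting the server certificate.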