Trusted Access setup with SAML authentication?

jason-reed
Community Member

We are looking to implement trusted access on our wireless network. One question I've not been able to find the answer to is will wireless access stop working if your user account in Microsoft Entra is disabled? Or, will you have access until your certificate expires.


aleabrahao
Meraki Community All-Star

Maybe it will help you.

Re: Trusted Access - How do I onboard user? - The Meraki Community

Configure Meraki Dashboard for Single sign-on with Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thanks for the articles, but not really what I'm looking for. I've got MS Entra integration done and it all works just fine. My question is what happens when a user is no longer with the company and his or her Entra account is disabled? Does the device still have Wi-Fi access until the certificate expires?

aleabrahao
Meraki Community All-Star

It is my understanding that when a user leaves the company and their Microsoft Sign-in account is deactivated, the device will still have Wi-Fi access until the certificate expires. This is because authentication is based on the certificate installed on the device, not the current status of the user's account.

I believe that one option to revoke access immediately is to manually revoke the certificate in the Meraki Dashboard. This will prevent the device from authenticating to the network, even if the certificate is still valid.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
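The gap the answer above describes is that a Trusted Access certificate stays valid after the Entra account is disabled unless someone revokes it in Dashboard. The script below is an added example (not from this thread, Meraki, or Microsoft) of the reconciliation check a defender would run to find those certificates and the remaining exposure window; all records are constructed, and pulling the real user and certificate lists from Entra ID and the Meraki Dashboard is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records. In practice the disabled-user list comes from
# Entra ID and the certificate list from the Meraki Dashboard; fetching them
# is assumed to be done elsewhere and is not shown here.

@dataclass(frozen=True)
class IssuedCert:
    serial: str          # certificate serial as listed in Dashboard (constructed)
    upn: str             # user principal name the certificate was issued to
    not_after: datetime  # certificate expiry, UTC
    revoked: bool = False

@dataclass(frozen=True)
class Finding:
    serial: str
    upn: str
    days_remaining: int  # how long the device could still join Wi-Fi

def orphaned_certs(certs, disabled_upns, now):
    """Return still-usable certificates whose owner is disabled in Entra.

    'Usable' means not revoked and not yet expired. Each finding is a device
    that can keep authenticating until not_after unless the certificate is
    revoked in Dashboard, which is the exposure window discussed in the thread.
    """
    disabled = {u.lower() for u in disabled_upns}  # UPNs are case-insensitive
    out = []
    for c in certs:
        if c.revoked or c.not_after <= now:
            continue  # already revoked or expired: nothing to do
        if c.upn.lower() in disabled:
            out.append(Finding(c.serial, c.upn, (c.not_after - now).days))
    # Longest remaining validity first, so it is revoked first.
    return sorted(out, key=lambda f: f.days_remaining, reverse=True)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CERTS = [  # constructed, 90-day validity as in the thread
    IssuedCert("01", "alice@example.com", NOW + timedelta(days=80)),
    IssuedCert("02", "bob@example.com", NOW + timedelta(days=10)),
    IssuedCert("03", "carol@example.com", NOW - timedelta(days=1)),  # expired
    IssuedCert("04", "dave@example.com", NOW + timedelta(days=60), revoked=True),
]
DISABLED = ["Alice@example.com", "bob@example.com", "carol@example.com",
            "dave@example.com", "eve@example.com"]

if __name__ == "__main__":
    for f in orphaned_certs(CERTS, DISABLED, NOW):
        print(f"revoke serial {f.serial} ({f.upn}): usable for {f.days_remaining} more days")
```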

Philip D'Ath
Meraki Community All-Star

I wish I could test this for you, but I'm currently unable to get this part working due to bugs.

This is how it is meant to work:

  • User authenticates to WiFi using a certificate (note that only a certificate works, you can't use a username/password with SAML).
  • Access Manager extracts the username from the certificate.
  • Checks if the account is enabled and applies any per-user access controls

Access is not granted simply because you have a certificate.

There is an alternative authentication system, not using Meraki Access Manager, called "Local Auth," that works this way.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Meraki_Local_Authentication_-_MR_802.1X#Certificate_Caching_(Certificate_Auth)

Thanks for the information. We have thousands of employees across the state and we are trying to find an easy way to keep access secure leveraging Meraki and our Microsoft Entra installation. I can't find a clear answer on the subject. If a user's account is disabled in Entra, will they still be granted Wi-Fi access if they have a valid certificate? We currently have our certificates set to 90 days.
