Access Manager
Cisco Access Manager is an access control product that enables organizations to effortlessly manage network access to their users and endpoints without the need for an external RADIUS integration. As part of the Cisco Meraki dashboard, Access Manager empowers IT teams to enforce, monitor and troubleshoot identity and context-based access seamlessly, eliminating complex configuration and troubleshooting workflows across different management interfaces. Organizations can now quickly and easily scale their network security as their needs evolve by cutting down on infrastructure costs while easing deployment and maintenance efforts.

cs.co/am#tag
Conveniently refer to this document with its shortcut URL: cs.co/am.
Append a #tag to the URL and jump to any section of this document like cs.co/am#licensing.
#8021x | #access-permissions | #access-rules | #adp | #adaptive-policy | #apis | #attributes | #authentication | #authorization | #certificates | #certs | #clients | #community | #config | #configuration | #coterm | #dcloud | #default-rule | #device | #devices | #docs | #documentation | #dot1x | #eas | #eap | #eap-tls | #eap-ttls | #endpoints | #entra-id | #entra | #entraid | #features | #feedback | #ipsk | #license | #licenses | #licensing | #mab | #maximums | #mdm | #mdms | #meraki-organization-users | #mfa | #microsoft-entra-id | #mou | #operators | #orderability | #org-users | #permissions | #policy | #requests | #rule-groups | #scale | #skus | #troubleshooting | #users | #trustsec | #uem | #videos
Licensing
Please see the Cisco Access Manager Licensing and Ordering Guide (cs.co/am-licensing) for all licensing information including trials, procurement of subscriptions or co-terminations or EAs, estimation, consumption, compliance, enforcement and FAQs. It may take up to 48 hours after claiming your Access Manager licenses before you see the Access Manager menu item in your organization dashboard.
Documentation
- Cisco Access Manager (this page) (cs.co/am)
- Cisco Access Manager Data Sheet (cs.co/am-ds)
- Cisco Access Manager - Architecture And Example Use Cases
- Cisco Access Manager / NAC Community | cs.co/am-community
- 2025 Cisco Live Melbourne On-Demand Sessions (requires free registration)
Demos
- ▷ Meraki Minute (cs.co/meraki-minute) > ▷ Cisco Access Manager Demo Playlist | YouTube
- ➚ Cisco Access Manager Self-Guided Demo | Navattic
- ➚ Cisco Access Manager Instant Demo (cs.co/am-demo) : register and view Dashboard with Access Manager
Configuration
Access Rules
The Access Manager > Access Rules page defines a list of rules, evaluated top to bottom, to authorize users and endpoints based on the Attribute Sources available in each RADIUS request. If a rule is not matched, evaluation continues with the next rule in the list until the Default Rule is reached. Only a single rule group, the Default Rule Group, is supported; multiple rules may be added to this group.
The Default Rule is set to Deny Access to ensure security by default. You may change it to Allow Access to monitor access when beginning to deploy Access Manager, or customize it with Allow Restricted Access based on your desired default behavior.
Multiple conditions within a single Access Rule are compounded with an implicit AND operator to provide granular matching for specific authentication scenarios. A rule matches only if ALL the conditions specified in its "What's Matched" section evaluate as True. For simplicity, there are no OR operators or condition groupings.
| Type | Status | Name | What's Matched | Authorization |
|---|---|---|---|---|
| Rule Group | ✅ | Default Rule Group | Any | |
| └ Rule | ✅ | TTLS_Entra_Employees | Network Access: EAP Protocol = EAP-TTLS; Entra_Org: Account Enabled = true, Group = Employees | Adaptive policy = Employees |
| └ Rule | ✅ | TLS_Entra_Employees | Network Access: EAP Protocol = EAP-TLS; Endpoint certificate: Issuer - Common Name = My_Org; Entra_Org: Account Enabled = true, Group = Employees | Adaptive policy = Employees |
| └ Rule | ✅ | TLS_Workstations | Network Access: EAP Protocol = EAP-TLS; Endpoint certificate: Issuer - Common Name = My_Org; Endpoint certificate: Subject - Distinguished Name [Contains] workstation | Adaptive policy = Workstations |
| └ Rule | ✅ | Wireless_IOT_iPSK | Network Access: SSID = IOT; Endpoints: Client group = IOT | Adaptive policy = IOT; Policy based iPSK |
| └ Rule | ✅ | Guests | Network Access: SSID = AM-Guest, Authentication Method = MAB | Adaptive policy = Guest |
| └ Rule | ✅ | Phones | Endpoints: Client group = Phones | VLAN = VOICE; Voice domain |
| └ Rule | ✅ | Cameras | Endpoints: Client group = Cameras | VLAN = CAMERAS; Adaptive policy = Cameras |
| └ Rule | ✅ | Printers | Endpoints: Client group = Printers | Adaptive policy = Printers |
| └ Rule | ✅ | APs | Endpoints: Client group = APs | Adaptive policy = Infrastructure |
| └ Rule | ✅ | Exceptions | Endpoints: Client group = Exceptions | Adaptive policy = Guest |
| └ Rule | ✅ | MAC_is_Private | Endpoints: Private MAC = true | Adaptive policy = Guest |
| └ Rule | ✅ | MAC_OUI_Match | RADIUS: Calling-Station-Id [Starts with] 01:23:45 | Adaptive policy = IoT |
| └ Rule | ✅ | MAC_Exact | RADIUS: Calling-Station-Id = 01:23:45:67:89:ab | Deny Access |
| Rule | ✅ | Default Rule | Any | Deny Access |
Attributes & Sources
Attribute Sources have many attributes allowing you to create Access Rules with multiple conditions for a granular policy match.

Operators
Most attributes are strings with the default string operators: [Starts with, Ends with, Contains].
Number type operators are: [Equals, Greater than, Greater than or Equal, Less than, Less than or Equal].
Some attributes offer specific, enumerated values to choose:
Endpoints
- Client Group : [Match all, Match any]
- Private MAC : [True, False]
- Source : [Discovered, Provisioned]
Network Access
- Authentication Method : [EAP, MAB]
- Connection Method : [Wired, Wireless]
- EAP Protocol : [EAP-TLS, EAP-TTLS]
- Network : [choose one or more network names]
- SSID : [choose one or more SSID names]
RADIUS
- NAS-Port-Type : [Ethernet, IEEE 802.11, Virtual]
- Service-Type : [Call Check, Framed, Login]
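The evaluation model described under Access Rules (top-to-bottom, first match wins, implicit AND between conditions, Default Rule as the catch-all) together with the string and number operators listed above, as an added Python example. This is not Cisco's code: the rule and attribute names are taken from the example table on this page, the request dictionaries are constructed sample data, and the case-insensitive string matching is an assumption about how the dashboard compares strings.

```python
"""First-match access rule evaluation, modelled on the Access Rules page.
Added example, not Cisco Access Manager code. Attribute source and
operator names follow the page's tables; data structures are hypothetical."""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Callable

# String operators (Starts with / Ends with / Contains) and number operators
# from the Operators section. Case-insensitive string comparison is an assumption.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "Equals": lambda a, b: a == b,
    "Starts with": lambda a, b: str(a).lower().startswith(str(b).lower()),
    "Ends with": lambda a, b: str(a).lower().endswith(str(b).lower()),
    "Contains": lambda a, b: str(b).lower() in str(a).lower(),
    "Greater than": lambda a, b: a > b,
    "Greater than or Equal": lambda a, b: a >= b,
    "Less than": lambda a, b: a < b,
    "Less than or Equal": lambda a, b: a <= b,
}


@dataclass
class Condition:
    source: str       # Attribute Source, e.g. "Network Access", "Endpoints", "RADIUS"
    attribute: str    # e.g. "EAP Protocol", "Calling-Station-Id"
    operator: str     # key of OPERATORS
    value: Any

    def matches(self, request: dict) -> bool:
        actual = request.get(self.source, {}).get(self.attribute)
        if actual is None:   # attribute absent from this request: the condition cannot match
            return False
        return OPERATORS[self.operator](actual, self.value)


@dataclass
class Rule:
    name: str
    conditions: list[Condition]
    authorization: str
    enabled: bool = True

    def matches(self, request: dict) -> bool:
        # Implicit AND: every condition must be True. There is no OR and no grouping.
        return self.enabled and all(c.matches(request) for c in self.conditions)


def evaluate(rules: list[Rule], default: Rule, request: dict) -> tuple[str, str]:
    """Return (rule name, authorization) of the first matching rule, else the Default Rule."""
    for rule in rules:
        if rule.matches(request):
            return rule.name, rule.authorization
    return default.name, default.authorization


def rule_hit_counts(rules: list[Rule], default: Rule, requests: list[dict]) -> Counter:
    """How often each rule fires over a batch of requests; useful when ordering rules."""
    counts = Counter({r.name: 0 for r in rules + [default]})
    for req in requests:
        counts[evaluate(rules, default, req)[0]] += 1
    return counts


# A subset of the example rule table, in the order shown on the page.
RULES = [
    Rule("TLS_Workstations", [
        Condition("Network Access", "EAP Protocol", "Equals", "EAP-TLS"),
        Condition("Endpoint certificate", "Issuer - Common Name", "Equals", "My_Org"),
        Condition("Endpoint certificate", "Subject - Distinguished Name", "Contains", "workstation"),
    ], "Adaptive policy = Workstations"),
    Rule("Phones", [Condition("Endpoints", "Client group", "Equals", "Phones")],
         "VLAN = VOICE; Voice domain"),
    Rule("MAC_is_Private", [Condition("Endpoints", "Private MAC", "Equals", True)],
         "Adaptive policy = Guest"),
    Rule("MAC_OUI_Match", [Condition("RADIUS", "Calling-Station-Id", "Starts with", "01:23:45")],
         "Adaptive policy = IoT"),
    Rule("MAC_Exact", [Condition("RADIUS", "Calling-Station-Id", "Equals", "01:23:45:67:89:ab")],
         "Deny Access"),
]
DEFAULT = Rule("Default Rule", [], "Deny Access")

# Constructed sample requests (not real session log data).
WORKSTATION_REQUEST = {
    "Network Access": {"EAP Protocol": "EAP-TLS", "Authentication Method": "EAP"},
    "Endpoint certificate": {"Issuer - Common Name": "My_Org",
                             "Subject - Distinguished Name": "CN=workstation-42,OU=Laptops,O=My_Org"},
    "RADIUS": {"Calling-Station-Id": "aa:bb:cc:dd:ee:ff"},
}
OUI_REQUEST = {
    "Network Access": {"Authentication Method": "MAB"},
    "Endpoints": {"Private MAC": False},
    "RADIUS": {"Calling-Station-Id": "01:23:45:67:89:ab"},
}
UNKNOWN_REQUEST = {
    "Network Access": {"Authentication Method": "MAB"},
    "RADIUS": {"Calling-Station-Id": "de:ad:be:ef:00:01"},
}

if __name__ == "__main__":
    for req in (WORKSTATION_REQUEST, OUI_REQUEST, UNKNOWN_REQUEST):
        print(evaluate(RULES, DEFAULT, req))
    print(rule_hit_counts(RULES, DEFAULT, [WORKSTATION_REQUEST, OUI_REQUEST, UNKNOWN_REQUEST]))
```

Running it shows the ordering pitfall the table itself contains: the MAC 01:23:45:67:89:ab is authorized by MAC_OUI_Match (Adaptive policy = IoT) because that broader rule sits above MAC_Exact, so the exact-match Deny Access never fires. Moving the more specific rule above the OUI rule restores the intended deny, which is why specific rules belong above general ones; the hit counter helps decide how far down rarely-matched rules can sit.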
Authentication
There are several authentication options supported for wired or wireless users and endpoints:
- IEEE 802.1X : the standard network authentication protocol that uses the Extensible Authentication Protocol (EAP):
  - EAP-TLS : certificate validation against a trusted certificate authority uploaded to the Organization > Certificates page
  - EAP-TTLS : username+password validation against the list of available users in the Organization > Users page
- Identity Pre-Shared Key (iPSK): a unique, wireless, pre-shared key is defined in an Access Rule's Authorization and returned to the access point to enforce for association.
- MAB (MAC Authentication Bypass) : a Client MAC address, or a Client Group containing the MAC address, is matched within an Access Rule
  - MAC Authentication Bypass (MAB) and iPSK for IOT Endpoints
  - ▷ Access Manager - Non 802.1x capable devices with MAC Authentication Bypass
- Wireless Guests with Splash Access
- Wildcards are supported using various operators on the MAC Address attributes. See Operators.
Authorization
Each Access Rule allows you to customize the Access Permissions from the following choices:
| Permission | Value |
|---|---|
| Deny Access | Default: RADIUS Access-Reject. No session. |
| Allow Access | RADIUS Access-Accept: use the default access permissions on the device. |
| Allow Restricted Access | Allow Access and override the device session defaults with one or more of: VLAN, voice domain, Adaptive Policy (TrustSec), iPSK, or group policy. |
For more details about these segmentation options, see these documents:
- Adaptive Policy (TrustSec) Overview
- iPSK with RADIUS Authentication
- Creating and Applying Group Policies
Clients (Endpoints)
Endpoint MAC addresses are the primary key for many Access Manager databases. Endpoint MAC addresses may be discovered dynamically upon first authentication or they may be provisioned into Access Manager. Provisioning endpoints is critical when using MAB because they typically must be assigned to Client Groups for simplified management in Access Rules. Provisioning endpoints and assigning them to Client Groups may be done individually, by CSV import, or REST API.
Client Groups
Endpoints may be added to one or more Client Groups for simplified management and matching in Access Rules. You may create individual Client Groups manually in the dashboard or use the APIs for large numbers of them. There is no CSV import or export option.

Digital Certificates
Cisco Access Manager may use digital certificates with network devices and endpoints in several ways:
- The RadSec protocol secures communications between network devices and Access Manager using certificates - this is handled automatically for you with the Dashboard management tunnel
- The secure Extensible Authentication Protocol (EAP) tunnel requires the authenticating endpoints to trust the certificate chain presented by Access Manager before they send their credentials
- Certificates used for authentication are validated by Access Manager against authorized CA certificate chains and chosen trusted anchors to authenticate the identity of their subject (endpoints and users).
- Attributes present in authenticated certificates may be used to match conditions in Access Rules and authorize them with specific network permissions.
Upload CA Certificates to Access Manager
Upload any public or private certificate authority (CA) digital certificates that Cisco Access Manager should use to authenticate your endpoint certificates.
▷ Access Manager - Certificate Configuration | YouTube
Endpoint EAP Configuration
Download the Cisco Access Manager certificate and provision to your endpoints' trusted certificates list for the 802.1X + RADIUS authentication process. Access Manager uses the same eap.meraki.com certificate for all RADIUS authentications for all organizations.
We provide these guides for the various authentication methods supported by Cisco Access Manager. It is highly recommended to use unified endpoint management (UEM) tools to provision and maintain your endpoints' authentication settings with the EAP (extensible authentication protocol) protocols at scale.
- EAP-TLS Client Configuration
- EAP-TLS Certificate Based Authentication with Entra ID Lookup
- EAP-TTLS Client Configuration
- EAP-TTLS/PAP Username+Password Authentication with Entra ID Lookup
- Linux workstations use wpa_supplicant to perform wired or wireless 802.1X with certificates or username+password. For large-scale management, consider a UEM or Ansible.
- Trusted Access for Secure Wireless Connectivity - Setup Guide : join endpoints to Meraki MR wireless networks using certificate-based 802.1X authentication without enrolling the device into a UEM platform
- For iPSK, the endpoint's PSK provisioning is highly dependent on the endpoint type, its user interface, and/or any tools provided by the manufacturer.
Unified Endpoint Management (UEM)
Unified endpoint managers (UEMs) - also known as Mobile Device Managers (MDMs) - like Meraki System Manager (SM) are highly recommended for configuring 802.1X and certificates on endpoints. Endpoints provisioned across multiple UEMs are supported if their respective CA chains are added into Access Manager to validate their provisioned certificates.
For examples, see the Documentation section above or ▷ Meraki Minute (cs.co/meraki-minute) > ▷ Meraki SM - Endpoint management
Compliance checking against UEMs is not currently supported by Cisco Access Manager.
Viewing Certificate Attributes
Certificate inspection is typically required to confirm the existence of specific attributes and their expected values for matching Access Rule conditions with the Endpoint Certificate Attribute Source. Both Microsoft Windows and Apple macOS offer ways to view certificate attributes, but openssl is the standard command line utility to create, sign, and view certificates.
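As an added example (not Cisco tooling), the following Python wrapper runs openssl with the options a practitioner would use to see the attributes that Access Rules match on and maps the output onto the attribute names used in the Access Rules UI. It assumes the output layout of `openssl x509 -noout -subject -issuer -ext subjectAltName -nameopt RFC2253` on OpenSSL 1.1.1 or 3.x; the "Subject Alternative Names" label and the embedded sample output are constructed, and the issuer name and "workstation" check mirror the TLS_Workstations rule in the example table.

```python
"""Extract the certificate attributes that Access Rules can match on
(issuer CN, subject DN, subject alternative names) from an endpoint
certificate with openssl. Added example, not Cisco tooling. Assumes the
output layout of:
  openssl x509 -in cert.pem -noout -subject -issuer -ext subjectAltName -nameopt RFC2253
on OpenSSL 1.1.1 / 3.x."""
import re
import subprocess

OPENSSL_ARGS = ["-noout", "-subject", "-issuer", "-ext", "subjectAltName",
                "-nameopt", "RFC2253"]


def openssl_summary(cert_path: str) -> str:
    """Run openssl against a PEM certificate file (needs openssl on PATH)."""
    result = subprocess.run(["openssl", "x509", "-in", cert_path, *OPENSSL_ARGS],
                            check=True, capture_output=True, text=True)
    return result.stdout


def parse_summary(text: str) -> dict:
    """Map the openssl summary onto the attribute names used in the Access Rules UI
    (the SAN label is this example's own naming)."""
    attrs = {
        "Subject - Distinguished Name": None,
        "Issuer - Distinguished Name": None,
        "Issuer - Common Name": None,
        "Subject Alternative Names": [],
    }
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("subject="):
            attrs["Subject - Distinguished Name"] = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            dn = line[len("issuer="):].strip()
            attrs["Issuer - Distinguished Name"] = dn
            # RFC2253 prints RDNs comma separated; CN values with escaped commas
            # are not handled (assumption: plain CN values).
            m = re.search(r"(?:^|,)CN=([^,]+)", dn)
            attrs["Issuer - Common Name"] = m.group(1) if m else None
        elif line.startswith("X509v3 Subject Alternative Name"):
            # openssl prints the SAN entries on the following indented line, comma separated
            if i + 1 < len(lines):
                attrs["Subject Alternative Names"] = [
                    e.strip() for e in lines[i + 1].split(",") if e.strip()]
    return attrs


def matches_tls_workstations(attrs: dict) -> bool:
    """The certificate conditions of the TLS_Workstations rule from the example table:
    Issuer - Common Name = My_Org AND Subject - Distinguished Name [Contains] workstation."""
    subject = attrs.get("Subject - Distinguished Name") or ""
    return (attrs.get("Issuer - Common Name") == "My_Org"
            and "workstation" in subject.lower())


# Constructed sample output for a hypothetical workstation certificate.
SAMPLE_SUMMARY = """subject=CN=workstation-42,OU=Laptops,O=My_Org
issuer=CN=My_Org,O=My_Org
X509v3 Subject Alternative Name:
    DNS:workstation-42.example.com, email:alice@example.com
"""

if __name__ == "__main__":
    import sys
    # Pass a PEM file path to inspect a real certificate; otherwise use the sample.
    text = openssl_summary(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SUMMARY
    for name, value in parse_summary(text).items():
        print(f"{name}: {value}")
```

Check the issuer CN against the CA chain you uploaded under Organization > Certificates and the subject DN against the [Contains] value in your rule before assuming a rule will match; a certificate whose issuer CN differs by one character, or whose DN carries the role in an OU rather than the CN, fails the condition silently and falls through to the Default Rule.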

Users
Cisco Access Manager only supports Microsoft Entra ID as an Identity Provider (IdP). For configuration details, see Organization Users > Microsoft Entra ID . Support for additional identity providers is planned.
Microsoft Entra ID
Cisco Access Manager supports Entra ID user group lookups using both EAP-TLS (certificates) and EAP-TTLS (username+password) authentication. Device (computer) group lookup is currently not supported in the Meraki Users Entra ID sync.
For EAP-TTLS, Entra ID integration synchronizes users, user groups, and user attributes, however password synchronization is not allowed. Therefore, all username and password authentication against Entra ID must be performed every time. This is also why EAP-TTLS authentications are not cached when using Extended Local Authentication.
See our videos and guides for endpoint configuration with Entra ID.
- ▷ Access Manager with Entra as an IDP
- ▷ Access Manager - EAP TLS with Entra ID Lookup
- ▷ Access Manager - EAP TTLS / PAP with Entra ID lookup
Permissions
The following Microsoft Graph API permissions (found under Manage > API Permissions) must be granted to the Access Manager application in Entra ID for the synchronization to complete successfully:
- Grant Admin Consent for your Entra ID Directory
- Microsoft Graph > Application > Group.Read.All
- Microsoft Graph > Application > User.Read.All
- Microsoft Graph > Delegated > User.Read (Required for Access Manager integration)
Multi-Factor Authentication (MFA)
The EAP-TTLS+PAP authentication method does not support multi-factor authentication (MFA). You must exclude the Access Manager App Registration in Entra ID from MFA authentication using Conditional Access Policies.
Meraki Organization Users
Organization local users are not yet supported for 802.1X username + password authentication.
Devices
Cisco Access Manager supports all Cisco Meraki Cloud Configuration wired and wireless devices. For the latest supported switching devices, refer to Cloud Configuration: Release Versions.
| Model | 802.1X | MAB | VLAN | GPACL | TrustSec (Adaptive Policy) |
|---|---|---|---|---|---|
| Wireless (MR 30.7+) | | | | | |
| MR20, MR70 | ✅ | ✅ | ✅ | ✅ | - |
| MR 20/30H/33/42/42E/52/53/53E/74/84 (802.11ac Wave 2); MR 28/36/36H/44/45/46/46E/55/56/57/76/78/86 (802.11ax); CW91XX (Wi-Fi 7, 802.11be) | ✅ | ✅ | ✅ | ✅ | ✅ |
| Switching (MS17+) | | | | | |
| MS120, MS125 | ✅ | ✅ | ✅ | - | - |
| MS130 | ✅ | ✅ | ✅ | ✅ | - |
| MS130X/R, MS150 | ✅ | ✅ | ✅ | ✅ | ✅ |
| MS210, MS225, MS250, MS350, MS355 | ✅ | ✅ | ✅ | ✅ | - |
| MS390, C9200L, C9300-M (CS17.1+, IOS XE 17.15+) | ✅ | ✅ | ✅ | ✅ | ✅ |
| C9200/CX, C9350, C9500H (IOS XE 17.18.1+); see Cloud Configuration: Release Versions for the latest switches and capabilities supporting Configuration source: Cloud | ✅ | ✅ | ✅ | ✅ | ✅ |
| SD-WAN | | | | | |
| MX and Z | - | - | - | - | Only SGT Transport |
This table attempts to summarize the many network device security capabilities and requirements in one place as a convenience to quickly assess general network access enforcement capabilities. Please consult the respective platform documentation for the latest, authoritative hardware and software capability information.
Wireless SSID Security
Access Manager is easy to configure for an SSID's security with only a few clicks.
- Go to Wireless > Configuration > Access Control
- Choose a new or existing SSID
- Give it a Name if it is new
- Select Enabled if disabled
- Choose one of the Security options below and be sure to select Access Manager as the RADIUS server

- Select any other options you would like with your SSID
- Select Save
Any new wireless endpoints that try to associate to your SSID will be authenticated using Access Manager! This makes doing trials and proofs of concept very easy since you do not need to change any behavior on your existing SSIDs to test it. You may even hide the SSID to avoid any users or existing endpoints from being confused by it.
Switch Port Access Policies
Access Policies are used to configure network access control options for switch ports. You may configure multiple access policies then apply them to ports on a single switch or across your organization. Our recommended, default access policy:

- Name: AM_Hybrid_MultiAuth
- Authentication Method: Access Manager - use Access Manager
- Policy Type:
  - 802.1X : use the IEEE 802.1X protocol to authenticate the endpoint with the RADIUS server. Only after a successful authentication does the endpoint get an IP address.
  - MAC authentication bypass : also known as MAB, this policy sends the endpoint's MAC address as a weak form of identity to the RADIUS server (Access Manager) for authentication. If the RADIUS server knows the address, it may assign specific privileges.
  - 🌟 Hybrid authentication : first try 802.1X authentication, but fall back to MAB if the endpoint fails to respond (timeout). This is the most dynamic and flexible, and therefore recommended, policy type.
- Host mode:
  - Single-Host: allow only one MAC address in the data VLAN. ⚠ The port is disabled if the switch detects more than one MAC address, requiring an administrative port reset!
  - Multi-Domain: allow one MAC each in the data VLAN and voice VLAN.
  - Multi-Host: allow multiple MACs in the data VLAN; no voice VLAN.
  - 🌟 Multi-Auth: allow multiple MACs in the data VLAN and one MAC in the voice VLAN.
- 802.1X control direction:
  - 🌟 Both
  - Inbound-Only
- Re-authentication interval: 🌟 28800 - a number, in seconds, defining the session timeout after which the endpoint must re-authenticate. It is recommended to re-authenticate every 8 - 24 hours (28800 - 86400 seconds).
- Concurrent Authentication: send 802.1X and MAB requests to the RADIUS server (Access Manager) in parallel (concurrently).
  - Available only with Hybrid Authentication
  - Faster MAB authentication for endpoints without waiting for the 802.1X timeout
  - ⚠ Final authentication behavior may vary for 802.1X-capable endpoints
  - ⚠ Concurrent requests with 802.1X endpoints effectively double the RADIUS request load on the server
  - ⚠ Not generally recommended except for MAB endpoints with short DHCP timeouts
- ✅ Voice Auth: allow phones into the voice domain
- 🛑 Access Policy features not supported with Access Manager:
  - Disable Port Bounce: disable port bounce when RADIUS servers are unreachable.
  - Critical Auth VLAN: when all the RADIUS servers for this access policy are unavailable, clients that attempt to authenticate are placed into this VLAN (1-4094).
  - Guest VLAN: allow access on this VLAN to devices that don't attempt to authenticate.
  - Failed Auth VLAN: allow devices that failed authentication limited access to the network on this VLAN.
After defining your Access Policies, you simply edit your access switch ports and assign your desired Access Policy.

Endpoints connecting to those switch ports will then be authenticated by Access Manager based on your configured policy.
When testing 802.1X and MAB in access policies with Access Manager, you only need to apply an Access Policy to a single switch port - not an entire switch. This makes it easy to perform a limited proof-of-concept on your production network without needing additional, dedicated lab equipment.
When deploying zero trust network access control across your wired network, this makes it easy to secure specific switches or ports in stages or phases for a controlled rollout.
Sessions
The Session Log page is where you may see all the details of each authentication request received and processed by Access Manager.
There are several states that will be encountered for each log entry:
- ✅ Success: the authentication was successfully matched against an Access Rule and authorized with an Allow Access or Allow Restricted Access (RADIUS Access-Accept).
- ⚠ Rejected: the authentication was successfully matched against an Access Rule with a Deny Access authorization (RADIUS Access-Reject).
- 🛑 Failed: something erroneous happened in processing of the authentication either on the client side, server side, or the communication between them.
Selecting the Status value of an individual row will open a Network Access Details slideout where you may review all of the authentication and authorization attributes sent and returned between the network device and Access Manager. This is extremely helpful when troubleshooting or trying to customize an Access Rule for a particular scenario with a user or endpoint.
Scale
Cisco Access Manager is available globally except in Canada, mainland China, India, and the Meraki FedRAMP cloud.
| Feature | Scale |
|---|---|
| Users | |
| Maximum Microsoft Entra ID Identity Providers (IdPs) | 10 / org |
| Maximum Users synced from Microsoft Entra ID | 150,000 / org |
| Maximum Microsoft Entra ID Groups | 100,000 / org |
| Maximum Microsoft Entra ID User Attributes | 15 |
| Clients | |
| Maximum Clients (MACs) | 500,000 |
| Max client sessions per user | Not configurable |
| Access Rules | |
| Maximum Rule Groups | 1 |
| Maximum Rules | 50 |
| Certificates | |
| Maximum Trusted Certificates | 10 |
| Maximum CRLs | 10 |
There are no limits to the number of endpoints a single set of username+password credentials may be used for.
APIs
Cisco Access Manager has many application programming interfaces (APIs) available for use in the Cisco Meraki Dashboard APIs under Early API Access and Products > nac.
You may test API GET requests directly from your browser:
- Login to your Cisco Meraki Dashboard account normally for your browser to be authenticated and authorized
- Enable Early API Access under Organization > Configure > Early Access if you haven't already
- Open a Meraki Dashboard API GET request within your browser, replacing {orgId} with your organization ID: https://api.meraki.com/api/v1/organizations/{orgId}/nac/license/usage?startDate=2025-10-01
- You should see the respective JSON (JavaScript Object Notation) output returned for either type of request
Alternatively, use curl or another tool to GET / POST / PUT / DELETE requests using environment variables for your MERAKI_ORG_ID and MERAKI_DASHBOARD_API_KEY :
```shell
export MERAKI_DASHBOARD_API_KEY=1234567890123456789012345678901234567890
export MERAKI_ORG_ID=1234567
curl --header "Accept: application/json" \
     --header "Authorization: Bearer $MERAKI_DASHBOARD_API_KEY" \
     --request GET "https://api.meraki.com/api/v1/organizations/$MERAKI_ORG_ID/nac/license/usage?startDate=2025-10-01"
```
Features & Feedback
Cisco Access Manager is a new product with many features planned! Please submit your new feature requests using the Give your feedback button in the footer of any Access Manager page of the Meraki Dashboard.

Troubleshooting
While Access Manager is the policy engine, network access control is a solution involving 4 separate components: the endpoint (supplicant), the network device (switch or access point acting as authenticator), Access Manager (RADIUS server and policy engine), and the identity provider.

When troubleshooting, we are looking for reproducibility of a problem to find the source and address the root cause. Please provide the necessary details to help us help you:
- Expected Behavior : describe the desired scenario or use case you are trying to achieve in one sentence
- Problem Behavior : clearly state the exact error or unexpected result. Include a picture or code output of the problem result. "It doesn't work" is not helpful.
- Environment : share the relevant information about the components in the problem scenario:
  - Endpoint(s): the OS, 802.1X supplicant configuration, credential type, certificate details, etc.
  - Device(s): the hardware model(s), software version, SSID config(s), access policy(s), etc.
  - Access Manager:
    - Monitor > Session Log: the exact Status, Details, and Network Access Details (click on the row)
    - Configure > Access Rules: the Rule, Conditions, and Authorization you expected it to match
    - Configure > Certificates: the expected CA and its Details
    - Configure > Users: IdP Sources are configured + synced and the User is listed with the expected Group(s)
    - Configure > Clients: for MAB or iPSK, the expected Clients are listed and are members of the expected Group(s)
  - Identity Provider(s): Microsoft Entra ID is configured + synced; verify permissions, check the MFA configuration (unsupported), conditional access configuration, etc.
The more detail you provide, the easier it is for others to help you.
Unexpected Authorizations
If an endpoint matches an unexpected authorization rule in the Access Manager > Access Rules page, there are several things to check:
- The first match always wins! It is generally recommended to put more specific rules at the top and more general rules at the bottom (default rule)
- Inspect an endpoint's authentication request attributes in the Access Manager > Session Log page to verify they match your expectation for the scenario
- You may need to include a different attribute or multiple attributes to match the conditions of your desired scenario
You will need to balance the ordering of rules by specificity and authentication frequency to avoid increased latency when checking for scenarios that rarely happen.
Missing Authentications
It is possible that an authentication attempt does not reach the Access Manager RADIUS services. If this occurs, there will be no data populated in the Access Manager > Session Log table. This could happen for many reasons:
- the endpoint (Windows, macOS, iOS, Android, Linux, etc.) may not be configured correctly
- the devices (switching, wireless) may not be configured correctly including licensing, network security choice, Access Policies configuration
- local and WAN network routing, firewalls, and general internet connectivity into the Cisco Meraki regions hosting Access Manager
Troubleshooting should begin on the authenticator device to ensure that the configuration is correct and the authentication is occurring as expected.

