Access Manager
Cisco Access Manager is an access control product that enables organizations to effortlessly manage network access to their users and endpoints without the need for an external RADIUS integration. As part of the Cisco Meraki dashboard, Access Manager empowers IT teams to enforce, monitor and troubleshoot identity and context-based access seamlessly, eliminating complex configuration and troubleshooting workflows across different management interfaces. Organizations can now quickly and easily scale their network security as their needs evolve by cutting down on infrastructure costs while easing deployment and maintenance efforts.

cs.co/am#tag
Conveniently refer to this document with its shortcut URL: cs.co/am.
Append a #tag to the URL and jump to any section of this document, for example cs.co/am#licensing.
#8021x | #access-permissions | #access-rules | #adp | #adaptive-policy | #apis | #attributes | #authentication | #authorization | #certificates | #certs | #clients | #community | #config | #configuration | #coterm | #dcloud | #default-rule | #device | #devices | #docs | #documentation | #dot1x | #eas | #eap | #eap-tls | #eap-ttls | #endpoints | #entra-id | #entra | #entraid | #features | #feedback | #ipsk | #license | #licenses | #licensing | #mab | #maximums | #mdm | #mdms | #meraki-organization-users | #mfa | #microsoft-entra-id | #mou | #operators | #orderability | #org-users | #permissions | #policy | #requests | #rule-groups | #scale | #skus | #troubleshooting | #users | #trustsec | #uem | #videos
Licensing
Please see the Cisco Access Manager Licensing and Ordering Guide (cs.co/am-licensing) for all licensing information including trials, procurement of subscriptions or co-terminations or EAs, estimation, consumption, compliance, enforcement and FAQs. It may take up to 48 hours after claiming your Access Manager licenses before you see the Access Manager menu item in your organization dashboard.
Documentation
- Cisco Access Manager (this page) (cs.co/am)
- Cisco Access Manager Data Sheet (cs.co/am-ds)
- Cisco Access Manager - Architecture And Example Use Cases
- EAP-TLS Client Configuration
- EAP-TLS Certificate Based Authentication with Entra ID Lookup
- EAP-TTLS Client Configuration
- EAP-TTLS/PAP Username/Password Authentication with Entra ID Lookup
- MAC Authentication Bypass (MAB) and iPSK for I/OT Endpoints
- Cisco Access Manager / NAC Community | cs.co/am-community
- 2025 Cisco Live Melbourne On-Demand Sessions (requires free registration)
Demos
- ▷ Meraki Minute (cs.co/meraki-minute) > ▷ Cisco Access Manager Demo Playlist | YouTube
- ➚ Cisco Access Manager Self-Guided Demo | Navattic
- ➚ Cisco Access Manager Instant Demo (cs.co/am-demo) : register and view Dashboard with Access Manager
Configuration
Certificates
Download the Cisco Access Manager certificate and provision it to your endpoints' trusted certificates list for the 802.1X + RADIUS authentication process. Access Manager uses the same eap.meraki.com certificate for all RADIUS authentications for all organizations.
Upload any public or private certificate authority (CA) digital certificates that Cisco Access Manager should use to authenticate your endpoint certificates.
▷ Access Manager - Certificate Configuration | YouTube
Endpoints
Cisco Access Manager can authenticate any endpoints (clients) using IEEE 802.1X, iPSK, or MAC Authentication Bypass (MAB). There is no limit to the number of endpoints a single set of username+password credentials may be used for.
Endpoint (Client) Configuration
We provide these guides for the various authentication methods supported by Cisco Access Manager. It is highly recommended to use unified endpoint management (UEM) tools to provision and maintain your endpoints' authentication settings with the EAP (extensible authentication protocol) protocols at scale.
- EAP-TLS Client Configuration
- EAP-TLS Certificate Based Authentication with Entra ID Lookup
- EAP-TTLS Client Configuration
- EAP-TTLS/PAP Username+Password Authentication with Entra ID Lookup
- Linux workstations use wpa_supplicant to perform wired or wireless 802.1X with certificates or username+password. For large-scale management, consider a UEM or Ansible.
- Trusted Access for Secure Wireless Connectivity - Setup Guide : join endpoints to Meraki MR wireless networks using certificate-based 802.1X authentication without enrolling the device into a UEM platform
- For iPSK, the endpoint's PSK provisioning is highly dependent on the endpoint type, its user interface, and/or any tools provided by the manufacturer.
Unified Endpoint Management (UEM)
Unified endpoint managers (UEMs) like Meraki System Manager (SM) are highly recommended for configuring 802.1X and certificates on endpoints. Multiple UEMs are supported if you add their respective CA chain into Access Manager to authenticate their provisioned certificates.
Compliance checking against UEMs is not supported by Cisco Access Manager.
For examples, see ▷ Meraki Minute (cs.co/meraki-minute) > ▷ Meraki SM - Endpoint management
Endpoint (Client) Groups
You may add endpoint MAC addresses to one or more endpoint Client Groups for simplified management and matching in Access Rules. To provision large numbers of endpoint MAC addresses to one or more Client Groups, the use of APIs is highly recommended, at least for export.
Users
Cisco Access Manager only supports Microsoft Entra ID as an Identity Provider (IdP). For configuration details, see Organization Users > Microsoft Entra ID. Support for additional identity providers is planned.
Microsoft Entra ID
Cisco Access Manager supports Entra ID group lookups for both EAP-TTLS username+password authentication and EAP-TLS certificate-based user and endpoint authentication.
For EAP-TTLS, Entra ID integration synchronizes users, user groups, and user attributes; however, passwords are never synchronized. Therefore, every username and password authentication must be performed against Entra ID at the time of the request. This is also why EAP-TTLS authentications are not cached when using Extended Local Authentication.
See our videos and guides for endpoint configuration with Entra ID.
- ▷ Access Manager with Entra as an IDP
- ▷ Access Manager - EAP TLS with Entra ID Lookup
- ▷ Access Manager - EAP TTLS / PAP with Entra ID lookup
Permissions
The following Microsoft Graph API permissions (found under Manage > API Permissions) must be granted to the Access Manager application in Entra ID for the synchronization to complete successfully:
- Grant Admin Consent for your Entra ID Directory
- Microsoft Graph > Application > Group.Read.All
- Microsoft Graph > Application > User.Read.All
- Microsoft Graph > Delegated > User.Read (Required for Access Manager integration)
Multi-Factor Authentication (MFA)
The EAP-TTLS+PAP authentication method does not support multi-factor authentication (MFA). You must exclude the Access Manager App Registration in Entra ID from MFA authentication using Conditional Access Policies.
Meraki Organization Users
Organization local users are not yet supported for 802.1X username + password authentication.
Devices
Cisco Access Manager supports all Cisco Meraki Cloud Configuration wired and wireless devices. For the latest supported switching devices, refer to Cloud Configuration: Release Versions.
| Model | 802.1X | MAB | VLAN | GPACL | TrustSec (Adaptive Policy) |
|---|---|---|---|---|---|
| Wireless (MR 30.7+) | | | | | |
| MR20, MR70 | ✅ | ✅ | ✅ | ✅ | - |
| MR 20/30H/33/42/42E/52/53/53E/74/84 (802.11ac Wave 2), MR 28/36/36H/44/45/46/46E/55/56/57/76/78/86 (802.11ax), CW91XX (Wi-Fi 7 802.11be) | ✅ | ✅ | ✅ | ✅ | ✅ |
| Switching (MS17+) | | | | | |
| MS120, MS125 | ✅ | ✅ | ✅ | - | - |
| MS130 | ✅ | ✅ | ✅ | ✅ | - |
| MS130X/R, MS150 | ✅ | ✅ | ✅ | ✅ | ✅ |
| MS210, MS225, MS250, MS350, MS355 | ✅ | ✅ | ✅ | ✅ | - |
| MS390, C9200L, C9300-M (CS17.1+, IOS XE 17.15+) | ✅ | ✅ | ✅ | ✅ | ✅ |
| C9200/CX, C9350, C9500H (IOS XE 17.18.1+); see Cloud Configuration: Release Versions for the latest switches and capabilities supporting Configuration source: Cloud | ✅ | ✅ | ✅ | ✅ | ✅ |
| SDWAN | | | | | |
| MX and Z | - | - | - | - | Only SGT Transport |
This table attempts to summarize the many network device security capabilities and requirements in one place as a convenience to quickly assess general network access enforcement capabilities. Please consult the respective platform documentation for the latest, authoritative hardware and software capability information.
Switch Port Access Policies
Access Policies are used to configure network access control options for switch ports.
You may configure multiple access policies then apply different ones to different ports on a single switch or across your organization. Access Policies have these options:
- Name: give it a name
- Authentication Method: select Access Manager
- Policy Type:
- 802.1X : Use IEEE 802.1X protocol to authenticate the endpoint with the RADIUS server. Only after a successful authentication does the endpoint get an IP address.
- MAC authentication bypass : also known as MAB, this policy will send the endpoint's MAC address as a weak form of identity to the RADIUS server (Access Manager) for authentication. If the RADIUS server knows about it, it may assign it specific privileges.
- Hybrid authentication : First try 802.1X authentication, but fall back to MAB if the endpoint fails to respond (timeout). This is the most dynamic and flexible, and therefore the recommended, policy type.
- Host mode
- Single-Host: allow only one MAC address in the data VLAN. ⚠ The port is disabled if the switch detects more than one MAC, requiring an administrative port reset!
- Multi-Domain: allow one MAC each in the data VLAN and voice VLAN.
- Multi-Host: allow multiple MACs in the data VLAN; no voice VLAN.
- Multi-Auth: allow multiple MACs in the data VLAN and one MAC in the voice VLAN.
- 802.1X control direction
- Both
- Inbound-Only
- Re-authentication interval: the session timeout, in seconds, after which the endpoint must authenticate again
- at least once every 8 hours (28800 seconds) to 24 hours (86400 seconds)
- Concurrent Authentication: send 802.1X and MAB requests to the RADIUS server (Access Manager) in parallel (concurrently).
- Available only with Hybrid Authentication
- Faster MAB authentication for endpoints without waiting for the 802.1X timeout
- Final authentication behavior may vary for 802.1X
- Concurrent requests for 802.1X endpoints effectively double the RADIUS request load on the server
- Not generally recommended except for MAB endpoints with short DHCP timeouts
- Voice Auth: allow phones into the voice domain
- Unsupported Access Policy Features with Access Manager
- Disable Port Bounce: Disable Port Bounce when RADIUS servers are unreachable.
- Critical Auth VLAN: When all the RADIUS servers for this access policy are unavailable, clients that attempt to authenticate will be placed into this VLAN (1-4094).
- Guest VLAN: Allow access to devices that don't attempt to authenticate on this VLAN.
- Failed Auth VLAN: Allow devices that failed authentication limited access to the network on this VLAN.
Access Rules
The Access Manager > Access Rules page defines a list of rules, evaluated top to bottom, to authorize users and endpoints based on the Attribute Sources available in each RADIUS request. If a rule is not matched, evaluation continues to the next rule in the list until the Default Rule is reached. Only a single rule group, the Default Rule Group, is supported; multiple rules may be added to this group.
The Default Rule is set to Deny Access to ensure security by default. You may change it to Allow Access to monitor access when beginning to deploy Access Manager, or customize it with Allow Restricted Access based on your desired default behavior.
Multiple conditions within a single Access Rule are combined with an implicit AND operator to provide granular matching for specific authentication scenarios. A rule only matches if ALL the conditions specified in the "What's Matched" section evaluate to True. For simplicity, there are no OR operators or condition groupings.
| Type | Status | Name | What's Matched | Authorization |
|---|---|---|---|---|
| Rule Group | ✅ | Default Rule Group | Any | |
| └Rule | ✅ | TTLS_Entra_Employees | Network Access: EAP Protocol = EAP-TTLS; Entra_Org: Account Enabled = true, Group = Employees | Adaptive policy = Employees |
| └Rule | ✅ | TLS_Entra_Employees | Network Access: EAP Protocol = EAP-TLS; Endpoint certificate: Issuer - Common Name = My_Org; Entra_Org: Account Enabled = true, Group = Employees | Adaptive policy = Employees |
| └Rule | ✅ | TLS_Workstations | Network Access: EAP Protocol = EAP-TLS; Endpoint certificate: Issuer - Common Name = My_Org; Endpoint certificate: Subject - Distinguished Name [Contains] workstation | Adaptive policy = Workstations |
| └Rule | ✅ | Wireless_IOT_iPSK | Network Access: SSID = IOT; Endpoints: Client group = IOT | Adaptive policy = IOT; Policy based iPSK |
| └Rule | ✅ | Guests | Network Access: SSID = AM-Guest, Authentication Method = MAB | Adaptive policy = Guest |
| └Rule | ✅ | Phones | Endpoints: Client group = Phones | VLAN = VOICE; Voice domain |
| └Rule | ✅ | Cameras | Endpoints: Client group = Cameras | VLAN = CAMERAS; Adaptive policy = Cameras |
| └Rule | ✅ | Printers | Endpoints: Client group = Printers | Adaptive policy = Printers |
| └Rule | ✅ | APs | Endpoints: Client group = APs | Adaptive policy = Infrastructure |
| └Rule | ✅ | Exceptions | Endpoints: Client group = Exceptions | Adaptive policy = Guest |
| └Rule | ✅ | MAC_is_Private | Endpoints: Private MAC = true | Adaptive policy = Guest |
| └Rule | ✅ | MAC_OUI_Match | Radius: Calling-Station-Id [Starts with] 01:23:45 | Adaptive policy = IoT |
| └Rule | ✅ | MAC_Exact | Radius: Calling-Station-Id = 01:23:45:67:89:ab | Deny Access |
| Rule | ✅ | Default Rule | Any | Deny Access |
Attributes & Sources
Attribute Sources have many attributes allowing you to create Access Rules with multiple conditions for a granular policy match.

Operators
Most attributes are strings with the default string operators: [Starts with, Ends with, Contains].
Number type operators are: [Equals, Greater than, Greater than or Equal, Less than, Less than or Equal].
Some attributes offer specific, enumerated values to choose:
Endpoints
- Client Group : [Match all, Match any]
- Private MAC : [True, False]
- Source : [Discovered, Provisioned]
Network Access
- Authentication Method : [EAP, MAB]
- Connection Method : [Wired, Wireless]
- EAP Protocol : [EAP-TLS, EAP-TTLS]
- Network : [choose one or more network names]
- SSID : [choose one or more SSID names]
RADIUS
- NAS-Port-Type : [Ethernet, IEEE 802.11, Virtual]
- Service-Type : [Call Check, Framed, Login]
Authentication
There are several authentication options supported for users and endpoints:
- IEEE 802.1X : the industry standard network authentication protocol that uses Extensible Authentication Protocol (EAP):
- EAP-TLS : certificate validation against a trusted certificate authority uploaded to the Organization > Certificates page
- EAP-TTLS : username+password validation against the list of available users on the Organization > Users page
- Identity Pre-Shared Key (iPSK): a unique, wireless, pre-shared key is defined in an Access Rule's Authorization and returned to the access point to enforce for association.
- MAB (MAC Authentication Bypass) : a Client MAC address or Client Group containing the MAC address is matched within an Access Rule
- MAC Authentication Bypass (MAB) and iPSK for IOT Endpoints
- ▷ Access Manager - Non 802.1x capable devices with MAC Authentication Bypass
- Wildcards are supported using various operators on the MAC Address attributes. See Operators
Authorization
Each Access Rule allows you to customize the Access Permissions from the following choices:
| Permission | Value |
|---|---|
| Deny Access | Default: RADIUS Access-Reject. No session. |
| Allow Access | RADIUS Access-Accept: use the default access permissions on the device. |
| Allow Restricted Access | Allow Access and override the device session defaults with one or more of the segmentation options described in the documents below. |
For more details about these segmentation options, see these documents:
- Adaptive Policy (TrustSec) Overview
- iPSK with RADIUS Authentication
- Creating and Applying Group Policies
Scale
Cisco Access Manager is available globally except in Canada, mainland China, India, and the Meraki FedRAMP cloud.
| Feature | Scale |
|---|---|
| Users | |
| Maximum Microsoft Entra ID Identity Providers (IdPs) | 10 / org |
| Maximum Users synced from Microsoft Entra ID | 150,000 / org |
| Maximum Microsoft Entra ID Groups | 100,000 / org |
| Maximum Microsoft Entra ID User Attributes | 15 |
| Clients | |
| Maximum Clients (MACs) | 500,000 |
| Max client sessions per user | Not configurable |
| Access Rules | |
| Maximum Rule Groups | 1 |
| Maximum Rules | 50 |
| Certificates | |
| Maximum Trusted Certificates | 10 |
| Maximum CRLs | 10 |
APIs
Cisco Access Manager has many application programming interfaces (APIs) available for use in the Cisco Meraki Dashboard APIs under Early API Access and Products > nac.
You may test API GET requests directly from your browser:
- Log in to your Cisco Meraki Dashboard account normally so that your browser is authenticated and authorized
- Enable Early API Access under Organization > Configure > Early Access if you haven't already
- Open a Meraki Dashboard API GET request within your browser, replacing {orgId} with your organization ID: https://api.meraki.com/api/v1/organizations/{orgId}/nac/license/usage?startDate=2025-10-01
- You should see the respective JSON (JavaScript Object Notation) output returned for either type of request
Alternatively, use curl or another tool to send GET / POST / PUT / DELETE requests, using environment variables for your MERAKI_ORG_ID and MERAKI_DASHBOARD_API_KEY :
export MERAKI_DASHBOARD_API_KEY=1234567890123456789012345678901234567890
export MERAKI_ORG_ID=1234567
curl --header "Accept: application/json" \
--header "Authorization: Bearer $MERAKI_DASHBOARD_API_KEY" \
--request GET "https://api.meraki.com/api/v1/organizations/$MERAKI_ORG_ID/nac/license/usage?startDate=2025-10-01"
Features & Feedback
Cisco Access Manager is a new product with many features planned! Please submit your new feature requests using the Give your feedback button in the footer of any Access Manager page of the Meraki Dashboard.

Troubleshooting
While Access Manager is the policy engine, network access control is a solution involving 4 separate components:

When troubleshooting, we are looking for reproducibility of a problem to find the source and address the root cause. Please provide the necessary details to help us help you:
- Expected Behavior : Describe the desired scenario or use case you are trying to achieve in one sentence
- Problem Behavior : Clearly state the exact error of the unexpected result. Include a picture or code output of the problem result. "It doesn't work" is not helpful.
- Environment : Share the relevant information about the components for the problem scenario :
- Endpoint(s): what is the OS, 802.1X supplicant configuration, credential type, certificate details, etc.
- Device(s): what hardware model(s), software version, SSID config(s), access policy(s), etc.
- Access Manager:
- Monitor > Session Log: what is the exact Status, Details, and Network Access Details (click on the row)
- Configure > Access Rules: what is the Rule, Conditions, and Authorization you expected it to match
- Configure > Certificates: what is the expected CA and its Details
- Configure > Users: IdP Sources: configured + synced and the User is listed with the expected Group(s)
- Configure > Clients: for MAB or iPSK the expected Clients are listed and members of the expected Group(s)
- Identity Provider(s): Microsoft Entra ID is configured + synced, verify permissions, check the MFA configuration (unsupported), conditional access configuration, etc.
The more detail you provide, the easier it is for others to help you.
Unexpected Authorizations
If an endpoint matches an unexpected authorization rule in the Access Manager > Access Rules page, there are several things to check:
- The first match always wins! It is generally recommended to put more specific rules at the top and more general rules at the bottom (default rule)
- Inspect an endpoint's authentication request attributes in the Access Manager > Session Log page to verify they match your expectation for the scenario
- You may need to include a different attribute or multiple attributes to match the conditions of your desired scenario
You will need to balance the ordering of rules by specificity and authentication frequency to avoid increased latency when checking for scenarios that rarely happen.
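As an added example (not Access Manager code), the Python below models the rule evaluation described under Access Rules and the first-match-wins behavior discussed here: implicit AND across conditions, top-to-bottom order, the Default Rule as fallback, and a few of the Operators (=, Starts with, Contains, Match any). Rule names, attribute names and the sample requests are constructed to mirror the example table; deriving the Private MAC attribute from the locally administered bit of the MAC address is an assumption about how that attribute is computed.

```python
# Added example, not Access Manager code: a minimal model of Access Rules
# evaluation (implicit AND, first match wins, Default Rule as fallback).
# Attribute names follow the page's "Source:Attribute" style; rules and
# RADIUS requests below are constructed to mirror rows of the example table.

OPS = {
    "=": lambda a, v: a == v,
    "Starts with": lambda a, v: str(a).lower().startswith(str(v).lower()),
    "Ends with": lambda a, v: str(a).lower().endswith(str(v).lower()),
    "Contains": lambda a, v: str(v).lower() in str(a).lower(),
    "Match any": lambda a, v: bool(set(a) & set(v)),   # client group operators
    "Match all": lambda a, v: set(v) <= set(a),
}

def private_mac(mac):
    """Assumption: randomized/locally administered MAC = bit 1 of first octet set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def enrich(request):
    """Derive attributes the raw RADIUS request does not carry verbatim."""
    req = dict(request)
    if "Radius:Calling-Station-Id" in req:
        req["Endpoints:Private MAC"] = private_mac(req["Radius:Calling-Station-Id"])
    return req

def matches(rule, req):
    """All conditions must hold (implicit AND); a missing attribute never matches."""
    return all(attr in req and OPS[op](req[attr], value)
               for attr, op, value in rule["conditions"])

def authorize(rules, request, default="Deny Access"):
    """Top-to-bottom evaluation; the first enabled matching rule wins."""
    req = enrich(request)
    for rule in rules:
        if rule.get("enabled", True) and matches(rule, req):
            return rule["name"], rule["authorization"]
    return "Default Rule", default

RULES = [  # constructed; order matters exactly as in the dashboard table
    {"name": "TLS_Workstations", "authorization": "Adaptive policy = Workstations",
     "conditions": [("Network Access:EAP Protocol", "=", "EAP-TLS"),
                    ("Endpoint certificate:Issuer - Common Name", "=", "My_Org"),
                    ("Endpoint certificate:Subject - Distinguished Name", "Contains", "workstation")]},
    {"name": "Phones", "authorization": "VLAN = VOICE",
     "conditions": [("Endpoints:Client group", "Match any", ["Phones"])]},
    {"name": "MAC_is_Private", "authorization": "Adaptive policy = Guest",
     "conditions": [("Endpoints:Private MAC", "=", True)]},
    {"name": "MAC_OUI_Match", "authorization": "Adaptive policy = IoT",
     "conditions": [("Radius:Calling-Station-Id", "Starts with", "01:23:45")]},
    # Shadowed: an exact MAC inside the 01:23:45 OUI is caught by the rule above first.
    {"name": "MAC_Exact", "authorization": "Deny Access",
     "conditions": [("Radius:Calling-Station-Id", "=", "01:23:45:67:89:ab")]},
]

if __name__ == "__main__":
    for req in (
        {"Network Access:EAP Protocol": "EAP-TLS", "Radius:Calling-Station-Id": "a4:5e:60:00:00:01",
         "Endpoint certificate:Issuer - Common Name": "My_Org",
         "Endpoint certificate:Subject - Distinguished Name": "CN=workstation-42,OU=Lab"},
        {"Endpoints:Client group": ["Phones", "IOT"], "Radius:Calling-Station-Id": "a4:5e:60:00:00:02"},
        {"Radius:Calling-Station-Id": "02:23:45:67:89:ab"},   # randomized MAC -> Guest
        {"Radius:Calling-Station-Id": "01:23:45:67:89:ab"},   # OUI rule wins, MAC_Exact never fires
        {"Radius:Calling-Station-Id": "a4:5e:60:00:00:03"},   # nothing matches -> Default Rule
    ):
        print(authorize(RULES, req))
```

Moving MAC_Exact above MAC_OUI_Match in RULES is the fix the ordering advice above describes: the specific deny must precede the broader OUI match.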
Missing Authentications
It is possible that an authentication attempt does not reach the Access Manager RADIUS services. If this occurs, no data will be populated in the Access Manager > Session Log table. This could happen for many reasons:
- the endpoint (Windows, macOS, iOS, Android, Linux, etc.) may not be configured correctly
- the devices (switching, wireless) may not be configured correctly including licensing, network security choice, Access Policies configuration
- local and WAN network routing, firewalls, and general internet connectivity into the Cisco Meraki regions hosting Access Manager
Troubleshooting should begin on the authenticator device to ensure that the configuration is correct and the authentication is occurring as expected.