Access Manager
Cisco Access Manager is an access control product that enables organizations to manage network access for their users and endpoints without the need for an external RADIUS integration. As part of the Cisco Meraki dashboard, Access Manager lets IT teams enforce, monitor and troubleshoot identity- and context-based access in one place, eliminating complex configuration and troubleshooting workflows across different management interfaces. Organizations can scale their network security as their needs evolve while cutting down on infrastructure costs and easing deployment and maintenance efforts.

cs.co/am#tag
Conveniently refer to this document with its shortcut URL: cs.co/am. Append a #tag to the URL to jump to any section of this document, for example cs.co/am#licensing.
#8021x | #access-permissions | #access-rules | #adp | #adaptive-policy | #apis | #attributes | #authentication | #authorization | #certificates | #certs | #clients | #community | #config | #configuration | #dcloud | #default-rule | #device | #devices | #docs | #documentation | #dot1x | #ea | #eap | #eap-tls | #eap-ttls | #early-access | #endpoints | #entra-id | #entra | #entraid | #ipsk | #license | #licenses | #licensing | #mab | #maximums | #mdm | #mdms | #meraki-organization-users | #mfa | #microsoft-entra-id | #mou | #operators | #org-users | #permissions | #policy | #rule-groups | #scale | #users | #troubleshooting | #trustsec | #uem | #videos
Early Access
Cisco Access Manager is available in Early Access and General Availability (GA) is planned for November 2025.
Enable Early Access for your Meraki organizations by opting in under the Organizations > Early Access menu.
Early Access will end at GA; the Access Manager menu will then be removed and not restored until you claim Access Manager licenses (subscription or trial). Contact your Sales Representative, reach out to the Sales Team, or complete a trial form to register for a free evaluation. Any existing configurations and data from Early Access will remain, and endpoint authentications will continue based on those configurations and policies. No changes will be possible until an Access Manager license is claimed.
Licensing
Cisco Access Manager is not yet orderable in Cisco Commerce Workspace (CCW). It will be orderable upon General Availability (GA) in November 2025.
Cisco Access Manager will have a separate license from all other Meraki products. While Access Manager licensing provides TrustSec (Adaptive Policy) SGT assignment to sessions, the policy enforcement is dependent on the devices' feature licensing (Advantage) and hardware capabilities.
Cisco Access Manager license consumption is counted by the number of concurrent, active, endpoint sessions. A session is active from the time when Access Manager receives a RADIUS Accounting Start until it receives an Accounting Stop for the session.
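As an added example (not Access Manager's own code), the following Python replays a stream of RADIUS accounting events to show how concurrent-session license consumption is counted: a session opens on an Accounting Start and closes on the matching Accounting Stop, so the peak number of open sessions is what the license has to cover. The event list is constructed sample data, and the tuple layout and function names are this example's own; it also handles a Stop that arrives for a session that was never seen starting.

```python
# Added example: models how Access Manager license consumption (concurrent
# active endpoint sessions) accrues from RADIUS accounting. Not Access Manager code.

# Constructed sample accounting events (not real Access Manager data):
# (ISO-8601 timestamp, Acct-Status-Type, Acct-Session-Id, Calling-Station-Id)
SAMPLE_EVENTS = [
    ("2025-10-01T08:00:00", "Start", "s1", "01:23:45:67:89:ab"),
    ("2025-10-01T08:05:00", "Start", "s2", "01:23:45:67:89:ac"),
    ("2025-10-01T08:10:00", "Start", "s3", "01:23:45:67:89:ad"),
    ("2025-10-01T08:12:00", "Stop",  "s1", "01:23:45:67:89:ab"),
    ("2025-10-01T08:20:00", "Start", "s4", "01:23:45:67:89:ae"),
    ("2025-10-01T08:30:00", "Stop",  "s2", "01:23:45:67:89:ac"),
    ("2025-10-01T08:30:00", "Stop",  "s3", "01:23:45:67:89:ad"),
    ("2025-10-01T09:00:00", "Stop",  "s9", "01:23:45:67:89:af"),  # Stop without a Start
]


def _ordered(events):
    """Sort by timestamp; ISO-8601 strings in a single format sort lexically.
    A Stop is processed before a Start at the same instant so that a session
    that is closed and immediately re-opened is not counted twice."""
    return sorted(events, key=lambda e: (e[0], 0 if e[1] == "Stop" else 1))


def license_usage(events):
    """Replay accounting events.

    Returns (peak_concurrent, still_open_session_ids, orphan_stop_session_ids).
    Peak concurrency is what drives license consumption; sessions still open at
    the end of the replay keep consuming a license until their Stop arrives."""
    active = set()
    peak = 0
    orphans = []
    for _ts, status, session_id, _mac in _ordered(events):
        if status == "Start":
            active.add(session_id)          # a repeated Start for the same id is idempotent
            peak = max(peak, len(active))
        elif status == "Stop":
            if session_id in active:
                active.remove(session_id)
            else:
                orphans.append(session_id)  # Stop for a session we never saw start
    return peak, active, orphans


def active_at(events, when):
    """Number of sessions open at ISO-8601 instant `when` (inclusive)."""
    active = set()
    for ts, status, session_id, _mac in _ordered(events):
        if ts > when:
            break
        if status == "Start":
            active.add(session_id)
        elif status == "Stop":
            active.discard(session_id)
    return len(active)


if __name__ == "__main__":
    peak, open_sessions, orphans = license_usage(SAMPLE_EVENTS)
    print(f"peak concurrent sessions: {peak}")            # 3
    print(f"still open: {sorted(open_sessions)}")         # ['s4']
    print(f"orphan stops: {orphans}")                     # ['s9']
    print(f"active at 08:15: {active_at(SAMPLE_EVENTS, '2025-10-01T08:15:00')}")  # 2
```

The orphan-Stop and still-open lists are the two things worth watching when license usage looks wrong: a Stop with no Start usually means accounting traffic from that authenticator is not reaching Access Manager consistently, and sessions that never receive a Stop keep consuming a license until they do.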
Documentation
- Cisco Access Manager (this page) (cs.co/am)
- Cisco Access Manager Data Sheet (cs.co/am-ds)
- Cisco Access Manager - Architecture And Example Use Cases
- EAP-TLS Client Configuration
- EAP-TLS Certificate Based Authentication with Entra ID Lookup
- EAP-TTLS Client Configuration
- EAP-TTLS/PAP Username/Password Authentication with Entra ID Lookup
- MAC Authentication Bypass (MAB) and iPSK for I/OT Endpoints
- Cisco Access Manager / NAC Community | cs.co/am-community
Demos
- ▷ Meraki Minute (cs.co/meraki-minute) > ▷ Cisco Access Manager Demo Playlist | YouTube
- ➚ Cisco Access Manager Self-Guided Demo | Navattic
- ➚ Cisco Access Manager Instant Demo (cs.co/am-demo) : register and view Dashboard with Access Manager
Configuration
Certificates
Download the Cisco Access Manager certificate and provision to your endpoints' trusted certificates list for the 802.1X + RADIUS authentication process. Access Manager uses the same eap.meraki.com certificate for all RADIUS authentications for all organizations.
Upload any public or private certificate authority (CA) digital certificates that Cisco Access Manager should use to authenticate your endpoint certificates.
▷ Access Manager - Certificate Configuration | YouTube
Endpoints
Cisco Access Manager can authenticate any endpoints (clients) using IEEE 802.1X, iPSK, or MAC Authentication Bypass (MAB). There is no limit to the number of endpoints a single set of username+password credentials may be used for.
Endpoint (Client) Configuration Guides
We provide these guides for the various authentication methods supported by Cisco Access Manager. It is highly recommended to use unified endpoint management (UEM) tools to provision and maintain your endpoints' authentication settings for the EAP (Extensible Authentication Protocol) methods at scale.
- EAP-TLS Client Configuration
- EAP-TLS Certificate Based Authentication with Entra ID Lookup
- EAP-TTLS Client Configuration
- EAP-TTLS/PAP Username+Password Authentication with Entra ID Lookup
- Linux workstations use wpa_supplicant to perform wired or wireless 802.1X with certificates or username+password. For large-scale management, consider a UEM or Ansible.
- Trusted Access for Secure Wireless Connectivity - Setup Guide : join endpoints to Meraki MR wireless networks using certificate-based 802.1X authentication without enrolling the device into a UEM platform
- For iPSK, the endpoint's PSK provisioning is highly dependent on the endpoint type, its user interface, and/or any tools provided by the manufacturer.
Unified Endpoint Management (UEM)
Unified endpoint managers (UEMs) like Meraki System Manager (SM) are highly recommended for configuring 802.1X and certificates on endpoints. Compliance checking against UEMs is not supported by Cisco Access Manager.
For examples, see ▷ Meraki Minute (cs.co/meraki-minute) > ▷ Meraki SM - Endpoint management
Endpoint (Client) Groups
You may add endpoint MAC addresses to one or more endpoint Client Groups for simplified management and matching in Access Rules. To provision large numbers of endpoint MAC addresses to one or more Client Groups, the use of APIs is highly recommended, at least for export.
Users
Cisco Access Manager only supports Microsoft Entra ID as an Identity Provider (IdP). For configuration details, see Organization Users > Microsoft Entra ID. Support for additional identity providers is planned.
Meraki Organization Users
Organization local users are not supported for 802.1X username + password authentication.
Microsoft Entra ID
Cisco Access Manager supports Entra ID group lookups for both EAP-TTLS username+password authentication and EAP-TLS certificate-based endpoint authentication.
The following Microsoft Graph API permissions (found under Manage > API Permissions) must be granted to the Access Manager application in Entra ID for the synchronization to complete successfully:
- Grant Admin Consent for your Entra ID Directory
- Microsoft Graph > Application > Group.Read.All
- Microsoft Graph > Application > User.Read.All
- Microsoft Graph > Delegated > User.Read (Required for Access Manager integration)
The EAP-TTLS+PAP authentication method does not support multi-factor authentication (MFA). You must exclude the Access Manager App Registration in Entra ID from MFA authentication using Conditional Access Policies.
See our videos and guides for Entra ID configuration with endpoints:
Devices
Cisco Access Manager currently requires all network access devices to communicate with the Cisco Meraki Dashboard's secure management tunnel. Any devices (Cisco or non-Cisco) that do not support the Meraki management tunnel are not supported.
| Model | 802.1X | MAB | VLAN | GPACL* | TrustSec (Adaptive Policy) | URL Redir |
|---|---|---|---|---|---|---|
| Wireless (MR 30.7+) | | | | | | |
| MR20, MR70 | ✅ | ✅ | ✅ | ✅ | - | ✅ |
| MR 20/30H/33/42/42E/52/53/53E/74/84 (802.11ac Wave 2), MR 28/36/36H/44/45/46/46E/55/56/57/76/78/86 (802.11ax), CW91XX (Wi-Fi 7 802.11be) | ✅ | ✅ | ✅ | ✅ | ✅ (802.11ac Wave 2+) | ✅ |
| Switching (MS17+) | | | | | | |
| MS120, MS125, MS130 | ✅ | ✅ | ✅ | - | - | - |
| MS130X/R, MS150 | ✅ | ✅ | ✅ | MS18 | ✅ | - |
| MS210, MS225, MS250, MS350, MS355 | ✅ | ✅ | ✅ | ✅ | - | ✅ |
| MS390, C9K-M (CS17.1+) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| SDWAN | | | | | | |
| MX and Z | - | - | - | - | Only SGT Transport | - |
*GPACL = Meraki Network Group Policy Access Control Lists
Unsupported Switch Access Policy Features

Access Rules
The Access Manager > Access Rules page defines a list of rules, evaluated top to bottom, that authorize users and endpoints based on the Attribute Sources available in each RADIUS request. If a rule is not matched, evaluation continues to the next rule in the list until the Default Rule is reached. Access Manager supports only a single Rule Group, the Default Rule Group; multiple rules may be added to this group.
The Default Rule is set to Deny Access to ensure security by default. You may change it to Allow Access to monitor access when beginning to deploy Access Manager, or customize it with Allow Restricted Access based on your desired default behavior.
Multiple conditions within a single Access Rule are combined with an implicit AND operator to provide granular matching for specific authentication scenarios. A rule only matches if ALL the conditions specified in the "What's Matched" section evaluate as True. For simplicity, there are no OR operators or condition groupings.
| Type | Status | Name | What's Matched | Authorization |
|---|---|---|---|---|
| Rule Group | ✅ | Default Rule Group | Any | |
| └Rule | ✅ | EntraID_Employees | Entra_Org: Account Enabled = True [And] EntraID: Group = Employees | Adaptive policy = Employees |
| └Rule | ✅ | EntraID_Workstations | Endpoint certificate: Subject - Organization [Contains] My_Org [And] Entra_Org: Account Enabled = True [And] EntraID: Group = Workstations | Adaptive policy = Workstations |
| └Rule | ✅ | Guests | Network Access: SSID = Guest | Adaptive policy = Guests |
| └Rule | ✅ | Phones | Endpoints: Client group [And] Phones | VLAN = VOICE, Voice domain |
| └Rule | ✅ | Cameras | Endpoints: Client group [And] Cameras | VLAN = CAMERAS, Adaptive policy = Cameras |
| └Rule | ✅ | Printers | Endpoints: Client group [And] Printers | Adaptive policy = Printers |
| └Rule | ✅ | IOT_Wireless | Network Access: SSID = IOT [And] Endpoints: Client group [And] IOT | Adaptive policy = IOT, Policy based iPSK |
| └Rule | ✅ | APs | Endpoints: Client group [And] APs | Adaptive policy = Infrastructure |
| └Rule | ✅ | Scanners | Endpoints: Client group [And] Scanners | Adaptive policy = Scanners, Policy based iPSK |
| └Rule | ✅ | MAC_is_Private | Endpoints: Private MAC = true | Adaptive policy = Guest |
| └Rule | ✅ | MAC_OUI_Match | Radius: Calling-Station-Id [Starts with] 01:23:45 | Adaptive policy = IoT |
| └Rule | ✅ | MAC_Exact | Radius: Calling-Station-Id = 01:23:45:67:89:ab | Adaptive policy = IoT |
| └Rule | ✅ | Exceptions | Endpoints: Client group [And] Exceptions | Adaptive policy = Guest |
| | ✅ | Default Rule | Any | (Deny Access) |
Attribute Sources
| Source | Attributes |
|---|---|
| Certificate Attributes | Issuer - Common Name, Issuer - Country Name, Issuer - Distinguished Name, Issuer - Domain Component, Issuer - Email Address, Issuer - Locality, Issuer - Organization, Issuer - Organizational Unit, Issuer - Serial Number, Issuer - State Or Province Name, Issuer - Street Name, Issuer - User Id, Serial Number, Subject - Common Name, Subject - Country Name, Subject - Distinguished Name, Subject - Domain Component, Subject - Email Address, Subject - Locality, Subject - Organization, Subject - Organizational Unit, Subject - SAN, Subject - SAN - DNS, Subject - SAN - RFC822, Subject - Serial Number, Subject - State Or Province Name, Subject - Street Name, Subject - User Id, Template Name, Valid To |
| Endpoints | Client group, Description, MAC address, Private MAC, Source |
| Network Access | Authentication Method, Connection Method, EAP Protocol, Network, SSID |
| Meraki (Device) | Meraki-Ap-Name, Meraki-Ap-Tags, Meraki-Device-Name, Meraki-Network-Name |
| Radius | Called-Station-Id, Calling-Station-Id, NAS-IP-Address, NAS-IPv6-Address, NAS-Identifier, NAS-Port, NAS-Port-Type, Service-Type, User-Name |
| EntraID | Account Enabled, City, Department, Display Name, Given Name, Job Title, Postal Code, Preferred Language, State, Surname |
Operators
Most attributes are strings with the default string operators: [Starts with, Ends with, Contains].
Number type operators are: [Equals, Greater than, Greater than or Equal, Less than, Less than or Equal].
Some attributes offer specific, enumerated values to choose:
Endpoints
- Client Group : [Match all, Match any]
- Private MAC : [True, False]
- Source : [Discovered, Provisioned]
Network Access
- Authentication Method : [EAP, MAB]
- Connection Method : [Wired, Wireless]
- EAP Protocol : [EAP-TLS, EAP-TTLS]
- Network : [choose one or more network names]
- SSID : [choose one or more SSID names]
RADIUS
- NAS-Port-Type : [Ethernet, IEEE 802.11, Virtual]
- Service-Type : [Call Check, Framed, Login]
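The Access Rules section above describes top-to-bottom, first-match evaluation with an implicit AND between a rule's conditions, and the Operators section lists the string, number and enumerated operators a condition can use. The following Python is an added example (not Access Manager's own code) that models that evaluation so the behaviour can be tried on sample requests. The rules are taken from the example table above; the attribute keys ("Source: Attribute"), the `Condition`/`Rule` classes and the request dictionaries are this example's own constructed conventions, not an Access Manager API. The `matching_rules` helper lists every rule a request would satisfy, which is the check to run when the Session Log shows an unexpected rule winning: the first name in that list is the one Access Manager would apply.

```python
from dataclasses import dataclass
from typing import Any

# Added example (not Access Manager code): a model of Access Rules evaluation.
# Attribute names follow the "Source: Attribute" labels of the rules table; the
# caller flattens a RADIUS request into such a dict (constructed convention).

STRING_OPS = {                       # string attributes, compared case-insensitively
    "Equals":      lambda a, v: a.lower() == v.lower(),
    "Starts with": lambda a, v: a.lower().startswith(v.lower()),
    "Ends with":   lambda a, v: a.lower().endswith(v.lower()),
    "Contains":    lambda a, v: v.lower() in a.lower(),
}
NUMBER_OPS = {                       # number attributes
    "Equals":                lambda a, v: a == v,
    "Greater than":          lambda a, v: a > v,
    "Greater than or Equal": lambda a, v: a >= v,
    "Less than":             lambda a, v: a < v,
    "Less than or Equal":    lambda a, v: a <= v,
}
LIST_OPS = {                         # multi-valued attributes such as Client group
    "Match all": lambda a, v: set(v) <= set(a),
    "Match any": lambda a, v: bool(set(v) & set(a)),
}


@dataclass
class Condition:
    attribute: str
    operator: str
    value: Any


@dataclass
class Rule:
    name: str
    conditions: list        # implicit AND: every condition must hold
    authorization: dict     # e.g. {"Adaptive policy": "IoT"}
    enabled: bool = True


DEFAULT_RULE = Rule("Default Rule", [], {"Deny Access": True})


def condition_matches(cond: Condition, request: dict) -> bool:
    actual = request.get(cond.attribute)
    if actual is None:               # attribute absent from this request: no match
        return False
    if isinstance(actual, bool):     # checked before int, since bool is an int subclass
        return cond.operator == "Equals" and actual == cond.value
    if isinstance(actual, (int, float)):
        return NUMBER_OPS[cond.operator](actual, cond.value)
    if isinstance(actual, (list, set, tuple)):
        return LIST_OPS[cond.operator](actual, cond.value)
    return STRING_OPS[cond.operator](str(actual), str(cond.value))


def rule_matches(rule: Rule, request: dict) -> bool:
    return rule.enabled and all(condition_matches(c, request) for c in rule.conditions)


def evaluate(rules: list, request: dict, default: Rule = DEFAULT_RULE):
    """Top to bottom; the first enabled rule whose conditions ALL hold wins."""
    for rule in rules:
        if rule_matches(rule, request):
            return rule.name, rule.authorization
    return default.name, default.authorization


def matching_rules(rules: list, request: dict) -> list:
    """Every rule the request satisfies, in list order; only the first is applied."""
    return [r.name for r in rules if rule_matches(r, request)]


# Rules from the example table on this page.
RULES = [
    Rule("EntraID_Workstations", [
        Condition("Certificate: Subject - Organization", "Contains", "My_Org"),
        Condition("EntraID: Account Enabled", "Equals", True),
        Condition("EntraID: Group", "Match any", ["Workstations"]),
    ], {"Adaptive policy": "Workstations"}),
    Rule("Guests", [Condition("Network Access: SSID", "Equals", "Guest")],
         {"Adaptive policy": "Guests"}),
    Rule("Phones", [Condition("Endpoints: Client group", "Match any", ["Phones"])],
         {"VLAN": "VOICE", "Voice domain": True}),
    Rule("MAC_OUI_Match", [Condition("Radius: Calling-Station-Id", "Starts with", "01:23:45")],
         {"Adaptive policy": "IoT"}),
    # Shadowed: MAC_OUI_Match above already matches this exact MAC, so this never wins.
    Rule("MAC_Exact", [Condition("Radius: Calling-Station-Id", "Equals", "01:23:45:67:89:ab")],
         {"Adaptive policy": "IoT"}),
]

# Constructed sample requests (not real Session Log data).
WORKSTATION = {
    "Certificate: Subject - Organization": "My_Org Inc",
    "EntraID: Account Enabled": True,
    "EntraID: Group": ["Workstations", "Employees"],
    "Network Access: SSID": "Corp",
    "Radius: Calling-Station-Id": "AA:BB:CC:DD:EE:FF",
}
DISABLED_WORKSTATION = dict(WORKSTATION, **{"EntraID: Account Enabled": False})
IOT_EXACT = {"Radius: Calling-Station-Id": "01:23:45:67:89:AB", "Network Access: SSID": "IOT"}

if __name__ == "__main__":
    for name, req in [("workstation", WORKSTATION), ("disabled", DISABLED_WORKSTATION), ("iot", IOT_EXACT)]:
        print(name, evaluate(RULES, req), "candidates:", matching_rules(RULES, req))
```

The disabled-account request shows the implicit AND: one failed condition drops the whole rule and the request falls through to the Default Rule's Deny Access. The IoT request shows first-match-wins: both MAC rules would match, but only MAC_OUI_Match is applied, which is why more specific rules belong above more general ones.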
Authentication
There are several authentication options supported for users and endpoints:
- IEEE 802.1X : the industry standard network authentication protocol that uses the Extensible Authentication Protocol (EAP):
  - EAP-TLS : certificate validation against a trusted certificate authority uploaded to the Organization > Certificates page
  - EAP-TTLS : username+password validation against the list of available users in the Organization > Users page
- Identity Pre-Shared Key (iPSK) : a unique, wireless, pre-shared key is defined in an Access Rule's Authorization and returned to the access point to enforce for association.
- MAB (MAC Authentication Bypass) : a Client MAC address or a Client Group containing the MAC address is matched within an Access Rule
  - MAC Authentication Bypass (MAB) and iPSK for IOT Endpoints
  - ▷ Access Manager - Non 802.1x capable devices with MAC Authentication Bypass
  - Wildcards are supported using the various operators on the MAC Address attributes. See Operators
Authorization
Each Access Rule allows you to customize the Access Permissions from the following choices:
| Permission | Value |
|---|---|
| Deny Access | Default: RADIUS Access-Reject. No session. |
| Allow Access | RADIUS Access-Accept: use the default access permissions on the device. |
| Allow Restricted Access | Allow Access and override the device session defaults with one or more of the segmentation options below. |
For more details about these segmentation options, see these documents:
- Adaptive Policy (TrustSec) Overview
- iPSK with RADIUS Authentication
- Creating and Applying Group Policies
Scale
Cisco Access Manager is available in all Regions: North and South America, Europe, Asia, China, Canada, and India.
| Feature | Scale |
|---|---|
| Users | |
| Maximum Identity Providers (IdPs) | 10 / org |
| Maximum Users synced from Entra ID | 150,000 / org |
| Maximum Groups | 100,000 / org |
| Maximum Entra ID User Attributes | 15 |
| Clients | |
| Maximum Clients (MACs) | 500,000 |
| Max client sessions per user | Not configurable |
| Access Rules | |
| Maximum Rule Groups | 1 |
| Maximum Rules | 50 |
| Certificates | |
| Maximum Trusted Certificates | 10 |
| Maximum CRLs | 10 |
APIs
Cisco Access Manager has many application programming interfaces (APIs) available for use in the Cisco Meraki Dashboard APIs under Early API Access and Products > nac.
You may test API GET requests directly from your browser:
- Log in to your Cisco Meraki Dashboard account normally so that your browser is authenticated and authorized
- Enable Early API Access under Organization > Configure > Early Access if you haven't already
- Open a Meraki Dashboard API GET request in your browser, replacing {orgId} with your organization ID: https://api.meraki.com/api/v1/organizations/{orgId}/nac/license/usage?startDate=2025-10-01
- You should see the respective JSON (JavaScript Object Notation) output returned for the request
Alternatively, use curl or another tool to send GET / POST / PUT / DELETE requests, using environment variables for your MERAKI_ORG_ID and MERAKI_DASHBOARD_API_KEY:
```shell
export MERAKI_DASHBOARD_API_KEY=1234567890123456789012345678901234567890
export MERAKI_ORG_ID=1234567
curl --header "Accept: application/json" \
     --header "Authorization: Bearer $MERAKI_DASHBOARD_API_KEY" \
     --request GET "https://api.meraki.com/api/v1/organizations/$MERAKI_ORG_ID/nac/license/usage?startDate=2025-10-01"
```
Troubleshooting
The Access Manager > Session Log page shows all attempts to authenticate against Access Manager and their outcome. The Status and Details columns show what the authorization result of an authentication attempt was and why.
Unexpected Authorizations
If an endpoint matches an unexpected authorization rule in the Access Manager > Access Rules page, there are several things to check:
- The first match always wins! It is generally recommended to put more specific rules at the top and more general rules at the bottom (nearest the Default Rule)
- Inspect an endpoint's authentication request attributes in the Access Manager > Session Log page to verify they match your expectation for the scenario
- You may need to include a different attribute, or multiple attributes, to match the conditions of your desired scenario
You will need to balance the ordering of rules by specificity and authentication frequency to avoid increased latency when checking for scenarios that rarely happen.
Missing Authentications
It is possible that an authentication attempt does not reach the Access Manager RADIUS services. If this occurs, no data will be populated in the Access Manager > Session Log table. This can happen for many reasons:
- the endpoint (Windows, macOS, iOS, Android, Linux, etc.) may not be configured correctly
- the devices (switching, wireless) may not be configured correctly, including licensing, network security choice, and Access Policies configuration
- local and WAN network routing, firewalls, and general internet connectivity into the Cisco Meraki regions hosting Access Manager may be blocking the traffic
Troubleshooting should begin on the authenticator device to ensure that the configuration is correct and the authentication is occurring as expected.