Access Manager
Cisco Access Manager is an access control product that enables organizations to manage network access for their users and endpoints without the need for an external RADIUS integration. As part of the Cisco Meraki dashboard, Access Manager lets IT teams enforce, monitor and troubleshoot identity and context-based access in one place, eliminating complex configuration and troubleshooting workflows across different management interfaces. Organizations can quickly scale their network security as their needs evolve, cutting infrastructure costs while easing deployment and maintenance efforts.
Early Access
Cisco Access Manager is available in Early Access, and General Availability (GA) is planned for November 2025.
Enable Early Access for your Meraki organizations by opting in under the Organizations > Early Access menu.
Early Access will end at GA, at which point the Access Manager menu and your configurations will be removed unless you purchase Access Manager licenses. To continue using Access Manager as a trial, please contact your Sales Representative, reach out to the Sales Team, or complete a trial form to register for a free evaluation.
Documentation
- Access Manager Data Sheet (cs.co/am-ds)
- Access Manager - Architecture And Example Use Cases
- Access Manager - EAP-TLS Client Configuration (Windows, macOS and iOS)
- Access Manager - EAP-TTLS Client Configuration (Windows, macOS and iOS)
- Access Manager Certificate Based Authentication - EAP-TLS with Entra ID Lookup
- Access Manager non-802.1X Supported IoT or Other Endpoints - MAC Authentication Bypass (MAB) and iPSK
- Access Manager Username/Password Authentication - EAP-TTLS/PAP with Entra ID Lookup
Demos
- ▷ Meraki Minute > ▷ Access Manager Demo Playlist | YouTube
- ➚ Access Manager Self-Guided Demo | Navattic
Configuration
Certificates
Download the Cisco Access Manager certificate and provision it to your clients' trusted certificates list for the 802.1X authentication process.
Upload any public or private certificate authority (CA) digital certificates that Cisco Access Manager should use for client authentication.
Devices
Cisco Access Manager (CAM) currently requires all network access devices to communicate with the Cisco Meraki Dashboard's secure management tunnel. Any devices (Cisco or non-Cisco) that do not support the Meraki management tunnel are not supported.
Model | 802.1X | MAB | VLAN | GPACL* | Adaptive Policy | URL Redir |
---|---|---|---|---|---|---|
MR20, MR70 (MR 30.7+) | ✅ | ✅ | ✅ | ✅ | - | ✅ |
MR28/30H/33/42/42E/52/53/53E/74/84 MR36/36H/44/45/46/46E/55/56/57/76/78/86 CW91xx (MR 30.7+) | ✅ | ✅ | ✅ | ✅ | ✅ 802.11ac Wave2+ | ✅ |
MS120, MS125, MS130 (MS17+) | ✅ | ✅ | ✅ | - | - | - |
MS130X/R, MS150 (MS17+) | ✅ | ✅ | ✅ | MS18 | ✅ | - |
MS210, MS225, MS250, MS350, MS355 (MS17+) | ✅ | ✅ | ✅ | ✅ | - | ✅ |
MS390, C9K-M (CS17.1+) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
*GPACL = Meraki Network Group Policy Access Control Lists
Clients
Cisco Access Manager (CAM) can authenticate any clients (endpoints) using IEEE 802.1X, iPSK, or MAC Authentication Bypass (MAB). There are no limits to the number of clients a single set of username+password credentials may be used for.
- Access Manager - EAP-TLS Client Configuration (Windows, macOS and iOS)
- Access Manager - EAP-TTLS Client Configuration (Windows, macOS and iOS)
- Access Manager Username/Password Authentication - EAP-TTLS/PAP with Entra ID Lookup
- Linux: For I/OT devices, use MAB; for user workstations, use wpa_supplicant to perform wired or wireless 802.1X with certificates or username+password. For large-scale management, consider an MDM or Ansible.
- Trusted Access for Secure Wireless Connectivity - Setup Guide : join clients to Meraki MR wireless networks using certificate-based 802.1x authentication without enrolling the device into an MDM platform
Mobile Device Managers (MDMs)
MDMs like Meraki System Manager (SM) are highly recommended for configuring 802.1X and certificates on client computers. Compliance checking against MDMs is not supported by Cisco Access Manager.
▷ Meraki Minute > Meraki SM - Endpoint management
Users
Cisco Access Manager (CAM) only supports Microsoft Entra ID as an Identity Provider (IdP).
Support for additional identity providers is planned.
Meraki Organization Users
Organization local users are not supported for 802.1X username + password authentication.
Microsoft Entra ID
Cisco Access Manager (CAM) supports user authentication and group lookup.
Endpoint authentication with EAP-TLS (certificate authentication) is supported, but without Entra ID group lookup.
- ▷ Meraki Access Manager with Entra as an IDP
- ▷ Access Manager - EAP TLS with Entra ID Lookup
- ▷ Access Manager with EAP TTLS / PAP with Entra ID lookup
- Access Manager Certificate Based Authentication - EAP-TLS with Entra ID Lookup
Policy
802.1X
MAC Authentication Bypass (MAB)
- Access Manager non-802.1X Supported IoT or Other Endpoints - MAC Authentication Bypass (MAB) and iPSK
- ▷ Access Manager - Non 802.1x capable devices with MAC Authentication Bypass
- Wildcards are supported using various operators on the MAC Address attributes. See Operators
iPSK (Identity Pre-Shared Key)
Identity Pre-Shared Key allows you to create a unique wireless pre-shared key per MAC address. You may specify an iPSK when provisioning clients.
⚠ iPSK import via CSV is not supported.
Rule Groups
Cisco Access Manager (CAM) has a single, Default Rule Group. You cannot create any additional Rule Groups.
Attribute Sources
Attribute Source | Attributes |
---|---|
Certificate Attributes | Issuer - Common Name, Issuer - Country Name, Issuer - Distinguished Name, Issuer - Domain Component, Issuer - Email Address, Issuer - Locality, Issuer - Organization, Issuer - Organizational Unit, Issuer - Serial Number, Issuer - State Or Province Name, Issuer - Street Name, Issuer - User Id, Serial Number, Subject - Common Name, Subject - Country Name, Subject - Distinguished Name, Subject - Domain Component, Subject - Email Address, Subject - Locality, Subject - Organization, Subject - Organizational Unit, Subject - SAN, Subject - SAN - DNS, Subject - SAN - RFC822, Subject - Serial Number, Subject - State Or Province Name, Subject - Street Name, Subject - User Id, Template Name, Valid To |
Endpoints | Client group, Description, MAC address, Private MAC, Source |
Network Access | Authentication Method, Connection Method, EAP Protocol, Network, SSID |
Meraki (Device) | Meraki-Ap-Name, Meraki-Ap-Tags, Meraki-Device-Name, Meraki-Network-Name |
Radius | Called-Station-Id, Calling-Station-Id, NAS-IP-Address, NAS-IPv6-Address, NAS-Identifier, NAS-Port, NAS-Port-Type, Service-Type, User-Name |
Operators
Most attributes are strings with the default string operators: [Starts with, Ends with, Contains]
Number type operators are: [Equals, Greater than, Greater than or Equal, Less than, Less than or Equal]
Some attributes offer specific, enumerated values to choose:
Attribute Source | Attribute | Values |
---|---|---|
Endpoints | Client Group | [Match all, Match any] |
Endpoints | Private MAC | [True, False] |
Endpoints | Source | [Discovered, Provisioned] |
Network Access | Authentication Method | [EAP, MAB] |
Network Access | Connection Method | [Wired, Wireless] |
Network Access | EAP Protocol | [EAP-TLS, EAP-TTLS] |
Network Access | Network | [choose one or more network names] |
Network Access | SSID | [choose one or more SSID names] |
RADIUS | NAS-Port-Type | [Ethernet, IEEE 802.11, Virtual] |
RADIUS | Service-Type | [Call Check, Framed, Login] |
Authorization
Each Access Rule allows you to customize the Access Permissions from the following choices:
Permission | Value |
---|---|
Deny Access | Default: RADIUS Access-Reject. No session. |
Allow Access | RADIUS Access-Accept: use the default access permissions on the device. |
Allow Restricted Access | Allow Access and override the device defaults with one or more of these: |
- VLAN ID/Name | VLAN number or name (dynamic VLAN assignment) |
- Voice Domain | Cisco Vendor-Specific Attribute to use the Voice VLAN Domain |
- Adaptive Policy | Apply this Adaptive Policy (TrustSec Security Group Tag) to this session |
- Identity PSK | Require this iPSK value for this endpoint session |
- Group Policy | Apply this Meraki Network Group Policy to this session |
Scale
Feature | Scale |
---|---|
Users | |
Maximum Identity Providers (IdPs) | 10 |
Maximum Users synced from Entra ID | 150,000 |
Maximum Groups | 100,000 |
Maximum Entra ID User Attributes | 15 |
Clients | |
Maximum Clients (MACs) | 500,000 |
Max client sessions per user | Not configurable |
Policy | |
Maximum Rule Groups | 1 |
Maximum Rules | 50 |
Certificates | |
Maximum Trusted Certificates | 10 |
Maximum CRLs | 10 |
Licensing
Cisco Access Manager (CAM) is not yet orderable in Cisco Commerce Workspace (CCW). It will be orderable upon General Availability (GA) in November 2025.
Cisco Access Manager (CAM) will have a separate license from all other Meraki products.
Cisco Access Manager license consumption is counted by the number of concurrent, active, client sessions. A session is active from the time when Access Manager receives a RADIUS Accounting Start until it receives an Accounting Stop for the session.
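For sizing, the Start-to-Stop definition above can be replayed over RADIUS accounting records to find the peak number of concurrent active sessions. This is an added example, not Cisco code: the event tuples are constructed sample data, and keying a session on Acct-Session-Id and ordering by timestamp are assumptions.

```python
from datetime import datetime

# Constructed sample events (not real data):
# (timestamp, Acct-Status-Type, Acct-Session-Id)
EVENTS = [
    ("2025-01-06T08:00:00", "Start", "s1"),
    ("2025-01-06T08:05:00", "Start", "s2"),
    ("2025-01-06T08:10:00", "Interim-Update", "s1"),
    ("2025-01-06T08:20:00", "Start", "s3"),
    ("2025-01-06T08:20:00", "Start", "s3"),  # retransmitted Start
    ("2025-01-06T08:30:00", "Stop", "s2"),
    ("2025-01-06T08:40:00", "Stop", "s9"),   # Stop for a session never started
    ("2025-01-06T08:45:00", "Start", "s4"),
    ("2025-01-06T09:00:00", "Stop", "s1"),
]


def concurrent_sessions(events):
    """Replay accounting events in time order.

    Returns (peak_count, time_of_peak, session_ids_still_active).
    """
    active = set()
    peak, peak_time = 0, None
    # sorted() is stable, so events sharing a timestamp keep their input order.
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, status, session_id in ordered:
        if status == "Start":
            # A set means a retransmitted Start is not counted twice.
            active.add(session_id)
        elif status == "Stop":
            # A Stop for an unknown session changes nothing.
            active.discard(session_id)
        # Interim-Update neither opens nor closes a session.
        if len(active) > peak:
            peak, peak_time = len(active), ts
    # Sessions with no Stop remain active in this model, matching the
    # Start-until-Stop definition; any ageing-out behaviour is not modelled.
    return peak, peak_time, sorted(active)


if __name__ == "__main__":
    peak, when, leftover = concurrent_sessions(EVENTS)
    print(f"peak concurrent sessions: {peak} at {when}")
    print(f"sessions without a Stop: {leftover}")
```

Sessions listed as still active are worth reviewing, because under this definition a missing Accounting Stop keeps a session counted.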