Access Manager Datasheet

Overview

Access Manager is a cloud-delivered access control service that offers a powerful, scalable, and flexible way to ensure only authorized users and endpoints can access your resources—without the need for an external RADIUS server. It enables IT teams to effortlessly enforce and monitor network access for users and endpoints based on user identity, endpoint identity, network context, and identity and security context from external integrations like Microsoft Entra ID (Azure AD) and others.

Note: Access Manager is currently in early access preview and will be rolled out to customer organizations in phases. During this period, there will be no licensing enforcement (free trial for all organizations). Licensing details for general availability will be shared soon.

Once it is available in your organization, you can participate in a free trial by opting in to Access Manager on the early access page (Organization > Early Access).

Benefits

Access Manager provides several key advantages:

Simplified management from one dashboard, reducing fragmented management and troubleshooting efforts.
Reduced overhead by eliminating the need for external RADIUS servers, VPN tunnels, load balancers, and other infrastructure.
Built-in scalability and high availability to support a growing number of users and endpoints.
Automatic updates that ensure the latest features and patches are applied without user intervention.
Zero trust adoption made easier and faster with seamless integration of micro-segmentation policies to restrict ransomware propagation.
Immediate ability to apply conventional access controls, such as VLANs and ACLs, without configuring additional integrations.
Seamless third-party cloud integrations to apply additional context-based authorization (e.g., Entra ID).

Architecture and key use cases

Architecture

New - Architecture Full.png

The three major components in Access Manager's flow are network devices, external identity and security integrations, and cloud-delivered Access Manager services. Here’s how they work together:

Network devices, such as switches and access points, are configured to use Access Manager as their authentication server.
- Authentication requests from endpoints are forwarded to Access Manager services in the cloud.
- These requests travel through an existing lightweight AES256 tunnel.
After successful authentication, the session is evaluated against administrator-configured rules in Access Manager.
- Authentication methods include:
  - Certificate-based (EAP-TLS)
  - Username and password (EAP-TTLS)
  - MAC address (MAB)
- Rules determine the session’s outcome.
If a session matches any rule, the system applies the corresponding authorization.
- Conditions are based on:
  - User identity
  - Endpoint details
  - External integration context
  - Network context, such as SSIDs or networks
- Authorization options include:
  - Security Group Tag (SGT)
  - VLAN
  - Group Policy
  - Voice Domain
- The authorization is sent back to the network devices.
Endpoints connect to the network based on the assigned authorization.

Use cases

Some of the key use cases for Access Manager are:

Use Case	Authentication and authorization
Securing managed endpoints with certificate based authentication	Certificate-based authentication (EAP-TLS) with Entra ID user lookup. Apply authorization (e.g., Security Group Tag [SGT], VLAN, Group Policy) based on Entra ID user group membership and other user attributes like City, State, Job title and more
Securing managed endpoints with username/password authentication	Username and password-based authentication (EAP-TTLS/PAP) with Entra ID user lookup. Apply authorization (e.g., Security Group Tag [SGT], VLAN, Group Policy) based on Entra ID user group membership and other user attributes like City, State, Job title and more.
Securing non 802.1X supported IoT, OT etc. or other endpoints	MAC Authentication Bypass (MAB) and/or iPSK. Apply authorization based on specific or part of the MAC address or endpoint groups with many MAC addresses. For added layer of security, use iPSK along with MAB, to apply authorization (e.g., Security Group Tag [SGT], VLAN, Group Policy) based on unique pre-shared keys (iPSKs) used by endpoints connecting to the network.

Use Case

Authentication and authorization

Securing managed endpoints with certificate based authentication

Certificate-based authentication (EAP-TLS) with Entra ID user lookup.

Apply authorization (e.g., Security Group Tag [SGT], VLAN, Group Policy) based on Entra ID user group membership and other user attributes like City, State, Job title and more

Securing managed endpoints with username/password authentication

Username and password-based authentication (EAP-TTLS/PAP) with Entra ID user lookup.

Apply authorization (e.g., Security Group Tag [SGT], VLAN, Group Policy) based on Entra ID user group membership and other user attributes like City, State, Job title and more.

Securing non 802.1X supported IoT, OT etc. or other endpoints

MAC Authentication Bypass (MAB) and/or iPSK.

Apply authorization based on specific or part of the MAC address or endpoint groups with many MAC addresses.
For added layer of security, use iPSK along with MAB, to apply authorization (e.g., Security Group Tag [SGT], VLAN, Group Policy) based on unique pre-shared keys (iPSKs) used by endpoints connecting to the network.

Feature breakdown

Feature	Details
Authentication methods	Following authentication methods are the currently supported: Certificate-based authentication (EAP-TLS) with Entra ID user lookup. Username and password-based authentication (EAP-TTLS/PAP) with Entra ID user lookup. MAC Authentication Bypass (MAB). Unique pre-shared key-based authentication - iPSK (identity PSK).
Authorization options	Following authorizations can be applied to sessions that are successfully authenticated: Security Group Tag (SGT). VLAN ID/name. Group Policy. Voice Domain permission. Identity PSK (iPSK).
Authentication fallback	In the event of Network Devices losing connectivity to Access Manager services in the cloud, existing sessions will not be affected. For new connections, the following authentication fallback options are available: Wireless: Certificate authentication via RADIUS server on MR, RADIUS caching (future). Wired: Critical VLAN/Fail open, RADIUS caching. Please note that, in this scenario, the new connections will not be evaluated against the configured rules.
Certificate Authority (CA) integration	External Certificate Authority (PKI) support with Certificate Revocation List (CRL) check.
Attributes available for condition matching	Access Manager rules use matching criteria and corresponding authorization applied as a result of the matching session. Following are the available attributes that can be included as part of matching criteria: Certificate-based attributes (e.g., Issuer CN, SAN - RFC822). Identity Provider (IdP) attributes (e.g., user groups and user attributes like City, State). RADIUS attributes (e.g., Calling-Station-Id, Subscriber ID). Authentication methods (e.g., Wired and Wireless). Connection methods. Networks. SSIDs. Endpoint attributes (e.g., MAC address, Group).

Hardware Compatibility

Following are the switches and access point that can leverage Access Manager as the authentication server:

Switches

Switch Models	Minimum Required Firmware
Cloud Managed Catalyst 9300	CS17.1
MS390	CS17.1
MS1XX, MS2XX and MS3XX	MS16

Access Points

Access Points Family	Access Points Models	Minimum Required Firmware
Meraki MR Wi-Fi 5 Wave 2 (802.11ac Wave 2)	MR20, MR30H, MR33, MR42, MR42E, MR52, MR53, MR53E, MR70, MR74, MR84	MR30.6 (for Extended Local Auth, MR30.7)
Meraki MR Wi-Fi 6 (802.11ax)	MR28, MR36, MR36H, MR44, MR45, MR46, MR46E, MR55, MR56, MR76, MR78, MR86	MR30.6 (for Extended Local Auth, MR30.7)
Meraki MR and Catalyst Wi-Fi 6E (802.11ax)	MR57, CW91XX	MR30.6 (for Extended Local Auth, MR30.7)
Wi-Fi 7 (802.11be)	CW91XX	MR30.6 (for Extended Local Auth, MR30.7)