Access Manager Datasheet
Overview
Access Manager is a cloud-delivered access control service that offers a powerful, scalable, and flexible way to ensure only authorized users and endpoints can access your resources—without the need for an external RADIUS server. It enables IT teams to effortlessly enforce and monitor network access for users and endpoints based on user identity, endpoint identity, network context, and identity and security context from external integrations like Microsoft Entra ID (Azure AD) and others.
Note: Access Manager is currently in early access preview and will be rolled out to customer organizations in phases. During this period, there will be no licensing enforcement (free trial for all organizations). Licensing details for general availability will be shared soon.
Once it is available in your organization, you can participate in a free trial by opting in to Access Manager on the early access page (Organization > Early Access).
Benefits
Access Manager provides several key advantages:
- Simplified management from one dashboard, reducing fragmented management and troubleshooting efforts.
- Reduced overhead by eliminating the need for external RADIUS servers, VPN tunnels, load balancers, and other infrastructure.
- Built-in scalability and high availability to support a growing number of users and endpoints.
- Automatic updates that ensure the latest features and patches are applied without user intervention.
- Zero trust adoption made easier and faster with seamless integration of micro-segmentation policies to restrict ransomware propagation.
- Immediate ability to apply conventional access controls, such as VLANs and ACLs, without configuring additional integrations.
- Seamless third-party cloud integrations to apply additional context-based authorization (e.g., Entra ID).
Architecture and key use cases
Architecture
The three major components in Access Manager's flow are network devices, external identity and security integrations, and cloud-delivered Access Manager services. Here’s how they work together:
- Network devices, such as switches and access points, are configured to use Access Manager as their authentication server.
- Authentication requests from endpoints are forwarded to Access Manager services in the cloud.
  - These requests travel through an existing lightweight AES256 tunnel.
- After successful authentication, the session is evaluated against administrator-configured rules in Access Manager.
  - Authentication methods include:
    - Certificate-based (EAP-TLS)
    - Username and password (EAP-TTLS)
    - MAC address (MAB)
  - Rules determine the session’s outcome.
- If a session matches any rule, the system applies the corresponding authorization.
  - Conditions are based on:
    - User identity
    - Endpoint details
    - External integration context
    - Network context, such as SSIDs or networks
  - Authorization options include:
    - Security Group Tag (SGT)
    - VLAN
    - Group Policy
    - Voice Domain
  - The authorization is sent back to the network devices.
- Endpoints connect to the network based on the assigned authorization.
Use cases
Some of the key use cases for Access Manager are:
Use Case | Authentication and authorization |
---|---|
Securing managed endpoints with certificate-based authentication | Certificate-based authentication (EAP-TLS) with Entra ID user lookup. |
Securing managed endpoints with username/password authentication | Username and password-based authentication (EAP-TTLS/PAP) with Entra ID user lookup. |
Securing IoT, OT, and other endpoints that do not support 802.1X | MAC Authentication Bypass (MAB) and/or iPSK. |
Feature breakdown
Feature | Details |
---|---|
Authentication methods | The following authentication methods are currently supported: |
Authorization options | The following authorizations can be applied to sessions that are successfully authenticated: |
Authentication fallback | If network devices lose connectivity to Access Manager services in the cloud, existing sessions are not affected. For new connections, the following authentication fallback options are available: Please note that, in this scenario, new connections are not evaluated against the configured rules. |
Certificate Authority (CA) integration | External Certificate Authority (PKI) support with Certificate Revocation List (CRL) check. |
Attributes available for condition matching | Access Manager rules consist of matching criteria and the authorization applied to a matching session. The following attributes can be included in the matching criteria: |
Hardware Compatibility
The following switches and access points can use Access Manager as the authentication server:
Switches
Switch Models | Minimum Required Firmware |
---|---|
Cloud Managed Catalyst 9300 | CS17.1 |
MS390 | CS17.1 |
MS1XX, MS2XX and MS3XX | MS16 |
Access Points
Access Points Family | Access Points Models | Minimum Required Firmware |
---|---|---|
Meraki MR Wi-Fi 5 Wave 2 (802.11ac Wave 2) | MR20, MR30H, MR33, MR42, MR42E, MR52, MR53, MR53E, MR70, MR74, MR84 | MR30.6 (for Extended Local Auth, MR30.7) |
Meraki MR Wi-Fi 6 (802.11ax) | MR28, MR36, MR36H, MR44, MR45, MR46, MR46E, MR55, MR56, MR76, MR78, MR86 | MR30.6 (for Extended Local Auth, MR30.7) |
Meraki MR and Catalyst Wi-Fi 6E (802.11ax) | MR57, CW91XX | MR30.6 (for Extended Local Auth, MR30.7) |
Wi-Fi 7 (802.11be) | CW91XX | MR30.6 (for Extended Local Auth, MR30.7) |