Access Manager Datasheet
Overview
Access Manager is a cloud-delivered access control service that offers a powerful, scalable, and flexible way to ensure that only authorized users and endpoints can access your resources, without the need for an external RADIUS server. Access Manager enables IT teams to enforce and monitor network access for users and endpoints based on user identity, endpoint identity, network context, and identity and security context from external integrations such as Microsoft Entra ID (Azure AD).
Note: Access Manager is currently in early access preview and will be rolled out to customer organizations in phases. During this period, there will be no licensing enforcement (free trial for all organizations). Licensing details for general availability will be shared soon.
Once it is available for your organization, you can participate in the free trial by opting in to Access Manager on the Early Access page (Organization > Early Access).
Benefits
Following are some of the benefits of Access Manager:
- Simplified management from one dashboard, reducing fragmented management and troubleshooting.
- Zero trust adoption made easier and faster through seamless integration with micro-segmentation policies to restrict ransomware propagation.
- Reduced overhead by eliminating the need for external RADIUS servers, VPN tunnels, load balancers etc.
- Immediate ability to apply conventional access controls like VLANs, ACLs etc. without having to configure additional integrations.
- Built-in scalability and high availability to support a growing number of users and endpoints.
- Seamless third-party cloud integrations to apply additional context-based authorization (e.g. Entra ID).
- Automatic updates ensuring the latest features and patches are applied without user intervention.
Architecture and key use cases
Architecture
The three major components in Access Manager's flow are the network devices, the external identity and security integrations, and the cloud-delivered Access Manager services.
- When network devices (switches, access points etc.) are configured to use Access Manager as their authentication server, authentication requests coming in from endpoints are forwarded to the Access Manager services in the cloud through the existing lightweight AES256 tunnel.
- After a successful authentication (certificate: EAP-TLS; username/password: EAP-TTLS; MAC address: MAB etc.), the session is evaluated against the rules configured by the administrator in Access Manager.
- If the session matches a rule whose conditions (based on user, endpoint, external integration context, or network context such as SSIDs and networks) are defined by the administrator, the corresponding authorization (SGT, VLAN, Group Policy, Voice Domain etc.) is applied and sent back to the network device.
- The endpoint is connected to the network according to the assigned authorization.
Use cases
Some of the key use cases for Access Manager are:
Use case: Securing endpoints that are managed by your organization
Authentication and authorization:
- Certificate-based authentication (EAP-TLS) with Entra ID user lookup to apply user-identity-based authorization. Apply authorization (SGT, VLAN, Group Policy etc.) based on Entra ID user group membership (HR, Finance etc.) and user attributes (City, State, Job title etc.).
- Username and password based authentication (EAP-TTLS/PAP) with Entra ID user lookup to apply user-identity-based authorization. As above, authorization (SGT, VLAN, Group Policy etc.) can be applied based on user group membership and user attributes from Entra ID.
Use case: Securing IoT, OT and other endpoints that do not support 802.1X
Authentication and authorization:
- MAC Authentication Bypass (MAB) and/or iPSK.
- Apply authorization (SGT, VLAN, Group Policy etc.) based on a specific MAC address, part of a MAC address, or endpoint groups containing many MAC addresses.
- Using iPSK, apply authorization (SGT, VLAN, Group Policy etc.) based on the unique pre-shared keys (PSKs) used by endpoints connecting to the network.
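The evaluation step in the flow above (an authenticated session matched against administrator-defined rules to produce an authorization such as a VLAN or SGT), worked through as an added example covering both use cases; this is illustrative code, not Access Manager's own, and the session fields, condition names, first-match ordering and AND semantics within a rule are assumptions:

```python
from collections import namedtuple

# Constructed session record (field names are illustrative assumptions, not
# Access Manager's schema); groups/attrs come from the Entra ID user lookup.
Session = namedtuple("Session", "auth_method mac ssid groups attrs",
                     defaults=("", frozenset(), {}))
# A rule: conditions (all must hold) and the authorization applied on a match.
Rule = namedtuple("Rule", "name conditions authorization")

def normalize_mac(mac):
    return mac.lower().replace(":", "").replace("-", "").replace(".", "")

# Supported condition types; "attr:<name>" compares an Entra ID user attribute.
CONDITION_CHECKS = {
    "auth_method": lambda s, v: s.auth_method == v,
    "ssid":        lambda s, v: s.ssid == v,
    "group":       lambda s, v: v in s.groups,
    "mac_prefix":  lambda s, v: normalize_mac(s.mac).startswith(normalize_mac(v)),
}

def matches(rule, session):
    for key, wanted in rule.conditions.items():
        if key.startswith("attr:"):
            ok = session.attrs.get(key[5:]) == wanted
        elif key in CONDITION_CHECKS:
            ok = CONDITION_CHECKS[key](session, wanted)
        else:
            raise ValueError(f"unknown condition {key!r}")  # fail closed on typos
        if not ok:
            return False
    return True

def authorize(rules, session, cloud_reachable=True):
    # First matching rule wins. None means no authorization from the rules,
    # including the fallback case where new sessions are not evaluated at all.
    if not cloud_reachable:
        return None
    for rule in rules:
        if matches(rule, session):
            return rule.authorization
    return None

# Constructed sample rules, in evaluation order.
RULES = [
    Rule("HR staff", {"auth_method": "EAP-TLS", "group": "HR"},
         {"vlan": 20, "sgt": 10, "group_policy": "HR"}),
    Rule("Finance in Austin", {"group": "Finance", "attr:city": "Austin"}, {"vlan": 30}),
    Rule("Badge readers", {"auth_method": "MAB", "mac_prefix": "00:1A:2B"},
         {"vlan": 100, "sgt": 50}),
]
```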
Feature breakdown
Feature | Details |
Authentication methods | Following are the currently supported authentication methods: |
Authorization options | Following authorizations can be applied to sessions that are successfully authenticated: |
Authentication fallback | If network devices lose connectivity to the Access Manager services in the cloud, existing sessions stay as they are; for new connections, the following authentication fallback options are available. Note that, in this scenario, new connections are not evaluated against the configured rules. |
Certificate Authority (CA) integration | External Certificate Authority (PKI) support with Certificate Revocation List (CRL) check |
Attributes available for condition matching | Access Manager rules consist of matching criteria and a corresponding authorization that is applied to the matching session. Following are the available attributes that can be included as part of the matching criteria: |
Hardware Compatibility
Following are the switches and access points that can use Access Manager as their authentication server:
Switches
Switch Models | Minimum Required Firmware |
Cloud Managed Catalyst 9300 | CS17.1 |
MS390 | CS17.1 |
MS1XX, MS2XX and MS3XX | MS16 |
Access Points
Access Point Family | Access Point Models | Minimum Required Firmware |
Meraki MR Wi-Fi 5 Wave 2 (802.11ac Wave 2) | MR20, MR30H, MR33, MR42, MR42E, MR52, MR53, MR53E, MR70, MR74, MR84 | MR30.6 (for Extended Local Auth, MR30.7) |
Meraki MR Wi-Fi 6 (802.11ax) | MR28, MR36, MR36H, MR44, MR45, MR46, MR46E, MR55, MR56, MR76, MR78, MR86 | MR30.6 (for Extended Local Auth, MR30.7) |
Meraki MR and Catalyst Wi-Fi 6E (802.11ax) | MR57, CW91XX | MR30.6 (for Extended Local Auth, MR30.7) |
Wi-Fi 7 (802.11be) | CW9176I/D1, CW9178I | MR30.6 (for Extended Local Auth, MR30.7) |