Cisco Meraki Documentation

Access Manager - Architecture And Example Use Cases

Overview

Access Manager uses cloud-delivered services native to the Cisco Meraki dashboard to ensure only authorized users and endpoints can gain access to the network, replacing the need for external RADIUS server integration.

Note: Access Manager is currently an early access feature that is being rolled out to organizations in phases. You will not require a license for the duration of the trial.

When Access Manager is available for your organization, you can join the free trial by choosing to opt-in on the Early Access page (Organization > Early Access). 

Licensing requirements for general availability will be confirmed soon.

 

Architecture 

There are three major components in the Access Manager architecture:

  • Network Devices
  • Identity and Security integrations
  • Cloud-delivered Access Manager services

Network Devices, such as switches and access points, provide network connectivity to endpoints. When an endpoint connects to an SSID or switch port that uses Access Manager as its authentication server, authentication requests are forwarded to the Cisco Meraki Cloud for policy evaluation.

Identity and Security Integrations are external services that provide identity, security, and behavior context for a user or an endpoint connecting to the network, such as Microsoft Entra ID. An administrator has the ability to include any identity or context information from these integrations as a part of matching criteria in the policy evaluation.

Cloud-delivered Access Manager Services make the policy decision based on the identity, context, and behavior-based rules configured by the organization administrator. For any session, if the context information provided by the Network Devices and the identity / security services matches these configured rules, access authorization is granted to the endpoint.

[Figure: Access Manager architecture (New-Architecture-Full.png)]

 

Use Case Examples  

There are many potential use cases for Access Manager, with support for both event driven identity and context-based authorization. Below we focus on two cases, securing managed and unmanaged endpoints:

Use Case: Securing endpoints managed by your organization
Authentication and authorization:
  • Certificate-based authentication (EAP-TLS) with Entra ID user lookup to apply authorization based on user identity. Access Policies (Adaptive Policy SGT, VLAN, Group Policy) can be authorized based on Entra ID user group membership, such as HR, Finance, or IT, and on user attributes such as City, State, or Job Title.
  • Username and password based authentication (EAP-TTLS/PAP) with Entra ID user lookup for identity-based authorization. As above, Access Policies (Adaptive Policy SGT, VLAN, Group Policy) can be authorized based on user group membership and user attributes from external identity and security sources such as Entra ID.

Use Case: Securing endpoints not managed by your organization (IoT, OT, or other endpoints that do not support 802.1X)
Authentication and authorization:
  • MAC Authentication Bypass (MAB) and/or Identity Pre-Shared Key (IPSK). Access Policies (Adaptive Policy SGT, VLAN, Group Policy) can be authorized based on a specific MAC address, part of a MAC address, or an endpoint group containing many MAC addresses.
  • With IPSK, the same Access Policies (Adaptive Policy SGT, VLAN, Group Policy) can additionally be authorized based on the unique pre-shared key (PSK) allocated to each endpoint, in combination with the MAC address or endpoint group criteria above.

Securing Managed Endpoints  - EAP-TLS Authentication with Entra ID Lookup

Traditional Pre-shared Key and username/password based authentication have become increasingly vulnerable to attacks. 

Certificate-based EAP-TLS authentication allows administrators to control network access for managed endpoints by forwarding authentication requests to the Cisco Meraki Cloud, where the Access Manager services authorize the session based on the configured rules.

For example, as shown below, an endpoint is attempting certificate-based authentication. The Cisco Meraki Cloud receives the authentication response and evaluates the session against the rules configured by the administrator. In this example, an administrator has configured a rule that matches against the Certificate Issuer CN and Entra ID’s user-group. Traffic from any session matching these conditions will receive a VLAN tag of 250 and a Security Group Tag (SGT) of 30.

[Figure: EAP-TLS authentication with Entra ID lookup (New - EAP-TLS.png)]

Securing Managed Endpoints - Username/Password Authentication Against Entra ID

While certificate based authentication is the most secure method, some organizations may not have their own Public Key Infrastructure (PKI), and so require an alternative authentication method such as username and password.

With username/password based authentication (EAP-TTLS/PAP) against Entra ID, you can control network access for managed endpoints without deploying PKI. When an endpoint connects to your Network Device (switch or access point), the user is prompted to enter a username and password (Entra ID credentials). Once entered, the authentication request is forwarded to the Cisco Meraki Cloud, and the Access Manager services within the cloud authenticate the endpoint against Entra ID. If authentication succeeds, the session is authorized and access is granted based on the configured rules.

For example, as shown below, an endpoint is authenticating using username and password. Cisco Meraki Cloud receives the authentication response and passes it to Entra ID. Once the authentication is successful, Access Manager will evaluate the session against the rules configured by the administrator. In this example, an administrator has configured a rule that matches against the Entra ID’s user-group. Traffic from any session matching this condition will receive a VLAN tag of 250 and an SGT of 30.

[Figure: EAP-TTLS/PAP authentication against Entra ID (TTLS Arch.png)]

 

Securing Non 802.1X Supported IoT, OT or Other Endpoints - MAC Authentication Bypass (MAB) 

Unmanaged endpoints, such as Internet of Things (IoT) and Operational Technology (OT) devices that do not support 802.1X are traditionally prone to security vulnerabilities, so it is essential to find a method to secure these devices.

Access Manager can be used to secure unmanaged endpoints using MAC Authentication Bypass (MAB).

For example, as shown below, a smart thermostat that does not support 802.1X is attempting to connect to the network. The Network Device requests the identity of the endpoint. As the endpoint does not support 802.1X, it does not respond, and the request times out. Any packet the endpoint then sends carries its MAC address in the source MAC field, and the Network Device uses that address as the endpoint's identity. This identity information is forwarded to the Cisco Meraki Cloud, which evaluates the session against the configured rules. If all defined conditions are matched, authorization is applied. In this example, traffic from any client matching the condition “part of Smart thermostats group” will receive a VLAN tag of 200 and an SGT of 20.

 

[Figure: MAC Authentication Bypass flow (New - MAB.png)]

Note: for an extra layer of security on top of MAB, you can assign an IPSK passphrase; when the passphrase matches, the corresponding authorization is applied to the session. Different VLAN tags or SGTs can then be applied to traffic depending on which PSK the endpoint uses.
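To make the rule evaluation behind these use cases concrete, the following is an added illustration in Python; it is not Meraki's code and Access Manager's real rule engine is not described on this page. A session carries the context the Network Device and the identity integrations supply, every condition in a rule must hold (AND), and the first matching rule's VLAN and SGT are applied; no match means the session is denied. The rule names, the issuer CN "Corp Issuing CA", the PSK name, the lab OUI, and the VLAN/SGT pairs other than the page's 250/30 and 200/20 are constructed, and first-match ordering is this model's assumption.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

@dataclass
class Session:
    """Context supplied by the network device and the identity integrations."""
    auth_method: str                         # "EAP-TLS", "EAP-TTLS/PAP", "MAB" or "IPSK"
    mac: str                                 # source MAC seen by the switch/AP
    cert_issuer_cn: Optional[str] = None     # client certificate issuer (EAP-TLS only)
    entra_groups: FrozenSet[str] = frozenset()      # Entra ID group membership
    endpoint_groups: FrozenSet[str] = frozenset()   # admin-defined MAC groups
    psk_name: Optional[str] = None           # which IPSK passphrase matched, if any

Condition = Callable[[Session], bool]

@dataclass
class Rule:
    name: str
    conditions: List[Condition]   # all conditions must match (AND)
    vlan: int
    sgt: int

def _norm(mac: str) -> str:
    return mac.lower().replace("-", ":")

def mac_prefix(prefix: str) -> Condition:
    """Match a whole MAC or just its leading bytes (e.g. the vendor OUI)."""
    return lambda s: _norm(s.mac).startswith(_norm(prefix))

def method_is(m: str) -> Condition: return lambda s: s.auth_method == m
def issuer_cn(cn: str) -> Condition: return lambda s: s.cert_issuer_cn == cn
def in_entra_group(g: str) -> Condition: return lambda s: g in s.entra_groups
def in_endpoint_group(g: str) -> Condition: return lambda s: g in s.endpoint_groups
def psk_is(name: str) -> Condition: return lambda s: s.psk_name == name

# Constructed rules mirroring the page's examples. Rule order is this model's
# assumption: the more specific IPSK rule sits above the plain MAB rule.
RULES = [
    Rule("EAP-TLS, corp issuer, HR", [method_is("EAP-TLS"), issuer_cn("Corp Issuing CA"),
                                      in_entra_group("HR")], vlan=250, sgt=30),
    Rule("EAP-TTLS/PAP, HR", [method_is("EAP-TTLS/PAP"), in_entra_group("HR")], vlan=250, sgt=30),
    Rule("Thermostats with IPSK", [psk_is("thermostat-psk"),
                                   in_endpoint_group("Smart thermostats")], vlan=210, sgt=21),
    Rule("Thermostats via MAB", [method_is("MAB"), in_endpoint_group("Smart thermostats")],
         vlan=200, sgt=20),
    Rule("Any device from lab OUI", [mac_prefix("00:11:22")], vlan=300, sgt=40),
]

def evaluate(session: Session, rules: List[Rule] = RULES) -> Optional[Tuple[str, int, int]]:
    """First rule whose conditions all hold wins; no match means access denied (None)."""
    for rule in rules:
        if all(cond(session) for cond in rule.conditions):
            return rule.name, rule.vlan, rule.sgt
    return None
```

Note that a certificate from an issuer other than the configured CN fails the EAP-TLS rule even when the Entra ID group matches, which is the point of combining both conditions.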
