Skip to main content
Cisco Meraki Documentation

Trusted Access for Secure Wireless Connectivity - Setup Guide


Meraki Trusted Access is a simple and secure way to join phones, tablets, and laptops to Meraki MR wireless networks using certificate-based 802.1x authentication without enrolling the device into an MDM platform like Meraki Systems Manager. Trusted Access eliminates the management overhead associated with building and maintaining an on-premise 802.1x EAP-TLS solution for wireless access with distributed Certificate Authority (CA) and RADIUS server environments.   

Trusted Access is currently supported on the following operating systems:

  • iOS/iPadOS 11+
  • macOS 10.13+
  • Android 10+ (beta using Hotspot 2.0/Passpoint)
  • Windows 10+ (beta app)

Follow this guide to setup Trusted Access in a Meraki network.  

Trusted Access Configuration Overview and Process Flow

Meraki MR network administrators create Trusted Access profiles in the Meraki Dashboard to define access to the wireless network. End users can then log into the Meraki Self-Service Portal using their available authentication credentials to download a configuration profile to their devices to join the SSID.

See the following diagram for a complete admin and user configuration process flow description.

Screen Shot 2019-11-18 at 9.55.38 AM.png


  • A network with a Meraki MR wireless access point.

  • A network with SM licenses in the same org as the MR. One SM license will be consumed for each Trusted Access device.

Step 1: Enable Authentication, SSP, and Trusted Access

  1. In the Meraki dashboard, navigate to Systems Manager > Configure > General
  2. Navigate to the User authentication settings section. Select your preferred end-user authentication method from the drop-down list provided.  To learn more about user authentication options check out this KB article.image10.png
  3. Navigate to the Self Service Portal settings section. Change the Self service Portal option to Enable SSP for this network.
    Screen Shot 2021-01-14 at 12.13.21 PM.png
  4. If you would like to allow all newly created users to automatically have access to the Self Service Portal, change the New User Access mode to Default grant.
  5. Take note of the Portal Link URL for your network. End users will need to visit this URL to set up and manage their Trusted Access devices.
  6. Navigate to the Trusted Access settings section. 
  7. If you would like to allow all newly created users to automatically be enabled with rights to use Trusted Access, change the New User Access mode to Default grant. 
  8. Set a Default device limit to limit the number of devices a user may register with Trusted Access.  The max limit is 10 devices.

Note: The Trusted Access usage permission and device limit can be manually overwritten on a per-user basis in the Systems Manager > Owners page for an individual user.

  1. In the bottom right corner of the page, click Save to confirm your changes.

Step 2: Create and Configure a Trusted Access SSID

  1. In your MR wireless network dashboard, navigate to Wireless > Configure > SSIDs.
  2. Choose an SSID to be used for Trusted Access. Click edit settings to take you to the SSID's Access control page. Screen Shot 2019-10-18 at 4.37.58 PM.png
  3. Under the Security section, select Enterprise with Meraki Cloud Authentication on the Access Control page. This is the required form of authentication for Trusted Access.
  4. Click the Add config button under SM Trusted Access to open the configuration modal.
  5. Set the Name of the configuration profile. This name will be visible to end users when configuring Trusted Access on their devices.  
  6. Choose the Systems Manager network you want users to use to register their devices when using this configuration. 
  7. Select an Access period type. 

    Static configurations require a start and end date. An end user may download a static configuration anytime, but access to the wireless network will be limited to the period between the defined dates. 

    Dynamic configurations require a defined period. End users may download a dynamic configuration to access the wireless network for the time specified in the access period. The period begins when the Trusted Acc s profile is downloaded and activated on the device.
  8. Choose a scope of tags to determine which users should have access to this configuration. For more information on how to use tags effectively, check out this KB article.  
  9. Click Add to close the configuration modal. Your new configuration will appear in the Tru ed Access configurations list, as seen in the example below:
  10. Navigate to the Splash page section and ensure it is set to None (direct access):clipboard_e9f78be72bc76d6e324dde0e28a2b6f99.png
  11. In the bottom right corner of the page, click Save to confirm your changes.

Note: To use Trusted Access with Android Passpoint (beta), you must enable Hotspot 2.0 on the SSID.

  1. In the Meraki Dashboard, navigate to Wireless > Configure > Hotspot 2.0
  2. Select the SSID from the dropdown menu
  3. Enter an Operator name and Venue name
  4. Change the Venue Type to Unspecified
  5. Change the Network type to Private network
  6. Enter in the Domain list  
  7. Click Save Changes 

Note: End users will have a corresponding profile to install for Wi-Fi access (from for each Trusted Access SSID created on a MR network. This can lead to multiple profiles for users to download for access (one for each SSID). Administrators deploying the same SSID name across various MR networks and wishing to simplify the end user's experience may consider the option of a MR Wireless template. A Wireless network template allows a single profile for users to install for Wi-Fi access while still being able to authenticate into every SSID. 

Step 3: Provision Owner Access

Next, you will have to provide access to owners (users) on your network to use Trusted Access. This can be done in a couple of ways. 

Check out this Knowledgebase article for more information about Owners, including how to create new owners.

To provide access to existing owners in your Systems Manager network:

  1. Navigate to Systems Manager > Configure > Owners 
  2. Click on the owner's name to open the edit modal.
  3. Under the SSP Options section, enable the Self Service Portal and Trusted Access settings
  4. The owner will automatically inherit its Trusted Access device limit as configured in Step 1-6.  You may change the device limit as needed.  
  5. Click Apply changes to close the modal and save the owner configuration.

To provide access to multiple existing owners in your Systems Manager network in bulk

  1. Navigate to Systems Manager > Configure > Owners 
  2. Select the owners you would like to configure by enabling the checkmark in the first field. 
  3. Click the Edit button. From the menu, enable the Self Service Portal and Trusted Access options. Set a max device count, and click Apply optionsclipboard_ed55ac7b0beb14ba5965f585a57d1b6b8.png