Access Manager - Case Sensitivity Issue with EAP-TLS and Entra ID

watdee

Meraki Access Manager appears to perform case-sensitive matching when resolving certificate identities to Entra ID users.
If your certificate SAN contains TestUser@domain.com and Meraki stores the UPN as testuser@domain.com, the match will fail, even though logically they are the same. According to Microsoft, UPNs are case-insensitive in Entra ID, so Meraki should be matching these.


It's not only with Entra; you can test with a rule like this:

Endpoint certificate: Subject - SAN - RFC822 [Contains] testuser@domain.com, and it will not match unless you type TestUser@domain.com, which is exactly what's on the certificate.


By the way, my setup consists of:

- Microsoft Cloud PKI with Intune SCEP profiles to issue user certificates (SAN includes RFC822 Name = UPN)
- Wi-Fi profile deployed via Intune with EAP-TLS and authentication mode set to user
- Meraki Access Manager configured with:
  - SSID set to Enterprise with Access Manager
  - Root CA uploaded and trusted
  - Identity field set to RFC822 Name
  - Access rules based on Entra ID group membership

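An added example, not part of the original post or of any Meraki or Microsoft code, showing the check a practitioner would run before rolling out this kind of setup: compare the RFC822 Name values that Intune/Cloud PKI will put in the SAN against the UPNs the directory holds, under three comparison rules. Byte-for-byte comparison is the behaviour described above; the RFC 5280 section 7.5 rule (mailbox local part case-sensitive, domain part case-insensitive) is what a strict X.509 implementation may apply; whole-string case-insensitive comparison is the Entra ID UPN semantics. Any SAN value reported as "case-only" is one that will fail a case-sensitive matcher even though it names the same account. The UPNs and SAN values in the block are constructed sample data, and the PEM helper is an optional extra that needs the `cryptography` package; the sample audit itself runs on the standard library alone.

```python
"""Audit certificate RFC822 SAN values against directory UPNs.

DIRECTORY_UPNS and CERT_SANS below are constructed sample data for
illustration, not values from a real tenant.
"""
from __future__ import annotations

from typing import Iterable


def casefold_upn(value: str) -> str:
    """Normalize a UPN/email the way a case-insensitive directory does."""
    return value.strip().casefold()


def match_exact(san_value: str, upn: str) -> bool:
    """Byte-for-byte comparison: the behaviour reported for Access Manager."""
    return san_value == upn


def match_rfc5280(san_value: str, upn: str) -> bool:
    """RFC 5280 section 7.5 mailbox comparison: local part case-sensitive,
    domain part case-insensitive. Values without an '@' never match."""
    try:
        san_local, san_domain = san_value.rsplit("@", 1)
        upn_local, upn_domain = upn.rsplit("@", 1)
    except ValueError:
        return False
    return san_local == upn_local and san_domain.casefold() == upn_domain.casefold()


def match_upn(san_value: str, upn: str) -> bool:
    """Entra ID semantics: the whole UPN is case-insensitive."""
    return casefold_upn(san_value) == casefold_upn(upn)


def audit(cert_sans: Iterable[str], directory_upns: Iterable[str]) -> dict[str, str]:
    """Classify each certificate SAN value against the directory.

    Returns a mapping SAN value -> one of:
      'ok'         exact match, works under any matcher
      'case-only'  same UPN under Entra ID rules, but fails a
                   case-sensitive matcher (the issue in the post)
      'unmatched'  no directory UPN corresponds to this value
    """
    upns = list(directory_upns)
    exact = set(upns)
    folded = {casefold_upn(u) for u in upns}
    result: dict[str, str] = {}
    for san in cert_sans:
        if san in exact:
            result[san] = "ok"
        elif casefold_upn(san) in folded:
            result[san] = "case-only"
        else:
            result[san] = "unmatched"
    return result


def rfc822_names_from_pem(pem: bytes) -> list[str]:
    """Pull RFC822 Name SAN entries from a PEM certificate, e.g. a user
    certificate exported from a device. Needs the 'cryptography' package,
    imported lazily so the rest of the module runs without it."""
    from cryptography import x509

    cert = x509.load_pem_x509_certificate(pem)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return san.value.get_values_for_type(x509.RFC822Name)


# Constructed sample data (not from a real tenant).
DIRECTORY_UPNS = ["testuser@domain.com", "jane.doe@domain.com"]
CERT_SANS = ["TestUser@domain.com", "jane.doe@DOMAIN.COM", "ghost@domain.com"]


if __name__ == "__main__":
    for san, verdict in audit(CERT_SANS, DIRECTORY_UPNS).items():
        print(f"{san:24} {verdict}")
```

Feed `audit()` the UPN list exported from Entra ID and the SAN values your SCEP profile will produce (or those pulled from issued certificates with `rfc822_names_from_pem`); anything reported as "case-only" is a user whose EAP-TLS authentication will fail under the case-sensitive behaviour described above.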
1 Reply
Mloraditch

Highly suggest you open a support case; as a feature in early access, this may be intended or may be a bug they haven't caught yet. Someone may notice here, but that will get something official documented.

If they eventually report back "as-designed" you can submit feedback: https://documentation.meraki.com/General_Administration/Other_Topics/Give_your_feedback_(previously_...

I have definitely seen this sort of issue before when integrating Windows-based systems with ones built on case-sensitive systems, and hopefully they can address it.
