Meraki

Community

Access Manager Configuration EAP-TLS

thoffmann_ECKD
Conversationalist
a month ago
a month ago

Access Manager Configuration EAP-TLS

Hi folks,

 

we want to use the Access Manager for a customer deployment for local 802.1X Authentication.

 

We have hybrid Win 11 notebooks with Microsoft Cloud PKI over intune. We deliver computer certificates to the clients. Now we want to authenticate with this certificate against the access Manager. 

 

We build a policy that says if in the cert ist XXX than allow access. We do not want to lookup to Entra ID, we only want to get access for client with certificate present in the first step.

 

If we deploy the config to the switch, we see in the log that the field with the computername is extracted from the local cert. But than the Access Manager throws an error:

 

 

Session Id

bf302f75-ee18-4c48-9731-6aa6ea894261

Time

Mar 21 06:57:38

Status

Failed

Failure/ Rejection info

Reason

There was an internal server error occured in authentication flow.

Suggested action

Please verify configurations and retry. We are taking a look. Please report if this issue is not fixed.

User

Username

host/XXX-19291600753

 

Has anyone the same issue?

 

Notice:

If we use MAB Auth the Access Manager works as well.

Labels:
0 Kudos
5 Replies 5
thomasthomsen
Kind of a big deal
a month ago
a month ago

Not on topic, but I think a new Techincal forum should be created just for Access Manager.

Mloraditch
Kind of a big deal
a month ago
a month ago

At the moment very few orgs have access to AM as it’s an early preview and not even rolled out fully to the Early Access page.

You may need to contact support to get an answer. If you do please share the resolution.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
thoffmann_ECKD
Conversationalist
4 weeks ago
4 weeks ago

Hi Guys,

 

after i started the conversation here, the log from the access manager changed. Now it seems that the authetication works for me. ihave also opened a ticket but there was no answer yet. Since i got a answer, i will post ist here.

 

Thanks

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
4 weeks ago
4 weeks ago

I don't have access to Access Manager yet ...

 

Try configuring the Windows 802.1x policy to only do user authentication (then it won't present computer certificates), and delivering user certificates to the users.

0 Kudos
ShaunB93
Here to help
a week ago
a week ago

Not exactly the same but similar enough. I ran into the same error when using 802.1x EAP-TLS with an Intune Cloud PKI issued user (not device) certificate.

My error below:

 

Failure/ Rejection info:

 

Reason

There was an internal server error occurred in authentication flow.

Suggested action

Please verify configurations and retry. We are taking a look. Please report if this issue is not fixed.

In my case, the Subject Common Name of the certificate was using the email address of the Entra ID user and Access Manager was set to use Subject Common Name as the user identity attribute. 

 

After verifying my Access Manager and endpoint configuration against the documentation:

Access Manager Certificate Based Authentication - EAP-TLS with Entra ID Lookup - Cisco Meraki Docume...
Access Manager - EAP-TLS Client Configuration (Windows, macOS and iOS) - Cisco Meraki Documentation

 

I could not determine the cause of the error.


I raised a support case and the engineer suggested that because the Access Manager user identity is an email address which is also used by a Meraki Dashboard SAML administrator, that there is a potential issue/conflict here, wording from support below:

 

"I have analysed backend logs from this organization and could not see any issues or errors being reported about the Access Manager process.

 

However, the account that is used to authenticate, is also a SAML administrator in Dashboard. Since SAML administrator account email cannot be used for a Client VPN or Meraki Cloud Authentication (RADIUS) user accounts, we might be running into the same issue here."

I was able to resolve this in my case by changing the Subject Common Name on my user certificate to OnPremisesSamAccountName, authentications with this configuration are working as expected. 

As this was only a PoC/testing for me, I have not tested my original configuration (Subject Common Name using Entra ID user's email address) with a user who is not a Meraki Dashboard SAML admin. 

0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.