Access Manager and EAP-TLS

stu84773
Comes here often

Access Manager and EAP-TLS

I'm currently evaluating Meraki Access Manager for EAP-TLS certificate-based authentication, and I'm a bit unclear on the CA requirements.

Some earlier articles I've come across suggest that third-party or external CAs may not be required, implying that Meraki might handle certificate issuance internally. However, in the Access Manager interface, I only see an option to upload CA certificates, which seems to indicate we’d need to bring our own PKI.

Can someone clarify:
Do we need to use our own Certificate Authority (e.g., Microsoft CA, SecureW2, etc.) for EAP-TLS authentication with Access Manager, or is there a built-in Meraki CA that can issue and manage certificates for clients?

Thanks in advance.

7 Replies
alemabrahao
Kind of a big deal

No, Meraki Access Manager does not currently include a built-in Certificate Authority (CA) to issue client certificates.


Meraki does provide its own RADIUS server certificate (used by Access Manager and local RADIUS on MR) that you can download and install on client devices to ensure trust during the TLS handshake.


Access Manager - EAP-TLS Client Configuration (Windows, macOS and iOS) - Cisco Meraki Documentation


However, when you use Meraki MDM, you can use Meraki certificates.


https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_EAP-TLS_W...


I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Blue_Bird
Getting noticed
EdNunez
Comes here often

I am using a root certificate from one of our Windows domain controllers and I am getting this error. Any thoughts?


Failure/ Rejection info
Reason

The provided certificate is untrusted. This might be due to its signer being disabled, extra or duplicate certificates in the chain, or another untrusted reason.


Suggested action

Verify that the certificate chain does not contain duplicate or unnecessary certificates. Additionally, refer to the certificates page to ensure the signer is enabled and the chain is valid.
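The rejection text above points at the uploaded chain itself: duplicate or unnecessary certificates, or a signer that is not enabled. As an added example (not from this thread, and not Meraki's code), the following Python tool does the first part of that check offline: it splits a PEM bundle into certificates, fingerprints each one by the SHA-256 of its DER encoding, flags duplicates and any blob that is not a well-formed DER SEQUENCE, and emits a deduplicated bundle you can compare against what was uploaded. The sample bundle is constructed from placeholder DER SEQUENCE wrappers, not real certificates, and all function names here are my own.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block and captures its base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_body: str) -> bytes:
    """Decode the base64 body of one PEM block into DER bytes."""
    return base64.b64decode("".join(pem_body.split()))


def is_der_sequence(der: bytes) -> bool:
    """Sanity-check that the blob is a single DER SEQUENCE (tag 0x30) whose
    encoded length matches the blob size; an X.509 Certificate is a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def der_to_pem(der: bytes) -> str:
    """Re-wrap DER bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


def audit_chain(bundle: str) -> dict:
    """Report duplicate and malformed entries in a PEM bundle and return a
    deduplicated bundle in the original order of first appearance."""
    seen = {}          # fingerprint -> index of first occurrence
    duplicates = []    # (index, index_of_first_occurrence)
    malformed = []     # indexes of blobs that are not a DER SEQUENCE
    kept = []          # (fingerprint, der) in order
    bodies = PEM_RE.findall(bundle)
    for idx, body in enumerate(bodies):
        der = pem_to_der(body)
        if not is_der_sequence(der):
            malformed.append(idx)
            continue
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            duplicates.append((idx, seen[fp]))
            continue
        seen[fp] = idx
        kept.append((fp, der))
    return {
        "count": len(bodies),
        "unique": len(kept),
        "duplicates": duplicates,
        "malformed": malformed,
        "fingerprints": [fp for fp, _ in kept],
        "clean_pem": "".join(der_to_pem(der) for _, der in kept),
    }


def _fake_der(payload: bytes) -> bytes:
    """Constructed placeholder: a DER SEQUENCE wrapper around arbitrary bytes.
    Not a real certificate; only its outer framing is valid."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return b"\x30" + length + payload


# Constructed sample: root, issuing CA, the root again (duplicate), and a
# blob whose outer tag is SET (0x31) rather than SEQUENCE (malformed).
SAMPLE_BUNDLE = (
    der_to_pem(_fake_der(b"root-ca-placeholder " * 10))
    + der_to_pem(_fake_der(b"issuing-ca-placeholder " * 10))
    + der_to_pem(_fake_der(b"root-ca-placeholder " * 10))
    + der_to_pem(b"\x31\x03\x01\x02\x03")
)

if __name__ == "__main__":
    report = audit_chain(SAMPLE_BUNDLE)
    print(f"{report['count']} blocks, {report['unique']} unique")
    print("duplicates:", report["duplicates"], "malformed:", report["malformed"])
    print(report["clean_pem"])
```

Run it against the bundle you uploaded (for example a file exported from the Windows CA) instead of `SAMPLE_BUNDLE`; a non-empty `duplicates` or `malformed` list is the first thing to clear before looking at whether the signer is enabled on the certificates page.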

rhinkamper
Conversationalist

I am working through this myself as there is no documentation on how to do this with a Windows CA. But what I have come up with so far is:


  1. You have to setup user certificate auto enrollment.
  2. Take special note of how you manually configure the Wifi connection and configure your GPO accordingly. https://documentation.meraki.com/Access_Manager/Access_Manager_Configuration_Guides/Access_Manager_-...


I have gotten it to work with an endpoint certificate, and I am now working on the user part with Entra. 

PhilipDAth
Kind of a big deal

Meraki Access Manager does not include a CA.

However, Meraki Systems Manager does - and Meraki Access Manager can use those certificates.

https://documentation.meraki.com/SM/Profiles_and_Settings/Certificates_in_Meraki_Systems_Manager

https://documentation.meraki.com/SM/Profiles_and_Settings/Certificates_Payload_(Pushing_Certificates...


I've also set it up using Microsoft Intune CloudPKI.


You could use a Microsoft CA server in an AD environment and configure group policy to deploy certificates to machines/users.

NetworkCcie
Conversationalist

Take a look at this Access Manager + Cloud PKI guide


https://www.hypershift.com/blog/meraki-intune-cloud-pki

Edon
Here to help

Make sure you upload and *Enable* your CA, then have your client configured to use a cert issued by your CA, and create an access rule to match the CA [like common name].
