Trusted Access - EAP Failure on authentication to SSID

rhbirkelund
Kind of a big deal


Hey

I've been trying to lab a couple of things today, one of them being Wireless Trusted Access. Since Meraki now supports Entra ID integration, it's possible to use Entra as IdP for the Wireless Trusted Access.

After working through a combination of three deployment guides, I've finally gotten as far as getting the enrollment to work.

I am able to browse to portal.meraki.com with my Network ID, log in with Entra ID credentials and enroll my device for Trusted Access. Downloading and installing the profile for my iPhone works.

I am almost at the finish line; however, I've reached a block, and I have no idea what's causing it.

When I attempt to connect to my Trusted Access SSID, my client fails and the event log shows EAP Failure. No other details, no nothing. And for the life of me, I cannot understand what's not working.

[Screenshot: rhbirkelund_0-1764790752429.png]

It seems there is some trust that is missing, but I'm not sure where it is, since this should all be provisioned automagically by Systems Manager.

Organization -> Configure -> Certificates has the SCEP CA as a trusted anchor, but I'm not entirely sure that this is related.

 

Any ideas as to what I am missing?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
4 Replies
alemabrahao
Kind of a big deal

Meraki Trusted Access expects the certificate’s Subject Alternative Name to match the Entra ID UPN.
If your SCEP template issues certs with only a generic CN (e.g., “SCEP WiFi Certificate”), authentication fails.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
rhbirkelund
Kind of a big deal

The SCEP certificate issuing is not something I do as such, but Meraki SM does, upon enrollment. I log in with my Entra credentials to the SM portal, which creates a profile, including a SCEP certificate. Once enrollment is done, as far as I understand the documentation, Entra is out of the picture again.

From there on, it's the trust relationship between the Trusted Access profile and Meraki Cloud Authentication. 

alemabrahao
Kind of a big deal

Based on your screenshot, I understand that the certificate is being presented, but Meraki doesn't trust it.

Try uploading the root and intermediate CAs used by SM to SCEP.

rhbirkelund
Kind of a big deal

Yes, but that shouldn't be necessary, since it's Meraki itself that's the Root and Intermediate CA. I also don't see where I should upload this. The Certificate page is related to Access Manager. This is not Access Manager.
