Cisco Meraki Part Number: LIC-ACCSMGR-A is a Cisco Access Manager Advantage Subscription License - 1 month
The Cisco Meraki Access Manager is a cloud‑delivered access control service designed to provide a robust, flexible and scalable solution for ensuring that only authorised users and endpoints gain access to your network resources—without requiring an external RADIUS server. It empowers IT teams to enforce and monitor network access based on multiple contexts: user identity, endpoint posture, network context and external integrations such as Microsoft Entra ID.
Key Benefits
- Simplified management via a single dashboard, reducing fragmented tools and troubleshooting overhead.
- Elimination of traditional infrastructure burdens (e.g., external RADIUS servers, VPN tunnels, load‑balancers) and associated overhead.
- Built‑in scalability and high availability to seamlessly support growing numbers of users and endpoints.
- Automatic updates to ensure you’re always running the latest security features and patches.
- Accelerated zero‑trust deployment by enabling micro‑segmentation policies and restricting lateral movement of threats.
- Immediate support for conventional access controls (VLANs, ACLs) without extensive additional integrations.
- Deep integration with third‑party cloud identity and security services to apply contextual authorisations (for example via Entra ID).
Architecture & Use‑Cases
Architecture
The solution is built around three core components:
- Network devices such as switches and access‑points are configured to use Access Manager as the authentication server. Authentication inquiries are forwarded over an AES256‑tunnel to the cloud service.
- Cloud access control service evaluates the session using administrator‑defined rules that consider user identity, endpoint attributes, network context and external integration signals.
- Network enforcement delivers authorisations (like VLAN assignment, Group Policy, Security Group Tags, voice domain permissions) back to the network device, which then grants network access accordingly.
Key Use‑Cases
- Certificate‑based authentication (EAP‑TLS) with identity lookup in Entra ID to apply authorisation (for example based on job title, user group or location).
- Username/password (EAP‑TTLS/PAP) authentication with identity provider lookup and rich authorisation mapping.
- Securing devices not supporting 802.1X (IoT/OT endpoints) using MAC Authentication Bypass (MAB) and/or identity pre‑shared keys (iPSK), while still applying rich authorisation logic.
Feature Breakdown
Authentication Methods
- Certificate‑based (EAP‑TLS) with Entra ID user lookup.
- Username and password (EAP‑TTLS/PAP) with Entra ID user lookup.
- MAC Authentication Bypass (MAB).
- Identity Pre‑Shared Key (iPSK) for endpoints without native 802.1X support.
Authorisation Options
- Security Group Tag (SGT).
- VLAN ID or VLAN name assignment.
- Group Policy enforcement.
- Voice domain permissions.
- Identity PSK (iPSK) mapping.
Additional Capabilities
- Resilient fallback options: Existing sessions remain unaffected if connectivity to the cloud service is lost; new connections support fallback mechanisms such as local RADIUS or critical‑VLAN/fail‑open for wired scenarios.
- Support for external Certificate Authority (PKI) integration including Certificate Revocation List (CRL) checks.
- Granular matching criteria for policy rules including certificate attributes (Issuer CN, SAN), identity provider attributes (user groups, city/state, job title), RADIUS attributes, network and endpoint context (SSID, MAC address, device group).
Hardware Compatibility
The Access Manager service is compatible with a broad array of network devices, establishing a seamless path to modern access control:
- Switches: Supported models include Cloud Managed Catalyst (CS17.1, IOS XE 17.15.3), MS390 (CS17.1) and MS1XX/MS2XX/MS3XX/MS4XX families (minimum firmware MS17).
- Access Points: Supported families include Meraki MR Wi‑Fi 5 Wave 2 (e.g., MR20, MR33, MR42E...), Wi‑Fi 6 (MR28, MR36H, etc), and Wi‑Fi 6E/7 (e.g., MR57, CW91XX) units.
