Configure Cisco Meraki to Interoperate with Okta via RADIUS using EAP-TTLS


This is an Early Access feature. To enable it, contact Okta Support.

This guide details how to configure Cisco Meraki wireless access points to use the Okta RADIUS Server Agent and EAP-TTLS.. The following network diagram shows the flow between Meraki and several endpoints using Okta.

Important Note


Contact Okta Support to have EAP-TTLS support enabled for your Okta org.

This guide was verified against:

  • Okta RADIUS agent 2.10.0.
  • Cisco Meraki MR16, Firmware version 25.13


Cisco Meraki to Okta tenant process flow diagram.
Process Flow

The data flow has the following steps:

  1. A supplicant (Mobile Device/Laptop/Desktop) tries to associate with the Meraki Access Point (AP).
  2. The Meraki AP contacts the Okta RADIUS agent with the user's identity
  3. The Okta RADIUS agent requests the start of the EAP-TTLS conversation, which is forwarded to the supplicant
  4. A TLS channel is established between the supplicant and the Okta RADIUS agent.
    Within the tunnel, the supplicant sends the configured username and password to the Okta RADIUS agent.
  5. The Okta RADIUS agent sends authentication information to the Okta tenant.
  6. The Okta tenant sends the authentication response back to the Okta RADIUS agent.
  7. The Okta RADIUS agent sends an Accept or Reject message to the Meraki AP.
  8. The Meraki AP accepts or rejects the terminal access request.




This and similar integrations required either CA provided or self signed certificates.
Obtain client and server certificates from a known certificate authority such as DigiCert, Comodo SSL or other authorities.
Okta does not endorse any specific certificate authority.