Configure Cisco Meraki to Interoperate with Okta via RADIUS using EAP-TTLS


This is an Early AccessEarly Access (EA) features are opt-in features that you can try out in your org by asking Okta Support to enable them. Additionally, the Features page in the Okta Admin Console (Settings > Features) allows Super Admins to enable and disable some EA features themselves. feature. To enable it, contact Okta Support.

This guide details how to configure Cisco Meraki wireless access points to use the Okta RADIUS Server AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. and EAP-TTLS.. The following network diagram shows the flow between Meraki and several endpoints using Okta.

Important Note


Contact Okta Support to have EAP-TTLS support enabled for your Okta orgThe Okta container that represents a real-world organization..

This guide was verified against:

  • Okta RADIUS agent 2.10.0.
  • Cisco Meraki MR16, Firmware version 25.13


Cisco Meraki to Okta tenant process flow diagram.
Process Flow

The data flow has the following steps:

  1. A supplicant (Mobile Device/Laptop/Desktop) tries to associate with the Meraki Access Point (AP).
  2. The Meraki AP contacts the Okta RADIUS agent with the user's identity
  3. The Okta RADIUS agent requests the start of the EAP-TTLS conversation, which is forwarded to the supplicant
  4. A TLS channel is established between the supplicant and the Okta RADIUS agent.
    Within the tunnel, the supplicant sends the configured username and password to the Okta RADIUS agent.
  5. The Okta RADIUS agent sends authentication information to the Okta tenant.
  6. The Okta tenant sends the authentication response back to the Okta RADIUS agent.
  7. The Okta RADIUS agent sends an Accept or Reject message to the Meraki AP.
  8. The Meraki AP accepts or rejects the terminal access request.