Cisco Meraki
Revisions compared: both by Renato.neves (edit summary: RADIUS Server); 4 intermediate revisions by 2 users not shown.
Latest revision as of 23:35, 3 September 2021
The following guide was created using Cisco Meraki MR18 APs.
Configuring the SSID
If you don't have an SSID, you need to set one up first.
To create a new SSID, go to "Wireless > SSIDs", choose an unconfigured SSID, rename it (e.g. "CoffeeBean") and enable it:
Now you need to set up the SSID Access control and Splash page. The next steps explain each of them.
Configuring the Access Control
To configure the SSID Access Control, go to "Wireless > Access control", select the SSID previously created or your own SSID and apply the following settings:
Network Access
- Association requirements: Open (no encryption)
- Splash page: Sign-on with my RADIUS server
RADIUS Server
RADIUS Authentication
On "RADIUS for splash page", click "Add a Server" and fill in the following:
- Host: the primary RADIUS server host according to your environment/region
- Port: 1812
- Secret: the provided RADIUS client secret
Repeat the procedure and add a server for the secondary RADIUS server.
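One way to confirm that the host, port 1812 and secret entered above are correct (an added example, not part of the original guide and not Meraki or CoffeeBean code): it sends a single RFC 2865 Access-Request and verifies the reply's Response Authenticator with the shared secret. The host name, test account and secret are placeholders, and it assumes the RADIUS server accepts requests from the machine running it.

```python
import hashlib, hmac, os, socket, struct

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: MD5(secret + previous block) XOR plaintext."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, secret, ident, req_auth) -> bytes:
    # Attributes: User-Name (1), User-Password (2), Message-Authenticator (80, last).
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, req_auth))
             + attr(80, bytes(16)))
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs
    # Message-Authenticator = HMAC-MD5 over the packet with that field zeroed.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def response_is_authentic(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(code+id+length + req_auth + attrs + secret)."""
    if len(resp) < 20:
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    if not 20 <= length <= len(resp):
        return False
    resp = resp[:length]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def probe(host, user, password, secret, port=1812, timeout=3.0) -> str:
    """Send one Access-Request and classify what comes back."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(user, password, secret, ident, req_auth), (host, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply (unreachable, unknown client, or request dropped)"
    if not response_is_authentic(resp, req_auth, secret) or resp[1] != ident:
        return "reply failed authenticator check (secret mismatch)"
    return {2: "Access-Accept", 3: "Access-Reject"}.get(resp[0], f"code {resp[0]}")

if __name__ == "__main__":
    # Placeholders: substitute the host, secret and test account you were given.
    print(probe("radius.example.invalid", b"test-user", b"test-pass", b"REPLACE-ME"))
```

An Access-Reject that passes the authenticator check still confirms the host, port and secret; only the test credentials were refused.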
RADIUS Accounting
On "RADIUS accounting", select "RADIUS accounting is enabled".
On "RADIUS accounting servers", click "Add a Server" and fill in the following:
- Host: the primary RADIUS server host according to your environment/region
- Port: 1813
- Secret: the provided RADIUS client secret
Repeat the procedure and add a server for the secondary RADIUS server.
Important note: by default, the "RADIUS accounting" settings are not available in the Meraki account. You need to open a support case asking Meraki to enable this option. Go to "Help > Cases" and create a new case; Meraki usually enables it within a day.
You can also set "Captive portal strength" to "Block all access until sign-on is complete".
Walled Garden
Allow CoffeeBean Identity and Access Platform URLs and social network URLs by configuring the Walled garden destinations.
On "Walled garden", enable it by choosing "Walled garden is enabled" and fill in the required domains under "Walled garden ranges".
Add the entries according to Walled Garden for the Social Login URLs:
Important note: by default, the "Walled garden ranges" do not accept domain names and wildcards. You need to open a support case asking Meraki to enable this option. Go to "Help > Cases" and create a new case; Meraki usually enables it within a day.
Addressing and traffic
- Client IP assignment: NAT mode: Use Meraki DHCP
- Content filtering: Block adult content
Then save your changes.
Configuring the Splash Page
To configure the SSID Splash Page, go to "Wireless > Splash page", select the SSID previously created or your own SSID.
You need to define a "Custom splash URL":
- Or provide a URL where users will be redirected: the provided captive portal login URL
On "Splash behavior", you can configure:
- Splash frequency: customize how often your users will see the splash page (e.g. Every hour).
- Where should users go after the splash page?: select "A different URL:" and fill the provided captive portal start URL
Then save your changes.
SSID Availability
By default, the SSID is enabled on all APs.
If you want to limit which APs the SSID is available on, you can configure per-AP availability on "Wireless > SSID availability" by selecting which AP tags should be matched:
Then save your changes.