Introduction
This guide describes the configuration steps to enable an external captive portal in the Cisco Meraki plataform.
The following guide was created using an Cisco wireless network with the following components:
- AP: Cisco Meraki MR18
Requirements
You need to have a Venue with at least one Network Device (AP) configured in order to broadcast the Wireless Network SSID.
Configuring the SSID
If you don't have a SSID, you need to setup one first.
To create a new SSID go to "Wireless > SSIDs", choose an unconfigured SSID, rename (e.g.: "CoffeeBean") and enable it:
Now you need to setup the SSID Access control and Splash page. The next steps explain each of them.
Configuring the Access Control
To configure the SSID Access Control, go to "Wireless > Access control", select the SSID previously created or your own SSID and apply the following settings:
Network Access
- Association requirements: Open (no encryption)
- Splash page: Sign-on with my RADIUS server
RADIUS Server
RADIUS Authentication
On "RADIUS for splash page", click in "Add a Server" and fill with the following info:
- Host: the primary RADIUS server host according to your environment/region.
- Port: 1812
- Secret: the provided RADIUS client secret.
Repeat the procedure and add a server for the secondary RADIUS server.
RADIUS Accounting
On "RADIUS accounting", select "RADIUS accounting is enabled".
On "RADIUS accounting servers", click in "Add a Server" and fill with the following info:
- Host: the primary RADIUS server host according to your environment/region.
- Port: 1813
- Secret: the provided RADIUS client secret.
Repeat the procedure and add a server for the secondary RADIUS server.
Important note: by default, the "RADIUS accounting" settings are not available in the Meraki account. You need to open a support case to request Meraki to enable this option. Just go to "Help > Cases", create a new case and usually within a day Meraki enables it.
You can also set "Captive portal strength" to "Block all access until sign-on is complete".
Walled Garden
Allow CoffeeBean Identity and Access Platform URLs and social network URLs by configuring the Walled Garden destinations.
On "Walled Garden", you need to enable it by choosing "Walled Garden is enabled" and fill the required domains on "Walled Garden ranges".
Add the entries according to Walled Garden for the Social Login URLs:
Important note: by default, the "Walled Garden ranges" do not accept domain names and wildcards. You need to open a support case to request Meraki to enable this option. Just go to "Help > Cases", create a new case and usually within a day Meraki enables it
Addressing and traffic
- Client IP assignment: NAT mode: Use Meraki DHCP
- Content filtering: Block adult content
Then save your changes.
Configuring the Splash Page
To configure the SSID Splash Page, go to "Wireless > Splash page", select the SSID previously created or your own SSID.
You need to define a "Custom splash URL":
- Or provide a URL where users will be redirected: the provided captive portal login URL.
On "Splash behavior", you can configure:
- Splash frequency: customize how often your users will see the splash page (e.g: Every hour).
- Where should users go after the splash page?: select "A different URL:" and fill the provided captive portal start URL.
Then save your changes.
SSID Availability
By default, the SSID is enabled on all APs.
If you want to limit on which APs the SSID is available, you can configure a Per-AP availability on "Wireless > SSID availability" by selecting which AP tags should be matched:
Customer Parameters
The summary of customer specific parameters is:
Basic Settings
- Or provide a URL where users will be redirected: the provided captive portal login URL.
- Where should users go after the splash page?: the provided captive portal start URL.
- Walled Garden ranges: get the list of hostnames you want to allow for unauthenticated users at our documentation.
- Radius Authentication:
- Host: the RADIUS server IP according to your environment/region.
- Port: the RADIUS server authentication port according to your environment/region.
- Secret: the provided shared secret.
- Radius Authentication:
- Host: the RADIUS server IP according to your environment/region.
- Port: the RADIUS server accounting port according to your environment/region.
- Secret: the provided shared secret.
.