Cisco Meraki
Integrate Cisco Meraki wireless networks with IronWifi's cloud-based RADIUS authentication and external captive portal. This guide covers RADIUS server configuration, splash page setup, walled garden configuration, and WPA-Enterprise options for secure guest and employee WiFi access.
Prerequisites
In Meraki Dashboard:
- Administrator access to your Meraki organization
- At least one MR access point online and managed
In IronWifi Console (complete these first):
- Create a Network and note these RADIUS details:
  - Primary and backup server IP addresses
  - Authentication port (default: 1812)
  - Accounting port (default: 1813)
  - Shared secret
- Create a Captive Portal with vendor set to Cisco Meraki and note the Splash Page URL
Configuration Steps
Sign in to Meraki Dashboard and select your network.
Step 1: Create or Select SSID
- Navigate to Wireless → Configure → SSIDs
- Enable an SSID slot and give it a name (e.g., "Guest WiFi")
- Click Edit Settings to configure
Step 2: Configure Access Control
Navigate to Wireless → Configure → Access control, then select your SSID.
Security Settings
| Setting | Value | Notes |
|---|---|---|
| Association requirements | Open (no encryption) | For captive portal |
| Splash page | Sign-on with my RADIUS server | External captive portal |
For WPA2-secured guest networks, you can use "WPA2-Enterprise" association with "Sign-on with my RADIUS server" splash page.
RADIUS Authentication Servers
Under RADIUS for splash page, click Add server:
Primary Server:
| Field | Value |
|---|---|
| Host | {Primary IP from IronWifi} |
| Port | {Auth port, typically 1812} |
| Secret | {Shared secret from IronWifi} |
Secondary Server:
| Field | Value |
|---|---|
| Host | {Backup IP from IronWifi} |
| Port | {Auth port, typically 1812} |
| Secret | {Shared secret from IronWifi} |
RADIUS Settings:
| Setting | Recommended Value |
|---|---|
| Failover policy | Deny access |
| Load balancing policy | Strict priority order |
| Network access control (NAC) | Disabled |
| CoA support | Enabled |
Step 3: Configure RADIUS Accounting
RADIUS Accounting may need to be enabled by Meraki support. If you don't see accounting options, contact Meraki support to enable this feature for your organization.
Enable RADIUS accounting and add servers:
Primary Accounting Server:
| Field | Value |
|---|---|
| Host | {Primary IP from IronWifi} |
| Port | {Acct port, typically 1813} |
| Secret | {Shared secret from IronWifi} |
Secondary Accounting Server:
| Field | Value |
|---|---|
| Host | {Backup IP from IronWifi} |
| Port | {Acct port, typically 1813} |
| Secret | {Shared secret from IronWifi} |
Step 4: Configure Walled Garden
The walled garden allows unauthenticated users to reach specific domains (needed for the splash page and authentication providers to work).
Under Walled garden, toggle to Enabled and add entries.
Required Entry
Always add the IronWifi server:
107.178.250.42/32
Additional Entries by Authentication Provider
Only add entries for authentication methods you've enabled in your IronWifi captive portal:
| Provider | Required Walled Garden Entries |
|---|---|
| Google | *.google.com, *.googleapis.com, *.gstatic.com, accounts.google.com |
| Facebook | *.facebook.com, *.fbcdn.net, connect.facebook.net, facebook.com |
| LinkedIn | *.linkedin.com, *.licdn.com, linkedin.com |
| Twitter/X | *.twitter.com, *.twimg.com, twitter.com, *.x.com, x.com |
| Apple | *.apple.com, *.icloud.com, appleid.apple.com |
| Microsoft/Azure AD | *.microsoft.com, *.microsoftonline.com, *.msftauth.net, *.msauth.net, login.microsoftonline.com |
| Stripe | *.stripe.com, js.stripe.com |
| PayPal | *.paypal.com, *.paypalobjects.com |
| Twilio (SMS) | *.twilio.com |
Avoid overly broad entries like *.* as this allows users to bypass authentication entirely.
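A walled garden list can be checked before it is pasted into the dashboard. The following is an added example, not IronWifi or Meraki code: it flags entries that would let unauthenticated clients reach everything and confirms the required IronWifi entry is present. The /24 review threshold and the sample lists are assumptions made for illustration.

```python
import ipaddress

# Required entry taken from this guide; thresholds and samples are illustrative.
REQUIRED_ENTRY = "107.178.250.42/32"
MIN_PREFIX_V4 = 24  # assumption: IPv4 ranges wider than a /24 deserve a review

# Constructed sample lists, not exported from a real network.
GOOD = ["107.178.250.42/32", "*.google.com", "accounts.google.com"]
BAD = ["*.*", "*.com", "10.0.0.0/8", "*.stripe.com"]


def classify(entry):
    """Return (kind, finding) for one entry; finding is None when it looks fine."""
    entry = entry.strip().lower()
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if net.prefixlen == 0:
            return "cidr", "matches every address; authentication is bypassed"
        if net.version == 4 and net.prefixlen < MIN_PREFIX_V4:
            return "cidr", f"/{net.prefixlen} is wider than /{MIN_PREFIX_V4}"
        return "cidr", None
    labels = entry.split(".")
    if not entry or any(label == "" for label in labels):
        return "domain", "malformed entry"
    if all(label == "*" for label in labels):
        return "domain", "matches every hostname; authentication is bypassed"
    if "*" in "".join(labels[1:]):
        return "domain", "wildcard is only expected as the leftmost label"
    # Label count only; multi-label public suffixes (e.g. *.co.uk) are not caught.
    if labels[0] == "*" and len(labels) < 3:
        return "domain", "wildcard covers an entire top-level domain"
    return "domain", None


def audit(entries):
    """Return (entry, finding) pairs for every problem in a walled garden list."""
    problems, cidrs = [], set()
    for raw in entries:
        kind, finding = classify(raw)
        if finding:
            problems.append((raw, finding))
        elif kind == "cidr":
            cidrs.add(str(ipaddress.ip_network(raw.strip(), strict=False)))
    if REQUIRED_ENTRY not in cidrs:
        problems.append((REQUIRED_ENTRY, "required IronWifi entry is missing"))
    return problems
```

An empty result from `audit()` means no entry was flagged; each flagged entry is returned with the reason.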
Step 5: Configure Splash Page
- Navigate to Wireless → Configure → Splash page
- Select your SSID from the dropdown
- Configure:
| Setting | Value |
|---|---|
| Custom splash URL | {Splash Page URL from IronWifi} |
| Splash page behavior | Block all access until sign-on is complete |
| Splash frequency | Every day |
Optional Settings:
| Setting | Recommended Value | Notes |
|---|---|---|
| Controller disconnection behavior | Open | Allows access if Meraki cloud unavailable |
| Splash timeout | 30 minutes | Time before requiring re-auth after page shown |
Step 6: Session and Bandwidth Settings (Optional)
These settings help manage network resources but are not required for captive portal functionality.
Navigate to Wireless → Configure → Firewall & traffic shaping, select your SSID.
Per-Client Bandwidth Limit
| Setting | Recommended | Notes |
|---|---|---|
| Limit download | 5-10 Mbps | Prevents single user from consuming all bandwidth |
| Limit upload | 2-5 Mbps | Adjust based on your needs |
IronWifi can also control bandwidth via RADIUS attributes, allowing different limits for different user groups.
Per-SSID Bandwidth Limit
Set overall SSID bandwidth to prevent guest network from impacting business operations.
Advanced Configurations
The following configurations are optional and depend on your specific requirements.
VLAN Assignment
Assign guest users to a dedicated VLAN:
- Navigate to Wireless → Configure → Access control
- Select your guest SSID
- Under Addressing and traffic:
  - Client IP assignment: Bridge mode or NAT mode
  - VLAN tagging: Specify guest VLAN ID
Dynamic VLAN Assignment:
IronWifi can assign VLANs dynamically via RADIUS:
- Configure VLANs in Meraki
- In IronWifi, configure user groups with VLAN assignments
- Enable RADIUS VLAN attributes in the network settings
Group Policies
Apply Meraki Group Policies based on user attributes:
- Navigate to Network-wide → Configure → Group policies
- Create policies (e.g., "Guest Basic", "Guest Premium")
- In IronWifi, configure RADIUS to return the Filter-Id attribute matching your policy name
Data-Carrier Detect
Controls session behavior when clients disconnect:
| Setting | Behavior |
|---|---|
| Enabled (default) | Session revoked when client disconnects; re-auth required |
| Disabled | Client can reconnect within session timeout without re-auth |
To disable:
- Navigate to Wireless → Configure → Access control
- Find Data-carrier detect option
- Disable for seamless roaming experience
MAC-Based Authentication
For devices without browsers (printers, IoT devices):
Option 1: Meraki Whitelist
- Navigate to Network-wide → Configure → Clients
- Find the device by MAC address
- Click the device and select Whitelist
Option 2: IronWifi MAC Authentication
- In IronWifi, enable MAC-based authentication on the Captive Portal
- Add device MAC addresses to authorized list
- Device will auto-authenticate on subsequent connections
Hotspot 2.0 / Passpoint
For seamless WiFi access without captive portal interaction, see the dedicated Cisco Meraki Passpoint Configuration guide.
Alternative: WPA2-Enterprise Without Captive Portal
If you need 802.1X authentication without a splash page (users authenticate with credentials directly in their device WiFi settings):
- Navigate to Wireless → Configure → Access control
- Select your SSID
- Set Association requirements to WPA2-Enterprise with my RADIUS server
- Set Splash page to None
- Add RADIUS servers as documented above
- In IronWifi, create user accounts under Users for each person who needs access
Testing and Verification
After completing the configuration steps above, verify everything works correctly.
Test RADIUS Connectivity
From Meraki Dashboard:
- Navigate to Wireless → Configure → Access control
- Click Test next to each RADIUS server
- Enter test username and password from IronWifi
- Verify "Success" response
Test Captive Portal Flow
- Connect a device to the guest SSID
- Open a browser and navigate to http://example.com
- Verify redirect to IronWifi splash page
- Complete authentication
- Verify internet access is granted
Verify in IronWifi Console
- Navigate to Reports → Authentications
- Look for recent authentication attempts
- Verify successful authentications show "Access-Accept"
Check Meraki Event Log
- Navigate to Network-wide → Monitor → Event log
- Filter by your SSID
- Look for:
  - "Splash page shown"
  - "RADIUS authentication successful"
  - "Client associated"
Troubleshooting
If testing reveals issues, use this section to diagnose and resolve common problems.
Splash Page Not Loading
| Symptom | Cause | Solution |
|---|---|---|
| Blank page | Missing walled garden entry | Add 107.178.250.42/32 to walled garden |
| SSL error | HTTPS intercept issue | Add splash domain to walled garden |
| Timeout | RADIUS unreachable | Verify RADIUS server settings |
| Wrong page | Incorrect splash URL | Check Custom Splash URL setting |
Verification steps:
- Check walled garden includes 107.178.250.42/32
- Verify Custom Splash URL is exact match from IronWifi
- Test direct access to splash URL in browser
- Check Meraki event log for redirect entries
RADIUS Authentication Failures
| Symptom | Cause | Solution |
|---|---|---|
| Timeout | Server unreachable | Check IP, port, firewall |
| Reject | Wrong credentials | Verify shared secret matches |
| No response | Accounting not enabled | Contact Meraki support |
Verification steps:
- Use Meraki's built-in RADIUS test
- Check IronWifi Console → Logs for attempts
- Verify shared secret matches exactly (case-sensitive)
- Confirm firewall allows UDP ports 1812, 1813
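Why the shared secret has to match character for character can be seen in the RADIUS packet format itself. This added example (not IronWifi or Meraki code) implements the RFC 2865 User-Password hiding and Response Authenticator calculations, assuming a PAP-style request; the secrets, password and request authenticator are constructed values.

```python
import hashlib
import struct

# Constructed values for illustration only.
AP_SECRET = b"Example-Secret"      # as typed into the access point's RADIUS entry
SERVER_SECRET = b"example-secret"  # same secret, different case, on the server
REQ_AUTH = bytes(range(16))        # fixed for reproducibility; random in practice


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side: reverse the hiding. A wrong secret gives garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def demo():
    """Return (password seen with matching secret, with mismatch, reply verifies)."""
    hidden = hide_password(b"guest-pass", AP_SECRET, REQ_AUTH)
    ok = unhide_password(hidden, AP_SECRET, REQ_AUTH)
    bad = unhide_password(hidden, SERVER_SECRET, REQ_AUTH)
    reply = response_authenticator(2, 1, b"", REQ_AUTH, SERVER_SECRET)  # 2 = Accept
    expected = response_authenticator(2, 1, b"", REQ_AUTH, AP_SECRET)
    return ok, bad, reply == expected
```

With mismatched secrets the server recovers a different password than the user typed, and any reply it sends fails the client's authenticator check, so neither side reports the mismatch directly.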
Users Stuck After Authentication
| Symptom | Cause | Solution |
|---|---|---|
| Redirected back to splash | Session not created | Enable RADIUS accounting |
| Can't reach internet | VLAN issue | Check VLAN configuration |
| Partial access | DNS issues | Add DNS servers to allowed list |
Verification steps:
- Check accounting is enabled and servers are configured
- Verify session exists in IronWifi Console → Sessions
- Test DNS resolution from client device
Social Login Not Working
| Symptom | Cause | Solution |
|---|---|---|
| OAuth page won't load | Missing walled garden | Add provider domains |
| Login fails | Credentials issue | Check OAuth app settings |
| Popup blocked | CNA browser limitation | Provide "Open in browser" option |
Verification steps:
- Add all required domains for the provider to walled garden
- Test in full browser (not CNA popup)
- Verify OAuth credentials in IronWifi
Session/Timeout Issues
| Symptom | Cause | Solution |
|---|---|---|
| Frequent re-auth | Short session timeout | Increase splash frequency |
| Session drops on roaming | Data-carrier detect | Disable data-carrier detect |
| Users disconnected | Idle timeout | Adjust in IronWifi |
Best Practices
Security
- Use unique RADIUS shared secrets per network
- Enable RADIUS accounting for session tracking
- Set appropriate session timeouts
- Use VLAN isolation for guest traffic
Performance
- Set reasonable per-client bandwidth limits
- Enable Cloud CDN for splash page assets
- Keep splash page design lightweight
- Use IronWifi's closest regional servers
User Experience
- Set splash frequency to reduce re-authentication
- Disable data-carrier detect for seamless roaming
- Offer multiple authentication options
- Test on both iOS and Android devices
Monitoring
- Review Meraki event logs regularly
- Monitor IronWifi authentication reports
- Set up alerts for authentication failures
- Track usage patterns for capacity planning
Quick Reference
Required Walled Garden (Copy/Paste)
107.178.250.42/32
Common Settings Summary
| Setting | Location | Value |
|---|---|---|
| Association | Access Control | Open |
| Splash page | Access Control | Sign-on with my RADIUS server |
| Splash URL | Splash page | From IronWifi Console |
| RADIUS Auth Port | Access Control | 1812 |
| RADIUS Acct Port | Access Control | 1813 |
| Walled Garden | Access Control | Enabled with IronWifi IP |
Meraki Dashboard Paths
| Configuration | Navigation Path |
|---|---|
| SSID Settings | Wireless → Configure → SSIDs |
| Access Control | Wireless → Configure → Access control |
| Splash Page | Wireless → Configure → Splash page |
| Hotspot 2.0 | Wireless → Configure → Hotspot 2.0 |
| Traffic Shaping | Wireless → Configure → Firewall & traffic shaping |
| Event Log | Network-wide → Monitor → Event log |
| Clients | Network-wide → Configure → Clients |