Captive Portal Solution Guide

Overview
Providing guest WiFi access is a common requirement in many industries. Before opening up your network to the world, it's ideal to welcome the guest and present the terms of service, and in some cases it's an opportunity to interact with users in a dynamic and memorable way. In addition, an enrollment and authentication step may be required for security or premium-level access.
Solution Use Cases
- Customer Engagement
- Compliance with Terms of Service
- Social Analytics
- Business Workflow
- Bring Your Own Device (BYOD)
This document will guide you through the many options available with this technology and provide resources to dive deeper into each subject. It will also highlight the use cases for each option to help you deliver a great experience for all.
Built-in
The easiest way to set up a Captive Portal on your network is to use one of the many built-in options. Each option has its own set of use cases and capabilities.
Use Cases
Instant Captive Portal without the hassle of custom software or third-party services.
More Info
Splash Page Overview
Customizing the Splash page
Custom Splash Page Themes
Click-through

A click-through splash page displays a fully customizable HTML/CSS page to the wireless client the first time the client opens a web browser and makes an HTTP request. An administrator can use this splash page to display an acceptable use policy or network announcements. The client is only granted network access after clicking the “Continue” button on the splash page.
Use Cases
- Branding
- Terms of Service
More Info
Enabling Click-through splash-page
Sign-on

A sign-on splash page provides the functionality of the click-through splash page, but adds the ability to prompt the wireless client for a username and password. The client is only granted network access after entering a username and password that are validated against a backend authentication server (either a Meraki-hosted authentication server or a customer-hosted RADIUS, Active Directory or LDAP server).
The sign-on splash page may be hosted by the Meraki cloud or on an external web server. An administrator can configure whether new wireless clients are able to obtain network access when the sign-on splash page cannot be displayed or when the username/password credentials cannot be validated (i.e., the authentication server is unreachable). This setting is under the Configure tab on the Access Control page in the “Disconnection behavior” section.
The sign-on splash page can be configured to allow or disallow multiple simultaneous logins for a single set of user credentials.
The sign-on splash page is an authentication option that requires no client-side configuration. In addition, it is secured by SSL (HTTPS), so that usernames and passwords are sent to the Meraki cloud confidentially. However, when enabled, it requires clients to remember usernames and passwords, which they will need to enter periodically. As with the click-through splash page, clients that are incapable of displaying the splash page need to be considered.
Use Cases
- Branding
- Terms of Service
- Registered user access (enhanced security)
There are a number of ways to leverage the sign-on splash page. The following options are available; each has additional features and requirements:
Google

Using the OAuth protocol, Meraki MR access points are able to authenticate users with Google accounts.
Use Cases
- Native Google Apps support
- Limit access to company employees
More Info
Google Sign-In
Facebook

Facebook login provides a social sign-on experience for users logging into Meraki MR access points and MX security appliances. You can use your Facebook page as the sign-on page a user sees when they first log in to your network. Users can then check-in with their Facebook credentials, update their status, and ‘like’ the Facebook page.
The Facebook Wi-Fi FAQ is available on the Facebook website.
Use Cases
- Social marketing
- Guest demographics
More Info
Facebook Login
Prepaid Pin

Prepaid cards enable a network owner to generate pin codes and provide those pin codes to potential users. The network owner can use this as a way to charge users for access without using the Cisco Meraki payment system.
Use Cases
- One time access
- Free WiFi with voucher code (i.e. attached to receipt)
More Info
Configuring a Prepaid Card Billing SSID
SMS

Using the Meraki cloud, it is possible to allow new users to sign on via SMS authentication codes. By utilizing this approach, an administrator can tie each new user to a phone number that is displayed on the Clients page in dashboard under the 'Recent User' column. This data can be used to run SMS campaigns and for validation purposes to ensure that a user has provided personal information that can be used to track them, should they abuse the network.
Use Cases
- Verified guest access
- Contact information of guest users
More Info
SMS Splash Page
Systems Manager Sentry
Systems Manager Sentry Wi-Fi security provides automatic certificate-based EAP-TLS configuration in just a few clicks, eliminating the need for the use of a certificate authority (CA) and the additional management required for each device and user.
Use Cases
- Seamless onboard with Meraki networks
- Enhanced access control
- Enhanced security
More Info
Configuring EAP-TLS Wireless Authentication with Systems Manager Sentry Wifi
Cisco ISE
Cisco Identity Services Engine (ISE) may be used for guest management when paired with Meraki access points. Cisco ISE is another option for authorizing users, enabling many additional business use cases.
The Meraki APs pass the necessary information to Cisco ISE using MAC-based authentication and honor a URL redirect received from the Cisco ISE server. Using Change of Authorization (CoA), the Cisco ISE server can ensure that the correct authorization is applied to end-user devices based on their authentication status.
Use Cases
- Native integration with Cisco ISE
- Enhanced security
More Info
Central Web Authentication (CWA) with Cisco ISE
Developer and API Capabilities
Captive Portal API

Many companies build splash pages to run on their own servers. Since the built-in feature does not support custom forms or scripting, hosting your own solution gives you the maximum flexibility of web technologies. The External Captive Portal API (EXCAP) is the primary mechanism for intercepting a client connection and processing the login. In addition, the Dashboard API can further extend these capabilities by managing the network configuration.
Note: These features are for advanced users and will require the ability to parse parameters with scripting languages in order to build a grant or login URL. Knowledge of only HTML is not sufficient.
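Added example, not part of the original guide or Meraki's code: a server-side click-through handler that parses the splash redirect's query string and builds the grant URL, refusing a forged grant target so the portal cannot be used as an open redirect. The parameter names (base_grant_url, user_continue_url, continue_url) follow Meraki's click-through EXCAP flow but are not given on this page; the allowed host suffix and the fallback URL are assumptions to adjust per deployment.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: grant endpoints are served from hosts under this domain.
ALLOWED_GRANT_SUFFIX = ".network-auth.com"
# Hypothetical landing page used when the supplied continue URL is rejected.
DEFAULT_CONTINUE_URL = "https://portal.example.com/welcome"

# Constructed sample of the query string a splash redirect would carry.
SAMPLE_QUERY = urlencode({
    "base_grant_url": "https://n1.network-auth.com/splash/grant",
    "user_continue_url": "http://example.com/",
    "client_mac": "00:11:22:33:44:55",
})


def build_grant_url(query_string):
    """Return the URL to send the client to once the terms are accepted.

    Raises ValueError when base_grant_url is not a trusted grant endpoint.
    """
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    base = params.get("base_grant_url", "")
    parts = urlsplit(base)
    host = (parts.hostname or "").lower()
    # Everything in the query string is client-controlled, so the grant
    # target must be HTTPS and on the expected domain before we redirect.
    if parts.scheme != "https" or not host.endswith(ALLOWED_GRANT_SUFFIX):
        raise ValueError("untrusted base_grant_url")
    if parts.username or parts.fragment:
        raise ValueError("unexpected components in base_grant_url")
    # Only plain web URLs may be passed on as the post-login destination.
    cont = params.get("user_continue_url", "")
    cont_parts = urlsplit(cont)
    if cont_parts.scheme not in ("http", "https") or not cont_parts.hostname:
        cont = DEFAULT_CONTINUE_URL
    separator = "&" if parts.query else "?"
    return base + separator + urlencode({"continue_url": cont})


if __name__ == "__main__":
    print(build_grant_url(SAMPLE_QUERY))
```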
Use Cases
- Custom form
- Social Authentication
- Website Integration
- Business Workflow
More Info
Captive Portal API
Dashboard API
The Dashboard API is a REST-based interface for interacting with your Meraki network. By leveraging this API, you can further control the network and guest experience.
The Captive Portal server will no longer interact with the client once authenticated. By using the Dashboard API, several options are available to manage the client session before and after the splash authorization process.
Note: In order to interact with the Dashboard API, server-side processing must take place. This means that simple client-side JavaScript will not suffice. Instead, environments like NodeJS, Ruby, PHP or Python with Flask must be used.
Use Cases
- Custom authentication
- Traffic Shaping (i.e. bandwidth control)
- Network Access (i.e. access to network devices or networks)
- Tiered access (i.e. free/paid/employee)
More Info
Dashboard API Overview
Developers Portal
Splash Authorization
The client authorization status can be viewed and changed using a few Dashboard API endpoints. This is helpful if you need to end a client session or pre-authorize a client.
Use Cases
- Policy Violation
- Timed Access
- Session Limit
- Pre-Authorization
API Endpoints
[GET] Return the splash authorization for a client
[PUT] Update a client's splash authorization
Group Policies
Group policies provide a flexible way of assigning network access, traffic shaping and bypass options for each client.
Use Cases
- One-time Registration
- Tiered Access (Free/Paid)
- Network Level Access (BYOD/Guest/)
API Endpoints
[GET] List the group policies in a network
[GET] Return the policy assigned to a client on the network.
[PUT] Update the policy assigned to a client on the network.