Step-by-step instructions to set up a Radius-based captive portal with Cisco Meraki access points and Cloudi-Fi for user authentication.

Use case

Configuring a Radius-based captive portal with Cisco Meraki MR access points is beneficial in various scenarios requiring advanced network access control and device recognition capabilities. Here are some everyday use cases where this configuration is advantageous:

1. Access Control: By implementing a Radius-based captive portal, you can enforce granular access control policies for your network. 
2. Bandwidth Allocation: With a Radius-based captive portal, you can allocate bandwidth based on user profiles. This allows you to prioritize critical applications or users with specific requirements, ensuring a fair distribution of network resources.
3. Session Continuity Between Different Sites: If multiple sites or branches are connected through a Cisco Meraki network, users can seamlessly move between different sites while maintaining their authenticated session, providing a consistent and uninterrupted network experience.

By leveraging a Radius server's authentication capabilities, you can enforce access control policies, allocate bandwidth effectively, and enhance device recognition and management across your network infrastructure. The following sections provide step-by-step instructions to enable this powerful configuration.

Prerequisites

Before starting, ensure that you have the following prerequisites:

• A Cisco Meraki access point.
• Cloudi-Fi Radius IPs and Secret  
• Access to the Cisco Meraki dashboard.
• Knowledge of your network’s IP addressing scheme.
• Enable API access to the Meraki portal and synchronise your Meraki networks with Cloudi-Fi.
• Access to your firewall to allow several ports:

1. Get Radius information

You will need the Radius information (Server IPs, Secret, Ports) to proceed with the setup.

1. IPs address of the Radius servers
2. Ports: UDP 1812 (Authentication) & 1813 (Accounting)

You can get the Secret by asking in the Chatbot. Cloudi-Fi’s Support team will provide you with the necessary information.

1. What shared secret is used for the Radius server with Cisco Meraki? (Please save this confidential information securely, and do not share it publicly).

2. Configure your SSID

1. Log in to the Cisco Meraki dashboard
2. Select the Meraki network you want to enable the captive portal.
3. Navigate to the “Access Control” tab. 
4. Configure as follows:
   1. Give it a name 

Security: MAC-based access control (no encryption)

Splash Page: Click-Through

Advanced splash settings

3. Configure the Radius server

1. Enter the IP address of the Radius server and the port number obtained from the previous step.
2. Input the shared secret used for authentication between the Radius server and the Cisco Meraki access point.

4. Client IP and VLAN

1. While configuring the captive portal, you can assign clients specific IP addresses and VLANs upon successful authentication.
2. Scroll to the “Client IP and VLAN” section.
3. Choose the appropriate option for assigning IP addresses:
   1. Meraki AP Assigned (NAT Mode)
   2. External DHCP server assigned
4. Configure VLAN settings (if applicable):
   1. If you selected “Use VLAN tagging” in the previous step, select the VLAN tag number to assign clients after authentication.
   2. Ensure that the corresponding VLAN is properly configured on your network infrastructure.

5. Obtain the splash page URL from Cloudi-Fi dashboard

1. Open the Cloudi-Fi dashboard and go to Settings.
2. Navigate to the Integrations section and select Meraki.
3. Click on the three dots next to the Meraki integration and choose "Configure SSID."
4. Locate the Splash page URL provided in the configuration settings.

6. Configure the custom splash URL in Meraki dashboard

1. Return to the Cisco Meraki dashboard.
2. Navigate to the "Wireless" section and select the appropriate wireless network.
3. Under the "Splash Page" tab, select "Custom splash URL."
4. Paste the Splash page URL from the Cloudi-Fi dashboard into the provided field.

Troubleshooting

If you encounter any issues during the setup or operation of the Radius-based captive portal, you can use the Meraki Radius test feature to help diagnose and resolve the problem. Follow these troubleshooting steps:

1. Under the "Radius" authentication method, click on the "Test" link.
2. Enter the credentials of a test user.
3. Click the "Test" button to initiate the Radius authentication test.

The Meraki Radius test will simulate a user authentication attempt using the provided test credentials. It will help you identify any issues with the Radius server configuration or connectivity. Review the test results to troubleshoot and resolve the following common problems:

• Incorrect IP address or port: Ensure the Radius server’s IP address and port number are correctly entered in the Cisco Meraki dashboard.
• Shared secret mismatch: Double-check that the shared secret on the Radius server matches the one configured in the Cisco Meraki dashboard.
• Network connectivity: Verify network connectivity between the Cisco Meraki access point and the Radius server. Check for any firewall rules or network devices blocking the communication.
• Radius server configuration: Review the configuration of your Radius server to ensure it is correctly set up with the appropriate authentication protocols, encryption methods, and user accounts.

If the Meraki Radius test is successful, it indicates that the Radius server is properly configured and reachable from the Cisco Meraki access point.

What’s next?

Congratulations on enabling the Radius-based captive portal with Cisco Meraki! From now on, you can explore further profiling options for the captive portal, such as Group Policies. This helps you to enhance your network security and optimise your organisation’s network infrastructure.