Step-by-step instructions to set up an API captive portal with Cisco Meraki access points and Cloudi-Fi for user authentication.
Use case
The following sections will provide step-by-step instructions to enable Cloudi-Fi cloud-based WiFi Captive portal service with your existing Meraki architecture.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Cisco Meraki access point
- Access to the Cisco Meraki dashboard
- Knowledge of your network’s IP addressing scheme
- API access enabled for the Meraki portal
- Synchronization of Meraki networks with Cloudi-Fi
1. Generate the API Key
- Navigate to the Meraki administration page
- Select "Organization" then "API & Webhooks"
- Click on Generate API Key
- Tick the box to confirm that you saved the key and click on Done
Note: there is a limit of only two API keys per Meraki administrator.
2. Connect your Meraki organization with your Cloudi-Fi tenant
- Navigate to Cloudi-Fi administration UI
- Go to "Configuration" > "Integrations"
- Select "Meraki" from the integration list
If the "Integration" section is missing, ensure the "Integration Menu" is enabled in your Administrator's profile
- Click on "Enable this Integration" to initiate a new Activation.
- Synchronization Mode Selection:
- Currently, only "Automatic synchronization" mode is available.
- Click "Automatic" to proceed.
A manual mode will be introduced in the future for companies opting not to share an API key.
- Configuration Steps:
- Choose the appropriate Meraki Cloud (World or China).
- Paste the API key from the Meraki portal.
- Click "Connect" to initiate the synchronization process.
- Wizard Configuration:
- The wizard will automatically import your Meraki networks.
- Imported networks will appear in Cloudi-Fi Admin UI under "locations".
Note: It could be useful to create multiple activations if you have devices connected to different Meraki Clouds or multiple Meraki Organisations.
3. Define the synchronization settings
- Define the following parameters:
- Activation name
-
Create_locations
- From networks - only network tags will be imported
- From AP tags - only AP tags will be imported
-
Import
- Both MR (access points) and MX (security appliances)
- Only MX
- Only MR
-
Scan
- Everywhere: Automatically adds new Meraki networks to the locations list
-
Only some networks / Only some network tags: New networks appear in the integration for selective import
4. Configure SSID
The last step lets you deploy your Meraki guest WIFI from Cloudi-Fi on a chosen SSID.
- Automatic: Cloudi-Fi will push Guest configuration on SSIDs selected
- Manual: if you don't want to let Cloudi-Fi change your Meraki configuration, you can select "Manual" to get the information required to set up your Meraki Splash page / ACLs with Cloudi-Fi.
5. Verify Cloudi-Fi location creation
Verify that Meraki networks are successfully imported as Cloudi-Fi locations Cloudi-Fi > Admin UI > Locations.
If you edit the location, you can see that the Wizard has automatically imported the MAC addresses of the Meraki devices. This parameter is used to identify the location.
6*. Create the Guest SSID
(*) Optional - when Manual SSID configuration is selected (see Step 4: Configure SSID)
- Confirm that Meraki networks have been correctly imported into Cloudi-Fi locations by checking Cloudi-Fi > Admin UI > Locations.
6.1 Captive portal deployed on MX Devices
- Navigate to the Meraki Dashboard > Security & SD-WAN > Wireless settings.
- Enable an available SSID.
- Enter a name for the SSID.
- Assign your SSID to your VLAN
- Select Security type: Open.
- Access Control for MX Devices:
- Navigate to Meraki Dashboard > Security & SD-WAN > Access Control.
- Select your VLAN
Configure with:
- Splash page : select “Click Through”
- Network access control : select “Disabled”
- Captive portal strength : select “Block all access until sign-on is complete”
- Walled garden : select “Walled garden is enabled”
- Walled garden range :
- Controller disconnection behavior : select “Restricted: only currently associated clients and whitelisted devices will be able to use the network”
Navigate to Meraki Dashboard > Security & SD-WAN > Splash page.
- Select your VLAN
- Opt for a Custom splash URL
- Enter the Cloudi-Fi URL (refer to Custom Splash Page in Step 4: Configure SSID)
6.2 Captive portal deployed on MR Devices
- SSID Configuration for MR Devices :
- Navigate to Meraki Dashboard > Wireless > SSID.
- Enable an available SSID.
- Enter a name for the SSID and save changes.
- Navigate to Meraki Dashboard > Wireless > Access Control.
- Select the configured SSID.
- Navigate to Meraki Dashboard > Wireless > SSID.
- Security : select “Open (no encryption)”
- WPA encryption : select “Disabled”
- Splash page : select “Click Through”
- Client IP and VLAN : This setting depends on your network architecture, for instance, if you already have a DHCP server and dedicated DHCP range for Guest users. For easy deployment, we recommend using the "NAT mode" option. The Access-Point will act as a DHCP server, and all WiFi clients will be seen outside of the wireless network with the Access Point LAN IP.
For MR devices, go to Meraki Dashboard > Wireless > Access Control. Then select your SSID and in the Walled garden ranges, add *.cloudi-fi.net
- Captive portal strength : select “Block all access until sign-on is complete”
- Walled garden : select “enabled”
- Walled garden range :
- Controller disconnection behavior : select “Restricted”
Navigate to Meraki Dashboard > Wireless > Splash page.
- Select your SSID
- Choose to use a Custom splash URL
- Enter the Cloudi-Fi URL (refer to Custom Splash Page in Step 4: Configure SSID)
7*. Prevent guest users from accessing your internal networks
(*) Optional - when Manual SSID configuration is selected (see Step 4: Configure SSID)
-
Configuration for MR Devices :
- Navigate to Meraki Dashboard > Wireless > Firewall & Traffic Shaping.
- Select the SSID in question.
- Modify the existing rule to deny Guest users access to private IP ranges.
- Save the changes.
8. Syslog forwarding
- Syslog Configuration for Meraki Networks or Templates:
- Go to Network Wide > Configure > General.
- Find the Logging or Reporting section.
- Enter Syslog server details:
- Server IP: see Radius and Syslog servers
- Port: 514
- Roles: URLs & Flows.
For more information on Cloudi-Fi's solution partnership with Cisco Meraki, visit our Cisco Meraki Partner page here.
Troubleshooting:
If you still encounter any issues during the setup or operation, you can first follow Cloudi-Fi's first-level troubleshooting guide. If you are still having issues, we invite you to contact the Cloudi-Fi support team.
What’s next?
Congratulations on enabling the API captive portal with Cisco Meraki!