Enabling Meraki-Hosted Authentication
The option to select a Meraki-hosted authentication server appears when either of the following is configured on the Configure > Access control page:
- Sign-on splash page
- WPA2-Enterprise with 802.1X authentication
A backslash "\" cannot be used in the "Password" field. If a password contains a backslash "\", user authentication will fail.
The Meraki-hosted authentication server is configured through the Meraki cloud. On the Network-wide > Users page, an administrator can create, edit, and remove user accounts. For each user account, an administrator can configure the user’s name, the e-mail address and password that the user will use to log in, and optionally, an expiration time (to create a user account that self-expires after some period of time).
An expiration time can also be configured on a user account, so that the account becomes invalid after a certain amount of time elapses; this feature is useful for guest accounts. Finally, the Access Control page provides an option for “self-registration”, which allows users to create their own accounts. However, administrators still need to manually add those accounts to the list of users allowed on the network before the account has access. Admins can be given "Guest Ambassador" privileges, which allow them to access this menu and authorize accounts.
Many organizations want to be able to quickly and easily get guests online, and at the same time, control who is on the network.
The Meraki cloud allows administrators to create “guest ambassadors”, who can create guest user accounts but cannot otherwise modify the system. For example, a network administrator can create a guest ambassador account for a receptionist. In turn, the receptionist can create user accounts for guests who need temporary access to the wireless network.
Guest ambassador accounts are configured on the Administrators page. A guest ambassador who logs into the Meraki cloud can access the “Guest Management Portal”, which only allows the creation of user accounts on SSIDs that are configured to use the Meraki-hosted authentication server.
For more information on user management, please see the Meraki cloud authentication deep dive.
End-users can sign on using credentials created in the Meraki-hosted server either via splash or via WPA2. In both cases, the username for sign-on will be the email address and the password will have been chosen by either the end-user when creating their own account via the Meraki splash, or chosen by the administrator when manually creating the end-user's account.
Sign-on window with WPA2 on MacBook.
Sign-on window with a splash page.
User accounts configured in the Meraki-hosted authentication server are global to the networks in the organization. So, a password change to a user account in one network applies to other networks in which the user account may be used.
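The account rules above (e-mail address as username, no backslash in the password, an expiration time on guest accounts, one organization-wide account per user) can be checked on a list of planned accounts before anyone types them into the dashboard. The following is an added example, not Meraki code: the record layout, the function names and the 7-day guest lifetime are assumptions made for illustration, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_GUEST_LIFETIME = timedelta(days=7)  # assumed local policy, not a Meraki limit

def check_account(acct, now):
    """Return the list of problems found in one planned account record."""
    problems = []
    email, password = acct.get("email", ""), acct.get("password", "")
    local, _, domain = email.partition("@")
    if not local or "." not in domain or " " in email:
        problems.append("username must be an e-mail address")
    if not password:
        problems.append("password is empty")
    elif "\\" in password:
        problems.append("password contains a backslash; authentication will fail")
    expires = acct.get("expires")
    if acct.get("guest"):
        if expires is None:
            problems.append("guest account has no expiration time")
        elif expires <= now:
            problems.append("expiration time is already in the past")
        elif expires - now > MAX_GUEST_LIFETIME:
            problems.append("expiration exceeds the guest lifetime policy")
    return problems

def check_batch(accounts, now=None):
    """Return [(email, problems)] for every record that has a problem."""
    now = now or datetime.now(timezone.utc)
    report, seen = [], set()
    for acct in accounts:
        problems = check_account(acct, now)
        key = acct.get("email", "").lower()  # case-folded match is an assumption
        if key in seen:
            problems.append("duplicate e-mail; accounts are organization-wide")
        seen.add(key)
        if problems:
            report.append((acct.get("email", ""), problems))
    return report

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
SAMPLE = [  # constructed records, not real accounts
    {"email": "a@example.com", "password": "Tr4il-mix!", "guest": True, "expires": NOW + DAY},
    {"email": "b@example.com", "password": "dom\\pass", "guest": True, "expires": NOW + DAY},
    {"email": "c@example.com", "password": "Long-enough-1", "guest": True, "expires": None},
    {"email": "A@example.com", "password": "x9-Other", "guest": True, "expires": NOW + 30 * DAY},
]

if __name__ == "__main__":
    for email, problems in check_batch(SAMPLE, NOW):
        print(email, "->", "; ".join(problems))
```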
Meraki APs must be able to reach the Meraki cloud in order to use the Meraki-hosted authentication server. If the Meraki cloud becomes temporarily unavailable, existing wireless clients (already authenticated) remain connected, but new wireless clients are unable to authenticate to access the wireless network. An administrator can configure whether new wireless clients are able to obtain network access when the Meraki cloud is unavailable under the Configure tab on the Access Control page in the “Disconnection behavior” section.