External Identity Sources
The option to select a RADIUS server appears when the following is configured on the Configure > Access control page:
- Sign-on splash page
Many organizations have an existing user authentication or directory server that they would like to use to control access to the wireless LAN. Common server types include LDAP and Active Directory. Any type of authentication server with a RADIUS interface can be integrated with a Meraki wireless network. The Meraki cloud allows an administrator to configure multiple RADIUS servers for failover.
When an externally hosted RADIUS server is used with either MAC-based access control or WPA2-Enterprise with 802.1x authentication, the Meraki APs must be able to reach the RADIUS server. The Meraki cloud offers a test tool that enables an administrator to verify connectivity of all of the Meraki APs to the RADIUS server, and to check a particular set of user credentials against the RADIUS server. The test tool appears under the Configure tab on the Access Control page.
When an externally hosted RADIUS server is used with sign-on splash page, an administrator can configure the Meraki wireless network to use an externally hosted RADIUS server for user authentication. The Meraki cloud acts as an intermediary in this configuration to provide (1) a consistent end user experience (e.g., the wireless user is not presented with the splash page again if he re-associates to another AP) and (2) RADIUS accounting features.
If using RADIUS based Splash page the Meraki cloud needs to contact an external RADIUS server, the Meraki cloud must be able to reach the RADIUS server. This requirement may necessitate firewall changes that allow inbound connections to the RADIUS server. If the RADIUS server becomes temporarily unavailable, existing wireless clients (already authenticated) remain connected, but new wireless clients are unable to authenticate to access the network.
When WPA2-Enterprise is selected, RADIUS is sent directly from the management IP address of the AP.
The option to select a Active Directory appears when the following is configured on the Configure > Access control page:
- Sign-on splash page
If your network does not require the additional configuration options provided by RADIUS integration, there are certain advantages if the APs can communicate directly with Active Directory without a RADIUS server acting as an intermediary. Native AD integration eliminates the need to configure Microsoft NPS (or any other RADIUS server). Also, when using RADIUS integration with multi-domain forests, for example a school that has one domain for faculty and another for students that is using sign-on splash authentication, users must remember to include their domain with their username, which can easily be forgotten. Or alternatively, a complex hierarchy of RADIUS proxy servers or custom scripts might be required to make the log in process easier for the user.
In order to configure native Active Directory integration, sign-on splash must be configured and Use My Active Directory Server selected from the Authentication Server drop-down menu under Configure->Access control.
Once Active Directory server option has been selected, the internal IP addresses of any domain controllers that will be used for authentication should be entered, along with the credentials of an Active Directory administrator that has read rights to all domain controllers that will used.
It is highly recommended that a separate account is created for the purpose of providing Active Directory authentication. Users should take the following steps to secure the account:
Create a Global Security Group in your domain (or forest)
Create a user account and add it to the new group.
Update the user account so that the new Security group is the user’s primary group.
Remove the Domain Users group from the account.
This will isolate the account from acting like a normal domain user.
LDAP Server Integration
The option to select a LDAP appears when the following is configured on the Configure > Access control page:
- Sign-on splash page
Similarly to Active Directory, Meraki wireless networks can natively integrate with LDAP authentication servers when using sign-on splash page. The manner with which this authentication is configured is very similar to that described for Externally Hosted Active Directory Server. In order to configure native LDAP integration, sign-on splash must be configured and Use My LDAP Server selected from the Authentication Server drop-down menu under Configure->Access control.
Once the LDAP server option has been selected, the internal IP addresses of any LDAP servers that will be used for authentication should be entered, along with the appropriate port number and the credentials of an LDAP administrator with administrative rights to all domains that will be used. The common name (cn) and domain components (dn) should be entered in the format shown below:
The management IP address of the Access Point is used to connect to the LDAP Server.