
 

Cisco Meraki Documentation

Microsoft Entra ID Integration with Splash Page

Overview

Microsoft Entra ID (formerly known as Microsoft Azure AD) is a cloud-based identity and access management service provided by Microsoft. It is designed to help organizations manage users and their access to applications, both on-premises and in the cloud. This feature allows admins to configure SSIDs on Meraki to authenticate their Microsoft Entra ID users via Splash Page.

Prerequisites

Firmware: MR28+ 
Licensing: MR Enterprise

Configuration


In dashboard, navigate to Wireless > Configure > Access Control.

  1. Select the SSID in the top left corner.

  2. Under Splash Page, select Sign on With Microsoft Entra ID and add your Allowed Domains.

Note: The built-in Microsoft domain does work, but it must be included in the Allowed domain field in dashboard.
All custom domains (i.e. not an onmicrosoft.com domain) must be verified.

  3. Navigate to Advanced Splash Settings below and then set the Captive Portal Strength to "Block all access until sign-on is complete".

Note: A client's access to the internet should be blocked once it is placed into the captive portal, so it is important that the Captive portal strength for the splash page is set to "Block all access until sign-on is complete" on the Access Control page of the SSID. This will not disassociate the client from the SSID; it only blocks internet access.

  4. Set Walled Garden to Enabled, and then add the domains from Microsoft’s Azure portal authentication URLs documentation to the Walled Garden Ranges. If a domain is not specified, all valid Entra ID accounts will be permitted to access the SSID.

Note: If using an unmanaged Android device, add "device.login.microsoftonline.com" to the Walled Garden ranges.

  5. Save the configuration.

Granting Microsoft Admin Consent to Cisco Application

  1. Network admins can sign in using the link below to grant admin permission to the Cisco application.

https://login.microsoftonline.com/organizations/adminconsent?client_id=d1b29572-1b35-40cc-9152-a8056ab586c4


 

  2. Navigate to Microsoft Entra ID > Enterprise applications.

  3. Search for the application Cisco Meraki Network Access.

  4. Under Permission, click the blue button - Grant admin consent for Cisco.

Note: Alternatively, admins can connect to the configured Entra SSID to grant admin consent.

  1. Connect to the configured SSID.

  2. Click Sign in with Microsoft.

  3. Accept the permission request to add the application to the admin Entra ID account.

  4. Verify that the new Cisco Meraki Network Access app is present in the Enterprise application portal.

Authentication Process

When connecting to the AP, an unauthorized user's first HTTP GET request will be redirected to the splash page server hosted within dashboard. The splash page presents the option to log on to the SSID using the user's Microsoft AD account.

  1. Sign in to the user account to sign on to the application.

  2. Users are then directed to the Microsoft login screen hosted on Microsoft Active Directory servers.

  3. After the user enters their credentials, they will be permitted or prompted to re-enter valid credentials.

  4. Once accurate credentials are provided, users will be granted access to the network.

Troubleshooting SSID Configuration

This section describes how to identify and mitigate common issues experienced with Splash page configuration in dashboard.

  1. The built-in Microsoft domain onmicrosoft.com must be included in the Allowed domain field in the splash page of Dashboard. 


Troubleshooting Entra ID Configuration

If you encounter errors while connecting to the Entra ID SSID, confirm that all of the Entra ID account configurations below have been verified.

  1. The Entra ID user attempting to authenticate with the network must have an active email associated with their account.
  2. Within the Microsoft AD account, the Cisco Meraki Application must be a verified application. Please refer to the section Granting Microsoft Admin Consent to Cisco Application.
  3. The Azure user attempting to authenticate with the network must have an active email associated with their account.

Note: The associated user email must be the same as the user principal name. If they are not the same, the Entra ID sign-in attempt will fail with an error.

3.1. To verify, sign in to the Azure Portal: Go to https://portal.azure.com and sign in with your Azure account credentials.

3.2. Navigate to Azure Active Directory: In the left-hand navigation pane, select Microsoft Entra ID.

3.3. Select Users: Under the Manage section, select Users.

3.4. Search for the User: Use the search bar and search for the relevant User.

3.5. Check the User Properties: Click on the Properties tab of the selected User and ensure that there is a valid email.
 


Email Domain Verification

  1. Sign in to the Azure ID Portal: Go to https://portal.azure.com and sign in with your Entra ID account credentials.

  2. Navigate to Azure Active Directory: In the left-hand navigation pane, select Microsoft Entra ID

  3. Under the Manage section, select Custom domain names.

  4. Confirm the domain is verified.
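
The account checks from the troubleshooting sections above can be run in bulk before rollout. The following Python script is an added example, not Cisco Meraki or Microsoft code: it audits a user export in the JSON shape Microsoft Graph returns for /users and reports accounts with no email, an email that differs from the user principal name, or a domain outside the SSID's Allowed Domains. The sample records, the ALLOWED_DOMAINS value and the case-insensitive exact-match comparison are assumptions.

```python
import json

# Constructed sample export; real input would be your own tenant's user list.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"userPrincipalName": "alice@example.com", "mail": "alice@example.com"},
  {"userPrincipalName": "bob@example.com", "mail": "Bob.Builder@example.com"},
  {"userPrincipalName": "carol@example.com", "mail": null},
  {"userPrincipalName": "dave@contoso.onmicrosoft.com",
   "mail": "dave@contoso.onmicrosoft.com"},
  {"userPrincipalName": "Erin@Example.com", "mail": "erin@example.com"}
]}
""")

# Constructed value; mirror the Allowed Domains configured on the SSID.
ALLOWED_DOMAINS = ["example.com"]


def audit_user(user, allowed_domains):
    """Return the reasons this account is expected to fail splash sign-on."""
    problems = []
    upn = (user.get("userPrincipalName") or "").strip().lower()
    mail = (user.get("mail") or "").strip().lower()
    if not mail:
        problems.append("no email on account")
    elif mail != upn:  # assumption: comparison is case-insensitive
        problems.append("email differs from user principal name")
    # Assumption: exact match on the domain part of the UPN.
    domain = upn.rpartition("@")[2]
    allowed = {d.strip().lower() for d in allowed_domains}
    # An empty list means no domain restriction: every valid account passes.
    if allowed and domain not in allowed:
        problems.append("domain not in Allowed Domains")
    return problems


def audit_export(export, allowed_domains):
    """Map each failing UPN to its problems; passing accounts are omitted."""
    report = {}
    for user in export.get("value", []):
        problems = audit_user(user, allowed_domains)
        if problems:
            report[user.get("userPrincipalName", "<missing UPN>")] = problems
    return report


if __name__ == "__main__":
    for upn, problems in audit_export(SAMPLE_EXPORT, ALLOWED_DOMAINS).items():
        print(f"{upn}: {'; '.join(problems)}")
```

Passing an empty Allowed Domains list disables the domain check, which matches the configuration note that all valid Entra ID accounts are permitted when no domain is specified.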

Monitoring

If a Sign-on Splash Page is used, login attempts are reported in dashboard under Wireless > Monitor > Splash logins and Wireless > Monitor > Login attempts.

[Screenshot: Wireless > Monitor > Splash logins page]

For comprehensive API documentation, steps to configure Entra ID with Splash Page, and sample source code, please visit our Developer Hub.
