Home > Wireless LAN > Encryption and Authentication > Sponsored Guest

Sponsored Guest

Overview

Sponsored Guest is a wireless guest authentication feature that allows admins to specify an email domain that guests must request access from to reach the wireless network. For example, an admin at "Example Company" could specify that guest users must request wireless access permissions from someone using an email ending with "@examplecompany.com". When a guest user connects to the SSID, they will be brought to a splash page, and will have to specify a "sponsor" who has an email on the "@examplecompany.com" domain. That sponsor receives a confirmation email and must then verify that they want that guest to connect. 
 

1.png

Determining Need

This feature is useful to ensure only permitted guests are allowed to use Guest wireless services. This feature is available for all currently supported MR access points. More information about MR devices that are no longer supported can be found on our product End of Life page.

Note: This feature does not require Meraki Authentication.

Configuration

To enable Sponsored Guest Login, administrators must navigate to Wireless > Access Control. Under the Splash Page section, the option for Sponsored guest login needs to be selected:

 

2.png

 

In addition to enabling the feature, network administrators need to also specify the sponsor email domains that guests can use to request approval for access, along with the duration of authentication. Although there are no limitations as to what the guest's email domain will be, the sponsor email they use must be on the domain(s) specified on the dashboard in order for the sponsor to receive a link and authorize the guest access. As for the sponsorship duration, the duration options are 1 hour, 1 day (24 hours), or 1 week (7 days).   

 

3.png

 

Please note that any user with an email from the specified domain will be able to grant access to the guests if the guests select that email. If an organization needs only specific emails, like the emails of the IT administrators, to grant access to guest users, the IT administrator team has to have emails on a different domain than the other employees of the organization and must specify that domain as the "sponsor email domain", a domain with only those few email addresses on. For example, if the specified domain is meraki.net, any employee with a username@meraki.net email will be able to sponsor the guests. If the administrators want only specific emails to have the authority, then the specified domain has to be a different domain for example "@merakiguestsponsor.net" with only a few emails on that domain like username@merakiguestsponsor.net that can be specified by guests to grant access to them.  

Connecting to the SSID

When a user connects to the guest SSID, a splash page will be displayed automatically. If using an Apple device the Apple pop-up window will show the splash page. Users need to enter their own name and email address and click Continue.

 

4.png

 

Please note that if the SSID is an open SSID, after choosing to connect to the SSID, the end device shows connected and gets an IP address of the specified VLAN on the SSID, but even with that, the device does not have access to the internal resources nor they can surf the Internet. If the administrator does not want the devices to even get an IP address, they should not leave the SSID as open and should instead specify a PSK for the association. 

 

After entering their own credentials, the user will then be prompted to enter their sponsor’s email. Users need to enter a sponsor email that matches one of the previously configured email domains. Using an undefined domain will return an error asking users to confirm the email.

 

5.png

 

After the user enters a sponsor email from the allowed domains, the next window notifies the user that their request is pending sponsor approval.

 

6.png

 

The sponsor will receive an email notification requesting approval for guest access. The name specified by the user will be used in the email sent to the sponsor.

 

7.png

 

After the sponsor clicks on the link in the email, a new page will open in the sponsor's web browser indicating that the request has been approved.

 

8.png

 

Once approved by the sponsor, the user is then redirected to google.com and will be able to browse the internet.

 

9.png

 

Additionally, guest users will be notified of the approval via email.

 

10.png

 

If a user disconnects and reconnects within the approved time, the device will automatically get internet access. If the user reconnects to the SSID after the approval period has expired, the whole process will be repeated again. This function is currently limited to a maximum of 1 week (7 days) per authorization.

Note: Devices that have been authenticated for a specified duration can have their authentication manually revoked by dashboard administrators, and administrators do not have to wait for the authorized duration to end for access to expire. The option to revoke the guest is available from Network-Wide > Clients, on their client details page:

After revoking the authorization, the splash status changes to Not authorized and the end device will stop having access to the Internet or the internal resources after a couple minutes.

 

bgfO0KnjMQtFzgDfgBqhyU4iFmDDvxu98-tugAyPbpWvFPQU8vnWlNQjahzPmMtw9jQVVA=s2048.png

 

Please note that the disconnection will not be immediate as the expiry of the ongoing flows will take a few minutes.

Devices are authorized by user accounts, and authorization applies to any device using the approved credentials. (This means that once a user has been approved, they can use the same name and email address on the pop-up windows on another device and get connected immediately without specifying a sponsor's email.)

Last modified

Tags

Classifications

This page has no classifications.

Explore the Product

Click to Learn More

Article ID

ID: 8934

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community