Sponsored Guest
Overview
Sponsored Guest Login is a wireless guest authentication feature that allows admins to specify an email domain that guests must request access from to reach the wireless network. For example, an admin at "Example Company" could specify that guest users must request wireless access permissions from someone using an email ending with "@examplecompany.com". When a guest user connects to the SSID, they will be brought to a splash page, and will have to specify a "sponsor" who has an email on the "@examplecompany.com" domain. That sponsor receives a confirmation email and must then verify that they want that guest to connect.
Determining Need
This feature is useful to ensure only permitted guests are allowed to use Guest wireless services. This feature is available for all currently supported MR access points. More information about MR devices that are no longer supported can be found on our product End of Life page.
Note: This feature does not require Meraki Authentication.
Configuration
To enable Sponsored Guest Login, administrators must navigate to Wireless > Access Control. Under the Splash Page section, the option for Sponsored guest login needs to be selected:
In addition to enabling the feature, network administrators also need to specify the sponsor email domains that guests can use to request approval for access, along with the duration of authentication. Although there are no limitations as to what the guest's email domain will be, the sponsor email they use must be on the domain(s) specified on the dashboard in order for the sponsor to receive a link and authorize the guest access.
Note: The maximum number of sponsor email domains that can be added at any one time is 5.
As for the sponsorship duration, the duration options are flexible and can be specified as values between 30 minutes and 6 weeks. The maximum sponsorship duration is an upper hard limit for sponsored guest access.
The session time can be set to:
- automatically grant the access duration (30 minutes to 6 weeks) specified by the “Maximum sponsorship duration” during the splash page registration
- allow users to request access for a session duration that is limited by the “Maximum sponsorship duration” specified by the Meraki Administrator
Please note that any user with an email from the specified domain will be able to grant access to the guests if the guests select that email. If an organization needs only specific emails, like the emails of the IT administrators, to grant access to guest users, the IT administrator team has to have emails on a different domain than the other employees of the organization and must specify that domain as the "sponsor email domain", a domain with only those few email addresses on. For example, if the specified domain is meraki.net, any employee with a username@meraki.net email will be able to sponsor the guests. If the administrators want only specific emails to have the authority, then the specified domain has to be a different domain for example "@merakiguestsponsor.net" with only a few emails on that domain like username@merakiguestsponsor.net that can be specified by guests to grant access to them.
Connecting to the SSID
When a user connects to the guest SSID, a splash page will be displayed automatically. If using an Apple device the Apple pop-up window will show the splash page. Users need to enter their name and email address as well as the desired duration and click Continue. A time interval between 30 minutes and 6 weeks can be chosen.
Note: The duration value requested by the guest cannot exceed the “Maximum sponsorship duration” set by the Meraki Admin on the Access control page. For example, if a visitor requested 1 day of the wireless network access and the “Maximum sponsorship duration” is set to 8 hours only 8 hours of the access will be granted.
Please note that if the SSID is an open SSID, after choosing to connect to the SSID, the end device shows connected and gets an IP address of the specified VLAN on the SSID, but even with that, the device does not have access to the internal resources nor they can surf the Internet. If the administrator does not want the devices to even get an IP address, they should not leave the SSID as open and should instead specify a PSK for the association.
After entering their own credentials, the user will then be prompted to enter their sponsor’s email. Users need to enter a sponsor email that matches one of the previously configured email domains. Using an undefined domain will return an error asking users to confirm the email.
After the user enters a sponsor email from the allowed domains, the next window notifies the user that their request is pending sponsor approval.
The sponsor will receive an email notification requesting approval for guest access. The name specified by the user will be used in the email sent to the sponsor.
After the sponsor clicks on the link in the email, a new page will open in the sponsor's web browser indicating that the request has been approved.
Once approved by the sponsor, the user is then redirected to google.com and will be able to browse the internet.
Additionally, guest users will be notified of the approval via email.
If a user disconnects and reconnects within the approved time, the device will automatically get internet access. If the user reconnects to the SSID after the approval period has expired, the whole process will be repeated again. This function is currently limited to a maximum of 1 week (7 days) per authorization.
Note: Devices that have been authenticated for a specified duration can have their authentication manually revoked by dashboard administrators, and administrators do not have to wait for the authorized duration to end for access to expire. The option to revoke the guest is available from Network-Wide > Clients, on their client details page:
After revoking the authorization, the splash status changes to Not authorized and the end device will stop having access to the Internet or the internal resources after a couple minutes.
Not authorized:
Authorized:
Please note that the disconnection will not be immediate as the expiry of the ongoing flows will take a few minutes.
Devices are authorized by user accounts, and authorization applies to any device using the approved credentials. (This means that once a user has been approved, they can use the same name and email address on the pop-up windows on another device and get connected immediately without specifying a sponsor's email.)