Cisco Meraki Documentation

Scoping Active Directory per SSID

By default, when using Active Directory for Splash Page authentication, all users in AD can be granted access. However, by using Organizational Units (OUs) and a custom AD admin account, it is possible to limit which users can get through authentication. This document shows how to limit the scope of users that can be authenticated to an SSID using a Splash Page with Active Directory integration.

Note: This is an advanced configuration that requires day-to-day knowledge of Active Directory to be done correctly. Please refer to Microsoft documentation and support for assistance.

 

First, you will need to create a user for each group of users. In this case, we have Students and Staff, with the accounts StudentLDAPUser and StaffLDAPUser. We will use this example to keep Staff users from accessing the Student SSID.

Right-click the Staff OU and select Properties.

Deny the StudentLDAPUser account's Read rights on the Staff OU.

Now, use this StudentLDAPUser account to bind to AD under 'Configure >> Access Control' for your Student SSID.

Since this user does not have the ability to read the Staff OU, Staff users will not be able to use this SSID. You will need to apply this Deny to all user OUs that should not be allowed to access this SSID.

Repeat the same steps to deny Students access to the Staff SSID: deny Read permissions for StaffLDAPUser on all OUs that should not have access to the Staff SSID.
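
Because the Deny has to be applied to every OU that should not reach the SSID, an OU that is missed stays readable by the bind account. The following PowerShell audit is an added example, not part of the Meraki documentation; it lists each OU and flags those where StudentLDAPUser has no Deny Read entry. The domain name EXAMPLE / example.com and the Students OU path are assumptions to replace with your own values.

```powershell
# Added example, not from the Meraki documentation. Needs the RSAT ActiveDirectory module.
# Assumed values: NetBIOS domain EXAMPLE, DNS domain example.com, OU path below.
Import-Module ActiveDirectory

$BindAccount = 'EXAMPLE\StudentLDAPUser'
# OUs whose users SHOULD be able to authenticate on the Student SSID.
$AllowedOUs  = @('OU=Students,DC=example,DC=com')

$GenericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $dn = $ou.DistinguishedName

    # Explicit or inherited Deny ACEs for the bind account that cover read rights.
    # Entries that apply through group membership are not evaluated here.
    $denyAces = @((Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.IdentityReference.Value -eq $BindAccount -and
        $_.AccessControlType -eq 'Deny' -and
        (([int]$_.ActiveDirectoryRights -band $GenericRead) -ne 0)
    })

    # An OU counts as allowed if it is, or sits beneath, one of $AllowedOUs.
    $isAllowed = [bool]($AllowedOUs | Where-Object { $dn -eq $_ -or $dn -like "*,$_" })
    $isDenied  = $denyAces.Count -gt 0

    $status = if ($isAllowed -and $isDenied) {
        'ALLOWED OU IS DENIED'      # intended users would fail authentication
    } elseif (-not $isAllowed -and -not $isDenied) {
        'DENY MISSING'              # bind account can still read this OU
    } else { 'OK' }

    [pscustomobject]@{
        OU        = $dn
        Allowed   = $isAllowed
        DenyRead  = $isDenied
        Inherited = [bool]($denyAces | Where-Object IsInherited)
        Status    = $status
    }
}

# Ascending sort lists the two problem states before 'OK'.
$report | Sort-Object Status | Format-Table -AutoSize
```

Run it again with `$BindAccount` set to the StaffLDAPUser account and `$AllowedOUs` set to the Staff OU to check the Staff SSID.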