Using a Sign-on Splash Page to Restrict Wireless Access by MAC address
click 日本語 for Japanese
MAC-based authentication restricts wireless access to specific client devices but traditionally requires a RADIUS server. For smaller deployments, it is easier to configure MAC-based authentication using a Sign-on Splash Page.
Configure a Sign-on Splash page
On Wireless > Access Control, select a sign-on splash page with Meraki Authentication as shown below. This requires users to enter a user name and password managed from Network-Wide > Users to access the network.
Note: This cannot be used in conjunction with WPA2-Enterprise encryption, and an error will be presented if attempted.
Ensure the Captive Portal Blocks All Traffic
By default the splash page allows unauthenticated users to pass non-HTTP traffic. To prevent this, change the Captive portal strength setting to Block all access until sign-on is complete on Wireless > Access control.
Add Known Machines to the Allow List
Adding machines to the allow list allows them to bypass the splash page requirement. To add an existing device to the allow list, find that machine on the Network-Wide > Clients page. Check the box to the left of their device name, and use the Apply policy dropdown to allow list that machine. Click here for more information about adding clients to the allow list or block list.
Note: Applying custom group policies to specific client devices is an alternative method of bypassing the splash page.
Add Unknown Machines to the Allow List
If a specific device should be added to the allow list but has not connected to the SSID, add the device to the Network-Wide > Clients page. Select Add clients on the right to add to the clients list by MAC address and add the client to the allow list.
For more detailed instructions, see Pre-Configure Network Policy for Client Devices. See Finding the MAC address of a Windows or Mac computer for instructions on locating a machine's MAC address.
With this configuration, users that have been added to the allow list will bypass the splash page entirely. All other users will be blocked by a splash page they do not have credentials for.