Skip to main content
Cisco Meraki

Using a Sign-on Splash Page to Restrict Wireless Access by MAC address

MAC-based authentication restricts wireless access to specific client devices but traditionally requires a RADIUS server. For smaller deployments, it is easier to configure MAC-based authentication using a Sign-on Splash Page

Configure a Sign-on Splash page

On Wireless > Access Control, select a sign-on splash page with Meraki Authentication as shown below. This requires users to enter a user name and password managed from Network-Wide > Users to access the network.

 

Note: This cannot be used in conjunction with WPA2-Enterprise encryption, and an error will be presented if attempted.

Ensure the Captive Portal Blocks All Traffic

By default the splash page allows unauthenticated users to pass non-HTTP traffic. To prevent this, change the Captive portal strength setting to Block all access until sign-on is complete on Wireless > Access control.

Add Known Machines to the Whitelist 

Adding machines to the whitelist allows them to bypass the splash page requirement. To add an existing device to the whitelist, find that machine on the Network-Wide > Clients page. Check the box to the left of their device name, and use the Apply policy dropdown to whitelist that machine. Click here for more information about whitelisting and blocking clients. 


 

Note: Applying custom group policies to specific client devices is an alternative method of bypassing the splash page. 

Add Unknown Machines to the Whitelist

If a specific device should be whitelisted but has not connected to the SSID, add the device to the Network-Wide > Clients page. Select Add clients on the right to add to the clients list by MAC address and whitelist the client. 

For more detailed instructions, see Pre-Configure Network Policy for Client Devices. See Finding the MAC address of a Windows or Mac computer for instructions on locating a machine's MAC address.


 

With this configuration, whitelisted users will bypass the splash page entirely. All other users will be blocked by a splash page they do not have credentials for.