Cisco Meraki devices (MR access points and MX security appliances) support the use of a sign-on Splash Page, requiring network users to authenticate in a web browser before being allowed access to the network. This splash page can be integrated with an Active Directory server, allowing users to provide their domain credentials to gain access.
This article outlines how to configure a sign-on Splash Page with Active Directory.
When using Active Directory authentication, your access points need to perform an LDAP bind over TLS, negotiated with the LDAP STARTTLS extended operation rather than a dedicated LDAPS port. This LDAP bind is what authenticates the user logging in to the splash page, as illustrated below:
In order to configure a splash page with Active Directory authentication, configuration steps must be completed on both Dashboard and Active Directory, outlined below:
The following requirements must be configured on each AD server being used for authentication:
When Active Directory authentication is configured, the MR queries the Global Catalog over TCP port 3268. Therefore the Active Directory server (Domain Controller) specified in Dashboard must also hold the Global Catalog role, and any firewall between the APs and that server must permit TCP 3268 (the Global Catalog port, used here with STARTTLS), not only the standard LDAP port 389.
Once all AD servers have been primed with the configuration requirements outlined above, the following steps outline how to set up AD authentication with a sign-on splash page:
Once the configuration has been saved, connectivity and functionality can be tested within Dashboard. Under the Active Directory servers section within Wireless > Configure > Access Control, click the Test button and input a valid domain user's credentials (the domain should be left out of the username).
The image below shows an example use of the test functionality:
The test runs on every AP that broadcasts the SSID; each AP queries the AD server to check whether the test credentials are valid:
If this test fails, first confirm that all of the Active Directory requirements outlined above are met, then confirm that each "Failed" AP has network connectivity to the server on TCP port 3268.
For more detailed troubleshooting steps, please refer to our documentation regarding Troubleshooting Active Directory Authentication with a Sign-on Splash Page.
Once the configuration above has been completed, the Meraki device should be able to communicate with the Active Directory server using TLS. If this fails, Microsoft's Ldp.exe tool can be used on the server to confirm that the LDAP service is running and that a STARTTLS connection succeeds with the certificate currently installed on the Domain Controller.
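The following script is an added example and is not Meraki's or Microsoft's own code. Run from a domain-joined Windows host, it checks the server-side requirements listed above (Global Catalog role, TCP 3268 reachable) and then reproduces what the AP does: a STARTTLS negotiation on port 3268 followed by a simple bind with the test user, plus a Global Catalog search to confirm the account is visible there. The server name dc01.corp.example, the domain corp.example and the user splashtest are assumptions; substitute the values configured in Dashboard.

```powershell
# Added example (not Meraki's or Microsoft's code). Verifies a Domain Controller
# meets the splash-page requirements: Global Catalog role, TCP 3268 open,
# STARTTLS on 3268, and a successful simple bind for the test user.
param(
    [string]$DcFqdn   = 'dc01.corp.example',  # assumed DC name; use the server set in Dashboard
    [string]$Domain   = 'corp.example',       # assumed AD DNS domain
    [string]$TestUser = 'splashtest'          # assumed sAMAccountName, no domain prefix
)

Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Global Catalog role: the MR queries the GC on 3268, so a plain DC is not enough.
$dc = Get-ADDomainController -Identity $DcFqdn
if (-not $dc.IsGlobalCatalog) {
    Write-Warning "$DcFqdn does not hold the Global Catalog role; promote it or choose a GC."
}

# 2. Reachability of TCP 3268. Run this from the APs' subnet to mirror their path.
$tcp = Test-NetConnection -ComputerName $DcFqdn -Port 3268 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 3268 to $DcFqdn is unreachable; check firewalls between the APs and the DC."
}

# 3. STARTTLS and then a simple bind on 3268, the same sequence the AP performs.
$password = Read-Host -AsSecureString "Password for $TestUser"
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcFqdn, 3268)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
# Simple bind as a UPN: the domain is supplied here, not typed into the username.
$conn.Credential = New-Object System.Net.NetworkCredential("$TestUser@$Domain", $password)

try {
    # VerifyServerCertificate is deliberately left unset, so the Windows LDAP client
    # validates the DC certificate against this host's trust store. An untrusted,
    # expired or name-mismatched certificate fails at this step.
    $conn.SessionOptions.StartTransportLayerSecurity($null)
    Write-Host "STARTTLS negotiated with $DcFqdn on 3268"

    $conn.Bind()
    Write-Host "Bind succeeded for $TestUser@$Domain"

    # A GC search with an empty base DN spans the whole forest; confirm the account is there.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        '',
        "(sAMAccountName=$TestUser)",
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('distinguishedName'))
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -eq 0) {
        Write-Warning "$TestUser was not found in the Global Catalog"
    } else {
        Write-Host "Found: $($resp.Entries[0].DistinguishedName)"
    }
}
catch [System.DirectoryServices.Protocols.LdapException] {
    # ServerErrorMessage carries the AD data code (for example 52e for bad credentials)
    # that Microsoft's LDAP error documentation explains.
    Write-Error ("LDAP failure: {0} / {1}" -f $_.Exception.Message, $_.Exception.ServerErrorMessage)
}
catch [System.DirectoryServices.Protocols.DirectoryException] {
    Write-Error ("Directory operation failed: {0}" -f $_.Exception.Message)
}
finally {
    $conn.Dispose()
}
```

If step 3 fails at StartTransportLayerSecurity but Ldp.exe succeeds on the server itself, the difference is usually certificate trust or the name the client connects with, so compare the FQDN used here with the subject and SAN of the certificate the DC presents.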
Please reference Microsoft documentation for error code details and troubleshooting assistance.
For additional information regarding sign-on splash pages and Active Directory integration, please refer to the following documentation: