Cisco Meraki Documentation

Configuring SSIDs and Access Control for Education

Cisco Meraki Access Points (APs) support up to 16 SSIDs (15 user configurable and 1 permanently reserved for mesh), each with its own access controls and firewall rules. Educators may find it necessary to create separate SSIDs for faculty, students, and guests.

The steps below provide examples of education-oriented SSIDs with different tiers of access by using firewall and traffic shaping rules.

Configuration Overview

This article will explain how to enable and configure three SSIDs, one for each type of user:

  1. Name wireless networks for Faculty, Students, and Guests
  2. Configure Access Control Configuration for Faculty SSID
  3. Configure Firewall and Traffic Shaping for Faculty SSID
  4. Configure Access Control Configuration for Student SSID
  5. Configure Firewall and Traffic Shaping for Student SSID
  6. Configure Access Control Configuration for Guest SSID
  7. Configure Firewall and Traffic Shaping for Guest SSID
  8. Enable wireless networks for Faculty, Students, and Guests

Adding several SSIDs has a negative impact on capacity and performance. See the article Multi-SSID Deployment Considerations for more detail.  

Naming wireless networks for Faculty, Students, and Guests

  1. Log into Dashboard
  2. Navigate to Wireless > Configure > SSIDs
  3. For the Name section, click the rename link for an unused SSID
  4. Type the name of your SSID in the field. This is the name of the wireless network your faculty, students, or guests will connect to.
  5. Click the Save changes button


Access Control Configuration for Faculty SSID

  1. Navigate to Wireless > Configure > Access control
  2. Select your faculty network from the SSID drop down

Network access:

  1. Find the section Security
  2. For Association requirements, choose Password with WPA2 only
  3. Type the WPA2 key in the field. This is the password internal users will be prompted to enter when connecting.
    Note: To configure an externally hosted RADIUS server for WPA2-Enterprise, go here.


Splash page:

  1. For Splash page, choose Sign-on with Meraki Authentication
  2. For the Self-Registration option, select “Allow users to create accounts”
  3. For the Simultaneous logins option, select “Limit users to one device at a time”

Addressing and traffic:

  1. Find the section Client IP and VLAN
  2. For Client IP and VLAN, choose External DHCP server assigned and choose Bridge mode, which will make clients part of the LAN
    Note: In Bridge mode, Meraki devices operate transparently (no NAT or DHCP). Clients receive DHCP leases from the LAN or use static IPs.
  3. Click the Save changes button


Firewall and traffic shaping for Faculty SSID

  1. Navigate to Wireless > Configure > Firewall & traffic shaping
  2. Select your faculty network from the SSID drop down
  3. Find the section Block IPs and port
  4. For Outbound rules, select “Allow” for Wireless clients accessing LAN
  5. For Layer 7 firewall rules, click on Add a layer 7 firewall rule link and select (at least) the following recommended applications:
    • Gaming
    • Peer-to-peer (P2P)
    • Web file sharing
      Note: More information on blocking specific applications not listed under Layer 7 firewall rules can be found here.
  6. Click the Save changes button


Access Control Configuration for Student SSID

  1. Navigate to Wireless > Configure > Access control
  2. Select your student network from the SSID drop down

Network access:

  1. Find the section Security
  2. For Security, choose Password with WPA2 Only
  3. Type the WPA2 key in the field. This is the password internal users will be prompted for when connecting. 


Splash page:

  1. For Splash page, choose Click-through
    Note: More information about enabling the click-through splash page can be found here.
  2. For the Captive portal strength option, select “Block all access until sign-on is complete”
  3. Find the section Client IP and VLAN
  4. For Client IP and VLAN, choose External DHCP server assigned and choose Bridge mode, which will make clients part of the LAN
    Note: In Bridge mode, Meraki devices operate transparently (no NAT or DHCP). Clients receive DHCP leases from the LAN or use static IPs.
  5. Click the Save changes button


Firewall and traffic shaping for Student SSID

  1. Navigate to Wireless > Configure > Firewall & traffic shaping
  2. Select your student network from the SSID drop down
  3. Find the section Block IPs and port
  4. For Outbound rules, select “Allow” for Wireless clients accessing LAN
  5. For Layer 7 firewall rules, click on Add a layer 7 firewall rule link and select at least the following recommended applications:
    • Gaming
    • Peer-to-peer (P2P)
    • VoIP & video conferencing
    • Video & music
    • Web file sharing
      Note: More information on blocking specific applications not listed under Layer 7 firewall rules can be found here.
  6. Find the section Traffic shaping rules
  7. Set the Per-client bandwidth limit to “2 Mbps” and Enable speedburst
  8. Click the Save changes button

Access Control Configuration for Guest SSID

  1. Navigate to Wireless > Configure > Access control
  2. Select your guest network from the SSID drop down

Network access:

  1. Find the section Security
  2. For Security, choose Open (no encryption)


Splash page:

  1. For Splash page, choose None (direct access)
  2. Find the section Client IP and VLAN
  3. For Client IP and VLAN, choose Meraki AP assigned (NAT Mode)
    Note: In NAT mode, clients receive IP addresses in an isolated 10.0.0.0/8 network. Clients cannot communicate with each other.
  4. Click the Save changes button


Firewall and traffic shaping for Guest SSID

  1. Navigate to Configure > Firewall & traffic shaping
  2. Select your guest network from the SSID drop down
  3. Find the section Block IPs and port
  4. For Outbound rules, select “Deny” for Wireless clients accessing LAN
  5. For Layer 7 firewall rules, click on Add a layer 7 firewall rule link and select the following applications:
    • File sharing
    • Gaming
    • Peer-to-peer (P2P)
    • VoIP & video conferencing
    • Video & music
    • Web file sharing
      Note: More information on blocking specific applications not listed under Layer 7 firewall rules can be found here.
  6. Find the section Traffic shaping rules
  7. Set the Per-client bandwidth limit to “1 Mbps” and Enable speedburst
  8. Set the Per-SSID bandwidth limit to “5 Mbps”
  9. Click the Save changes button


Enabling wireless networks for Faculty, Students, and Guests

  1. Navigate to Wireless > Configure > SSIDs
  2. Enable the faculty, student, and guest networks
  3. Click the Save changes button

Now that these steps are completed, the APs in your network will broadcast three separate SSIDs (Faculty, Students, and Guests). Each has its own set of access controls, firewall rules, and traffic shaping rules.
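
To check that the three tiers stay as configured, the following added example (not Cisco Meraki code) encodes this article's settings as a baseline and reports where an exported configuration departs from it. The dictionary keys and the sample export are constructed for illustration and are not Meraki Dashboard API fields.

```python
# Added example: this article's three tiers as a baseline, checked against an export.
# All key names are hypothetical; map your own export onto them.
COMMON_L7 = {"Gaming", "Peer-to-peer (P2P)", "Web file sharing"}
MEDIA_L7 = {"VoIP & video conferencing", "Video & music"}

BASELINE = {
    "Faculty": dict(security="wpa2-psk", splash="meraki-auth", ip_mode="bridge",
                    lan_access="allow", l7_blocked=COMMON_L7),
    "Students": dict(security="wpa2-psk", splash="click-through", ip_mode="bridge",
                     lan_access="allow", l7_blocked=COMMON_L7 | MEDIA_L7,
                     per_client_mbps=2),
    "Guests": dict(security="open", splash="none", ip_mode="nat", lan_access="deny",
                   l7_blocked=COMMON_L7 | MEDIA_L7 | {"File sharing"},
                   per_client_mbps=1, per_ssid_mbps=5),
}

def audit(exported):
    """Return sorted (ssid, setting, problem) tuples where the export departs from BASELINE."""
    findings = []
    for ssid, want in BASELINE.items():
        have = exported.get(ssid)
        if have is None or not have.get("enabled", False):
            findings.append((ssid, "enabled", "SSID missing or disabled"))
            continue
        for key, expected in want.items():
            actual = have.get(key)
            if key == "l7_blocked":
                # The article lists minimum categories; extra blocks are fine.
                missing = expected - set(actual or ())
                if missing:
                    findings.append((ssid, key, "not blocked: " + ", ".join(sorted(missing))))
            elif key.endswith("_mbps"):
                # A missing or higher limit loosens the tier; a lower one does not.
                if actual is None or actual > expected:
                    findings.append((ssid, key, f"limit is {actual}, article sets {expected} Mbps"))
            elif actual != expected:
                findings.append((ssid, key, f"expected {expected!r}, found {actual!r}"))
    return sorted(findings)

# Constructed sample export: Students and Guests have drifted from the article's settings.
SAMPLE = {
    "Faculty": dict(BASELINE["Faculty"], enabled=True),
    "Students": dict(BASELINE["Students"], enabled=True, per_client_mbps=10),
    "Guests": dict(BASELINE["Guests"], enabled=True, ip_mode="bridge",
                   lan_access="allow", l7_blocked=COMMON_L7),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The guest findings matter most: a guest SSID in Bridge mode with LAN access allowed puts unauthenticated clients on the internal network.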

Additional Resources

Please use the following links for help with configuring other aspects of your SSIDs:
