Home > Wireless LAN > WiFi Basics and Best Practices > Configuring SSIDs and Access Control for Education

Configuring SSIDs and Access Control for Education

Cisco Meraki Access Points (APs) support up to fifteen concurrent SSIDs, each with its own access controls and firewall rules. Educators may find it necessary to create separate SSIDs for faculty, students, and guests.

The steps below provide examples of education-oriented SSIDs with different tiers of access by using firewall and traffic shaping rules.

Configuration Overview

This article will explain how to enable and configure three SSIDs, one for each type of user:

  1. Name wireless networks for Faculty, Students, and Guests
  2. Configure Access Control Configuration for Faculty SSID
  3. Configure Firewall and Traffic Shaping for Faculty SSID
  4. Configure Access Control Configuration for Student SSID
  5. Configure Firewall and Traffic Shaping for Student SSID
  6. Configure Access Control Configuration for Guest SSID
  7. Configure Firewall and Traffic Shaping for Guest SSID
  8. Enable wireless networks for Faculty, Students, and Guests

Naming wireless networks for Faculty, Students, and Guests

  1. Log into Dashboard
  2. Navigate to Wireless > Configure > SSIDs
  3. For the Name section, click the rename link for an unused SSID
  4. Type the name of your SSID in the field. This is the name of the wireless network your faculty, students, or guests will connect to.
  5. Click the Save changes button

Access Control Configuration for Faculty SSID

  1. Navigate to Wireless > Configure > Access control
  2. Select your faculty network from the SSID drop down
  3. Find the section Network access
  4. For Association requirements, choose Pre-shared key with WPA2
  5. Type the WPA2 key in the field. This is the password internal users will be prompted to enter for when connecting.
    Note: To configure an externally hosted RADIUS server for WPA2-Enterprise, go here.
  6. For Splash page, choose Sign-on with Meraki Authentication
  7. For the Self-Registration option, select “Allow users to create accounts”
    Note: More information about Self-registration for user accounts can be found here.
  8. For the Simultaneous logins option, select “Limit users to one device at a time”
  9. Find the section Addressing and traffic
  10. For Client IP assignment, choose Bridge mode: Make clients part of the LAN
    Note: In Bridge mode, Meraki devices operate transparently (no NAT or DHCP). Clients receive DHCP leases from the LAN or use static IPs.
  11. Click the Save changes button

Firewall and traffic shaping for Faculty SSID

  1. Navigate to Wireless > Configure > Firewall & traffic shaping
  2. Select your faculty network from the SSID drop down
  3. Find the section Firewall
  4. For Layer 3 firewall rules, select “Allow” for Wireless clients accessing LAN
  5. For Layer 7 firewall rules, click on Add a layer 7 firewall rule link and select (at least) the following recommended applications:
    • Gaming
    • Peer-to-peer (P2P)
    • Web file sharing
      Note: More information on blocking specific applications not listed under Layer 7 firewall rules can be found here.
  6. Click the Save changes button

Access Control Configuration for Student SSID

  1. Navigate to Wireless > Configure > Access control
  2. Select your student network from the SSID drop down
  3. Find the section Network access
  4. For Association requirements, choose Pre-shared key with WPA2
  5. Type the WPA2 key in the field. This is the password internal users will be prompted for when connecting. 
  6. For Splash page, choose Click-through
    Note: More information about enabling the click-through splash page can be found here.
  7. For the Captive portal strength option, select “Block all access until sign-on is complete”
  8. Find the section Addressing and traffic
  9. For Client IP assignment, choose Bridge mode: Make clients part of the LAN
    Note: In Bridge mode, Meraki devices operate transparently (no NAT or DHCP). Clients receive DHCP leases from the LAN or use static IPs. 
  10. Click the Save changes button

Firewall and traffic shaping for Student SSID

  1. Navigate to Wireless > Configure > Firewall & traffic shaping
  2. Select your student network from the SSID drop down
  3. Find the section Firewall
  4. For Layer 3 firewall rules, select “Allow” for Wireless clients accessing LAN
  5. For Layer 7 firewall rules, click on Add a layer 7 firewall rule link and select at least the following recommended applications:
    • Gaming
    • Peer-to-peer (P2P)
    • VoiP & video conferencing
    • Video & music
    • Web file sharing
      Note: More information on blocking specific applications not listed under Layer 7 firewall rules can be found here.
  6. Find the section Traffic shaping rules
  7. Set the Per-client bandwidth limit to “2 Mbps” and Enable speedburst
  8. Click the Save changes button

Access Control Configuration for Guest SSID

  1. Navigate to Wireless > Configure > Access control
  2. Select your guest network from the SSID drop down
  3. Find the section Network access
  4. For Association requirements, choose Open (no encryption)
  5. For Splash page, choose None (direct access)
  6. Find the section Addressing and traffic
  7. For Client IP assignment, choose NAT mode: Use Meraki DHCP
    Note: In NAT mode, Clients receive IP addresses in an isolated 10.0.0.0/8 network. Clients cannot communicate with each other.
  8. Click the Save changes button

Firewall and traffic shaping for Guest SSID

  1. Navigate to Configure > Firewall & traffic shaping
  2. Select your guest network from the SSID drop down
  3. Find the section Firewall
  4. For Layer 3 firewall rules, select “Deny” for Wireless clients accessing LAN
  5. For Layer 7 firewall rules, click on Add a layer 7 firewall rule link and select the following applications:
    • File sharing
    • Gaming
    • Peer-to-peer (P2P)
    • VoiP & video conferencing
    • Video & music
    • Web file sharing
      Note: More information on blocking specific applications not listed under Layer 7 firewall rules can be found here.
  6. Find the section Traffic shaping rules
  7. Set the Per-client bandwidth limit to “1 Mbps” and Enable speedburst
  8. Set the Per-SSID bandwidth limit to “5 Mbps”
  9. Click the Save changes button

Enabling wireless networks for Faculty, Students, and Guests

  1. Navigate to Configure > SSIDs
  2. Enable the faculty, student, and guest networks
  3. Click the Save changes button

Now that these steps are completed, the AP's in your network will broadcast three separate SSIDs (Faculty, Students, and Guests). Each has its own set of access controls, firewall and traffic shaping rules.

Additional Resources

Please use the following links for help with configuring other aspects of your SSIDs:

You must to post a comment.
Last modified
15:53, 23 Jul 2015

Tags

This page has no custom tags.

Classifications

This page has no classifications.

Article ID

ID: 2160

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case