Many organizations require two wireless networks (formally known as SSIDs) for client access. In most cases, the desired end result is one SSID for internal users - a secure encrypted extension of the wired LAN - and a second SSID that provides Internet-only access to your guests with minimal administrative overhead. This article describes how to configure, name and enable each SSID so that each provides the proper level of access to connected clients. Consult the following whitepaper to learn more about Wireless Guest Access at the Office.
Note: This configuration applies to MR Access Points only. For a similar configuration on the Z1 Teleworker Gateway and MX60W Security Appliance, see this page.
Name and Enable the 'Guest' and 'Internal' SSIDs
- In Dashboard, navigate to Wireless > Configure > SSIDs.
- For the Name section of each SSID, click the rename link.
- Enable and rename the Guest and Internal SSIDs appropriately. This is the name of the wireless network that clients will see in their list of available network connections.
- Click the Save Changes button.
Configure the 'Guest' SSID
- Navigate to Wireless > Configure > Access control.
- Select your guest network from the SSID drop-down menu.
- For Association requirements, choose Open (no encryption).
- For Splash page, choose None (direct access).
Note: To configure a Click-through splash page to display a company logo or welcome message, see Enabling Click-through splash-page or Customizing the Splash page.
- Scroll down to the Addressing and traffic section of the page.
- Ensure that "NAT mode: Use Meraki DHCP" is selected. In NAT mode, clients receive IP addresses in an isolated 10.0.0.0/8 network and cannot communicate with each other. See this article for more information on NAT mode.
- Click Save Changes at the bottom of the page.
- Navigate to the Configure > Firewall & traffic shaping page.
- Ensure that the Guest network is selected on the SSID drop-down menu at the top of the page.
- In the Layer 3 firewall rules section, select Deny from the drop-down menu for the rule labeled Wireless clients accessing LAN. More information on this setting is available in 'Deny Local LAN' settings in Cisco Meraki MR firewall.
- Scroll down to the Traffic shaping rules section and select a Per-client and/or Per-SSID bandwidth limit.
- Click Save Changes.
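The following check is an added example, not part of the original article or Meraki's own code. It audits an exported guest SSID configuration against the settings chosen in the steps above. The field names and values (authMode, splashPage, ipAssignmentMode, the bandwidth limit keys, and the "Local LAN" rule) are assumed to follow the Meraki Dashboard API v1 objects, and the sample data is constructed.

```python
# Added example (not Meraki code). Field names and values are assumed to follow
# the Meraki Dashboard API v1 SSID and L3 firewall rule objects.
BANDWIDTH_KEYS = (
    "perClientBandwidthLimitUp", "perClientBandwidthLimitDown",
    "perSsidBandwidthLimitUp", "perSsidBandwidthLimitDown",
)

def audit_guest_ssid(ssid, l3_rules):
    """Return findings for a guest SSID; an empty list means it matches the steps."""
    findings = []
    if not ssid.get("enabled"):
        findings.append("SSID is not enabled")
    if ssid.get("authMode") != "open":
        findings.append("association requirement is not Open")
    if ssid.get("splashPage") not in ("None", "Click-through splash page"):
        findings.append("splash page is neither None nor Click-through")
    if ssid.get("ipAssignmentMode") != "NAT mode":
        findings.append("addressing is not NAT mode (Meraki DHCP)")
    # The built-in LAN rule must be present and set to deny.
    lan_rules = [r for r in l3_rules if r.get("destCidr") == "Local LAN"]
    if not lan_rules or any(r.get("policy") != "deny" for r in lan_rules):
        findings.append("'Wireless clients accessing LAN' is not Deny")
    # A missing, null or zero limit means unlimited.
    if not any((ssid.get(k) or 0) > 0 for k in BANDWIDTH_KEYS):
        findings.append("no per-client or per-SSID bandwidth limit")
    return findings

# Constructed sample data: one SSID following the steps, one drifted from them.
GOOD_SSID = {"name": "Guest", "enabled": True, "authMode": "open",
             "splashPage": "None", "ipAssignmentMode": "NAT mode",
             "perClientBandwidthLimitUp": 1024, "perClientBandwidthLimitDown": 5120}
GOOD_RULES = [
    {"comment": "Wireless clients accessing LAN", "policy": "deny",
     "protocol": "Any", "destPort": "Any", "destCidr": "Local LAN"},
    {"comment": "Default rule", "policy": "allow",
     "protocol": "Any", "destPort": "Any", "destCidr": "Any"},
]
BAD_SSID = dict(GOOD_SSID, ipAssignmentMode="Bridge mode",
                perClientBandwidthLimitUp=0, perClientBandwidthLimitDown=0)
BAD_RULES = [dict(GOOD_RULES[0], policy="allow"), GOOD_RULES[1]]

if __name__ == "__main__":
    for label, ssid, rules in (("good", GOOD_SSID, GOOD_RULES),
                               ("drifted", BAD_SSID, BAD_RULES)):
        print(label, audit_guest_ssid(ssid, rules) or "OK")
```

Running the audit on a schedule against each network's guest SSID catches drift such as a switch to bridge mode or a LAN rule changed back to Allow.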