Skip to main content
Cisco Meraki Documentation

Access Control

The Access Control page allows administrators to configure splash page settings for an MX appliance.

If VLANs are configured on the Security & SD-WAN> Configure > Addressing & VLANs page, splash settings are configured separately for each VLAN. Use the Select VLAN drop-down at the top of the Security & SD-WAN > Configure > Access Control page to choose the VLAN you wish to modify splash settings for.

Splash pages with Active Directory

The MX Splash Page feature is not currently compatible with Active Directory integration. Because of this, enabling Active Directory integration will cause Access Control not to appear in the menu. This restriction will be removed when future improvements allow the two features to be used in tandem.

Network Access

Here you can set the splash type and configure associated options. The splash types available are as follows:

  • None (direct access): Users will not be required to go through a splash page to get access to the network.
  • Click-through: Users will be required to view and acknowledge a splash page before accessing the network. This is often a terms and conditions page or a welcome page.
  • Sign-on with Facebook Login: Users will be required to check in to a specified Facebook page before accessing the network. This option uses Facebook's "Facebook Wi-Fi" feature, so for more information on configuring Facebook Login, see the Facebook Wi-Fi FAQ.
  • Sign-on with my RADIUS server: Users will be required to provide credentials that will be checked against the specified RADIUS server.
  • Sign-on with 3rd party credentialsUsers must authenticate to a configured 3rd party authentication service before gaining access to the network. Currently only Google oAuth is supported for 3rd party credentials. For more information about configuring this option, please refer to our Google Sign-In article. 

Network Access Control

This section is only being maintained for legacy purposes. NAC no longer functions with any modern browsers, as it requires the use of a plugin that's no longer supported by them.

Network access control (NAC) scans clients connecting to a network to see if they are running anti-virus software, in order to ensure that the network is protected from infected machines.

The scan is done by a Java applet in the browser. If supported anti-virus software is detected running on the client machine, the client will be allowed onto the network. If not, the client will be quarantined in a remediation portal where they can download anti-virus software. This remediation portal can be set manually by selecting "Send users to a custom URL" from the Remediation drop-down. If "Send users to the standard remediation site" is selected, the user will be redirected to a page where they can download Microsoft Security Essentials.

Clients running Windows XP, 7, Vista, or 8 will be scanned for supported anti-virus software. Non-Windows clients are not scanned. An updated list of detected anti-virus software can be found here.

Captive portal options

The following options can be configured for the captive portal that users are placed in before they have passed through the splash page:

  • Captive portal strength
    • Block all access until sign-on is complete: Users who have not yet passed through the splash page have no network access except to hosts added to the walled garden,  DHCP servers, and DNS servers. The devices will still receive an IP address and will be able to resolve domain names.
    • Allow non-HTTP traffic prior to sign-on: Users who have not yet passed through the splash page cannot send or receive traffic on TCP port 80 (HTTP) except to hosts that have been added to the walled garden, but can pass other types of traffic normally to any destination.
  • Walled garden: Enabling the walled garden allows you to specify a list of IP addresses and domains that users can access before passing through the splash page. Items in this list should be separated by spaces, and domains can include wildcards in the form of an asterisk ( * ).
  • Controller disconnection behavior: Specifies how to treat clients when the Cloud Controller is unreachable. The options listed below apply to MR only. 
    • Open: Splash is disabled when the Cloud Controller is unreachable.
    • Restricted: Only whitelisted clients and clients who have already passed through the splash page will be able to access the network.
    • Default for your settings: Automatically sets the controller disconnection behavior based on the splash mode. If click-through splash is enabled, the default behavior is Open. If sign-on splash is enabled, the default behavior is Restricted.

To configure the content and behavior of the splash page itself, see Splash Page.

Note: Captive Portal Controller Disconnection Behavior does not apply to MX.


  • Was this article helpful?