Meraki Guest Wireless Access Made (REALLY) Easy

The shortest path between two points is a straight line, but is it always the right answer?

Want to spin up a new SSID, give it access to the Internet and call the guest wireless problem on your network solved?  Over the years, this is one (albeit cheap) way organizations have been allowing guest access to the Internet, but several questions with this design are left unanswered:

  • How do I centrally track who is accessing what?
  • How do I limit the access to the specific time frame when the visitor is on my campus?
  • How do I prevent unauthorized users from connecting so they don’t use up network resources?

If you already have or are looking at investing in a Meraki wireless infrastructure and want to implement a secure and easily managed guest wireless network, then this is the guide for you!  This solution will answer the above questions in addition to alleviating other design concerns.

All of the answers lie in the dashboard

The first step to creating your guest wireless network is to set up a new SSID.  I called mine “Be My Guest”.  In this instance, I prefer to force guest users to use a WPA2 pre-shared key because their communications are always encrypted and it’s a simple set up from the client perspective.   You can leave the SSID as an “Open” SSID, but that leaves your guests and network open to potential abuse.

The second step is to set the splash page function to use “Sign-on with Meraki authentication”, as shown here:

Other recommended settings include:

  • Captive portal strength set to “Block all access until sign-on is complete”
  • Self-registration set to “Don’t allow users to create accounts”
  • Controller disconnection behavior set to “Restricted”

Regarding the addressing, traffic settings, and client IP assignment, this allows for you to be a bit more creative on how you want this guest network to operate.  For example, you can set the SSID to Bridge Mode, then dump your guest traffic into a specific VLAN that is terminated on a Wireless DMZ of a firewall.  If you do not already have something like this readily available, the easiest method would be to use NAT mode.  Just be sure to set up your firewall and traffic shaping rules accordingly if running in NAT mode:

When in doubt, delegate

After your SSID and networking is all set up, your guest wireless users can now connect to your SSID with the pre-shared key they were given. However, now they will be prompted to log into the network via a Meraki captive portal.  How do our guests get user credentials you might ask?

This is the best part!  You now are able to empower key members of your user base and make them Guest Ambassadors!  Gone are the days of tickets into the help desk for guest access creation.  Simply go into your Meraki organization and create a new administrator and set the target networks access only to “Guest Ambassador”.

Once they set up their Guest Ambassador account(s), they are now able to create new guest accounts, set expiration times, passwords and can choose to print or email the guest credentials to them.

Now that you’ve made your life just a bit easier. . . 

With this new guest network now set up and humming along, you can focus on more important tasks or projects that are on your plate.  However, if you need assistance with setting guest wireless up or have other infrastructure requests or questions, Peters & Associates can help!  Email info@peters.com to find out more.

By | 2018-12-18T11:44:36+00:00 December 13th, 2018|Infrastructure Services|0 Comments

About the Author:

Mike has celebrated 12 years with Peters & Associates. As Infrastructure Architect, Mike is responsible for design and deployment of robust network and security solutions to help carry our valued clients into the future. Mike specializes on the ‘plumbing’ side of IT, dealing with routing, switching, wireless and security throughout. He has received certifications from multiple vendors, such as CCNP, CCNP Security and MCSE.

Leave A Comment