Providing guest WiFi access is a common requirement for many industries. Before opening up your network to the world, it’s ideal to welcome the guest and present the terms of service, and in some cases it’s an opportunity to interact with users in a dynamic and memorable way. In addition, an enrollment and authentication step may be required for security or premium-level access.
Solution Use Cases
- Customer Engagement
- Compliance with Terms of Service
- Social Analytics
- Business Workflow
- Bring Your Own Device (BYOD)
This document will guide you through the many options available with this technology and provide resources to dive deeper into each subject. It will also highlight the use cases for each option to help guide you in delivering a great experience for all.
The easiest way to get a Captive Portal setup on your network is to use one of the many built-in options. Each option will have its own set of use cases and capabilities.
Instant Captive Portal without the hassle of custom software or third-party services.
A click-through splash page displays a fully customizable HTML/CSS page to the wireless client the first time the client opens a web browser and makes an HTTP request. An administrator can use this splash page to display an acceptable use policy or network announcements. The client is only granted network access after clicking the “Continue” button on the splash page.
- Terms of Service
A sign-on splash page provides the functionality of the click-through splash page, but adds the ability to prompt the wireless client for a username and password. The client is only granted network access after entering a username and password that are validated against a backend authentication server (either a Meraki-hosted authentication server or a customer-hosted RADIUS, Active Directory or LDAP server).
The sign-on splash page may be hosted by the Meraki cloud or on an external web server. An administrator can configure whether new wireless clients are able to obtain network access when the sign-on splash page cannot be displayed or when the username/password credentials cannot be validated (i.e., the authentication server is unreachable). This setting is under the Configure tab on the Access Control page in the “Disconnection behavior” section.
The sign-on splash page can be configured to allow or disallow multiple simultaneous logins for a single set of user credentials.
The sign-on splash page is an authentication option that requires no client-side configuration. In addition, it is secured by SSL (HTTPS), so that usernames and passwords are sent to the Meraki cloud confidentially. However, when enabled, it requires clients to remember usernames and passwords, which they will need to enter periodically. As with the click-through splash page, clients that are incapable of displaying the splash page need to be considered.
- Terms of Service
- Registered user access (enhanced security)
There are a number of ways to leverage the sign-on splash page. The following options are available, each with additional features and requirements:
Developer and API Capabilities
Captive Portal API
Many companies build splash pages to run on their own servers. Since the built-in feature does not support custom forms or scripting, hosting your own solution gives you the maximum flexibility of web technologies. The External Captive Portal API (EXCAP) is the primary mechanism for intercepting a client connection and processing the login. In addition, the Dashboard API can further extend the capabilities by managing the network configuration.
Note: These features are for advanced users and will require the ability to parse parameters with scripting languages in order to build a grant or login URL. Knowledge of only HTML is not sufficient.
- Custom form
- Social Authentication
- Website Integration
- Business Workflow
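The parameter parsing that the note above refers to, sketched for a click-through splash page as an added example (not code from the original page or from Meraki). It treats the query string as untrusted and checks the grant endpoint before building the grant URL. The parameter names `base_grant_url`, `user_continue_url`, `continue_url` and `duration`, the allowlisted host suffixes, the fallback URL and the duration cap are assumptions to confirm against your own deployment.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: host suffixes the grant endpoint may use; set to what your deployment sends.
ALLOWED_GRANT_SUFFIXES = (".network-auth.com", ".meraki.com")
FALLBACK_CONTINUE_URL = "https://example.com/welcome"  # placeholder landing page
MAX_DURATION_S = 86400  # assumption: local policy cap of one day


class SplashRequestError(ValueError):
    """The splash request carried parameters that must not be acted on."""


def _trusted_grant_host(url):
    """True only for https URLs, without userinfo, on an allowlisted host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return (parts.scheme == "https" and not parts.username and not parts.password
            and not parts.query and not parts.fragment
            and host.endswith(ALLOWED_GRANT_SUFFIXES))


def build_grant_url(query_string, duration_s=3600):
    """Build the URL the client is sent to after accepting the terms."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    base = params.get("base_grant_url", "")
    # The query string is client-controlled: redirecting to an unchecked
    # base_grant_url would make the splash server an open redirector.
    if not _trusted_grant_host(base):
        raise SplashRequestError("unexpected base_grant_url")
    if not 0 < duration_s <= MAX_DURATION_S:
        raise SplashRequestError("duration outside policy")
    continue_url = params.get("user_continue_url", "")
    target = urlsplit(continue_url)
    # Only plain web URLs are accepted as the post-login destination.
    if target.scheme not in ("http", "https") or not target.hostname:
        continue_url = FALLBACK_CONTINUE_URL
    return base + "?" + urlencode({"continue_url": continue_url, "duration": duration_s})


# Constructed sample of what the splash server receives (not captured traffic).
SAMPLE_QUERY = urlencode({
    "base_grant_url": "https://n1.network-auth.com/splash/grant",
    "user_continue_url": "http://example.org/",
    "client_mac": "00:11:22:33:44:55",
})

if __name__ == "__main__":
    print(build_grant_url(SAMPLE_QUERY, duration_s=1800))
```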
The Dashboard API is a REST-based interface for interacting with your Meraki network. By leveraging this API, you can further control the network and guest experience.
The Captive Portal server will no longer interact with the client once authenticated. By using the Dashboard API, several options are available to manage the client session before and after the splash authorization process.
- Custom authentication
- Traffic Shaping (i.e. bandwidth control)
- Network Access (i.e. access to network devices or networks)
- Tiered access (i.e. free/paid/employee)
The client authorization status can be viewed and changed using a few Dashboard API endpoints. This is helpful if you would like to end a client session for a number of reasons or pre-authorize a client.
- Policy Violation
- Timed Access
- Session Limit
Group policies provide a flexible way of assigning network access, traffic shaping and bypass options for each client.
- One-time Registration
- Tiered Access (Free/Paid)
- Network Level Access (BYOD/Guest/)