Skip to main contentSkip to search
Skip to main content

Cisco Meraki

Key Takeaways
  • Cisco Meraki MR access points integrate with IronWiFi via standard RADIUS authentication -- configure primary and secondary RADIUS servers under Wireless > Access control for automatic failover.
  • The single most common configuration mistake is omitting 
    107.178.250.42/32
    from the walled garden, which prevents the splash page from loading.
  • Meraki supports both open SSID with external captive portal (sign-on with RADIUS server) and WPA2-Enterprise with 802.1X -- choose based on whether you need guest splash pages or direct credential-based authentication.
  • Always configure both RADIUS authentication and accounting servers; RADIUS accounting is required for session tracking and may need to be enabled by Meraki support for your organization.
  • For social login (Google, Facebook, LinkedIn), add each provider's domains to the walled garden -- unauthenticated users cannot reach OAuth endpoints without these entries.

Integrate Cisco Meraki wireless networks with IronWiFi's cloud-based RADIUS authentication and external captive portal. This guide covers RADIUS server configuration, splash page setup, walled garden configuration, and WPA-Enterprise options for secure guest and employee WiFi access.

Prerequisites

In Meraki Dashboard:

  • Administrator access to your Meraki organization
  • At least one MR access point online and managed

In IronWiFi Console (complete these first):

  1. Create a Network and note these RADIUS details:
    • Primary and backup server IP addresses
    • Customer authentication port
    • Customer accounting port
    • Shared secret
  2. Create a Captive Portal with vendor set to Cisco Meraki and note the Splash Page URL

Configuration Steps

Sign in to Meraki Dashboard and select your network.

Step 1: Create or Select SSID

  1. Navigate to WirelessConfigureSSIDs
  2. Enable an SSID slot and give it a name (e.g., "Guest WiFi")
  3. Click Edit Settings to configure

Step 2: Configure Access Control

Navigate to WirelessConfigureAccess control, then select your SSID.

Security Settings

SettingValueNotes
Association requirementsOpen (no encryption)For captive portal
Splash pageSign-on with my RADIUS serverExternal captive portal
tip

For WPA2-secured guest networks, you can use "WPA2-Enterprise" association with "Sign-on with my RADIUS server" splash page.

RADIUS Authentication Servers

Under RADIUS for splash page, click Add server:

Primary Server:

FieldValue
Host
{Primary IP from IronWiFi}
Port
{Customer Authentication Port}
Secret
{Shared secret from IronWiFi}

Secondary Server:

FieldValue
Host
{Backup IP from IronWiFi}
Port
{Customer Authentication Port}
Secret
{Shared secret from IronWiFi}

RADIUS Settings:

SettingRecommended Value
Failover policyDeny access
Load balancing policyStrict priority order
Network access control (NAC)Disabled
CoA supportEnabled

Step 3: Configure RADIUS Accounting

note

RADIUS Accounting may need to be enabled by Meraki support. If you don't see accounting options, contact Meraki support to enable this feature for your organization.

Enable RADIUS accounting and add servers:

Primary Accounting Server:

FieldValue
Host
{Primary IP from IronWiFi}
Port
{Customer Accounting Port}
Secret
{Shared secret from IronWiFi}

Secondary Accounting Server:

FieldValue
Host
{Backup IP from IronWiFi}
Port
{Customer Accounting Port}
Secret
{Shared secret from IronWiFi}

Step 4: Configure Walled Garden

The walled garden allows unauthenticated users to reach specific domains (needed for the splash page and authentication providers to work).

Under Walled garden, toggle to Enabled and add entries.

Required Entry

Always add the IronWiFi server:

107.178.250.42/32

Additional Entries by Authentication Provider

Only add entries for authentication methods you've enabled in your IronWiFi captive portal:

ProviderRequired Walled Garden Entries
Google
*.google.com
, 
*.googleapis.com
, 
*.gstatic.com
, 
accounts.google.com
Facebook
*.facebook.com
, 
*.fbcdn.net
, 
connect.facebook.net
, 
facebook.com
LinkedIn
*.linkedin.com
, 
*.licdn.com
, 
linkedin.com
Twitter/X
*.twitter.com
, 
*.twimg.com
, 
twitter.com
, 
*.x.com
, 
x.com
Apple
*.apple.com
, 
*.icloud.com
, 
appleid.apple.com
Microsoft Entra ID
*.microsoft.com
, 
*.microsoftonline.com
, 
*.msftauth.net
, 
*.msauth.net
, 
login.microsoftonline.com
Stripe
*.stripe.com
, 
js.stripe.com
PayPal
*.paypal.com
, 
*.paypalobjects.com
Twilio (SMS)
*.twilio.com
warning

Avoid overly broad entries like 

*.*
as this allows users to bypass authentication entirely.

Step 5: Configure Splash Page

  1. Navigate to WirelessConfigureSplash page
  2. Select your SSID from the dropdown
  3. Configure:
SettingValue
Custom splash URL
{Splash Page URL from IronWiFi}
Splash page behaviorBlock all access until sign-on is complete
Splash frequencyEvery day

Optional Settings:

SettingRecommended ValueNotes
Controller disconnection behaviorOpenAllows access if Meraki cloud unavailable
Splash timeout30 minutesTime before requiring re-auth after page shown

Step 6: Session and Bandwidth Settings (Optional)

These settings help manage network resources but are not required for captive portal functionality.

Navigate to WirelessConfigureFirewall & traffic shaping, select your SSID.

Per-Client Bandwidth Limit

SettingRecommendedNotes
Limit download5-10 MbpsPrevents single user from consuming all bandwidth
Limit upload2-5 MbpsAdjust based on your needs
tip

IronWiFi can also control bandwidth via RADIUS attributes, allowing different limits for different user groups.

Per-SSID Bandwidth Limit

Set overall SSID bandwidth to prevent guest network from impacting business operations.

Advanced Configurations

The following configurations are optional and depend on your specific requirements.

VLAN Assignment

Assign guest users to a dedicated VLAN:

  1. Navigate to WirelessConfigureAccess control
  2. Select your guest SSID
  3. Under Addressing and traffic:
    • Client IP assignment: Bridge mode or NAT mode
    • VLAN tagging: Specify guest VLAN ID

Dynamic VLAN Assignment:

IronWiFi can assign VLANs dynamically via RADIUS:

  1. Configure VLANs in Meraki
  2. In IronWiFi, configure user groups with VLAN assignments
  3. Enable RADIUS VLAN attributes in the network settings

Group Policies

Apply Meraki Group Policies based on user attributes:

  1. Navigate to Network-wideConfigureGroup policies
  2. Create policies (e.g., "Guest Basic", "Guest Premium")
  3. In IronWiFi, configure RADIUS to return the 
    Filter-Id
    attribute matching your policy name

Data-Carrier Detect

Controls session behavior when clients disconnect:

SettingBehavior
Enabled (default)Session revoked when client disconnects; re-auth required
DisabledClient can reconnect within session timeout without re-auth

To disable:

  1. Navigate to WirelessConfigureAccess control
  2. Find Data-carrier detect option
  3. Disable for seamless roaming experience

MAC-Based Authentication

For devices without browsers (printers, IoT devices):

Option 1: Meraki Whitelist

  1. Navigate to Network-wideConfigureClients
  2. Find the device by MAC address
  3. Click the device and select Whitelist

Option 2: IronWiFi MAC Authentication

  1. In IronWiFi, enable MAC-based authentication on the Captive Portal
  2. Add device MAC addresses to authorized list
  3. Device will auto-authenticate on subsequent connections

Hotspot 2.0 / Passpoint

For seamless WiFi access without captive portal interaction, see the dedicated Cisco Meraki Passpoint Configuration guide.

Alternative: WPA2-Enterprise Without Captive Portal

If you need 802.1X authentication without a splash page (users authenticate with credentials directly in their device WiFi settings):

  1. Navigate to WirelessConfigureAccess control
  2. Select your SSID
  3. Set Association requirements to WPA2-Enterprise with my RADIUS server
  4. Set Splash page to None
  5. Add RADIUS servers as documented above
  6. In IronWiFi, create user accounts under Users for each person who needs access
tip

For WPA2-Enterprise deployments, always configure both primary and secondary RADIUS servers to ensure authentication continues if one server becomes unreachable.

Testing and Verification

After completing the configuration steps above, verify everything works correctly.

Test RADIUS Connectivity

From Meraki Dashboard:

  1. Navigate to WirelessConfigureAccess control
  2. Click Test next to each RADIUS server
  3. Enter test username and password from IronWiFi
  4. Verify "Success" response

Test Captive Portal Flow

  1. Connect a device to the guest SSID
  2. Open a browser and navigate to 
    http://example.com
  3. Verify redirect to IronWiFi splash page
  4. Complete authentication
  5. Verify internet access is granted

Verify in IronWiFi Console

  1. Navigate to ReportsAuthentications
  2. Look for recent authentication attempts
  3. Verify successful authentications show "Access-Accept"

Check Meraki Event Log

  1. Navigate to Network-wideMonitorEvent log
  2. Filter by your SSID
  3. Look for:
    • "Splash page shown"
    • "RADIUS authentication successful"
    • "Client associated"

Troubleshooting

If testing reveals issues, use this section to diagnose and resolve common problems.

Splash Page Not Loading

warning

The most common cause of splash page issues is a missing walled garden entry. Always verify that 

107.178.250.42/32
is in your walled garden before investigating other causes.

SymptomCauseSolution
Blank pageMissing walled garden entryAdd 
107.178.250.42/32
to walled garden
SSL errorHTTPS intercept issueAdd splash domain to walled garden
TimeoutRADIUS unreachableVerify RADIUS server settings
Wrong pageIncorrect splash URLCheck Custom Splash URL setting

Verification steps:

  1. Check walled garden includes 
    107.178.250.42/32
  2. Verify Custom Splash URL is exact match from IronWiFi
  3. Test direct access to splash URL in browser
  4. Check Meraki event log for redirect entries

RADIUS Authentication Failures

SymptomCauseSolution
TimeoutServer unreachableCheck IP, port, firewall
RejectWrong credentialsVerify shared secret matches
No responseAccounting not enabledContact Meraki support

Verification steps:

  1. Use Meraki's built-in RADIUS test
  2. Check IronWiFi Console → Logs for attempts
  3. Verify shared secret matches exactly (case-sensitive)
  4. Confirm firewall allows UDP traffic on your customer authentication and accounting ports

Users Stuck After Authentication

SymptomCauseSolution
Redirected back to splashSession not createdEnable RADIUS accounting
Can't reach internetVLAN issueCheck VLAN configuration
Partial accessDNS issuesAdd DNS servers to allowed list

Verification steps:

  1. Check accounting is enabled and servers are configured
  2. Verify session exists in IronWiFi Console → Sessions
  3. Test DNS resolution from client device

Social Login Not Working

SymptomCauseSolution
OAuth page won't loadMissing walled gardenAdd provider domains
Login failsCredentials issueCheck OAuth app settings
Popup blockedCNA browser limitationProvide "Open in browser" option

Verification steps:

  1. Add all required domains for the provider to walled garden
  2. Test in full browser (not CNA popup)
  3. Verify OAuth credentials in IronWiFi

Session/Timeout Issues

SymptomCauseSolution
Frequent re-authShort session timeoutIncrease splash frequency
Session drops on roamingData-carrier detectDisable data-carrier detect
Users disconnectedIdle timeoutAdjust in IronWiFi

Common Mistakes

Based on thousands of Meraki-IronWiFi deployments, these are the configuration errors that cause the most support tickets:

  1. Omitting the walled garden entry -- The single most frequent cause of "splash page not loading" issues. Always add 
    107.178.250.42/32
    to the walled garden before testing.
  2. Using the wrong RADIUS port -- Meraki defaults to port 1812, but IronWiFi assigns a custom authentication port per network. Copy the exact port from your IronWiFi Network settings.
  3. Mismatched shared secrets -- RADIUS shared secrets are case-sensitive and must match character-for-character between Meraki and IronWiFi. Copy-paste rather than retyping.
  4. Not configuring RADIUS accounting -- Without accounting, IronWiFi cannot track sessions or enforce session limits. Enable accounting servers alongside authentication servers.
  5. Forgetting social login walled garden entries -- If you enable Google or Facebook login but do not add 
    *.google.com
    , 
    *.googleapis.com
    , 
    *.facebook.com
    , and 
    *.fbcdn.net
    to the walled garden, OAuth popups will fail to load.
  6. Setting the splash URL incorrectly -- The splash URL must be copied exactly from the IronWiFi captive portal settings, including the protocol (
    https://
    ). A common error is adding extra path segments or trailing slashes.

Best Practices

Security

  • Use unique RADIUS shared secrets per network
  • Enable RADIUS accounting for session tracking
  • Set appropriate session timeouts
  • Use VLAN isolation for guest traffic

Performance

  • Set reasonable per-client bandwidth limits
  • Enable Cloud CDN for splash page assets
  • Keep splash page design lightweight
  • Use IronWiFi's closest regional RADIUS servers to minimize authentication latency

User Experience

  • Set splash frequency to reduce re-authentication
  • Disable data-carrier detect for seamless roaming
  • Offer multiple authentication options
  • Test on both iOS and Android devices

Monitoring

  • Review Meraki event logs regularly
  • Monitor IronWiFi authentication reports
  • Set up alerts for authentication failures
  • Track usage patterns for capacity planning

Quick Reference

Required Walled Garden (Copy/Paste)

107.178.250.42/32

Common Settings Summary

SettingLocationValue
AssociationAccess ControlOpen
Splash pageAccess ControlSign-on with my RADIUS server
Splash URLSplash pageFrom IronWiFi Console
RADIUS Auth PortAccess ControlCustomer Authentication Port
RADIUS Acct PortAccess ControlCustomer Accounting Port
Walled GardenAccess ControlEnabled with IronWiFi IP

Meraki Dashboard Paths

ConfigurationNavigation Path
SSID SettingsWireless → Configure → SSIDs
Access ControlWireless → Configure → Access control
Splash PageWireless → Configure → Splash page
Hotspot 2.0Wireless → Configure → Hotspot 2.0
Traffic ShapingWireless → Configure → Firewall & traffic shaping
Event LogNetwork-wide → Monitor → Event log
ClientsNetwork-wide → Configure → Clients

Frequently Asked Questions

Q: Do I need to contact Meraki support to enable RADIUS accounting?

In some Meraki organizations, RADIUS accounting is not enabled by default. If you do not see accounting options in your dashboard, contact Meraki support to enable it. Accounting is required for session tracking and accurate usage reporting in IronWiFi.

Q: Can I use WPA2-Enterprise and a captive portal on the same SSID?

Yes. Set Association requirements to WPA2-Enterprise and Splash page to Sign-on with my RADIUS server. Users will first authenticate via 802.1X, then see the splash page. However, most deployments use separate SSIDs for each method.

Q: Why is my splash page not loading after configuration?

The most common cause is a missing walled garden entry. Verify that 

107.178.250.42/32
is added to the walled garden in Wireless > Configure > Access control. Also confirm the Custom Splash URL matches the URL from your IronWiFi Captive Portal settings exactly.

Q: How do I assign different VLANs to different user groups?

Configure VLAN tagging in Meraki under Addressing and traffic, then set up user groups in IronWiFi with RADIUS attributes 

Tunnel-Type := VLAN
, 
Tunnel-Medium-Type := IEEE-802
, and 
Tunnel-Private-Group-Id := [VLAN ID]
. IronWiFi dynamically returns the VLAN assignment during authentication.

Q: Can I use both primary and secondary RADIUS servers for failover?

Yes, and it is strongly recommended. Add both the primary and secondary RADIUS server IPs from your IronWiFi Network settings. Set failover policy to Deny access and load balancing to Strict priority order so the secondary is only used when the primary is unreachable.

For this vendor

Shared configuration

Was this page helpful?