This guide provides a comprehensive overview of how to configure and manage Internet of Things (IoT) devices on Cisco Meraki using MAC-based authentication against the Cloudi-Fi platform, on a dedicated IoT SSID. By following the steps outlined in this document, network administrators can ensure secure and efficient connectivity for IoT devices within their network.
If you want to use a single SSID for both Guest and IoT authentication, follow the dedicated documentation instead (see How to handle IoT and Guest Devices Using a Single SSID in Cisco Meraki).
Prerequisites
Before starting, ensure that you have the following prerequisites:
- A Cisco Meraki access point.
- Cloudi-Fi RADIUS IP addresses and shared secret.
- Access to the Cisco Meraki dashboard.
- Knowledge of your network’s IP addressing scheme.
- Enable API access to the Meraki portal and synchronise your Meraki networks with Cloudi-Fi.
- Access to your firewall to allow the following flows:
| Source | Destination | Port | Protocol | Action | Comment |
|---|---|---|---|---|---|
| Guest subnet | Cloudi-Fi IPs | 1812-1813 | UDP | Allow | RADIUS traffic |
| Guest subnet | Any | 80 | TCP | Allow | HTTP traffic |
| Guest subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| Guest subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |
1. Get RADIUS information
You will need the RADIUS information (server IP addresses, shared secret, ports) to proceed with the setup.
- IP addresses of the RADIUS servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
You can get the shared secret by asking in the Chatbot. Cloudi-Fi’s Support team will provide you with the necessary information.
What shared secret is used for the RADIUS server with Cisco Meraki? (Please store this confidential information securely and do not share it publicly.)
2. Create the Guest SSID
Navigate to Meraki Dashboard > Wireless > SSID.
Enable an available SSID.
Enter a name for the SSID and save changes.
3. Set Access Control parameters
Navigate to Meraki Dashboard > Wireless > Access Control and select the configured SSID.
Security
- Security: choose MAC-based access control (no encryption) > my RADIUS server
- WPA encryption: select “Disabled”
Splash page
- Splash page: select “None”
RADIUS
- Set your RADIUS server(s):
  - Host IP or FQDN: enter the IP address of the RADIUS server and the port number obtained from the previous step.
  - Auth Port: 1812
  - Shared Secret: enter the shared secret used for authentication between the RADIUS server and the Cisco Meraki access point.
- RADIUS testing: enable
- RADIUS attribute: Filter-ID
  - Purpose: automatically applies a Meraki Group Policy based on the device, or on the user it is linked to (e.g., employee vs guest policies).
Client IP and VLAN
In this section you can assign clients specific IP addresses and VLANs upon successful authentication.
Choose the appropriate option for assigning IP addresses:
- Meraki AP Assigned (NAT Mode)
- External DHCP server assigned
Configure VLAN settings (if applicable):
- If you selected “Use VLAN tagging” in the previous step, select the VLAN tag number to assign to clients after authentication.
- Ensure that the corresponding VLAN is properly configured on your network infrastructure.
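The settings from Step 3 can also be applied through the Meraki Dashboard API, which is useful when the same IoT SSID has to be rolled out to many networks that were synchronised with Cloudi-Fi (see Prerequisites). The script below is an added example and is not part of this guide, of Cloudi-Fi's tooling or of Cisco's code. It assumes the field names of the Dashboard API v1 endpoint PUT /networks/{networkId}/wireless/ssids/{number} (updateNetworkWirelessSsid); verify them against the current API reference before use. The RADIUS IP addresses, shared secret, network id and API key are read from environment variables, and the IP addresses used as defaults are constructed placeholders.

```python
"""Apply the Step 3 access-control settings to a Meraki SSID via the Dashboard API.

Added example, not part of the Cloudi-Fi guide. Field names are assumed to follow
the Meraki Dashboard API v1 endpoint PUT /networks/{networkId}/wireless/ssids/{number}
(updateNetworkWirelessSsid); check them against the current API reference.
"""
import json
import os
import urllib.request

MERAKI_BASE = "https://api.meraki.com/api/v1"


def build_iot_ssid_payload(name, radius_hosts, secret, vlan_id=None):
    """Map the dashboard settings of Step 3 onto the API request body.

    - MAC-based access control (no encryption) -> authMode "open-with-radius"
    - Splash page "None"                       -> splashPage "None"
    - RADIUS testing enabled                   -> radiusTestingEnabled True
    - RADIUS attribute Filter-ID               -> radiusAttributeForGroupPolicies "Filter-Id"
    """
    payload = {
        "name": name,
        "enabled": True,
        "authMode": "open-with-radius",
        "splashPage": "None",
        # Auth port 1812 only; accounting (1813) is listed in the prerequisites
        # but is not configured in Step 3 of the guide.
        "radiusServers": [{"host": h, "port": 1812, "secret": secret} for h in radius_hosts],
        "radiusTestingEnabled": True,
        "radiusAttributeForGroupPolicies": "Filter-Id",
    }
    if vlan_id is None:
        payload["ipAssignmentMode"] = "NAT mode"  # "Meraki AP Assigned (NAT Mode)"
    else:
        # "External DHCP server assigned" with the post-authentication VLAN tag
        payload["ipAssignmentMode"] = "Bridge mode"
        payload["useVlanTagging"] = True
        payload["defaultVlanId"] = vlan_id
    return payload


def validate_payload(payload):
    """Return the list of deviations from the Step 3 settings (empty list means OK)."""
    problems = []
    if payload.get("authMode") != "open-with-radius":
        problems.append("authMode must be open-with-radius (MAC-based access control)")
    if payload.get("splashPage") != "None":
        problems.append("splashPage must be None for the IoT SSID")
    if not payload.get("radiusTestingEnabled"):
        problems.append("RADIUS testing should be enabled")
    if payload.get("radiusAttributeForGroupPolicies") != "Filter-Id":
        problems.append("group policy attribute must be Filter-Id")
    servers = payload.get("radiusServers") or []
    if not servers:
        problems.append("at least one RADIUS server is required")
    for s in servers:
        if s.get("port") != 1812:
            problems.append(f"{s.get('host')}: auth port must be 1812")
        if not s.get("secret"):
            problems.append(f"{s.get('host')}: shared secret is empty")
    return problems


def push_ssid(network_id, ssid_number, payload, api_key):
    """PUT the payload to the Dashboard API and return the decoded JSON response."""
    req = urllib.request.Request(
        f"{MERAKI_BASE}/networks/{network_id}/wireless/ssids/{ssid_number}",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with the values from Step 1.
    hosts = os.environ.get("CLOUDIFI_RADIUS_IPS", "198.51.100.10,198.51.100.11").split(",")
    body = build_iot_ssid_payload("IoT", hosts, os.environ.get("CLOUDIFI_RADIUS_SECRET", ""))
    issues = validate_payload(body)
    if issues:
        raise SystemExit("\n".join(issues))
    print(push_ssid(os.environ["MERAKI_NETWORK_ID"],
                    int(os.environ.get("MERAKI_SSID_NUMBER", "1")),
                    body, os.environ["MERAKI_API_KEY"]))
```

The validation step runs before anything is sent, so a missing shared secret or a mistyped port is caught locally instead of producing an SSID that silently rejects every IoT device.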
4. Create your IoT Security Profile(s)
The Security Profile defines the user group that Cloudi-Fi returns to Meraki in the RADIUS Access-Accept reply when the IoT device authenticates.
The shared user group follows the format cloudifi-SecurityProfileName. For example, a Security Profile named "Whitelist" results in the user group cloudifi-Whitelist being shared with Meraki.
Security Profiles are particularly useful for creating Meraki-side policies tailored to the different IoT profiles present on your network. For example, you could create a Security Profile dedicated to printers and, on the Meraki side, allow access only to specific ports or destinations for that profile.
Go to your Cloudi-Fi Admin Console, navigate to Network > Security Profiles and select "Add profile":
- Name (e.g. Printers)
- Location (e.g. All)
- Description
- Type: Whitelist
By default, for an unknown IoT device (i.e. one that has never connected to the Cloudi-Fi solution and has not been added to a Whitelist), the user group cloudifi-Quarantine is returned to Meraki in the Access-Accept.
5. Bypass captive portal for your IoT security profiles
As part of IoT RADIUS authentication, the cloudifi-SecurityProfileName attribute is returned in the RADIUS Access-Accept message. You therefore need to configure a default group policy (cloudifi-Quarantine) that blocks access, as well as a dedicated group policy for each of your IoT Security Profiles (e.g., cloudifi-Whitelist).
Navigate to Meraki Dashboard > Network wide > Group policies and select Add a group.
Default group policy: cloudifi-Quarantine
- Name: cloudifi-Quarantine
- Schedule (e.g. Scheduling disabled)
- Bandwidth (e.g. Use SSID default)
- Firewall and traffic shaping (e.g. Custom SSID firewall & shaping rules)
  - Layer 3 firewall
    - Policy: Deny
    - Protocol: Any
    - Destination: Any
    - Port: Any
- Adaptive Policy SGT (e.g. Do not assign SGT)
- VLAN (e.g. Use SSID default)
- Splash: Bypass
- Bonjour forwarding (e.g. Use SSID default)
Custom group policies (e.g. cloudifi-Printers)
- Name (e.g. cloudifi-Printers)
- Schedule (e.g. Scheduling disabled)
- Bandwidth (e.g. Use SSID default)
- Firewall and traffic shaping (Custom SSID firewall & shaping rules)
  - Layer 3 firewall, e.g.
    - Policy: Allow
    - Protocol: Any
    - Destination: Any
    - Port: Any
- Adaptive Policy SGT (e.g. Do not assign SGT)
- VLAN (e.g. Use SSID default)
- Splash: Bypass
- Bonjour forwarding (e.g. Use SSID default)
6. Add and Register IoT Devices in Cloudi-Fi
Go to your Cloudi-Fi Admin Console and navigate to Network > Devices.
Then click Add Device and enter the following:
In Network:
- Device Name (e.g., SmartPrinter-001)
- MAC Address of the device
- Security Profile (e.g. Printers)
In Identification:
- Device type
- Linked user
For an IoT device that has both a Security Profile and a linked user, the profile of the linked user is the one shared in the Access-Accept response.
For example, if you configure an IoT device with:
- Security profile: "Printers"
- Linked user: John Doe, whose visitor profile is called "Partner"
then the visitor profile takes priority, and the cloudifi-Partner user group is shared for the IoT device in the RADIUS Access-Accept response. As a result, when the IoT device connects it is matched to the cloudifi-Partner group policy and not to cloudifi-Printers.
Once added:
- The device is automatically whitelisted.
- It can connect to the SSID without a captive portal.
- The session and its validity inherit the default session duration defined in Admin Console > Policies > Privileges.
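Steps 4 to 6 together define a mapping: every device Cloudi-Fi knows about ends up with one Filter-Id value (cloudifi-SecurityProfileName, or the linked user's cloudifi-VisitorProfile, or cloudifi-Quarantine for unknown devices), and each of those values must have a Meraki group policy of the same name, otherwise the intended restrictions are not applied. The script below is an added example, not code from this guide or from either vendor: it encodes the precedence rule from Step 6, generates the Step 5 group-policy bodies, and reports which group names returned for a device inventory have no matching policy. The policy bodies assume the schema of the Meraki Dashboard API v1 endpoint POST /networks/{networkId}/groupPolicies (the guide's "Use SSID default" options are expressed as "network default"); the device inventory is constructed sample data.

```python
"""Check that Meraki group policies cover every user group Cloudi-Fi can return.

Added example, not part of the Cloudi-Fi guide or of either vendor's code.
Policy bodies are assumed to follow the Meraki Dashboard API v1 schema for
POST /networks/{networkId}/groupPolicies; verify against the current reference.
"""

QUARANTINE = "cloudifi-Quarantine"

ANY_ALLOW = {"comment": "allow any", "policy": "allow", "protocol": "any",
             "destCidr": "Any", "destPort": "Any"}
ANY_DENY = {"comment": "quarantine unknown IoT", "policy": "deny", "protocol": "any",
            "destCidr": "Any", "destPort": "Any"}

# Constructed sample inventory, shaped after the Step 6 form fields.
SAMPLE_DEVICES = [
    {"name": "SmartPrinter-001", "mac": "00:11:22:33:44:55", "security_profile": "Printers"},
    {"name": "Badge-Reader-02", "mac": "00:11:22:33:44:66", "security_profile": "Printers",
     "linked_user": {"name": "John Doe", "visitor_profile": "Partner"}},
    {"name": "unknown-sensor", "mac": "00:11:22:33:44:77"},
]


def filter_id_for(device):
    """User group Cloudi-Fi shares in the Access-Accept for this device.

    Precedence from Steps 4 and 6: a linked user's visitor profile beats the
    device's Security Profile; a device with neither is quarantined.
    """
    linked = device.get("linked_user") or {}
    if linked.get("visitor_profile"):
        return f"cloudifi-{linked['visitor_profile']}"
    if device.get("security_profile"):
        return f"cloudifi-{device['security_profile']}"
    return QUARANTINE


def _policy(name, l3_rules):
    """Common Step 5 settings: splash bypass, custom L3 rules, defaults elsewhere."""
    return {
        "name": name,
        "scheduling": {"enabled": False},                      # Scheduling disabled
        "bandwidth": {"settings": "network default"},          # "Use SSID default" in the guide
        "firewallAndTrafficShaping": {"settings": "custom", "l3FirewallRules": l3_rules},
        "splashAuthSettings": "bypass",                        # Splash: Bypass
        "vlanTagging": {"settings": "network default"},
        "bonjourForwarding": {"settings": "network default"},
    }


def quarantine_policy():
    """Default policy for unknown devices: deny all Layer 3 traffic."""
    return _policy(QUARANTINE, [ANY_DENY])


def profile_policy(profile, l3_rules=None):
    """Policy for one Security Profile; allow-any unless tighter rules are given."""
    return _policy(f"cloudifi-{profile}", l3_rules or [dict(ANY_ALLOW, comment=f"{profile} traffic")])


def uncovered_groups(devices, existing_policy_names):
    """Group names the devices can receive that have no Meraki group policy yet."""
    needed = {filter_id_for(d) for d in devices} | {QUARANTINE}
    return sorted(needed - set(existing_policy_names))


if __name__ == "__main__":
    existing = ["cloudifi-Quarantine", "cloudifi-Printers"]   # e.g. from GET .../groupPolicies
    for d in SAMPLE_DEVICES:
        print(f"{d['name']:<18} -> {filter_id_for(d)}")
    missing = uncovered_groups(SAMPLE_DEVICES, existing)
    print("group policies still to create:", missing or "none")
    for name in missing:
        body = quarantine_policy() if name == QUARANTINE else profile_policy(name.removeprefix("cloudifi-"))
        print(body["name"], body["firewallAndTrafficShaping"]["l3FirewallRules"][0]["policy"])
```

Run against the real device list from Network > Devices and the group policies already present in the Meraki network, the check surfaces the case illustrated in Step 6: a printer linked to a user with the "Partner" visitor profile needs a cloudifi-Partner policy, not just cloudifi-Printers.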
Additional Notes
- Any device that attempts to connect to the SSID will be available on the Cloudi-Fi platform.
- You can view unassigned devices and manually assign them to a user to apply relevant policies.