This guide provides a comprehensive overview of configuring and managing Guest authentication (via captive portal) and IoT authentication (via MAC-based authentication) using Cisco Meraki and the Cloudi-Fi platform, on a single SSID. By following the steps outlined in this document, network administrators can ensure secure and efficient connectivity for Guest and IoT devices within their network.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- A Cisco Meraki access point.
- Cloudi-Fi RADIUS server IPs and shared secret.
- Access to the Cisco Meraki dashboard.
- Knowledge of your network’s IP addressing scheme.
- Enable API access to the Meraki portal and synchronise your Meraki networks with Cloudi-Fi.
- Access to your firewall to allow several ports:
| Source | Destination | Port | Protocol | Action | Comment |
|---|---|---|---|---|---|
| Guest subnet | Cloudi-Fi IPs | 1812-1813 | UDP | Allow | RADIUS traffic |
| Guest subnet | Any | 80 | TCP | Allow | HTTP traffic |
| Guest subnet | Any | 443 | TCP | Allow | HTTPS traffic |
| Guest subnet | Any | 53 | UDP/TCP | Allow | DNS resolution |
| * | * | * | * | Deny | To be adjusted according to your needs |
1. Get Radius information
You will need the Radius information (Server IPs, Secret, Ports) to proceed with the setup.
- IP addresses of the RADIUS servers
- Ports: UDP 1812 (Authentication) & 1813 (Accounting)
You can get the secret by asking in the Chatbot; Cloudi-Fi’s Support team will provide you with the necessary information. For example, ask:
“What shared secret is used for the Radius server with Cisco Meraki?” (Please save this confidential information securely, and do not share it publicly.)
2. Create the Guest SSID
Navigate to Meraki Dashboard > Wireless > SSID.
Enable an available SSID.
Enter a name for the SSID and save changes.
3. Set Access Control parameters
Navigate to Meraki Dashboard > Wireless > Access Control and select the configured SSID.
Security
- Security: Choose MAC-based access control (no encryption) > my RADIUS server
- WPA encryption : select “Disabled”
Splash page
- Splash page : select “Click Through”
Advanced splash settings
- Captive portal strength : select “Block all access until sign-on is complete”
- Walled garden : select “enabled”
- Walled garden range :
- Controller disconnection behavior : select “Restricted”
RADIUS
- Set your RADIUS Server(s)
- Host IP or FQDN: Enter the IP address of the Radius server and the port number obtained from the previous step.
- Auth Port: 1812
- Shared Secret: Input the shared secret used for authentication between the Radius server and the Cisco Meraki access point.
- RADIUS testing : enable
RADIUS attribute : Filter-ID
- Purpose: Automatically applies Meraki Group Policy based on the device or the user it is linked to (e.g., employee vs guest policies).
Client IP and VLAN
While configuring the captive portal, you can assign clients specific IP addresses and VLANs upon successful authentication.
Choose the appropriate option for assigning IP addresses:
- Meraki AP Assigned (NAT Mode)
- External DHCP server assigned
Configure VLAN settings (if applicable):
- If you selected “Use VLAN tagging” in the previous step, select the VLAN tag number to assign clients after authentication.
- Ensure that the corresponding VLAN is properly configured on your network infrastructure.
4. Create your IoT Security Profile(s)
The Security Profile defines the user group that Cloudi-Fi will share with Meraki during the RADIUS authentication of the IoT device (in the Access-Accept reply).
The shared User Group will follow the format: cloudifi-SecurityProfileName. For example, a security profile named "Whitelist" will result in a user group shared with Meraki in the format: cloudifi-Whitelist.
Security Profiles are particularly useful for creating Meraki-side policies tailored to the different IoT profiles present on your network. For example, you could create a Security Profile dedicated to printers, and on the Meraki side, allow access only to specific ports or destinations for that profile.
Go to your Cloudi-Fi Admin Console and navigate to Network > Security Profiles and select "Add profile"
- Name ( e.g. Printers)
- Location (e.g. All)
- Description
- Type : Whitelist
5. Bypass captive portal for your IoT security profiles
As part of IoT RADIUS authentication, the attribute cloudifi-SecurityProfileName will be returned in the RADIUS Access-Accept message. Since this SSID will host both devices that must go through the captive portal (visitor devices) and devices that must bypass it (IoT devices), it is necessary to configure one or more group policies in Meraki to enforce whether the captive portal is bypassed or not.
Navigate to Meraki Dashboard > Network wide > Group policies and select Add a group.
- Name (e.g. cloudifi-Printers)
- Schedule (e.g. Scheduling disabled)
- Bandwidth (e.g. Use SSID default)
- Firewall and traffic shaping (e.g. Custom SSID firewall & shaping rules)
Layer 3 firewall - e.g.
- Policy : Allow
- Protocol : Any
- Destination : Any
- Port : Any
- Adaptive Policy SGT (e.g. Do not assign SGT)
- VLAN (e.g. Use SSID default)
- Splash: Bypass
- Bonjour forwarding (e.g. Use SSID default )
6. Add and Register IoT Devices in Cloudi-Fi
Go to your Cloudi-Fi Admin Console and navigate to Network > Devices.
Then, click Add Device and enter the following:
In Network
- Device Name (e.g., SmartPrinter-001)
- MAC Address of the device
- Security Profile (e.g. Printers)
In Identification
- Device type
- Linked user
For an IoT device, if you assign both a Security Profile and a linked user, the profile of the linked user will be the one shared in the Access-Accept response.
For example, suppose you configure an IoT device with:
Security profile : "Printers"
Linked user : John Doe, whose visitor profile is called "Partner"
In this case, the visitor profile takes priority, and the cloudifi-Partner user group will be shared for the IoT device in the RADIUS Access-Accept response. As a result, when the IoT device attempts to connect, it will be matched to the cloudifi-Partner group and not cloudifi-Printers.
Once added
- The device is automatically whitelisted.
- It can connect to the SSID without a captive portal.
- The session and validity will inherit from the default session duration defined in Admin Console > Policies > Privileges.
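As an added, constructed example (not Cloudi-Fi's or Meraki's own code), the following Python models the exchange described in steps 5 and 6: Cloudi-Fi returns the user group in a Filter-Id attribute inside a RADIUS Access-Accept, the access point verifies the Response Authenticator with the shared secret before trusting the reply, and the group name selects the Meraki group policy that decides whether the splash page is bypassed. The packet layout follows RFC 2865; the shared secret, request authenticator and group-policy table are constructed stand-ins.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
FILTER_ID = 11      # Filter-Id attribute type; Meraki maps its value to a group policy name

# Constructed stand-in for the Meraki group policies of step 5: only the IoT policy bypasses the splash page
GROUP_POLICIES = {"cloudifi-Printers": {"splash": "Bypass"}}

def shared_user_group(security_profile, linked_user_profile=None):
    """User group Cloudi-Fi returns: a linked user's visitor profile takes priority over the security profile."""
    return "cloudifi-" + (linked_user_profile or security_profile)

def build_access_accept(ident, request_auth, secret, user_group):
    """RADIUS server side: encode a minimal Access-Accept carrying Filter-Id."""
    value = user_group.encode()
    attrs = struct.pack("!BB", FILTER_ID, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def extract_filter_id(packet, request_auth, secret):
    """AP side: trust the reply only if its authenticator matches the shared secret."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return None  # wrong secret or tampered reply: apply no group policy
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None  # malformed attribute
        if atype == FILTER_ID:
            return packet[pos + 2:pos + alen].decode("utf-8", "replace")
        pos += alen
    return None

def splash_decision(packet, request_auth, secret, policies=GROUP_POLICIES):
    """Bypass the captive portal only when Filter-Id names a configured policy whose splash setting is Bypass."""
    group = extract_filter_id(packet, request_auth, secret)
    policy = policies.get(group) if group else None
    return {"group_policy": group, "splash_bypass": bool(policy and policy.get("splash") == "Bypass")}

if __name__ == "__main__":
    secret, req_auth = b"example-secret", bytes(range(16))  # constructed values
    pkt = build_access_accept(7, req_auth, secret, shared_user_group("Printers"))
    print(splash_decision(pkt, req_auth, secret))
```

A device whose linked user carries the "Partner" visitor profile yields cloudifi-Partner, which matches no configured policy here, so it falls back to the SSID default and still sees the captive portal.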
Additional Notes
- Any device that attempts to connect to the SSID will be available on the Cloudi-Fi platform.
- You can view unassigned devices and manually assign them to a user to apply relevant policies.