Captive Portal for Cisco Meraki

Una guida di riferimento tecnico autorevole di livello intermedio per l'integrazione degli access point Cisco Meraki MR con il captive portal cloud di Purple. Copre le configurazioni dettagliate della Meraki Dashboard, le impostazioni del server RADIUS (porte 1812/1813), le eccezioni dei domini wildcard per il walled garden e i parametri di timeout della sessione per implementazioni WiFi guest ad alte prestazioni.

📖 8 minuti di lettura📝 1,892 parole🔧 2 esempi pratici❓ 3 domande di esercitazione📚 8 definizioni chiave

Ascolta questa guida

Visualizza trascrizione del podcast

Welcome to the Purple Technical Briefing Series. I'm your host, and today we're covering something that comes up on almost every enterprise guest WiFi deployment we work on: configuring a captive portal on Cisco Meraki MR access points, and specifically how to integrate that with Purple's cloud platform using RADIUS authentication. Whether you're an MSP onboarding a new hospitality client or an in-house network architect at a retail chain, this episode will give you the precise configuration steps and the reasoning behind each one.

Let's set the scene. You've got a venue — could be a hotel, a conference centre, a stadium, or a retail park — running Cisco Meraki MR access points managed through the Meraki Dashboard. The brief is to deploy a branded guest WiFi experience that captures first-party data, enforces terms of service acceptance, and feeds analytics back into a marketing platform. That's exactly what Purple is built to do, and Meraki is one of our most common hardware deployments globally.

Now, the key architectural point to understand before you touch a single setting is this: on Cisco Meraki, RADIUS authentication for a splash page is not processed locally by the access point. The RADIUS Access-Request is sourced from the Meraki cloud — from the Dashboard infrastructure — not from the AP on your LAN. This is a critical distinction that catches out a lot of engineers on their first Meraki deployment. It means your RADIUS server, in this case Purple's cloud RADIUS endpoint, needs to be reachable from the internet, and your firewall rules need to permit traffic from Meraki's Dashboard IP ranges, not just from your local AP subnet. You'll find the current Dashboard IP ranges under Help, then Firewall Info in your Meraki Dashboard.

Right, let's get into the configuration. I'll walk you through this in the order you'd actually do it in a live deployment.

Step one: SSID configuration. In the Meraki Dashboard, navigate to Wireless, then Configure, then SSIDs. Select the SSID slot you want to use for guest access. Give it a clear name — something like GuestWiFi or VenueName underscore Guest. Under the Association requirements, set Security to Open, no encryption. This is correct and intentional — the security layer for guests is handled by the captive portal and the RADIUS authentication, not by WPA encryption. If you're deploying in a PCI DSS environment, you'll want to ensure guest traffic is isolated on its own VLAN, which we'll cover shortly.

Step two: Splash page and authentication. Still on the Access Control page for your SSID, scroll down to the Splash page section. Set it to Sign-on with, and from the dropdown, select my RADIUS server. This is the critical setting that tells Meraki to authenticate users against an external RADIUS server before granting network access. Below that, you'll see the Captive portal strength option. Set this to Block all access until sign-on is complete. This is what enforces the walled garden — without it, guests could bypass the portal entirely.

Step three: RADIUS server configuration. Under the RADIUS section, click Add server. You'll need three pieces of information from your Purple account: the RADIUS server IP address or FQDN, the authentication port which is UDP 1812, and the shared secret. Purple provides these in the venue configuration section of the portal. For redundancy in production deployments, you should add a secondary RADIUS server — Purple provides a failover endpoint. Set the accounting port to UDP 1813 if you want session data fed back into Purple's analytics engine, which I'd strongly recommend for any venue where dwell time and session duration are meaningful metrics.

A quick note on RADIUS attributes. Meraki honours the Session-Timeout attribute returned in the RADIUS Access-Accept response. Purple uses this to control how long a guest session lasts before re-authentication is required. For a hotel, you might set this to 86,400 seconds — that's 24 hours. For a coffee shop, something like 3,600 seconds, one hour, is more appropriate. The Idle-Timeout attribute is also honoured, but only if RADIUS accounting is enabled. This disconnects idle sessions, which is important for capacity management in high-density venues.

Step four: Splash page URL. Navigate to Wireless, then Configure, then Splash page. Select your guest SSID from the dropdown. Set the Custom splash URL to the Purple portal URL for your venue. This is the URL that Meraki will redirect unauthenticated clients to. Meraki appends query parameters to this URL — including a login_url parameter — which Purple uses to complete the authentication handshake. Do not modify or strip these parameters.

Step five: the walled garden. This is where most deployments run into trouble. The walled garden is the list of domains and IP ranges that a guest device can reach before they've authenticated. Without the correct entries, the captive portal page itself won't load, because the browser will be blocked from reaching the Purple CDN and the social login providers.

Navigate back to Access Control for your guest SSID. Set Walled garden to Walled garden is enabled. In the Walled garden ranges field, you need to add the following. First, the Purple platform domains: star dot purple dot ai, and star dot venuewifi dot com. Second, the CDN domains that Purple uses to serve portal assets: star dot cloudfront dot net, and star dot akamaihd dot net. Third, the Meraki redirect infrastructure: star dot network-auth dot com. Fourth, if you're offering social login options, you need the relevant OAuth domains. For Google: accounts dot google dot com, star dot googleapis dot com, star dot gstatic dot com. For Facebook: star dot facebook dot com, star dot fbcdn dot net, and connect dot facebook dot net. For Twitter or X: star dot twitter dot com and star dot twimg dot com.

One important note on how Meraki handles wildcard domains in the walled garden. Meraki does support wildcard entries using the asterisk prefix, for example star dot cloudfront dot net. However, this is a DNS-based match — Meraki resolves the domain and allows the resulting IP addresses. This means that for CDN providers like CloudFront or Akamai, where the resolved IPs can change frequently, you should use the domain wildcard rather than static IP ranges. Static IP entries are fine for Purple's RADIUS endpoints, which are stable, but not for CDN traffic.

Now let's talk about two real-world scenarios I've worked on directly.

The first is a 350-room hotel in the UK. The client was running Meraki MR46 access points across three buildings, with about 400 concurrent guest devices at peak. The initial deployment used a click-through splash page — no RADIUS, just terms acceptance. The problem was they had zero insight into who was connecting, no email capture, and no way to run post-stay marketing campaigns. We migrated them to Purple with RADIUS-based sign-on. The configuration was straightforward, but the gotcha was that their upstream firewall was blocking outbound UDP on port 1812 to anything outside the local subnet. Once we added the Meraki Dashboard IP ranges to the firewall allow-list, authentication worked immediately. Post-deployment, the hotel captured email addresses from approximately 68 percent of connecting guests in the first month, and their marketing team ran a re-engagement campaign that drove a measurable uplift in direct bookings.

The second scenario is a retail chain with 45 stores, each running Meraki MR33 access points. The challenge here was scale and consistency. Manually configuring 45 SSIDs with the correct RADIUS settings and walled garden lists would be error-prone and time-consuming. The solution was to use Meraki's template-based configuration. We built a single network template with the correct SSID, RADIUS, and walled garden settings, then bound all 45 store networks to that template. Any change — say, adding a new social login provider to the walled garden — is made once in the template and propagates to all stores automatically. Purple's analytics then aggregated footfall and dwell time data across all stores, giving the retail operations team a single dashboard view of guest behaviour by store, by region, and by time of day.

Let me give you three rules of thumb that will save you time on every Meraki captive portal deployment.

Rule one: Always check the Meraki Dashboard IP ranges before you configure RADIUS. The ranges change occasionally, and if your firewall is blocking them, authentication will fail silently from the user's perspective — they'll just see the portal page hang. Use the built-in RADIUS test tool in the Dashboard under Access Control to verify connectivity before you go live.

Rule two: Use domain wildcards in the walled garden, not IP ranges, for any CDN-hosted content. CDN IP ranges are large and change frequently. A wildcard domain entry is more maintainable and more reliable.

Rule three: Enable RADIUS accounting on port 1813 even if you think you don't need it yet. Session data is valuable for troubleshooting disconnection issues and for feeding accurate dwell time metrics into your analytics platform. It costs nothing to enable and is very hard to retrofit after the fact.

Now, a few rapid-fire questions I get asked regularly.

Can I use Meraki's built-in splash page instead of Purple? Yes, but you lose the data capture, the analytics, the marketing automation, and the GDPR-compliant consent management. The built-in splash is fine for a basic click-through, but it's not a guest intelligence platform.

Does this configuration work on Meraki MX firewalls as well as MR access points? The RADIUS splash page configuration is supported on MR access points. MX appliances handle client VPN authentication differently. For guest WiFi specifically, you're configuring the MR SSIDs.

What about WPA3? Meraki MR access points support WPA3 on enterprise SSIDs. For guest captive portal deployments, the SSID is typically Open, so WPA3 doesn't apply directly. However, if you're deploying a Passpoint or OpenRoaming SSID alongside your captive portal SSID — which Purple supports — that SSID uses WPA3-Enterprise with 802.1X, and that's where WPA3 becomes relevant.

To wrap up: the Cisco Meraki and Purple integration is well-tested and reliable, but it requires attention to three things: RADIUS source IP routing, walled garden completeness, and session timeout configuration. Get those three right and the deployment is straightforward. The business case is clear — venues that deploy a properly configured guest WiFi platform with data capture consistently see measurable returns in marketing engagement and operational insight.

If you want to go deeper, check out Purple's guide on implementing 802.1X authentication with cloud RADIUS, and our Cisco Wireless AP deployment guide on the Purple blog. Both are linked in the show notes.

Thanks for listening. If you've got a specific deployment scenario you'd like us to cover, get in touch with the Purple technical team. We'll see you in the next episode.

📚 Part of our core series: WiFi multi-tenant →

Sintesi esecutiva

Questa guida di riferimento autorevole fornisce un framework di configurazione completo e dettagliato per integrare le reti wireless Cisco Meraki con il captive portal basato su cloud di Purple. Progettato per IT manager, architetti di rete e managed service provider (MSP), questo documento descrive in dettaglio le configurazioni esatte richieste all'interno della Meraki Dashboard per distribuire una soluzione WiFi guest sicura e ad alte prestazioni [1].

Disaccoppiando il livello di guest intelligence dall'hardware, le sedi aziendali possono sfruttare le piattaforme certificate Guest WiFi e WiFi Analytics di Purple per acquisire dati di prima parte ricchi e conformi al GDPR, garantendo al contempo l'integrità della rete e la conformità normativa [2]. Questa guida affronta i parametri di integrazione critici, tra cui l'autenticazione RADIUS (porte 1812/1813), le eccezioni dei domini walled garden, la risoluzione wildcard CDN e i meccanismi di reindirizzamento dei guest in diverse sedi fisiche come i settori Retail , Healthcare , Hospitality e gli hub di Transport .

Approfondimento tecnico

Per integrare con successo gli Access Point (AP) Cisco Meraki MR con un captive portal esterno come Purple, gli ingegneri di rete devono comprendere l'architettura sottostante del piano di controllo e dei dati. A differenza dei tradizionali controller wireless on-premise in cui le richieste di autenticazione RADIUS provengono dal controller fisico o dai singoli AP, Cisco Meraki utilizza un'architettura gestita in cloud [1].

Separazione tra piano di controllo e piano dati

Quando un client guest si associa a un SSID aperto configurato per un captive portal esterno, l'AP Meraki MR inserisce il client in uno stato di pre-autenticazione. In questo stato, tutto il traffico è bloccato ad eccezione delle query DNS, del DHCP e del traffico destinato a indirizzi IP o hostname esplicitamente definiti nel Walled Garden [3].

I messaggi effettivi di RADIUS Access-Request non vengono generati dall'AP Meraki MR locale. Provengono invece dalla Cisco Meraki Dashboard Cloud Infrastructure [1]. Si tratta di una distinzione architetturale fondamentale:

> "I messaggi di richiesta di accesso RADIUS per una splash page proverranno dalla dashboard, non dai dispositivi Meraki locali. Pertanto, non è possibile specificare qui l'indirizzo IP LAN privato del server RADIUS." [1]

Di conseguenza, i firewall a monte che proteggono i server RADIUS devono consentire il traffico in entrata dall'intero blocco di intervalli IP in uscita della Meraki Dashboard, che sono dinamici e specifici per regione [1]. Questi intervalli possono essere recuperati dinamicamente tramite la Meraki Dashboard alla voce Help > Firewall info [1].

Protocollo di autenticazione RADIUS (PAP)

Per l'autenticazione della splash page di accesso, Meraki utilizza il Password Authentication Protocol (PAP) [1]. Sebbene il PAP sia storicamente non crittografato, l'integrazione Meraki-Purple mitiga i rischi di sicurezza attraverso una crittografia a più livelli:

Crittografia Client-to-Cloud: Il client guest stabilisce una sessione HTTPS (SSL/TLS) sicura direttamente con il captive portal ospitato di Purple. Le credenziali (ad es. token di social login, moduli e-mail) vengono crittografate in transito dal browser del client ai server di Purple [1].
Crittografia RADIUS Shared Secret: Quando il Cloud Meraki invia la richiesta RADIUS Access-Request al server Cloud RADIUS di Purple, crittografa la password dell'utente utilizzando la RADIUS Shared Secret configurata e una funzione XOR standard in conformità con la specifica RFC 2865 [1]. Ciò garantisce che le credenziali in chiaro non vengano mai trasmesse sulla rete internet pubblica.

Attributi RADIUS supportati

Il Cloud Meraki e il Cloud RADIUS di Purple scambiano diversi attributi chiave durante l'handshake di autenticazione per applicare i parametri e le policy di sessione:

Attributo RADIUS	Tipo	Direzione	Descrizione e contesto pratico
User-Name	Stringa	Richiesta	L'identificativo dell'utente guest (ad es. indirizzo e-mail, indirizzo MAC) [1].
User-Password	Stringa	Richiesta	La password utente crittografata o il token di sessione [1].
Called-Station-ID	Stringa	Richiesta	Formattato come `AP_MAC:SSID_NAME` (ad es. `AA-BB-CC-DD-EE-FF:GuestWiFi`). Fondamentale per il routing delle policy basato sulla posizione [1].
Calling-Station-ID	Stringa	Richiesta	L'indirizzo MAC fisico del client (ad es. `11-22-33-44-55-66`). Utilizzato per il tracciamento del dispositivo e il ripristino della sessione [1].
Session-Timeout	Intero	Accetta	La durata massima della sessione in secondi. Dopo la scadenza, il client viene reindirizzato al captive portal [1].
Idle-Timeout	Intero	Accetta	Il tempo massimo di inattività in secondi. Se non viene trasferito alcun dato, la sessione viene terminata. Richiede RADIUS Accounting [1].
Filter-Id	Stringa	Accetta	Trasmette il nome di una specifica Group Policy di Meraki da applicare al client (ad es. limitazione della larghezza di banda o blocco di categorie specifiche) [1].

Guida all'implementazione

Questa procedura dettagliata di configurazione illustra come integrare gli access point Cisco Meraki MR con il captive portal esterno di Purple.

Passaggio 1: Configurare il controllo degli accessi SSID

Passare a Wireless > Configure > Access control nella Meraki Dashboard [1]. Selezionare l'SSID guest di destinazione e configurare i seguenti parametri:

Association Requirements: Impostare su Open (no encryption) [1]. Ciò garantisce un'esperienza di onboarding senza attriti. Se si richiede il transito guest crittografato, prendere in considerazione l'implementazione di Passpoint / Hotspot 2.0 con Cloud RADIUS [4].
Splash Page: seleziona Sign-on with e scegli my RADIUS server dal menu a discesa [1].
RADIUS Servers: fai clic su Add server e inserisci gli endpoint primario e secondario di Cloud RADIUS di Purple [1]:
- Host IP: 116.203.120.121 (Primario) e 195.201.123.149 (Secondario)
- Port: 1812 (Autenticazione) [1]
- Secret: [Il tuo segreto condiviso Purple]
RADIUS Accounting: imposta su RADIUS accounting is enabled e aggiungi i server di accounting:
- Host IP: 116.203.120.121 (Primario) e 195.201.123.149 (Secondario)
- Port: 1813 (Accounting)
- Secret: [Il tuo segreto condiviso Purple]
Captive Portal Strength: seleziona Block all access until sign-on is complete [1]. Questo impone rigorosamente che i client non possano accedere a Internet senza passare attraverso la splash page.

Passaggio 2: Configura l'URL della splash page personalizzata

Passa a Wireless > Configure > Splash page [1]. Seleziona il tuo SSID guest e configura:

Custom Splash URL: seleziona Or point to a custom URL e inserisci l'URL di reindirizzamento di Purple:
- https://login.venuewifi.com/ip/v2/meraki
Splash Page Redirect: imposta su The URL they were trying to fetch o reindirizzali a una landing page specifica (ad es. la homepage della tua struttura) [3].

Passaggio 3: Configura le eccezioni dei nomi di dominio del Walled Garden

Per garantire che i client guest possano caricare il Captive Portal, scaricare risorse da Content Delivery Network (CDN) e completare l'autenticazione social (ad es. Google o Facebook OAuth), è necessario abilitare e configurare il Walled Garden [3].

Torna a Wireless > Configure > Access control e individua la sezione Walled Garden [1].

Imposta Walled Garden su Walled garden is enabled [1].
Nel campo Walled garden ranges, inserisci gli FQDN e i domini jolly richiesti [1].

Come Meraki gestisce i caratteri jolly e il traffico CDN

Gli access point Cisco Meraki MR supportano i domini jolly nel walled garden utilizzando il prefisso asterisco (ad es. *.purple.ai) [1]. Tuttavia, è fondamentale comprendere i meccanismi alla base:

Whitelisting basata su DNS: l'AP Meraki intercetta le richieste DNS del client. Quando il client richiede un dominio corrispondente a una voce nel walled garden, l'AP risolve il dominio nel suo indirizzo IP corrente e consente temporaneamente al client di comunicare con quell'IP [3].
IP CDN dinamici: le CDN come Amazon CloudFront (*.cloudfront.net) e Akamai (*.akamaihd.net) si risolvono in indirizzi IP altamente dinamici e distribuiti geograficamente che cambiano frequentemente. La whitelisting basata su DNS di Meraki gestisce questo aspetto in modo trasparente risolvendo i domini in tempo reale. Non utilizzare mai indirizzi IP statici per le risorse CDN nel tuo walled garden, poiché ciò causerebbe errori di caricamento intermittenti delle risorse del portale.

Best practice

Per garantire un'elevata disponibilità, sicurezza e un'esperienza utente ottimale, attieniti a queste best practice di implementazione standard del settore:

1. Segmentazione della rete e isolamento della VLAN

Non collegare mai direttamente il traffico guest alla LAN aziendale. Configura gli AP Meraki MR per taggare il traffico guest con una VLAN Guest dedicata (ad es. VLAN 30) [4]. Assicurati che questa VLAN termini su una DMZ o su un'istanza VRF (Virtual Routing and Forwarding) separata sul firewall a monte. Ciò riduce i rischi di movimento laterale e garantisce la conformità a standard di sicurezza come PCI DSS e GDPR [2] [4].

2. Configura il failover e la resilienza della sessione

I collegamenti di rete possono subire interruzioni. Per evitare che gli ospiti rimangano esclusi da Internet durante un'interruzione del server di autenticazione, configura la RADIUS Failover Policy nella dashboard di Meraki:

Failover Policy: imposta su Deny access per la massima sicurezza, oppure su Allow access se il mantenimento della connettività degli ospiti ha la priorità rispetto all'acquisizione dei dati durante un'interruzione.
Secondary Servers: configura sempre sia il server RADIUS primario che quello secondario per distribuire il carico e fornire il failover automatico [1].

3. Implementa i timeout di sessione e di inattività

Gestisci lo spettro wireless e i lease del pool DHCP configurando parametri di timeout appropriati [1]:

Session Timeout: imposta su 1440 minuti (24 ore) per gli ambienti ricettivi, consentendo agli ospiti di rimanere connessi per tutta la durata del soggiorno senza dover ripetere continuamente l'autenticazione [1]. Per il settore retail o i trasporti pubblici, riduci questo valore a 120 minuti (2 ore) per incoraggiare nuove interazioni e liberare i lease DHCP.
Idle Timeout: imposta su 15 minuti. Se un dispositivo client va in standby o lascia la struttura, l'AP termina la sessione, liberando le risorse di rete [1].

Risoluzione dei problemi e mitigazione dei rischi

Durante l'implementazione di Captive Portal esterni su Cisco Meraki, i tecnici riscontrano comunemente tre principali modalità di errore. Utilizza questa matrice diagnostica per isolare e risolvere rapidamente i problemi:

Sintomo	Causa principale	Passaggio diagnostico	Soluzione
La splash page non si carica; il browser visualizza "Connessione scaduta".	Il firewall a monte sta bloccando il traffico DNS o HTTP/HTTPS in uscita verso la CDN di Purple [1].	Prova a risolvere `login.venuewifi.com` da un dispositivo cablato sulla stessa VLAN.	Assicurati che la VLAN guest abbia accesso in uscita al DNS pubblico (UDP 53) e a HTTP/HTTPS (TCP 80/443).
La splash page si carica, ma l'autenticazione delle credenziali utente non riesce.	Il firewall a monte sta bloccando il traffico RADIUS proveniente dal cloud Meraki [1].	Utilizza l'utilità RADIUS Test nella dashboard di Meraki sotto Access Control [1].	Aggiungi gli intervalli IP in uscita della dashboard di Meraki (disponibili in Help > Firewall info) all'elenco di elementi consentiti in uscita del firewall per le porte UDP 1812 e 1813 [1].
L'accesso tramite social (ad es. Google OAuth) non riesce con un errore di reindirizzamento.	Mancano i domini helper OAuth richins nel Meraki Walled Garden [1].	Verificare la console del browser sul dispositivo client per individuare eventuali caricamenti di risorse bloccati.	Aggiungere i domini OAuth obbligatori (ad es. `.googleapis.com`, `.gstatic.com`) all'elenco Walled Garden [1].

ROI e impatto aziendale

L'integrazione di Cisco Meraki con Purple trasforma il WiFi per gli ospiti da un centro di costo a una risorsa aziendale strategica. Sfruttando hardware di livello enterprise e analisi avanzate, le organizzazioni ottengono ritorni misurabili su molteplici dimensioni:

Monetizzazione dei dati e portata del marketing: Raccogliendo indirizzi e-mail verificati e profili social, le strutture creano un database pulito e conforme di dati dei clienti di prima parte [2]. Questo alimenta direttamente i sistemi di customer relationship management (CRM) e di marketing automation, consentendo campagne di marketing altamente mirate e iper-locali.
Efficienza operativa: L'onboarding automatizzato tramite Purple riduce il carico di lavoro del personale della reception e del supporto IT. Nel settore dell'ospitalità, questo si traduce in un minor numero di reclami da parte degli ospiti relativi alla connettività WiFi e in una riduzione dei costi operativi.
Analisi avanzata del flusso di visitatori: Combinando le API di localizzazione di Meraki con il motore di analisi di Purple, i gestori delle strutture ottengono informazioni approfondite sul comportamento dei visitatori, inclusi il flusso di persone, i tempi di permanenza, i tassi di ritorno e le ore di punta [2]. Questi dati guidano decisioni informate in merito al personale, al layout dei punti vendita e alla valutazione degli immobili.

Riferimenti

Definizioni chiave

Captive Portal

A web page that is displayed to newly connected users of a Wi-Fi network before they are granted broader access to network resources.

Used by venues to enforce terms of service, collect user data, and authenticate guests via RADIUS before allowing internet access.

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.

Meraki APs query Purple's Cloud RADIUS servers to verify guest credentials and authorize network access.

Walled Garden

A restricted set of IP addresses or domain names that unauthenticated guest clients are permitted to access before completing the captive portal sign-on process.

Crucial for allowing clients to reach the hosted splash page, download CSS/JS assets from CDNs, and communicate with social login OAuth endpoints.

Session-Timeout

An RFC 2865 RADIUS attribute that specifies the maximum number of seconds a user session can remain active before requiring re-authentication.

Returned by Purple RADIUS in the Access-Accept packet to control how long a guest remains logged in (e.g., 24 hours for hotel guests).

Idle-Timeout

A RADIUS attribute that defines the maximum period of inactivity (no data transferred) allowed before the user's session is terminated.

Used to disconnect stale devices and reclaim IP addresses in high-density environments like stadiums or retail stores.

PAP (Password Authentication Protocol)

A simple, unencrypted authentication protocol used by RADIUS to validate user credentials.

Required by Cisco Meraki for external splash page RADIUS authentication. Security is maintained by encrypting the client-to-portal transit via HTTPS and encrypting the RADIUS packet password field using the shared secret.

Passpoint (Hotspot 2.0)

An industry standard developed by the Wi-Fi Alliance that enables cellular-like automatic roaming and secure connection to Wi-Fi networks.

Supported by Meraki MR access points and Purple to enable seamless, certificate-based guest onboarding without captive portals.

CMX (Cisco Meraki Location APIs)

An API framework that allows Meraki access points to export real-time location and presence data (probe requests) to third-party analytics platforms.

Integrated with Purple to provide detailed footfall, dwell time, and return rate analytics for physical venues.

Esempi pratici

A luxury 350-room hotel running Cisco Meraki MR46 access points needs to deploy a secure guest WiFi network. They want to capture guest emails, restrict bandwidth to 5 Mbps per guest, and ensure that guests only need to log in once every 7 days. How should the network architect configure the Meraki Dashboard and RADIUS settings?

SSID Setup: Configure an open SSID named 'Hotel_Guest' with the splash page set to 'Sign-on with' and 'my RADIUS server'.\n2. RADIUS Configuration: Enter Purple's primary (116.203.120.121) and secondary (195.201.123.149) RADIUS IPs. Set the authentication port to 1812 and the accounting port to 1813. Configure the shared secret.\n3. Timeout Parameters: In the RADIUS server profile or Purple dashboard, set the Session-Timeout attribute to 604800 seconds (7 days) and Idle-Timeout to 1800 seconds (30 minutes) to reclaim inactive DHCP leases.\n4. Traffic Shaping: In the Meraki Dashboard under Wireless > Configure > Firewall & traffic shaping, select the SSID, enable traffic shaping, and set a per-client limit to 5 Mbps downstream and 2 Mbps upstream.\n5. Walled Garden: Enable the walled garden and add *.purple.ai, *.venuewifi.com, and necessary CDN wildcards like *.cloudfront.net to allow the splash page to render pre-authentication.

Commento dell'esaminatore: This solution successfully balances user experience with network performance. Using a 7-day Session-Timeout prevents login fatigue for long-stay guests, while the 30-minute Idle-Timeout prevents IP address exhaustion in the DHCP pool. Configuring traffic shaping directly on the Meraki APs rather than relying on RADIUS attributes (like Maximum-Data-Rate-Downstream) is preferred as it reduces processing overhead on the APs and provides a more consistent enforcement mechanism.

A national retail chain with 45 stores wants to deploy guest WiFi across all locations using Meraki MR33 APs. They need to ensure consistent configuration, block corporate network access, and collect footfall analytics. How should this be implemented at scale?

Configuration Templates: Create a single Network Configuration Template in the Meraki Dashboard. Configure the guest SSID with Purple's RADIUS settings, walled garden domains, and the custom splash URL: https://login.venuewifi.com/ip/v2/meraki. Bind all 45 store networks to this template.\n2. VLAN Segmentation: On each store's local switch and firewall, configure a dedicated Guest VLAN (e.g., VLAN 50). In the Meraki SSID settings, set Client IP Assignment to 'External DHCP server' and specify VLAN 50. Ensure the firewall blocks all routing from VLAN 50 to corporate subnets.\n3. Location Analytics: Enable Meraki Scanning API (CMX) in the Meraki Dashboard under Network-wide > Configure > General. Enter the Purple Post URL and secret validator. This allows Meraki APs to stream real-time probe request data to Purple's analytics engine for footfall and dwell time reporting.

Commento dell'esaminatore: Deploying at scale requires automation and template-based management. By binding all networks to a single template, any future walled garden updates (such as adding a new social login provider) can be pushed to all 45 stores instantly, eliminating manual configuration errors. Enabling the Meraki Scanning API alongside RADIUS accounting ensures that the retailer captures both active guest session analytics and passive visitor footfall metrics, maximizing the business value of the deployment.

Domande di esercitazione

Q1. A network engineer deploys a new Meraki guest SSID with a Purple captive portal. Unauthenticated clients are successfully redirected to the login page, but when they attempt to use 'Log in with Google', the page spins and eventually fails with a DNS or timeout error. Other login methods (like email form) work perfectly. What is the most likely cause of this issue, and how should it be resolved?

Suggerimento: Consider what external domains the client's browser must reach to complete the Google OAuth handshake before the RADIUS authentication is completed.

Visualizza risposta modello

The most likely cause is that the Google OAuth helper domains are missing from the Meraki SSID's Walled Garden configuration. While the core Purple domains and CDN domains are allowed (which is why the splash page loads), the Google authentication servers are being blocked by the AP's pre-authentication firewall rules. To resolve this, navigate to Wireless > Configure > Access control, select the guest SSID, and append the following Google OAuth domains to the Walled Garden list: accounts.google.com, *.googleapis.com, *.gstatic.com, and *.googleusercontent.com. Once saved, the AP will permit the client to complete the Google authentication handshake and redirect back to Purple to complete the RADIUS login.

Q2. During a post-deployment audit of a high-density stadium WiFi network, the IT team notices that the DHCP pool for the guest VLAN (a /21 subnet with 2048 IPs) is completely exhausted within the first 2 hours of an event, even though active concurrent connections never exceed 800. RADIUS accounting is enabled. How can the network architect adjust the Meraki and RADIUS settings to mitigate this issue?

Suggerimento: Analyze the relationship between client session timeouts, idle timeouts, and DHCP lease times in high-density transient environments.

Visualizza risposta modello

The DHCP pool exhaustion is caused by transient clients (users walking past or entering the stadium briefly) connecting, obtaining an IP address, and then leaving the venue. Because the default Meraki Session-Timeout or DHCP lease time is too long, those IP addresses remain reserved even though the physical devices are no longer present. To resolve this, the architect should implement three coordinated changes: 1) Reduce DHCP Lease Time: On the DHCP server (or Meraki security appliance handling DHCP), reduce the lease time to 10 or 15 minutes. 2) Configure Idle Timeout: Ensure RADIUS accounting is enabled on port 1813 and configure an Idle-Timeout of 10 minutes (600 seconds) in the RADIUS Access-Accept profile. This tells the Meraki AP to terminate the session of any client inactive for 10 minutes. 3) Shorten Session Timeout: Reduce the global Session-Timeout for the stadium profile to 120 minutes (7200 seconds) to force periodic re-evaluation of active devices.

Q3. An MSP is configuring a Meraki guest SSID with a Purple captive portal. They have entered the correct Purple RADIUS server IPs and ports (1812/1813) in the Meraki Dashboard, but when testing with the built-in RADIUS 'Test' tool, all access points fail to reach the server. The MSP verifies that the RADIUS shared secret is correct and that the Purple cloud is online. What routing or firewall configuration did the MSP likely overlook?

Suggerimento: Recall where RADIUS authentication requests are sourced from in a Cisco Meraki cloud-managed architecture.

Visualizza risposta modello

The MSP likely configured their local network firewalls to allow outbound RADIUS traffic from the local AP subnets, but forgot that in a Meraki splash page deployment, RADIUS Access-Requests are sourced directly from the Cisco Meraki Dashboard Cloud Infrastructure, not from the local APs. To resolve this, the MSP must obtain the outbound IP ranges of the Meraki Dashboard (found in the Meraki Dashboard under Help > Firewall info) and configure their upstream corporate firewall to allow inbound and outbound UDP traffic on ports 1812 (Authentication) and 1813 (Accounting) between those Meraki Dashboard IP ranges and Purple's Cloud RADIUS servers. Additionally, they must ensure that the Meraki Dashboard IPs are added as valid RADIUS clients in the Purple portal configuration.

Continua a leggere questa serie

CommScope Ruckus Integration with Purple WiFi: Setup and Configuration Guide

Questa guida di riferimento tecnico fornisce un playbook di configurazione autorevole per l'integrazione delle architetture CommScope Ruckus con Purple WiFi. Dettaglia le implementazioni passo-passo per i Captive Portal per Guest WiFi, il WiFi sicuro per il personale tramite 802.1X e l'isolamento di rete multi-tenant tramite Ruckus Dynamic PSK.

Allied Telesis Access Points Integration with Purple WiFi

Questa guida fornisce un playbook di configurazione completo per l'integrazione degli access point Allied Telesis serie TQ con Purple WiFi. Copre il reindirizzamento del Captive Portal esterno, l'autenticazione RADIUS 802.1X e l'instradamento dinamico della VLAN tramite Private Pre-Shared Keys (PPSK) per distribuzioni multi-tenant sicure.

Cisco WLC and Catalyst Integration with Purple WiFi: Step-by-Step Guest Access Guide

Questa guida descrive in dettaglio l'integrazione passo-passo di Cisco WLC e Catalyst 9800 Wireless con Purple, coprendo il reindirizzamento al Captive Portal per Guest WiFi tramite Central Web Authentication, il WiFi aziendale sicuro per il personale tramite 802.1X EAP-TLS e la segmentazione multi-tenant tramite Cisco Identity Pre-Shared Keys (iPSK) con assegnazione dinamica della VLAN. È scritta per architetti di rete aziendali e direttori della sicurezza IT che distribuiscono l'infrastruttura Cisco nei settori hospitality, retail e grandi spazi pubblici.