跳至主要內容
繁體中文

Captive Portal for Cisco Meraki

這是一份權威的中階技術參考指南,旨在說明如何將 Cisco Meraki MR 存取點與 Purple 的雲端 Captive Portal 進行整合。內容涵蓋 Meraki Dashboard 的逐步設定、RADIUS 伺服器設定(連接埠 1812/1813)、walled garden 萬用字元網域排除,以及適用於高效能訪客 WiFi 部署的工作階段逾時參數。

📖 8 分鐘閱讀📝 1,892 字數🔧 2 範例3 練習題📚 8 關鍵定義

收聽此指南

查看播客逐字稿
Welcome to the Purple Technical Briefing Series. I'm your host, and today we're covering something that comes up on almost every enterprise guest WiFi deployment we work on: configuring a captive portal on Cisco Meraki MR access points, and specifically how to integrate that with Purple's cloud platform using RADIUS authentication. Whether you're an MSP onboarding a new hospitality client or an in-house network architect at a retail chain, this episode will give you the precise configuration steps and the reasoning behind each one. Let's set the scene. You've got a venue — could be a hotel, a conference centre, a stadium, or a retail park — running Cisco Meraki MR access points managed through the Meraki Dashboard. The brief is to deploy a branded guest WiFi experience that captures first-party data, enforces terms of service acceptance, and feeds analytics back into a marketing platform. That's exactly what Purple is built to do, and Meraki is one of our most common hardware deployments globally. Now, the key architectural point to understand before you touch a single setting is this: on Cisco Meraki, RADIUS authentication for a splash page is not processed locally by the access point. The RADIUS Access-Request is sourced from the Meraki cloud — from the Dashboard infrastructure — not from the AP on your LAN. This is a critical distinction that catches out a lot of engineers on their first Meraki deployment. It means your RADIUS server, in this case Purple's cloud RADIUS endpoint, needs to be reachable from the internet, and your firewall rules need to permit traffic from Meraki's Dashboard IP ranges, not just from your local AP subnet. You'll find the current Dashboard IP ranges under Help, then Firewall Info in your Meraki Dashboard. Right, let's get into the configuration. I'll walk you through this in the order you'd actually do it in a live deployment. Step one: SSID configuration. In the Meraki Dashboard, navigate to Wireless, then Configure, then SSIDs. Select the SSID slot you want to use for guest access. Give it a clear name — something like GuestWiFi or VenueName underscore Guest. Under the Association requirements, set Security to Open, no encryption. This is correct and intentional — the security layer for guests is handled by the captive portal and the RADIUS authentication, not by WPA encryption. If you're deploying in a PCI DSS environment, you'll want to ensure guest traffic is isolated on its own VLAN, which we'll cover shortly. Step two: Splash page and authentication. Still on the Access Control page for your SSID, scroll down to the Splash page section. Set it to Sign-on with, and from the dropdown, select my RADIUS server. This is the critical setting that tells Meraki to authenticate users against an external RADIUS server before granting network access. Below that, you'll see the Captive portal strength option. Set this to Block all access until sign-on is complete. This is what enforces the walled garden — without it, guests could bypass the portal entirely. Step three: RADIUS server configuration. Under the RADIUS section, click Add server. You'll need three pieces of information from your Purple account: the RADIUS server IP address or FQDN, the authentication port which is UDP 1812, and the shared secret. Purple provides these in the venue configuration section of the portal. For redundancy in production deployments, you should add a secondary RADIUS server — Purple provides a failover endpoint. Set the accounting port to UDP 1813 if you want session data fed back into Purple's analytics engine, which I'd strongly recommend for any venue where dwell time and session duration are meaningful metrics. A quick note on RADIUS attributes. Meraki honours the Session-Timeout attribute returned in the RADIUS Access-Accept response. Purple uses this to control how long a guest session lasts before re-authentication is required. For a hotel, you might set this to 86,400 seconds — that's 24 hours. For a coffee shop, something like 3,600 seconds, one hour, is more appropriate. The Idle-Timeout attribute is also honoured, but only if RADIUS accounting is enabled. This disconnects idle sessions, which is important for capacity management in high-density venues. Step four: Splash page URL. Navigate to Wireless, then Configure, then Splash page. Select your guest SSID from the dropdown. Set the Custom splash URL to the Purple portal URL for your venue. This is the URL that Meraki will redirect unauthenticated clients to. Meraki appends query parameters to this URL — including a login_url parameter — which Purple uses to complete the authentication handshake. Do not modify or strip these parameters. Step five: the walled garden. This is where most deployments run into trouble. The walled garden is the list of domains and IP ranges that a guest device can reach before they've authenticated. Without the correct entries, the captive portal page itself won't load, because the browser will be blocked from reaching the Purple CDN and the social login providers. Navigate back to Access Control for your guest SSID. Set Walled garden to Walled garden is enabled. In the Walled garden ranges field, you need to add the following. First, the Purple platform domains: star dot purple dot ai, and star dot venuewifi dot com. Second, the CDN domains that Purple uses to serve portal assets: star dot cloudfront dot net, and star dot akamaihd dot net. Third, the Meraki redirect infrastructure: star dot network-auth dot com. Fourth, if you're offering social login options, you need the relevant OAuth domains. For Google: accounts dot google dot com, star dot googleapis dot com, star dot gstatic dot com. For Facebook: star dot facebook dot com, star dot fbcdn dot net, and connect dot facebook dot net. For Twitter or X: star dot twitter dot com and star dot twimg dot com. One important note on how Meraki handles wildcard domains in the walled garden. Meraki does support wildcard entries using the asterisk prefix, for example star dot cloudfront dot net. However, this is a DNS-based match — Meraki resolves the domain and allows the resulting IP addresses. This means that for CDN providers like CloudFront or Akamai, where the resolved IPs can change frequently, you should use the domain wildcard rather than static IP ranges. Static IP entries are fine for Purple's RADIUS endpoints, which are stable, but not for CDN traffic. Now let's talk about two real-world scenarios I've worked on directly. The first is a 350-room hotel in the UK. The client was running Meraki MR46 access points across three buildings, with about 400 concurrent guest devices at peak. The initial deployment used a click-through splash page — no RADIUS, just terms acceptance. The problem was they had zero insight into who was connecting, no email capture, and no way to run post-stay marketing campaigns. We migrated them to Purple with RADIUS-based sign-on. The configuration was straightforward, but the gotcha was that their upstream firewall was blocking outbound UDP on port 1812 to anything outside the local subnet. Once we added the Meraki Dashboard IP ranges to the firewall allow-list, authentication worked immediately. Post-deployment, the hotel captured email addresses from approximately 68 percent of connecting guests in the first month, and their marketing team ran a re-engagement campaign that drove a measurable uplift in direct bookings. The second scenario is a retail chain with 45 stores, each running Meraki MR33 access points. The challenge here was scale and consistency. Manually configuring 45 SSIDs with the correct RADIUS settings and walled garden lists would be error-prone and time-consuming. The solution was to use Meraki's template-based configuration. We built a single network template with the correct SSID, RADIUS, and walled garden settings, then bound all 45 store networks to that template. Any change — say, adding a new social login provider to the walled garden — is made once in the template and propagates to all stores automatically. Purple's analytics then aggregated footfall and dwell time data across all stores, giving the retail operations team a single dashboard view of guest behaviour by store, by region, and by time of day. Let me give you three rules of thumb that will save you time on every Meraki captive portal deployment. Rule one: Always check the Meraki Dashboard IP ranges before you configure RADIUS. The ranges change occasionally, and if your firewall is blocking them, authentication will fail silently from the user's perspective — they'll just see the portal page hang. Use the built-in RADIUS test tool in the Dashboard under Access Control to verify connectivity before you go live. Rule two: Use domain wildcards in the walled garden, not IP ranges, for any CDN-hosted content. CDN IP ranges are large and change frequently. A wildcard domain entry is more maintainable and more reliable. Rule three: Enable RADIUS accounting on port 1813 even if you think you don't need it yet. Session data is valuable for troubleshooting disconnection issues and for feeding accurate dwell time metrics into your analytics platform. It costs nothing to enable and is very hard to retrofit after the fact. Now, a few rapid-fire questions I get asked regularly. Can I use Meraki's built-in splash page instead of Purple? Yes, but you lose the data capture, the analytics, the marketing automation, and the GDPR-compliant consent management. The built-in splash is fine for a basic click-through, but it's not a guest intelligence platform. Does this configuration work on Meraki MX firewalls as well as MR access points? The RADIUS splash page configuration is supported on MR access points. MX appliances handle client VPN authentication differently. For guest WiFi specifically, you're configuring the MR SSIDs. What about WPA3? Meraki MR access points support WPA3 on enterprise SSIDs. For guest captive portal deployments, the SSID is typically Open, so WPA3 doesn't apply directly. However, if you're deploying a Passpoint or OpenRoaming SSID alongside your captive portal SSID — which Purple supports — that SSID uses WPA3-Enterprise with 802.1X, and that's where WPA3 becomes relevant. To wrap up: the Cisco Meraki and Purple integration is well-tested and reliable, but it requires attention to three things: RADIUS source IP routing, walled garden completeness, and session timeout configuration. Get those three right and the deployment is straightforward. The business case is clear — venues that deploy a properly configured guest WiFi platform with data capture consistently see measurable returns in marketing engagement and operational insight. If you want to go deeper, check out Purple's guide on implementing 802.1X authentication with cloud RADIUS, and our Cisco Wireless AP deployment guide on the Purple blog. Both are linked in the show notes. Thanks for listening. If you've got a specific deployment scenario you'd like us to cover, get in touch with the Purple technical team. We'll see you in the next episode.

📚 核心系列的一部分:多租戶 WiFi

header_image.png

執行摘要

本權威參考指南提供了一個完整的逐步設定架構,用於將 Cisco Meraki 無線網路與 Purple 的雲端 Captive Portal 進行整合。本文件專為 IT 經理、網路架構師和託管服務供應商 (MSP) 設計,詳細說明了在 Meraki Dashboard 中部署安全、高效能訪客 WiFi 解決方案所需的確切設定 [1]。

透過將訪客智慧層與硬體解耦,企業場域可以利用 Purple 通過認證的 Guest WiFiWiFi Analytics 平台來收集豐富且符合 GDPR 規範的第一方數據,同時確保網路完整性與法規遵循 [2]。本指南解決了關鍵的整合參數,包括 RADIUS 驗證(連接埠 1812/1813)、walled garden 網域排除、CDN 萬用字元解析,以及跨多種實體場域(如 零售醫療保健旅宿餐飲交通運輸 樞紐)的訪客重新導向機制。

技術深度解析

若要成功將 Cisco Meraki MR 存取點 (AP) 與 Purple 等外部 Captive Portal 整合,網路工程師必須了解底層的控制與資料平面架構。與傳統的本地端無線控制器(其 RADIUS 驗證要求源自實體控制器或個別 AP)不同,Cisco Meraki 採用雲端管理架構 [1]。

控制平面與資料平面分離

當訪客用戶端與針對外部 Captive Portal 設定的開放式 SSID 關聯時,Meraki MR AP 會將用戶端置於預先驗證狀態。在此狀態下,除了 DNS 查詢、DHCP 以及目的地為 Walled Garden 中明確定義的 IP 位址或主機名稱的流量外,所有流量都會被阻擋 [3]。

實際的 RADIUS Access-Request 訊息並非由本地 Meraki MR AP 產生。相反地,它們源自 Cisco Meraki Dashboard 雲端基礎架構 [1]。這是一個至關重要的架構差異:

> 「歡迎頁面 (splash page) 的 RADIUS 存取要求訊息將源自 Dashboard,而非本地 Meraki 裝置。因此,在此處無法指定 RADIUS 伺服器的私有區域網路 IP 位址。」[1]

因此,保護您 RADIUS 伺服器的上游防火牆必須允許來自整個 Meraki Dashboard 傳出 IP 範圍區段的傳入流量,這些範圍是動態且因地區而異的 [1]。這些範圍可以透過 Meraki Dashboard 的 Help > Firewall info 動態取得 [1]。

architecture_overview.png

RADIUS 驗證協定 (PAP)

對於登入歡迎頁面 (splash page) 驗證,Meraki 使用密碼驗證協定 (PAP) [1]。雖然 PAP 在歷史上是未加密的,但 Meraki 與 Purple 的整合透過多層加密降低了安全性風險:

  1. 用戶端到雲端加密:訪客用戶端直接與 Purple 託管的 Captive Portal 建立安全的 HTTPS (SSL/TLS) 工作階段。憑證(例如社群登入權杖、電子郵件表單)在從用戶端瀏覽器傳輸到 Purple 伺服器的過程中會進行加密 [1]。
  2. RADIUS 共用金鑰加密:當 Meraki 雲端將 RADIUS Access-Request 傳送到 Purple 的雲端 RADIUS 伺服器時,它會使用設定的 RADIUS 共用金鑰和符合 RFC 2865 的標準 XOR 函式來加密使用者的密碼 [1]。這可確保明文憑證絕不會透過網際網路傳輸。

支援的 RADIUS 屬性

Meraki 雲端和 Purple 雲端 RADIUS 在驗證交握期間會交換幾個關鍵屬性,以執行工作階段參數和原則:

RADIUS 屬性 類型 方向 說明與實際應用情境
User-Name 字串 要求 訪客用戶的識別碼(例如電子郵件地址、MAC 位址)[1]。
User-Password 字串 要求 加密的使用者密碼或工作階段權杖 [1]。
Called-Station-ID 字串 要求 格式為 AP_MAC:SSID_NAME(例如 AA-BB-CC-DD-EE-FF:GuestWiFi)。對於基於位置的原則路由至關重要 [1]。
Calling-Station-ID 字串 要求 用戶端的實體 MAC 位址(例如 11-22-33-44-55-66)。用於裝置追蹤和工作階段恢復 [1]。
Session-Timeout 整數 接受 以秒為單位的最大工作階段持續時間。逾期後,用戶端將被重新導向回 Captive Portal [1]。
Idle-Timeout 整數 接受 以秒為單位的最大閒置時間。如果未傳輸任何資料,工作階段將終止。需要 RADIUS Accounting [1]。
Filter-Id 字串 接受 傳遞要套用於用戶端的特定 Meraki 群組原則名稱(例如限制頻寬或阻擋特定類別)[1]。

實作指南

此逐步設定逐步解說概述了如何將 Cisco Meraki MR 存取點與 Purple 的外部 Captive Portal 進行整合。

步驟 1:設定 SSID 存取控制

在 Meraki Dashboard 中導覽至 Wireless > Configure > Access control [1]。選擇您的目標訪客 SSID 並設定以下參數:

  • Association Requirements:設定為 Open (no encryption) [1]。這可確保順暢的登入體驗。如果您需要加密的訪客傳輸,請考慮實實作 Passpoint / Hotspot 2.0 with Cloud RADIUS [4]。
  • Splash Page:選擇 Sign-on with,並從下拉式選單中選擇 my RADIUS server [1]。
  • RADIUS Servers:按一下 Add server 並輸入 Purple 的 Cloud RADIUS 主要與次要端點 [1]:
    • Host IP116.203.120.121(主要)與 195.201.123.149(次要)
    • Port1812(驗證)[1]
    • Secret[您的 Purple 共用金鑰]
  • RADIUS Accounting:設定為 RADIUS accounting is enabled 並新增計費伺服器:
    • Host IP116.203.120.121(主要)與 195.201.123.149(次要)
    • Port1813(計費)
    • Secret[您的 Purple 共用金鑰]
  • Captive Portal Strength:選擇 Block all access until sign-on is complete [1]。這會嚴格強制用戶端在通過 splash page 之前無法存取網際網路。

步驟 2:設定自訂 Splash Page URL

導覽至 Wireless > Configure > Splash page [1]。選擇您的訪客 SSID 並進行設定:

  • Custom Splash URL:選擇 Or point to a custom URL 並輸入 Purple 的重定向 URL:
    • https://login.venuewifi.com/ip/v2/meraki
  • Splash Page Redirect:設定為 The URL they were trying to fetch,或將其重定向至特定的到達網頁(例如:您場域的首頁) [3]。

步驟 3:設定 Walled Garden 網域名稱例外

為確保訪客用戶端可以載入 Captive Portal、從內容傳遞網路 (CDN) 下載資源,並完成社群驗證(例如:Google 或 Facebook OAuth),您必須啟用並設定 Walled Garden [3]。

返回導覽至 Wireless > Configure > Access control,並找到 Walled Garden 區段 [1]。

  1. Walled Garden 設定為 Walled garden is enabled [1]。
  2. Walled garden ranges 欄位中,輸入必要的 FQDN 和萬用字元網域 [1]。

walled_garden_infographic.png

Meraki 如何處理萬用字元與 CDN 流量

Cisco Meraki MR 存取點支援在 walled garden 中使用星號前綴(例如:*.purple.ai)來代表萬用字元網域 [1]。然而,了解其背後的運作機制至關重要:

  • 基於 DNS 的白名單:Meraki AP 會攔截用戶端的 DNS 請求。當用戶端請求與 walled garden 中項目相符的網域時,AP 會將該網域解析為其目前的 IP 地址,並暫時允許用戶端與該 IP 進行通訊 [3]。
  • 動態 CDN IP:像 Amazon CloudFront (*.cloudfront.net) 和 Akamai (*.akamaihd.net) 這類的 CDN 會解析為高度動態、地理分佈且頻繁變動的 IP 地址。Meraki 基於 DNS 的白名單機制透過即時解析網域來無縫處理此問題。切勿在您的 walled garden 中為 CDN 資源使用靜態 IP 地址,因為這會導致入口網站資源出現間歇性的載入失敗。

最佳做法

為確保高可用性、安全性與最佳使用者體驗,請遵循以下業界標準的部署最佳做法:

1. 網路分割與 VLAN 隔離

切勿將訪客流量直接橋接至您的企業區域網路 (LAN)。請設定您的 Meraki MR AP,使用專用的 Guest VLAN(例如:VLAN 30)來標記訪客流量 [4]。確保此 VLAN 終止於上游防火牆上的 DMZ 或獨立的虛擬路由及轉發 (VRF) 執行個體。這能降低橫向移動風險,並確保符合 PCI DSS 和 GDPR 等安全性標準 [2] [4]。

2. 設定容錯移轉與工作階段恢復能力

網路連線可能會中斷。為了防止訪客在驗證伺服器故障期間無法連線至網際網路,請在 Meraki Dashboard 中設定 RADIUS Failover Policy

  • Failover Policy:設定為 Deny access 以獲得最高安全性,或者如果與在故障期間收集數據相比,維持訪客連線能力更為重要,則設定為 Allow access
  • Secondary Servers:務必同時設定主要與次要 RADIUS 伺服器,以分流負載並提供自動容錯移轉 [1]。

3. 實作工作階段與閒置逾時

透過設定適當的逾時參數來管理您的無線頻譜與 DHCP 整合配置租約 [1]:

  • Session Timeout:針對旅宿環境設定為 1440 分鐘(24 小時),允許訪客在入住期間保持連線,而無需不斷重新驗證 [1]。針對零售或大眾運輸,請將此時間縮短至 120 分鐘(2 小時),以鼓勵新的互動並釋放 DHCP 租約。
  • Idle Timeout:設定為 15 分鐘。如果用戶端裝置進入睡眠狀態或離開場域,AP 將終止工作階段並收回網路資源 [1]。

疑難排解與風險緩解

在 Cisco Meraki 上部署外部 Captive Portal 時,工程師通常會遇到三種主要的故障模式。請使用此診斷矩陣快速隔離並解決問題:

症狀 根本原因 診斷步驟 解決方法
Splash page 無法載入;瀏覽器顯示「連線逾時」。 上游防火牆正在阻擋前往 Purple 的 CDN 的輸出 DNS 或 HTTP/HTTPS 流量 [1]。 嘗試從相同 VLAN 上的有線裝置解析 login.venuewifi.com 確保訪客 VLAN 具有對公用 DNS (UDP 53) 和 HTTP/HTTPS (TCP 80/443) 的輸出存取權限。
Splash page 已載入,但使用者認證無法通過驗證。 上游防火牆正在阻擋源自 Meraki 雲端的 RADIUS 流量 [1]。 使用 Meraki Dashboard 中 Access Control 下的 RADIUS Test 工具 [1]。 將 Meraki Dashboard 的輸出 IP 範圍(可在 Help > Firewall info 下找到)新增至您防火牆的 UDP 連接埠 1812 和 1813 的輸出允許清單中 [1]。
社群登入(例如:Google OAuth)失敗並出現重定向錯誤。 缺少必要的 OAuth 輔助網域Meraki Walled Garden 中的設定 [1]。 檢查用戶端裝置上的瀏覽器主控台,確認是否有被阻擋的資源載入。 將必要的 OAuth 網域(例如 *.googleapis.com*.gstatic.com)新增至 Walled Garden 清單中 [1]。

投資報酬率與商業影響

將 Cisco Meraki 與 Purple 整合,能將訪客 WiFi 從成本中心轉變為策略性商業資產。透過結合企業級硬體與進階分析,企業組織可在多個維度上獲得可衡量的回報:

  • 數據變現與行銷觸及:透過收集經驗證的電子郵件地址和社群個人檔案,場域能建立一個乾淨且合規的第一方客戶數據庫 [2]。這會直接匯入客戶關係管理 (CRM) 和行銷自動化系統,從而實現高度精準、在地化的行銷活動。
  • 營運效率:透過 Purple 進行的自動化引導,能減輕前台和 IT 支援人員的負擔。在旅宿業環境中,這意味著更少關於 WiFi 連線的訪客投訴,以及更低的營運開銷。
  • 進階人流量分析:透過將 Meraki 的位置 API 與 Purple 的分析引擎相結合,場域營運商能深入洞察訪客行為,包括人流量、停留時間、回訪率和尖峰忙碌時段 [2]。這些數據有助於在人員配置、店面佈局和房地產估值方面做出明智的決策。

參考資料

關鍵定義

Captive Portal

A web page that is displayed to newly connected users of a Wi-Fi network before they are granted broader access to network resources.

Used by venues to enforce terms of service, collect user data, and authenticate guests via RADIUS before allowing internet access.

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.

Meraki APs query Purple's Cloud RADIUS servers to verify guest credentials and authorize network access.

Walled Garden

A restricted set of IP addresses or domain names that unauthenticated guest clients are permitted to access before completing the captive portal sign-on process.

Crucial for allowing clients to reach the hosted splash page, download CSS/JS assets from CDNs, and communicate with social login OAuth endpoints.

Session-Timeout

An RFC 2865 RADIUS attribute that specifies the maximum number of seconds a user session can remain active before requiring re-authentication.

Returned by Purple RADIUS in the Access-Accept packet to control how long a guest remains logged in (e.g., 24 hours for hotel guests).

Idle-Timeout

A RADIUS attribute that defines the maximum period of inactivity (no data transferred) allowed before the user's session is terminated.

Used to disconnect stale devices and reclaim IP addresses in high-density environments like stadiums or retail stores.

PAP (Password Authentication Protocol)

A simple, unencrypted authentication protocol used by RADIUS to validate user credentials.

Required by Cisco Meraki for external splash page RADIUS authentication. Security is maintained by encrypting the client-to-portal transit via HTTPS and encrypting the RADIUS packet password field using the shared secret.

Passpoint (Hotspot 2.0)

An industry standard developed by the Wi-Fi Alliance that enables cellular-like automatic roaming and secure connection to Wi-Fi networks.

Supported by Meraki MR access points and Purple to enable seamless, certificate-based guest onboarding without captive portals.

CMX (Cisco Meraki Location APIs)

An API framework that allows Meraki access points to export real-time location and presence data (probe requests) to third-party analytics platforms.

Integrated with Purple to provide detailed footfall, dwell time, and return rate analytics for physical venues.

範例

A luxury 350-room hotel running Cisco Meraki MR46 access points needs to deploy a secure guest WiFi network. They want to capture guest emails, restrict bandwidth to 5 Mbps per guest, and ensure that guests only need to log in once every 7 days. How should the network architect configure the Meraki Dashboard and RADIUS settings?

  1. SSID Setup: Configure an open SSID named 'Hotel_Guest' with the splash page set to 'Sign-on with' and 'my RADIUS server'.\n2. RADIUS Configuration: Enter Purple's primary (116.203.120.121) and secondary (195.201.123.149) RADIUS IPs. Set the authentication port to 1812 and the accounting port to 1813. Configure the shared secret.\n3. Timeout Parameters: In the RADIUS server profile or Purple dashboard, set the Session-Timeout attribute to 604800 seconds (7 days) and Idle-Timeout to 1800 seconds (30 minutes) to reclaim inactive DHCP leases.\n4. Traffic Shaping: In the Meraki Dashboard under Wireless > Configure > Firewall & traffic shaping, select the SSID, enable traffic shaping, and set a per-client limit to 5 Mbps downstream and 2 Mbps upstream.\n5. Walled Garden: Enable the walled garden and add *.purple.ai, *.venuewifi.com, and necessary CDN wildcards like *.cloudfront.net to allow the splash page to render pre-authentication.
考官評語: This solution successfully balances user experience with network performance. Using a 7-day Session-Timeout prevents login fatigue for long-stay guests, while the 30-minute Idle-Timeout prevents IP address exhaustion in the DHCP pool. Configuring traffic shaping directly on the Meraki APs rather than relying on RADIUS attributes (like Maximum-Data-Rate-Downstream) is preferred as it reduces processing overhead on the APs and provides a more consistent enforcement mechanism.

A national retail chain with 45 stores wants to deploy guest WiFi across all locations using Meraki MR33 APs. They need to ensure consistent configuration, block corporate network access, and collect footfall analytics. How should this be implemented at scale?

  1. Configuration Templates: Create a single Network Configuration Template in the Meraki Dashboard. Configure the guest SSID with Purple's RADIUS settings, walled garden domains, and the custom splash URL: https://login.venuewifi.com/ip/v2/meraki. Bind all 45 store networks to this template.\n2. VLAN Segmentation: On each store's local switch and firewall, configure a dedicated Guest VLAN (e.g., VLAN 50). In the Meraki SSID settings, set Client IP Assignment to 'External DHCP server' and specify VLAN 50. Ensure the firewall blocks all routing from VLAN 50 to corporate subnets.\n3. Location Analytics: Enable Meraki Scanning API (CMX) in the Meraki Dashboard under Network-wide > Configure > General. Enter the Purple Post URL and secret validator. This allows Meraki APs to stream real-time probe request data to Purple's analytics engine for footfall and dwell time reporting.
考官評語: Deploying at scale requires automation and template-based management. By binding all networks to a single template, any future walled garden updates (such as adding a new social login provider) can be pushed to all 45 stores instantly, eliminating manual configuration errors. Enabling the Meraki Scanning API alongside RADIUS accounting ensures that the retailer captures both active guest session analytics and passive visitor footfall metrics, maximizing the business value of the deployment.

練習題

Q1. A network engineer deploys a new Meraki guest SSID with a Purple captive portal. Unauthenticated clients are successfully redirected to the login page, but when they attempt to use 'Log in with Google', the page spins and eventually fails with a DNS or timeout error. Other login methods (like email form) work perfectly. What is the most likely cause of this issue, and how should it be resolved?

提示:Consider what external domains the client's browser must reach to complete the Google OAuth handshake before the RADIUS authentication is completed.

查看標準答案

The most likely cause is that the Google OAuth helper domains are missing from the Meraki SSID's Walled Garden configuration. While the core Purple domains and CDN domains are allowed (which is why the splash page loads), the Google authentication servers are being blocked by the AP's pre-authentication firewall rules. To resolve this, navigate to Wireless > Configure > Access control, select the guest SSID, and append the following Google OAuth domains to the Walled Garden list: accounts.google.com, *.googleapis.com, *.gstatic.com, and *.googleusercontent.com. Once saved, the AP will permit the client to complete the Google authentication handshake and redirect back to Purple to complete the RADIUS login.

Q2. During a post-deployment audit of a high-density stadium WiFi network, the IT team notices that the DHCP pool for the guest VLAN (a /21 subnet with 2048 IPs) is completely exhausted within the first 2 hours of an event, even though active concurrent connections never exceed 800. RADIUS accounting is enabled. How can the network architect adjust the Meraki and RADIUS settings to mitigate this issue?

提示:Analyze the relationship between client session timeouts, idle timeouts, and DHCP lease times in high-density transient environments.

查看標準答案

The DHCP pool exhaustion is caused by transient clients (users walking past or entering the stadium briefly) connecting, obtaining an IP address, and then leaving the venue. Because the default Meraki Session-Timeout or DHCP lease time is too long, those IP addresses remain reserved even though the physical devices are no longer present. To resolve this, the architect should implement three coordinated changes: 1) Reduce DHCP Lease Time: On the DHCP server (or Meraki security appliance handling DHCP), reduce the lease time to 10 or 15 minutes. 2) Configure Idle Timeout: Ensure RADIUS accounting is enabled on port 1813 and configure an Idle-Timeout of 10 minutes (600 seconds) in the RADIUS Access-Accept profile. This tells the Meraki AP to terminate the session of any client inactive for 10 minutes. 3) Shorten Session Timeout: Reduce the global Session-Timeout for the stadium profile to 120 minutes (7200 seconds) to force periodic re-evaluation of active devices.

Q3. An MSP is configuring a Meraki guest SSID with a Purple captive portal. They have entered the correct Purple RADIUS server IPs and ports (1812/1813) in the Meraki Dashboard, but when testing with the built-in RADIUS 'Test' tool, all access points fail to reach the server. The MSP verifies that the RADIUS shared secret is correct and that the Purple cloud is online. What routing or firewall configuration did the MSP likely overlook?

提示:Recall where RADIUS authentication requests are sourced from in a Cisco Meraki cloud-managed architecture.

查看標準答案

The MSP likely configured their local network firewalls to allow outbound RADIUS traffic from the local AP subnets, but forgot that in a Meraki splash page deployment, RADIUS Access-Requests are sourced directly from the Cisco Meraki Dashboard Cloud Infrastructure, not from the local APs. To resolve this, the MSP must obtain the outbound IP ranges of the Meraki Dashboard (found in the Meraki Dashboard under Help > Firewall info) and configure their upstream corporate firewall to allow inbound and outbound UDP traffic on ports 1812 (Authentication) and 1813 (Accounting) between those Meraki Dashboard IP ranges and Purple's Cloud RADIUS servers. Additionally, they must ensure that the Meraki Dashboard IPs are added as valid RADIUS clients in the Purple portal configuration.

繼續閱讀本系列

CommScope Ruckus 與 Purple WiFi 整合:安裝與設定指南

本技術參考指南為 CommScope Ruckus 架構與 Purple WiFi 的整合提供了權威的設定指南。其中詳細介紹了使用 Guest WiFi Captive Portal、透過 802.1X 的安全員工 WiFi,以及使用 Ruckus Dynamic PSK 的多租戶網路隔離的逐步部署步驟。

閱讀指南 →

Allied Telesis Access Points Integration with Purple WiFi

本指南提供將 Allied Telesis TQ 系列無線基地台與 Purple WiFi 整合的完整設定指南。內容涵蓋外部 Captive Portal 重新導向、802.1X RADIUS 驗證,以及使用私有預共用金鑰 (PPSK) 進行動態 VLAN 導向,以實現安全的多租戶部署。

閱讀指南 →

Grandstream GWN Access Points Integration with Purple WiFi

本權威技術參考指南詳細說明如何將 Grandstream GWN 基地台與 Purple 的 Guest WiFi 及分析平台進行整合。內容涵蓋 Grandstream Captive Portal 設定、RADIUS AAA 設定、Walled Garden(圍牆花園)設定、支援動態 VLAN 導向的安全員工 802.1X 驗證,以及多租戶 PPSK 分割,為大規模部署訪客與員工 WiFi 的 MSP 和 IT 團隊提供具體可行的逐步指引。

閱讀指南 →