Hi,
I have been asked to design a Guest Wifi architecture for spokes with some basic requirements:
- Guest Wifi user should have access to Internet only
- A single Guest Wifi subnet should be used for all 600+ sites
However, the splash page should be stored on an internal server located in the Data Center / hub. This splash page will not be reachable via the Internet.
From my understanding, if the splash page is only reachable through the AutoVPN tunnel, I guess that the Guest Wifi VLAN / subnet of each spoke would have to be advertised to the hub => so we cannot use a single Guest Wifi subnet but would need one subnet per spoke, and things get more complicated.
Am I correct? Is there any way to meet the requirement? Thanks for your advice.
Can the splash page be replicated in the native splash function of dashboard? That would greatly simplify your design, provide resiliency, and require no VPN tunnel.
Hi @Ryan_Miles, the client has their captive portal Ucopia which is working well and therefore they do not want to change anything.
Any solution for that? Thanks.
I don't think this is a good design.
If you want to write a captive portal integration take a look at the EXCAP guide (option 3).
https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf
Here is the developer guide:
https://developer.cisco.com/meraki/captive-portal-api/
Otherwise, if you want to pursue the layer 2 strategy, you'll need to deploy an MX in VPN concentrator mode wherever your portal server is. Then configure the SSID to use tunnelling.
Regarding not making it accessible on the internet, I wonder if you could use some Cloudflare rules to handle this at the DNS level?
One unique aspect of the Meraki captive portal is that it passes in a selection of URL parameters with information such as the device MAC/IP.
You could filter based on this, concealing the splash page unless these URL params are present.
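The gating idea in the reply above, worked through as an added example (this is not code from the thread, from Ucopia or from Meraki). It assumes the query parameter names Meraki appends when it redirects a client to an EXCAP portal (base_grant_url, user_continue_url, node_mac, client_ip, client_mac, gateway_id), a made-up guest subnet of 10.250.0.0/16 standing in for the single subnet the question asks for, and that the grant URL lives under a .network-auth.com host; check all three against the EXCAP guide linked above. The portal only renders when every parameter is present and well formed and the reported client IP falls in the guest range; everything else gets a 404. One caveat a practitioner will want: anyone who knows the parameter names can forge a query string, so this hides the page from casual scanning but is not authentication, and the actual access restriction still has to come from the network (the concentrator / tunnel path or the DNS/edge rules mentioned above).

```python
"""Gate an EXCAP splash page on the query parameters Meraki appends.

Added example, not from the thread or from Meraki/Ucopia. Assumptions:
parameter names as documented for Meraki EXCAP, a constructed guest
subnet (10.250.0.0/16) and a grant host under .network-auth.com.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameters Meraki appends on the redirect to the portal (per EXCAP docs).
REQUIRED_PARAMS = ("base_grant_url", "user_continue_url",
                   "node_mac", "client_ip", "client_mac")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
GUEST_SUBNET = ipaddress.ip_network("10.250.0.0/16")   # constructed value
GRANT_HOST_SUFFIX = ".network-auth.com"                 # assumption


def classify_request(url, guest_subnet=GUEST_SUBNET):
    """Decide whether a request looks like a Meraki-initiated splash hit.

    Returns a dict with 'serve' (bool), 'reason' and, on success, the
    normalised client MAC plus the grant/continue URLs for the next step.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in qs.items()}

    missing = [p for p in REQUIRED_PARAMS if not params.get(p)]
    if missing:
        return {"serve": False, "reason": "missing " + ",".join(missing)}

    for key in ("node_mac", "client_mac"):
        if not MAC_RE.match(params[key].lower()):
            return {"serve": False, "reason": f"malformed {key}"}

    try:
        client_ip = ipaddress.ip_address(params["client_ip"])
    except ValueError:
        return {"serve": False, "reason": "malformed client_ip"}
    # Single guest subnet shared by every spoke: anything else is not a guest.
    if client_ip not in guest_subnet:
        return {"serve": False, "reason": "client_ip outside guest subnet"}

    grant = urlsplit(params["base_grant_url"])
    if grant.scheme != "https" or not (grant.hostname or "").endswith(GRANT_HOST_SUFFIX):
        return {"serve": False, "reason": "unexpected base_grant_url"}

    return {
        "serve": True,
        "reason": "ok",
        "client_mac": params["client_mac"].lower(),
        "grant_url": params["base_grant_url"],
        "continue_url": params["user_continue_url"],
    }


def build_grant_redirect(verdict):
    """URL to send the client to after they accept the terms.

    Form assumed from the EXCAP guide: base_grant_url?continue_url=<original>.
    """
    return verdict["grant_url"] + "?" + urlencode({"continue_url": verdict["continue_url"]})


def splash_app(environ, start_response):
    """Minimal WSGI handler: 200 with the portal for valid hits, 404 otherwise."""
    query = environ.get("QUERY_STRING", "")
    url = environ.get("PATH_INFO", "/") + ("?" + query if query else "")
    verdict = classify_request(url)
    if not verdict["serve"]:
        # Deliberately indistinguishable from a page that does not exist.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not Found\n"]
    body = ("<html><body><h1>Guest Wifi</h1>"
            f"<a href=\"{build_grant_redirect(verdict)}\">Accept and continue</a>"
            "</body></html>\n").encode()
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "no-store")])
    return [body]
```

Run it behind any WSGI server (for instance `wsgiref.simple_server.make_server("0.0.0.0", 8080, splash_app)`) and hit it once with and once without the Meraki parameters; the bare URL returns 404. If the portal is fronted by Cloudflare as suggested above, the same presence check can be expressed there as a rule on the query string, with this handler as the second line of defence.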