Entra ID Splash Page Auth - Is it possible to assign users specific VLANs?

iGreggers
New here


To give context: my organisation currently has a requirement to provide Wi-Fi to unmanaged devices. 802.1X in general is confusing for users, and deploying certs/passports to them is an additional step of confusion and aggravation. I'm thinking of moving the authentication for that SSID to the Entra ID-powered splash page.

We have two core user bases, each user base having a different set of requirements, so we stick them on their own VLANs once authenticated. We are using 802.1X at the moment and we are returning a different Tunnel-Type RADIUS attribute depending on which group the user falls into. This allows us to use one SSID to deliver two networks/VLANs effectively.


Is something like this still possible with the Entra ID splash page authentication, or will I need to have two separate SSIDs to make this work?
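The per-group VLAN steering the question describes is carried in the RFC 2868 tunnel attributes of the RADIUS Access-Accept. The following is an added example, not code from the thread or from Meraki: it encodes the three attributes a RADIUS server returns (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>) for a given group, and parses them the way an access point would, accepting the VLAN only when all three are present with a matching tag. The group names and VLAN numbers are assumptions.

```python
"""Added example (not from the thread): build and check the RFC 2868 tunnel
attributes a RADIUS server returns in an Access-Accept to place an 802.1X
client into a per-group VLAN, the mechanism the original post describes."""
import struct

# RADIUS attribute types (RFC 2868) and the enumerated values used for VLAN steering
TUNNEL_TYPE = 64               # Tunnel-Type, value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # Tunnel-Medium-Type, value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # Tunnel-Private-Group-ID, the VLAN ID as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed group-to-VLAN mapping; names and VLAN numbers are assumptions, not from the thread.
GROUP_TO_VLAN = {"employees": 10, "students": 20}


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length covers the whole AVP)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a RADIUS AVP")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer per RFC 2868: one tag octet followed by a 3-octet value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return _avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    """Tagged string per RFC 2868: one tag octet followed by the string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return _avp(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_attributes(group: str, tag: int = 1) -> bytes:
    """The three attributes an Access-Accept carries to steer `group` into its VLAN."""
    vlan_id = GROUP_TO_VLAN[group]
    return (
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id))
    )


def parse_avps(raw: bytes):
    """Split a run of AVPs into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated AVP header")
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad AVP length")
        out.append((attr_type, raw[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(raw: bytes):
    """What an access point does with the attributes: return the VLAN ID only when
    Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802 are present with the same tag
    as the Tunnel-Private-Group-ID; otherwise None (client stays on the SSID default)."""
    found = {}
    for attr_type, value in parse_avps(raw):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[(attr_type, value[0])] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first octet above 0x1F is part of the string, i.e. "no tag" (tag 0)
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            found[(attr_type, tag)] = text.decode("ascii", "replace")
    for (attr_type, tag), text in found.items():
        if attr_type != TUNNEL_PRIVATE_GROUP_ID:
            continue
        if (found.get((TUNNEL_TYPE, tag)) == TUNNEL_TYPE_VLAN
                and found.get((TUNNEL_MEDIUM_TYPE, tag)) == TUNNEL_MEDIUM_IEEE_802
                and text.isdigit() and 1 <= int(text) <= 4094):
            return int(text)
    return None


if __name__ == "__main__":
    for group in GROUP_TO_VLAN:
        avps = vlan_attributes(group)
        print(group, avps.hex(), "->", assigned_vlan(avps))
```

The parser is deliberately strict: a reply that carries only a Tunnel-Private-Group-ID, or whose three attributes carry different tags, yields no VLAN, which is the safe failure mode for a captive SSID (the client lands on the default VLAN rather than on a guessed one).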

alemabrahao
Kind of a big deal

Unfortunately, Entra ID splash page authentication does not support dynamic VLAN assignment based on user group or attributes.


If you want to retain dynamic VLAN assignment based on Entra ID groups, you’ll need to use Meraki Access Manager with EAP-TTLS/PAP or EAP-TLS authentication.


Microsoft Entra ID Integration with Splash Page - Cisco Meraki Documentation


Access Manager Username/Password Authentication - EAP-TTLS/PAP with Entra ID Lookup - Cisco Meraki D...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
iGreggers
New here

Hey Alemabrahao. Thanks for your reply. Unfortunate to hear Entra ID splash page does not support dynamic VLAN assignment. EAP-TLS is what we're going to run for managed devices, but we're really looking to move away from 802.1X for unmanaged devices, so that's unlikely an option going forward. It's my understanding that it's one application per Entra tenant, so it looks like I won't be able to make use of multiple Entra applications either.


I wonder then - perhaps I can use two separate SSIDs that go back to the same Entra tenant/application, and have each SSID whitelist different allowed domains for authenticating. That all depends on how the domain whitelisting works, and if I can differentiate between parent domains and child domains. Our example would be @School.edu for employees and @students.school.edu for students (our two core user bases).
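Whether the two-SSID idea works hinges on the exact question raised above: does the allowed-domain list match the domain exactly, or does it admit subdomains as well? The thread does not say which rule the Meraki splash page applies, so the following is an added example, not code from the thread or from Meraki, that shows how the same two UPNs are classified under each rule. The SSID names are assumptions; the domains are the ones from the post.

```python
"""Added example (not from the thread): exact-domain versus suffix-domain
allow-lists applied to a parent domain and a child domain."""

# Constructed allow-list per SSID; SSID names are assumptions, domains are from the post.
SSID_ALLOWED_DOMAINS = {
    "Staff-WiFi": {"school.edu"},
    "Student-WiFi": {"students.school.edu"},
}


def domain_of(upn: str) -> str:
    """Domain part of a UPN/email: lowercased, whitespace and trailing dot stripped.
    Rejects inputs without exactly one '@' so a malformed UPN never matches anything."""
    if upn.count("@") != 1:
        raise ValueError("expected exactly one @ in the UPN")
    local, domain = upn.split("@")
    domain = domain.strip().lower().rstrip(".")
    if not local.strip() or not domain:
        raise ValueError("empty local part or domain")
    return domain


def allowed_exact(upn: str, allowed: set) -> bool:
    """Exact match: 'school.edu' does NOT admit 'students.school.edu'."""
    return domain_of(upn) in allowed


def allowed_suffix(upn: str, allowed: set) -> bool:
    """Suffix match on a label boundary: 'school.edu' admits every subdomain too,
    but not 'evilschool.edu' (the check requires a '.' before the allowed domain)."""
    domain = domain_of(upn)
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def ssids_for(upn: str, matcher=allowed_exact):
    """Which SSIDs would admit this user under the given matching rule."""
    return sorted(ssid for ssid, allowed in SSID_ALLOWED_DOMAINS.items() if matcher(upn, allowed))


if __name__ == "__main__":
    for upn in ("jane@School.edu", "sam@students.school.edu"):
        print(upn, "exact:", ssids_for(upn), "suffix:", ssids_for(upn, allowed_suffix))
```

Under exact matching each user base lands on one SSID, which is the behaviour the two-SSID plan needs; under suffix matching a student UPN satisfies both lists, so the staff SSID would also admit students. That is the one property to confirm against the product's actual whitelist behaviour before building on it.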

MauroF
Building a reputation

Why don't you fix the MAC address for every single device and do MAB with a Group Policy?

iGreggers
New here

Fixing the MAC for unmanaged devices is a nuisance for users. It also then means we have to anticipate every unmanaged device that connects to us before the point of connection, which with our student user base is unmanageable, unfortunately. Thanks for your input, however.

PhilipDAth
Kind of a big deal

I just remembered that Splash Access can do VLAN assignment, as well as Entra ID authentication. Maybe look at that third-party solution.


https://splashaccess.com/azure-entra-directory-authenticated-wi-fi/

