Entra ID splash page - Wireless with multiple SSIDs

sys-admin
Conversationalist

Microsoft Entra ID Integration with Splash Page - Cisco Meraki Documentation

We have set up two test SSIDs using the above documented authentication procedure. This works well. However, I additionally need to limit access to both SSIDs to specific Entra User groups. On the Entra ID side, I can limit who can use the Cisco Meraki Network Access enterprise app, but since both SSIDs appear to use the same app, this won't work. Meraki does not appear to be passing SSID info over to Entra ID.

Is there any way to scope Entra users to different SSIDs? Or is this not supported yet? Without this functionality, this authentication process is limited in usefulness.

alemabrahao
Kind of a big deal

The only way I see to do what you want is to use Meraki Access Manager with EAP-TTLS/PAP or EAP-TLS authentication.

Access Manager Username/Password Authentication - EAP-TTLS/PAP with Entra ID Lookup - Cisco Meraki D...

Meraki supports Entra ID authentication via splash pages and Access Manager, but all SSIDs using Entra ID authentication rely on the same Cisco Meraki Network Access enterprise app and SSID context is not passed to Entra ID, so Entra cannot differentiate which SSID a user is trying to access.

Microsoft Entra ID Integration with Splash Page - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
sys-admin
Conversationalist

Does the EAP-TTLS/PAP require a certificate to be installed on the endpoint? These will be unmanaged devices so that would present a challenge for us.

alemabrahao
Kind of a big deal

Yes, it's required.

PhilipDAth
Kind of a big deal

I believe EAP-TTLS/PAP only works for tenancies that have not been migrated to modern authentication policy. Every tenancy is being forced to do this by Microsoft.

The only safe option is to use EAP-TLS.
