https://community.cisco.com/t5/wireless/authentication-method/m-p/5481648#M295315 <P>Can we take a step back - what are you trying to achieve?</P><P>The end result (from above) is that both corporate and personal devices will have access to the same network.</P><P>What do you gain by making people enter two passwords from a personal device?</P> Sun, 23 Feb 2025 18:55:00 GMT Philip D'Ath 2025-02-23T18:55:00Z https://community.cisco.com/t5/wireless/authentication-method/m-p/5481645#M295312 <P>Hi all <BR />I'm new to cisco Meraki and I'm using MR55 device <BR />The thing is I have my network called Corporate and I want my staff to use the network normally with their laptop,<BR />but if they managed to know the password and try to use it with their phone, I want them to authenticate in a splash page for example with different password. <BR /><BR />Can someone guide me on this </P><P>Thanks </P> Sat, 22 Feb 2025 15:36:34 GMT https://community.cisco.com/t5/wireless/authentication-method/m-p/5481645#M295312 Ahmed900 2025-02-22T15:36:34Z https://community.cisco.com/t5/wireless/authentication-method/m-p/5481646#M295313 <P>I assume you won't achive this reliably with the build in tools.</P><P>One option worth a test is to have two group policies in the WLAN, one default without splash page and one with a splash page. The later gets assigned based on the end device:</P><P><SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KarstenI_0-1740241915098.jpeg" style="width: 400px;"><span class="lia-inline-image-display-wrapper" image-alt="image.jpeg"><img src="https://community.cisco.com/t5/image/serverpage/image-id/276110iD3C9084580DB6A5B/image-size/large?v=v2&amp;px=999" role="button" title="image.jpeg" alt="image.jpeg" /></span></SPAN></P><P>For the "<SPAN>if they managed to know the password</SPAN>":</P><P>Normally the users can always find out the passphrase. This is only forbidden when the WLAN profile is pushed with an MDM like Meraki Systems Manager.</P> Sat, 22 Feb 2025 16:33:34 GMT https://community.cisco.com/t5/wireless/authentication-method/m-p/5481646#M295313 Karsten Iwen 2025-02-22T16:33:34Z https://community.cisco.com/t5/wireless/authentication-method/m-p/5481647#M295314 <P>Something tells me here no matter which way they authenticate they’re going to end up on your corporate network.</P><P>How is your internal network segmented?</P> Sat, 22 Feb 2025 21:18:53 GMT https://community.cisco.com/t5/wireless/authentication-method/m-p/5481647#M295314 MerakiGnome 2025-02-22T21:18:53Z https://community.cisco.com/t5/wireless/authentication-method/m-p/5481648#M295315 <P>Can we take a step back - what are you trying to achieve?</P><P>The end result (from above) is that both corporate and personal devices will have access to the same network.</P><P>What do you gain by making people enter two passwords from a personal device?</P> Sun, 23 Feb 2025 18:55:00 GMT https://community.cisco.com/t5/wireless/authentication-method/m-p/5481648#M295315 Philip D'Ath 2025-02-23T18:55:00Z https://community.cisco.com/t5/wireless/authentication-method/m-p/5481649#M295316 <P>Hi <A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/121148">@Ahmed900</A>,</P><P>I agree with <A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/340">@Philip D'Ath</A>, at first its important to understand what you're trying to achieve.</P><P>With this said, I think you can use the setup with PSK and Sign-on splash page, and in the dashboard settings you can put the laptops into a white list manually, and in this case these clients won't need to go through splash authentication. And if users try to enter connect to the SSID from their phone knowing the PSK, they will be met with the splash page. This method, however, don't prevent them from connecting if they know the password for the splash page. Something similar is outlined in <A href="https://documentation.meraki.com/MR/MR_Splash_Page/Using_a_Sign-on_Splash_Page_to_Restrict_Wireless_Access_by_MAC_address" target="_self" rel="nofollow noopener noreferrer">this KB</A>.<BR /><BR />I believe the best way to go here if you want to restrict access from phones would be some sort of MAC address-based, or cert-based authentication.</P> Mon, 24 Feb 2025 11:11:34 GMT https://community.cisco.com/t5/wireless/authentication-method/m-p/5481649#M295316 sinelnyyk1 2025-02-24T11:11:34Z https://community.cisco.com/t5/wireless/authentication-method/m-p/5481650#M295317 <P>You would probably be better using 802.1x and applying group policies to the different device types i.e. BYOD and company owned. </P> Mon, 24 Feb 2025 19:47:50 GMT https://community.cisco.com/t5/wireless/authentication-method/m-p/5481650#M295317 BlakeRichardson 2025-02-24T19:47:50Z https://community.cisco.com/t5/wireless/authentication-method/m-p/5481651#M295318 <P>Hi <A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/340">@Philip D'Ath</A> <BR />What I'm trying to achieve is for the network to be accessible for laptops only,</P><P>my point is when a user connects via Organization Laptops it should connect normally,<BR />but if he trying to connect with his phone, it should not connect that's why I'm searching for other solution to forbid Connecting with phone in the splash page configuration </P> Tue, 25 Feb 2025 11:37:39 GMT https://community.cisco.com/t5/wireless/authentication-method/m-p/5481651#M295318 Ahmed900 2025-02-25T11:37:39Z https://community.cisco.com/t5/wireless/authentication-method/m-p/5481652#M295319 <P>Then the solution is 802.1X with EAP-TLS as already mentioned. Every company device is enrolled with a certificate that is not exportable on the end device and only these devices are allowed to authenticate. Or, all other devices that don't authenticate through a certificate get the "only-Internet" VLAN assigned.</P> Tue, 25 Feb 2025 11:41:49 GMT https://community.cisco.com/t5/wireless/authentication-method/m-p/5481652#M295319 Karsten Iwen 2025-02-25T11:41:49Z https://community.cisco.com/t5/wireless/authentication-method/m-p/5481653#M295320 <P>Hi <A href="https://community.meraki.com/t5/user/viewprofilepage/user-id/105916">@sinelnyyk1</A> <BR />both solutions sound good for me I will read more about it <BR /><BR />Thanks <BR /><BR /><BR /></P> Tue, 25 Feb 2025 11:42:33 GMT https://community.cisco.com/t5/wireless/authentication-method/m-p/5481653#M295320 Ahmed900 2025-02-25T11:42:33Z https://community.cisco.com/t5/wireless/authentication-method/m-p/5481654#M295321 <P>I second this. Configure something like Microsoft Certificate Server (part of Windows Server) and a group policy to deploy a certificate to every AD member, and then use that for authentication.</P><P>Once you have the certificate deployment done, here is a walk through for the NPS configuration required.</P><P><A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/Creating_a_Policy_in_NPS_to_support_EAP-TLS_authentication" target="_blank" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/Creating_a_Policy_in_NPS_to_support_EAP-TLS_authentication</A></P><P>Except skip the entire first section on "Connection Request Policies.". This section does absolutely nothing. Whoever wrote that didn't know what connection request policies do.</P> Tue, 25 Feb 2025 22:25:02 GMT https://community.cisco.com/t5/wireless/authentication-method/m-p/5481654#M295321 Philip D'Ath 2025-02-25T22:25:02Z