Cisco Meraki
Last updated
Last updated
Cisco Meraki integration is based on the iPSK without RADIUS feature, with support of Wi-Fi Personal Network (WPN) capabilities. It also relies on Group Policies to differentiate Tenant services (such as VLAN and bandwidth).
Cusna relies on iPSK without RADIUS and WPN is supported only on MR devices with 29.4.1+ firmware. However, to benefit form the possibility to manage up to 5,000 iPSK per SSID, you need to use firmware versions MR 30.1 and newer.
All APs in your network must be Wi-Fi 5 Wave 2 (MR20, MR30H, MR33, MR42, MR42E, MR52, MR53, MR53E, MR70, MR74. MR84), Wi-Fi 6 (MR28, MR36, MR36H, MR44, MR46, MR46E, MR56, MR76, MR78, MR86, MR45/55), Wi-Fi 6E (MR57, CW9162I, CW9164I, CW9166I) or newer.
Each Location in Cusna is associated to a Network in the Meraki dashboard.
Create a Network in Meraki as described in the official Meraki documentation.
Next, you need to create an SSID configured to support iPSK. Navigate to Wireless > Configure > SSIDs, enable an SSID from the list and rename it with your desired network name, e.g. "Tenant WiFi". Click Save Changes at the bottom of the page.
On the desired SSID, click "edit settings" link to navigate to the Access Control page for this SSID.
On the Access control Page, Select Identity PSK without RADIUS under Security and click on Add an Identity PSK
Configure a name and passphrase; select a group policy.
Set Wi-Fi Personal Network (WPN) to Enabled
Note: The "Enabled/Disabled WPN" option is only displayed when at least one iPS group is configured.
Click Save changes on the bottom of the page.
If you need to support IoT Devices Authentication via MAC authentication, you need to add an additional dedicated SSID in each of the Networks configured for the service.
Navigate to Wireless > Configure > SSIDs, enable an SSID from the list and rename it with your desired network name, e.g. "IoT Devices". Click Save Changes at the bottom of the page.
On the above SSID, click "edit settings" link to navigate to the Access Control page for this SSID.
Finally, expand the RADIUS section and add Primary and Secondary RADIUS data for both the RADIUS servers and RADIUS Accounting servers sections. The RADIUS data (IP addresses, Ports and Secrets are delivered as part of your onboarding email).
To connect Cusna to your Meraki account, you need to generate an API Key in your Meraki account:
Navigate to Organizations > Settings.
Ensure the option Enable access to the Cisco Meraki Dashboard API is enabled.
Navigate to your profile by clicking your account email address in the upper-right > My profile to generate the API key.
Save this key in a secure location as it represents your admin credentials.
Once the key is generated from the Cisco Meraki dashboard:
Log in to your Cusna account and click Setting.
Expand the WiFi setup card, select Meraki and enter your API Key.
The Organization menu will load the list of Meraki Organizations enabled on your API Kay; select the Organization that you want to link to your Cusna account.
Click Save.
Next, you need to setup at least one Network Policy. Once you have set up the Meraki integration, the Network Policy section appears.
Network PoliciesWhen using Meraki, Cusna does not allwo to manually or automatically set the VLAN on the individual tenant, since the VLAN is handled by the assigned Group Policy.
When you create or edit a Property in the Cusna dashboard, in the WiFi configuration section, you have to pick the Network and SSID related to the Network and the Network Policy you want to assign by default to the new tenant accounts (you can select a custom Network Policy while creating a new Tenant)
Note: when selecting the SSID, Cusna verifies in real-time if the SSID is properly configured with work with iPSK without RADIUS and the other settings required by Cusna. If not compliant, you'll see a notification message. You can still select the SSID and save the Network and fix the SSID configuration later or.
Meraki support Cusna Units management, where each unit can be associated with a Wired access point. Cusna configure the ETH ports to be in the same personal area network as the device connecting with the iPSK of the Account associated to the Unit.
This feature is currently supported only on MR36H
When you create a new Account, a new iPSK user will be created in your Meraki account with a predefined WiFi Passphrase.
In the Account setup page, you need to chose a Network Policy to assign to the user in the related menu. Select "Default" to assign the Network Policy that has been selected as the default one for the Network where you are activating the Account
The Account of type Tenant and Visitors receive an activation email with the default passphrase and QR code, and a link to the Tenant Portal where can change the passphrase.
To avoid synchronization problems, please do not manage manually the iPSKs in the Meraki dashboard.
5,000 iPSK groups per SSID and 2x SSIDs with WPN enabled per dashboard network are supported.
Wireless devices connected to a WPN-enabled SSID cannot communicate with wired devices on the same VLAN (L2 domain) except for the default gateway.
Wireless devices connected to a WPN-enabled SSID can communicate with wired devices on a different VLAN through L3 routing.
Meraki AP assigned (NAT mode) is not supported on an SSID with WPN enabled. External DHCP server assigned mode must be used instead.
Wired AP ports using port profiles do not support WPN.
On the Access Control page, select Identity PSK without RADIUS under Security
Select "None (direct Access)" in the Splash Page section
