Integrating Active Directory with Sign-On Splash Page

Cisco Meraki devices (MR access points and MX security appliances) support the use of a sign-on Splash Page,
requiring network users to authenticate in a web browser before being allowed access to the network. This splash page
can be integrated with an Active Directory server, allowing users to provide their domain credentials to gain access.

This article outlines how to configure a sign-on Splash Page with Active Directory.

Overview
When using Active Directory authentication, your access points perform a secure LDAP bind over SSL/TLS, negotiated with the StartTLS extended operation. The LDAP bind authenticates the user logging into the splash page as illustrated below:
1. A secure connection is established using TLS. After the handshake, a secure channel is established, and all subsequent LDAP calls are encrypted, preventing outsiders from snooping on the portion of the exchange highlighted in beige.
2. The AP binds to the Domain Controller using the Active Directory admin credentials specified in Dashboard.
3. If the bind is successful, the AP searches the directory for the user logging in by their sAMAccountName attribute. If a match is found, the DN of the user is returned to the AP.
4. The AP then attempts to bind with the DN of the user and the password entered in Dashboard. If the credentials are accepted, the user is authenticated.
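The four steps above can be reproduced from a Windows administration host with the .NET System.DirectoryServices.Protocols classes, which makes it possible to see which stage (TLS handshake, admin bind, user lookup, user bind) fails when the splash page rejects a login. The script below is an added example, not Meraki's code or Microsoft's documentation; the host name dc01.corp.example, the search base DC=corp,DC=example and the prompted account names are assumptions. It runs in Windows PowerShell 5.1 on a host that trusts the domain controller's certificate.

```powershell
# Added example: replay the AP's StartTLS -> admin bind -> sAMAccountName search -> user bind
# sequence from an admin workstation. All host names, DNs and accounts are assumed values.
using namespace System.DirectoryServices.Protocols
using namespace System.Net

Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server    = 'dc01.corp.example'        # assumed DC/GC host name; must match the server certificate
$Port      = 3268                       # Global Catalog port, as queried by the MR/MX
$BaseDn    = 'DC=corp,DC=example'       # assumed forest root (the GC answers for the whole forest)
$AdminCred = Get-Credential -Message 'AD admin account configured in Dashboard (read-only bind account)'
$UserName  = Read-Host 'sAMAccountName of the splash-page user (no domain prefix)'
$UserPass  = Read-Host 'Password of that user' -AsSecureString

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a crafted user name cannot change the meaning of the search filter.
    param([string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function New-StartTlsConnection {
    param([string]$HostName, [int]$TcpPort, [NetworkCredential]$Credential)
    $conn = New-Object LdapConnection (New-Object LdapDirectoryIdentifier($HostName, $TcpPort))
    $conn.SessionOptions.ProtocolVersion = 3
    # Step 1: upgrade the plaintext session with the StartTLS extended operation. The DC's
    # certificate is validated against this host's trust store, so a self-signed DC certificate
    # must be trusted here just as it must be on the Meraki side.
    $conn.SessionOptions.StartTransportLayerSecurity($null)
    # Simple bind (name + password), which is only acceptable because TLS is already up.
    $conn.AuthType   = [AuthType]::Basic
    $conn.Credential = $Credential
    $conn.Bind()
    return $conn
}

# Step 2: bind with the Dashboard admin account.
$adminConn = New-StartTlsConnection -HostName $Server -TcpPort $Port -Credential $AdminCred.GetNetworkCredential()

# Step 3: look the user up by sAMAccountName and read back the DN.
$filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $UserName))"
$req    = New-Object SearchRequest($BaseDn, $filter, [SearchScope]::Subtree, 'distinguishedName')
$resp   = $adminConn.SendRequest($req)
$adminConn.Dispose()
if ($resp.Entries.Count -ne 1) {
    throw "Expected exactly one entry for $UserName, got $($resp.Entries.Count)"
}
$userDn = $resp.Entries[0].DistinguishedName
Write-Host "Resolved $UserName to $userDn"

# Step 4: bind again as the user. Success here is what the splash page treats as a valid login.
try {
    $userConn = New-StartTlsConnection -HostName $Server -TcpPort $Port -Credential (New-Object NetworkCredential($userDn, $UserPass))
    Write-Host "User bind succeeded over StartTLS on port $Port"
    $userConn.Dispose()
} catch [LdapException] {
    # Invalid credentials and certificate/TLS failures both surface here; the server message
    # distinguishes them.
    Write-Host "User bind failed: $($_.Exception.Message) (server: $($_.Exception.ServerErrorMessage))"
}
```

Run it from a host on the same LAN segment as the access points so the same firewalls and ACLs are traversed. A failure in the StartTLS call points at the certificate requirements in the next section; a failure at step 2 points at the admin account or its permissions; a failure at step 4 with a correct password usually means the returned DN is not the one the user can bind with.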

Configuration and Requirements
In order to configure a splash page with Active Directory authentication, configuration steps must be completed on both
Dashboard and Active Directory, outlined below:

Active Directory Configuration

The following requirements must be configured on each AD server being used for authentication:
- Every AD server specified in Dashboard must hold the Global Catalog role. Please refer to Microsoft documentation for specific configuration steps.
- Since communication between the MR and AD server will be encrypted using TLS, a valid certificate with the appropriate parameters must be configured on the server.
  - If no certificate is present, please refer to our documentation on Installing a Self-Signed Certificate in Windows Server.
  - If a certificate already exists, please ensure that it has been configured with the necessary parameters for TLS.

- The MR will communicate from its LAN IP with each AD server over TCP port 3268, so ensure that no firewalls or ACLs on the network or on the server will block that communication.

When Active Directory authentication is configured, the MR queries the Global Catalog over TCP port 3268. This is why the Active Directory server (Domain Controller) specified in Dashboard must also hold the Global Catalog role.
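The three requirements above (Global Catalog role, a TLS-capable certificate, and TCP 3268 reachable) can each be checked before touching Dashboard. The script below is an added example, not part of the Meraki documentation; it assumes a domain-joined admin host with the ActiveDirectory module installed and a domain controller named dc01.corp.example.

```powershell
# Added example: check one DC against the server-side requirements above.
# dc01.corp.example is an assumed host name.
Import-Module ActiveDirectory
$Dc = 'dc01.corp.example'

# Requirement: the server must hold the Global Catalog role (the MR queries port 3268).
$dcInfo = Get-ADDomainController -Identity $Dc
"Global Catalog role held: {0}" -f $dcInfo.IsGlobalCatalog

# Requirement: TCP 3268 reachable. Run this from a host on the APs' LAN subnet so the same
# firewalls and ACLs are traversed as for the AP's own traffic.
$tcp = Test-NetConnection -ComputerName $Dc -Port 3268
"TCP 3268 reachable: {0}" -f $tcp.TcpTestSucceeded

# Requirement: a certificate the DC can use for TLS. It must have a private key, be unexpired,
# carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and name the DC's FQDN in its SAN.
# This part runs on the DC itself; an empty result means StartTLS will fail.
Invoke-Command -ComputerName $Dc -ScriptBlock {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        ($_.DnsNameList.Unicode -contains $fqdn)
    } | Select-Object Subject, NotAfter, Thumbprint
}
```

If more than one certificate matches, the DC picks one itself; keeping a single eligible certificate in the computer store avoids the AP being presented with an unexpected one.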

Dashboard Configuration
Once all AD servers have been primed with the configuration requirements outlined above, the following steps outline
how to set up AD authentication with a sign-on splash page:
1. Log into Dashboard
2. Navigate to Wireless > Configure > Access control.
3. Select the desired SSID from the SSID drop-down menu.
4. Navigate to the Splash page section.
5. Using the Authentication Method drop-down menu, select my Active Directory server.
6. Navigate to Active Directory servers and Active Directory admin.
7. Click on Add a server and input the IP address of the domain controller.
Note: Multiple servers may be added. The AP will test against these servers in sequential order, i.e. from top to bottom.
8. Input a domain admin's credentials in the Active Directory admin section. The account can use the Windows 2000 (admin@domain.local) or Pre-Windows 2000 (Domain\admin) format.
Note: It is advised that this account have only the minimal read-access permissions to the domain database that the lookup requires. The account will only be used for the bind to Active Directory.
9. Click the Save Changes button to save changes.

Testing Communication with Active Directory
Once the configuration has been saved, connectivity and functionality can be tested within Dashboard. Under the Active
Directory servers section within Wireless > Configure > Access Control, click the Test button and input a valid
domain user's credentials (the domain should be left out of the username).

The image below shows an example use of the test functionality:

This test then checks every AP configured to use the SSID: each AP queries the AD server to verify that the test credentials are valid:

If this test fails, first ensure that all of the Active Directory requirements outlined above are met, and that each "Failed" AP has network connectivity to the server.
For more detailed troubleshooting steps, please refer to our documentation regarding Troubleshooting Active Directory
Authentication with a Sign-on Splash Page.

Microsoft LDAP Test

Once the configuration above has been completed, the Meraki device should be able to communicate with the Active
Directory server using TLS. If this fails, Microsoft offers the Ldp.exe tool to ensure that the LDAP service is running and
compatible with the current certificate.

Please reference Microsoft documentation for error code details and troubleshooting assistance.

Additional Resources
For additional information regarding sign-on splash pages and Active Directory integration, please refer to the following documentation:
- Active Directory Integration with Group Policies
- Active Directory Integration with Client VPN
- Integrating LDAP with a Sign-on Splash Page
- Troubleshooting Active Directory Authentication with a Sign-on Splash Page
- Splash Page Traffic Flow and Troubleshooting