Cisco Meraki is the leader in cloud controlled Wi-Fi, routing and security. Cisco Meraki provides devices and software to help businesses manage Wi-Fi network access for employees and guests.
Important note: The Cisco Meraki integration is compatible with both our Visitors and Workplace products. During the configuration steps below, be sure to only choose settings related to the Envoy product you are using.
Envoy Visitors + Cisco Meraki
The Envoy + Cisco Meraki app has the ability to provide workplace Visitors temporary Wi-Fi credentials when they are signed-in. Each time a visitor signs in to the workplace, unique credentials are generated and sent out via email or text.
Envoy Workplace (Employees) + Cisco Meraki
Envoy also provides the option to automatically sign-in employees once they connect to your Cisco Meraki powered Wi-Fi network. When an employee's device connects to the Wi-Fi network, Cisco Meraki will validate the device using 802.1x/RADIUS and obtain the username (email) of the employee. Cisco Meraki automatically sends this information to Envoy, and we sign the employee into the workplace!
Getting Started:
PREREQUISITES
Please ensure that the user generating the API key has full global permissions.
If you are restricting access, please ensure the following IPs can access the Meraki API in Organization > Settings:
18.204.164.109
52.6.210.64
52.86.90.108
Step 1: API Access
Navigate to Apps > All Apps.
Search for Cisco Meraki and install the App.
Log into the Cisco Meraki dashboard and navigate to Organization > Settings. Locate the section titled Dashboard API access and select Enable Access, then save your changes.
Go to Organization > API & Webhooks
Click the "Generate new API key" under API Monitoring and management if you have not generated one already. Copy this key and store in a safe place.
In Envoy, paste the Meraki API key.
Select your API Region if this is different from the default.
Step 2: Organization
Select which organization you would like to use with the Envoy + Meraki integration.
Network
Select the Network you will be using for Access.
Envoy Visitors + Cisco Meraki Configuration
**Visitor Configuration is optional**
Visitors Access
When configuring the Visitors portion of this integration, the Visitor sign-in flow must contain a phone number or email. This is how we will send the credentials to the visitor.
Learn more about how to configure your Envoy sign-in fields.
[Visitors SSID]: Select your desired SSID for Visitors from the dropdown.
[Access Duration]: Choose the length of time up to 24 hours for guest wi-fi access
[Optional]: Select Visitor types to block from receiving Wi-Fi credentials.
[Optional]: Send guest Wi-Fi credentials to hosts.
This is useful when visitors do not have easy access to email or text messages or if they are not required to enter their email address or phone number at sign in.
[Optional]: Select delete visitor credentials on sign-out from "User Management Portal" (Network-wide -> Users)
[Security and Splash Page Settings] Select your security and splash page settings
Security and Splash Page Settings in Envoy must correspond with your Meraki SSID settings.
For example, if you select "Open with Meraki Cloud Authentication" in Envoy. Then, on the SSID settings in Meraki, you must have Security set to "Open (no encryption)" and Splash Page set to "Sign-on with Meraki Cloud Authentication"
If you have Security and Splash Page Settings in Envoy set to "Enterprise with Meraki Cloud Auth with Click Through", then in your Meraki SSID settings, you must have Security set to "Enterprise with Meraki Cloud Authentication" and Splash Page set to "Click-through."
What is the visitor experience with the Envoy + Cisco Meraki app?
When a visitor signs in, they will receive an email or SMS with instructions on how to access your Wi-Fi.
When they follow the instructions in the email or SMS, they will be directed to the Wi-Fi network where they can use their credentials to gain access.
To view all the active connections within your access point, you can do the following:
1. Navigate Wireless > Access Points > on the Meraki dashboard.
2. Click into your access point and then scroll down to Clients. The numeric IDs listed under the Clients section will be the Entry IDs for your Envoy Visitors connected to your network.
Envoy Workplace (Employees) + Cisco Meraki Configuration
This feature is still in Beta and may have limited availability. Please reach out to Envoy directly to see if this is available for your account.
Envoy will soon offer the option to automatically sign-in employees to the workplace when they connect to the your workplace's Cisco Meraki Wifi. You can enable this feature within the Employee Access section (Step 4) of the Cisco Meraki app installation within Envoy.
Health check/Registration questions must be disabled. To disable questions, go here, click advanced settings under the Employee reservation flow, and disable the questionnaire.
Auto-sign out must be enabled in Location Settings. If auto-sign out is disabled, then employees will remain signed in to the workplace and will not be signed in the next day with their badge swipes.
Option 1: Identity Authentication
With the Identity verification option, Cisco Meraki validates the device using 802.1x/RADIUS server, obtaining identity information (e.g. email) when the employee signs onto the company Wifi. After a Wifi connection is established, behind the scenes, Cisco Meraki sends the device's identity information and connection data to Envoy which signs the employee into the workplace.
Identity Authentication Configuration:
Please ensure your Meraki employee Wi-FI network is set to our specifications so we can successfully map Wi-Fi connections to Employees in the Envoy Employee Directory
Requirements for Identity Authentication:
The Wi-Fi network must be set up so that employees will login to it with their full email as a username.
If the Wi-Fi is set to have the employee only enter a password with no username, then automatic sign-in will not trigger.
If the employee's username for the Wi-FI does not match their full email as listed in the employee directory, then automatic sign-in will not trigger.
The Wi-Fi network must use the 802.1.X / RADIUS configuration.
Verifying the correct authentication for automatic sign-in
You can verify that the network set up to our specifications by checking the event log in Cisco Meraki:
Open the Cisco Meraki admin portal.
Navigate to Network-wide > Event Log
Search for an 802.1X authentication event type.
Open the details on the far right and you should see a field named "identity". The identity should match the email of the employee in the Envoy Employee Directory.
After the requirements are met, navigate to the Employee Access section at the bottom of step 4 on the app installation.
Select Yes to "Auto sign in employees with Wifi connection data?"
Select the SSID that you would like to use to track employee sign-in.
Option 2 - Device Authentication
Envoy automatically sign-ins employees when their computer or registered device connects to the Cisco Meraki Wifi.
Device Authentication Configuration:
Select the "Device authentication with MAC address" option
Select the network (SSID) that employees sign into when they are at the workplace.
Upload a CSV that contains the email addresses of all employees and their associated device's MAC addresses. The email and mac address should be in two different columns.
Select the name of the column for email addresses.
Select the name of the column for MAC addresses.
Click "Save"
The emails in the CSV must exactly match the emails in the Employee Directory
The IT team can open their mobile device management (MDM) tool and check if they can export a list of the MAC addresses of their corporate devices.
Now, when the network detects the associated MAC address, the employee will be automatically signed into Envoy provided they have approved registration.
Cisco Meraki + Visitors FAQ
When testing, please be sure to test with an email that is not a user already in Meraki.
Options for Client IP and VLAN:
Meraki AP assigned (NAT mode)
(or) External DHCP server assigned
The default session timeout for passwords is configurable during creation. We expire the user when the visitor is signed out.
User creation for guest access is handled through Meraki Cloud Authentication