Subscription note: The Meraki integration was available on our Legacy Workplace Premium plan. Our current Workplace plan requires an Enterprise platform for access to Presence.
Overview
Cisco Meraki is the leader in cloud-controlled Wi-Fi, routing, and security. Cisco Meraki provides devices and software to help businesses manage Wi-Fi network access for employees and guests.
Important note: The Cisco Meraki integration is compatible with both our Visitors and Workplace products. During the configuration steps below, be sure to only choose settings related to the Envoy product you are using.
Visitors + Cisco Meraki
The Envoy + Cisco Meraki integration has the ability to provide workplace Visitors temporary Wi-Fi credentials when they are signed-in. Each time a visitor signs in to the workplace, unique credentials are generated and sent out via email or text.
Employees + Cisco Meraki
Envoy also lets you automatically sign in employees when they connect to your Cisco Meraki-powered Wi-Fi network. When an employee's device connects to the Wi-Fi network, Cisco Meraki will authenticate the device using 802.1x/RADIUS and retrieve the employee's username (email). Cisco Meraki automatically sends this information to Envoy, and we sign the employee into the workplace!
PREREQUISITES
Please ensure that the user generating the API key has full global permissions.
If you are restricting access, please ensure the following IPs can access the Meraki API in Organization > Settings:
18.204.164.109
52.6.210.64
52.86.90.108
Configuration
Step 1: API Access
Navigate to Integrations > All Integrations.
Search for Cisco Meraki and install the Integration.
Log into the Cisco Meraki dashboard and navigate to Organization > Settings. Locate the section titled Dashboard API access and select Enable Access, then save your changes.
Go to Organization > API & Webhooks
Click the "Generate new API key" under API Monitoring and management if you have not generated one already. Copy this key and store in a safe place.
If you have already generated one and no longer have the key, you can choose to generate another in API keys and access
In Envoy, paste the Meraki API key.
Select your API Region if it differs from the default.
Click Next Step to continue.
Step 2: Organization
Select which organization you would like to use with the Envoy + Meraki integration.
Click Next Step to save and continue.
Step 3: Network
Select the Network you will be using for Visitor access and Employee presence detection.
Click Next Step to save and continue.
Step 4: Workplace (Employee presence)
Not using Workplace? Click Skip to continue to Visitor setup.
Envoy will automatically sign in employees to the workplace when they connect to your workplace's Cisco Meraki Wifi. You can enable this feature within the Employee Access section (Step 4) of the Cisco Meraki integration installation within Envoy. There are two different methods you can use to detect the presence of employees.
Health check/Registration questions must be disabled. To disable questions, go here, click Advanced Settings under Employee reservation flow, and disable the questionnaire.
Auto-sign out must be enabled in Location Settings. If auto-sign out is disabled, then employees will remain signed in to the workplace and will not be signed in the next day with their badge swipes.
Option 1: Identity authentication with user email
With the Identity verification option, Cisco Meraki validates the device using 802.1x/RADIUS server, obtaining identity information (e.g. email) when the employee signs onto the company Wifi. After a Wifi connection is established, behind the scenes, Cisco Meraki sends the device's identity information and connection data to Envoy which signs the employee into the workplace.
Identity Authentication Configuration:
Please ensure your Meraki employee Wi-Fi network is set to our specifications so we can successfully map Wi-Fi connections to Employees in the Envoy Employee Directory.
Requirements for Identity Authentication:
The Wi-Fi network must be set up so that employees will login to it with their full email as a username.
If Wi-Fi is set to require the employee to enter only a password, without a username, automatic sign-in will not trigger.
If the employee's Wi-Fi username does not match their full email address as listed in the employee directory, automatic sign-in will not trigger.
The Wi-Fi network must use the 802.1.X / RADIUS configuration.
This type of authentication allows Envoy to pull the username (employee's email) and match it to the employee in the directory.
Verifying the correct authentication for automatic sign-in
You can verify that the network set up to our specifications by checking the event log in Cisco Meraki:
Open the Cisco Meraki admin portal.
Navigate to Network-wide > Event Log
Search for an 802.1X authentication event type.
Open the details on the far right, and you should see a field named "identity". The identity should match the email of the employee in the Envoy Employee Directory.
After the requirements are met, begin step 4.
Select Identity authentication with user email.
Under What is the WiFi network name (SSID), select the network employees connect to.
Select your Product type.
Select the Event types to use for detection. 802.1X is standard.
Click Next Step to save and continue.
Option 2 - Device authentication with MAC address
Envoy automatically signs in employees when their computer or registered device connects to the Cisco Meraki Wifi. You can manage this manually via CSV upload or set up automatic sync via Merkai (Step 6) or Jamf.
When the network detects the associated MAC address, the employee will be automatically signed into Envoy provided they have approved registration.
Device Authentication Configuration:
Select the Device authentication with MAC address option.
Select the Wi-Fi network (SSID) that employees sign into when they are at the workplace.
Select the Product type.
Set the Event types to use for detection. 802.1X is standard.
To manually manage your MAC address mappings, upload a CSV file containing the email addresses of all employees and the MAC addresses of their associated devices. The email and MAC address should be in two different columns.
Select the name of the column for email addresses.
Select the name of the column for MAC addresses.
Click Next Step.
The emails in the CSV must exactly match the emails in the Employee Directory
The IT team can open their mobile device management (MDM) tool and check if they can export a list of the MAC addresses of their corporate devices.
Step 5: Visitors
Not using Visitors? Click Skip to continue to MAC address sync.
When configuring the Visitors portion of this integration, the Visitor sign-in flow must include an email address, as this is how guest WiFi credentials are provisioned and delivered.
If a phone number is included in the invite, credentials can also be sent via SMS; however, an email address is still required.
Learn more about how to configure your Envoy sign-in fields.
Visitors SSID: Select your desired SSID for Visitors from the dropdown.
Access Duration: Choose the length of time (up to 24 hours) for guest wi-fi access.
(Optional) Blocked Flows: Select Visitor types to block from receiving Wi-Fi credentials.
Check the box next to Send Wifi Credentials to Host to send a copy of a visitor's access to their host.
This is useful when visitors do not have easy access to email or text messages, or if they are not required to enter their email address or phone number at sign-in.
Check the box next to Delete Visitor Credentials On Sign Out to remove 802.1X users from your Meraki instance upon their sign-out.
Security and Splash Page Settings: Select your security and splash page settings.
Click Next Step.
Security and Splash Page Settings in Envoy must correspond with your Meraki SSID settings.
For example, if you select "Open with Meraki Cloud Authentication" in Envoy. Then, on the SSID settings in Meraki, you must have Security set to "Open (no encryption)" and Splash Page set to "Sign-on with Meraki Cloud Authentication"
If you have Security and Splash Page Settings in Envoy set to "Enterprise with Meraki Cloud Auth with Click Through", then in your Meraki SSID settings, you must have Security set to "Enterprise with Meraki Cloud Authentication" and Splash Page set to "Click-through."
Step 6: MAC Address Sync (Optional)
To automate updating your employee MAC addresses, click the checkbox next to Sync MAC Addresses. Click Complete Setup to save and finish.
Note: MAC address sync only works for employees whose email address and MAC address are both available through the Cisco Meraki integration. Employees missing either field will not be synced.
How does MAC address syncing work?
Envoy's Wi-Fi presence detection uses device MAC addresses to associate Cisco Meraki signals with employees. Cisco Meraki maintains a record of employee devices connected to your network along with their MAC addresses. By integrating directly with Meraki, Envoy can automatically sync this data, eliminating the need for manual CSV uploads and improving the accuracy and reliability of presence detection.
Note: See how to view MAC addresses.
Visitor Experience
When a visitor signs in, they will receive an email or SMS with instructions on how to access your Wi-Fi.
When they follow the instructions in the email or SMS, they will be directed to the Wi-Fi network where they can use their credentials to gain access.
To view all the active connections within your access point, you can do the following: Navigate to Wireless > Access Points > on the Meraki dashboard.
Click your access point, then scroll down to Clients. The numeric IDs listed under the Clients section will be the Entry IDs for your Envoy Visitors connected to your network.
Cisco Meraki + Visitors FAQ
When testing, please be sure to test with an email that is not a user already in Meraki.
Options for Client IP and VLAN:
Meraki AP assigned (NAT mode)
(or) External DHCP server assigned
The default session timeout for passwords is configurable during creation. We expire the user when the visitor is signed out.
User creation for guest access is handled through Meraki Cloud Authentication