Owner: Network Engineering · Platform: Cisco Meraki · Review Cycle: Annual
Enterprise wireless is delivered via Cisco Meraki access points managed through the Meraki Dashboard cloud controller. The platform covers all corporate sites (HQ and branches), providing a consistent SSID experience, centralised policy enforcement, and full visibility into client behaviour and RF performance.
| Component | Product | Management |
|---|---|---|
| Access Points (HQ) | Meraki MR57 (Wi-Fi 6E) | Meraki Dashboard |
| Access Points (Branch Large) | Meraki MR46 (Wi-Fi 6) | Meraki Dashboard |
| Access Points (Branch Small) | Meraki MR36 (Wi-Fi 5) | Meraki Dashboard |
| Outdoor / Warehouse | Meraki MR86 (Wi-Fi 6, IP67) | Meraki Dashboard |
| Dashboard | Meraki Cloud | SaaS |
| SSID | Authentication | VLAN | Access | Notes |
|---|---|---|---|---|
| CORP | 802.1X / Entra ID | VLAN 10 (Staff) | Full corporate | Primary staff SSID |
| CORP-MGMT | 802.1X / machine cert | VLAN 20 (Mgmt) | IT management | Endpoints only |
| VOIP | 802.1X | VLAN 30 | Voice QoS | Softphone, IP handsets |
| GUEST | Splash portal (email) | VLAN 50 | Internet only | 10 Mbps throttle, 8 hr limit |
| IOT | Pre-shared key (per-site) | VLAN 60 | Internet + IoT hub | No corp access |
No open (unauthenticated) SSIDs are permitted on any corporate-managed infrastructure.
Corporate SSIDs use 802.1X authenticated against Microsoft Entra ID via a cloud RADIUS proxy (Cisco ISE). The authentication flow:
```
Client → [EAP-TLS / PEAP] → Meraki AP
                                │
                                ▼
                       Cisco ISE (RADIUS)
                                │
                  ┌─────────────▼─────────────┐
                  │  Entra ID (AAD) via LDAP  │
                  │  Certificate validation   │
                  └─────────────┬─────────────┘
                                │
                    RADIUS Accept + VLAN tag
                                │
                     Meraki AP assigns VLAN
```
| Band | Protocol | Use Case | Channel Width |
|---|---|---|---|
| 2.4 GHz | 802.11n | Legacy, IoT | 20 MHz only |
| 5 GHz | 802.11ac/ax | Primary staff | 80 MHz (40 MHz in congested areas) |
| 6 GHz | 802.11ax (Wi-Fi 6E) | High-density, low latency | 80/160 MHz |
Meraki auto-RF manages dynamic channel assignment. Overrides require Network Engineering approval and must be documented in the Meraki Dashboard notes.
| Control | Configuration |
|---|---|
| Management Frame Protection (MFP) | Enabled (802.11w) |
| PMKID attacks | Mitigated by disabling fast roaming (fast BSS transition) with pre-shared keys |
| Rogue AP detection | Enabled — alerts to NOC via Meraki Dashboard webhook |
| WPA3 | Enabled (WPA2/WPA3 transition mode for corporate SSIDs) |
| Minimum RSSI | -75 dBm (clients below threshold are disconnected) |
| Minimum data rate | 12 Mbps (lower rates disabled to improve airtime efficiency) |
| Client isolation | Enabled on GUEST and IOT SSIDs |
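A drift check for the SSID and security-control tables above, added here as an example; it is not part of the original standard or Meraki's own tooling. It assumes SSID settings have been exported as a list of dicts whose field names (`authMode`, `splashPage`, `defaultVlanId`, `lanIsolationEnabled`, `dot11w`, `minBitrate`) are modelled on the Dashboard API SSID object, and the sample data is constructed.

```python
# Policy from the SSID and security-control tables on this page. Field names below
# (authMode, splashPage, defaultVlanId, ...) are assumed, modelled on the Dashboard API.
STANDARD = {
    "CORP":      {"authMode": "8021x-radius", "vlan": 10, "isolate": False},
    "CORP-MGMT": {"authMode": "8021x-radius", "vlan": 20, "isolate": False},
    "VOIP":      {"authMode": "8021x-radius", "vlan": 30, "isolate": False},
    "GUEST":     {"authMode": "open",         "vlan": 50, "isolate": True},
    "IOT":       {"authMode": "psk",          "vlan": 60, "isolate": True},
}
MIN_BITRATE_MBPS = 12

def check_ssid(s):
    """Return the list of findings for one enabled SSID dict."""
    auth, out = s.get("authMode"), []
    if auth == "open" and s.get("splashPage", "None") == "None":  # open is OK only behind a splash
        out.append("open SSID without splash portal")
    want = STANDARD.get(s["name"])
    if want is None:
        return out + ["SSID not defined in the standard"]
    if auth != want["authMode"]:
        out.append(f"authMode {auth!r}, expected {want['authMode']!r}")
    if s.get("defaultVlanId") != want["vlan"]:
        out.append(f"VLAN {s.get('defaultVlanId')}, expected {want['vlan']}")
    if want["isolate"] and not s.get("lanIsolationEnabled"):
        out.append("client isolation disabled")
    if auth == "8021x-radius" and not s.get("dot11w", {}).get("enabled"):
        out.append("802.11w (MFP) disabled")
    if s.get("minBitrate", 0) < MIN_BITRATE_MBPS:
        out.append(f"minimum bitrate below {MIN_BITRATE_MBPS} Mbps")
    return out

def audit_ssids(ssids):
    """Return sorted (ssid_name, finding) tuples; disabled SSID slots are skipped."""
    return sorted((s["name"], f) for s in ssids if s.get("enabled") for f in check_ssid(s))

# Constructed sample export: one compliant SSID, three that drift, one disabled slot.
SAMPLE = [
    {"name": "CORP", "enabled": True, "authMode": "8021x-radius", "defaultVlanId": 10,
     "dot11w": {"enabled": True}, "minBitrate": 12},
    {"name": "GUEST", "enabled": True, "authMode": "open", "splashPage": "None",
     "defaultVlanId": 50, "lanIsolationEnabled": False, "minBitrate": 12},
    {"name": "IOT", "enabled": True, "authMode": "psk", "defaultVlanId": 10,
     "lanIsolationEnabled": True, "minBitrate": 1},
    {"name": "lab-test", "enabled": True, "authMode": "open", "minBitrate": 12},
    {"name": "Unconfigured SSID 6", "enabled": False, "authMode": "open"},
]

if __name__ == "__main__":
    for name, finding in audit_ssids(SAMPLE):
        print(f"{name}: {finding}")
```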
Guest access is provided via a Meraki Splash Page with the following controls:
Meraki Dashboard provides built-in analytics. Key monitoring outputs:
| Report | Frequency | Audience |
|---|---|---|
| AP health summary | Real-time | NOC |
| Client count per SSID | Daily (auto-export) | Capacity planning |
| RF interference report | Weekly | Network Engineering |
| Rogue AP detections | Real-time alert | Security & NOC |
| Top clients by data usage | Monthly | Network Architecture |
Integration with Datadog via Meraki Dashboard webhooks provides unified alerting for AP-down events alongside wired infrastructure alerts.
https://dashboard.meraki.com (SSO via Entra ID)