TTechclick All lessons
Cisco Meraki · Wireless (MR) · SSID & SecurityInteractive · L1 / L2

Meraki SSID Security — WPA3, iPSK & Splash Pages, the Visual Way

WPA3 transition mode. Identity PSK without RADIUS. Click-through and sign-on splash pages. Skip the wall of text — pick a security mode below, watch a real Wi-Fi client get authenticated stage by stage, ask the in-page AI tutor anything, and you're done in 11 minutes.

📅 2026-05-31 · ⏱ 11 min · 3 animated demos · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Cisco Meraki SSID design the AI-era way — pick a security mode, watch a wireless client get authenticated live, and master WPA3 transition mode, iPSK without RADIUS (WPN) and splash pages in 11 minutes instead of an hour. Real Dashboard labels, default values, and production gotchas baked in.

By the end of this lesson you will be able to

Explain it like I'm:

Pick a topic — jump straight to it

1

WPA3 & Transition

SAE vs WPA2-PSK, transition mode, and the 802.11w PMF setting that makes or breaks it.

 2

iPSK & WPN

Per-device pre-shared keys on ONE SSID, with or without RADIUS, plus Wi-Fi Personal Network isolation.

 3

Splash Pages

Click-through vs sign-on captive portals — the Layer-3 redirect, walled gardens, and guest flow.

 4

Troubleshoot

"SSID not working" → symptom-first playbook: silent splash, PMF lock-out, iPSK errors.

Before any SSID — the one idea that confuses everyone

A wireless client joins a Meraki SSID in two distinct steps, and mixing them up is the root of 80% of "Wi-Fi is broken" tickets. Step one is Layer-2 association: Open, WPA2-PSK, WPA3-SAE, OWE or iPSK — this happens on the radio before the client has any IP. Step two is the optional splash page, a Layer-3 gate the client only hits after it already holds an IP.

One sentence to memorise: "Encryption is Layer 2, the splash page is Layer 3." Get an IP but no internet? That's a Layer-3 / splash problem. Can't even join the SSID? That's a Layer-2 / security problem. This single distinction is a top-asked ECMS 500-220 concept.

ELI5: Joining Wi-Fi is like getting into a building. The door lock (WPA2/WPA3 password) is Layer 2 — you need the right key to even open the door. The reception desk sign-in sheet (splash page) is Layer 3 — you're already inside the lobby, but you can't go anywhere until you sign in.

Practitioner: All of this lives in Wireless > Configure > Access Control, per-SSID. The Security radio buttons choose Layer-2 auth (Open, WPA2/3, iPSK, Enterprise). The Splash page dropdown chooses the Layer-3 captive portal. They are independent — you can run WPA3 and a splash page on the same SSID.

Architect: Separate the planes when you design. Layer-2 (SAE/PSK/802.1X) protects the air and gives encryption + key management. Layer-3 (splash / captive portal) is for acceptable-use, billing, identity capture or guest onboarding — never treat it as encryption. A click-through splash on an Open SSID leaves the air fully unencrypted.

A wireless client moves through Layer-2 association (Open, WPA2, WPA3, iPSK) on the Meraki MR access point, then receives DHCP/DNS, then passes the optional Layer-3 splash page before reaching the internet. How a client actually joins a Meraki SSID Phone / Laptop 10.10.20.55 ① LAYER 2 Association + Encryption Open / WPA2-PSK WPA3-SAE / iPSK 802.1X Enterprise No IP yet DHCP + DNS gets IP ② LAYER 3 Splash / Captive Portal DHCP+DNS+walled garden only 🌐 Internet — only after sign-on
Figure 1 — Layer-2 association and encryption come first; the Layer-3 splash page is a separate, optional gate after the client has an IP.
🔐
WPA3-SAE
tap to flip

Simultaneous Authentication of Equals replaces the WPA2 4-way handshake. Offline dictionary attacks no longer work — but SAE allows only ONE passphrase per SSID.

🪪
iPSK
tap to flip

Identity PSK — many pre-shared keys on one SSID. Each device gets its own key, mapped to a group policy. Needs WPA2 (SAE can't do multi-PSK).

🛡
802.11w PMF
tap to flip

Protected Management Frames stop deauth / disassoc spoofing. WPA3 needs it Required; transition mode uses Enabled; WPA2-only can be Disabled.

🚪
Splash page
tap to flip

A Layer-3 captive portal. Click-through = just accept terms; sign-on = real login. No encryption — it's only an acceptance / identity gate.

Predict first: if you put a click-through splash page on an Open SSID, is the over-the-air traffic encrypted?

No. The splash page is Layer 3 — it only blocks routing until you accept the terms. The air itself is unencrypted exactly like Open Wi-Fi. Anyone nearby with a sniffer reads the frames. For any real data, encrypt at Layer 2 with WPA3-Personal, iPSK or Enterprise.

① WPA3 & Transition Mode — stronger lock, one sharp edge

WPA3-Personal swaps the crackable WPA2 4-way handshake for SAE. The catch: most fleets still have a few WPA2-only devices. Meraki's answer is WPA3 Transition Mode, where one SSID advertises both WPA2-PSK and WPA3-SAE so old and new clients share the network.

War story · Priya at a Noida enterprise Priya flips a busy office SSID to WPA3 Transition Mode to satisfy an audit. A week later a pen-tester captures the handshake and cracks the passphrase anyway. Cause: transition mode still offers WPA2-PSK in the same beacon, so the attacker simply joins via the weak path. The "WPA3" label gave false comfort.

▶ Watch a client associate to a WPA3-transition SSID

Click Play. Each stage lights up as the client moves through Layer-2 association.

① BEACON MR access point beacons SSID Corp-WiFi advertising WPA2-PSK + WPA3-SAE
Transition mode = both RSN suites in one beacon.
② CLIENT PICK Modern phone chooses WPA3-SAE; legacy scanner falls back to WPA2-PSK
③ PMF CHECK 802.11w = Enabled → PMF-capable clients use it, legacy clients without PMF still associate
④ HANDSHAKE SAE dragonfly for WPA3 · 4-way handshake for WPA2 — keys derived
⑤ DHCP Client gets 10.10.20.55 from the VLAN. Encrypted link is up.
⑥ EXPOSURE ⚠ The WPA2 path is still crackable — once all clients are WPA3, disable transition mode.
Press Play to step through the association. Each press of Next advances one stage.
A decision tree mapping each Meraki SSID security mode to the correct 802.11w Protected Management Frames setting: WPA3 only requires PMF Required, transition mode uses PMF Enabled, WPA2 only allows PMF Disabled. Which 802.11w (PMF) setting do I pick? What clients must this SSID support? Modern only → WPA3-SAE PMF = Required Mixed → Transition PMF = Enabled Legacy IoT → WPA2-PSK PMF = Disabled Strongest No downgrade path. Drops non-PMF clients. Compatible WPA2 path still crackable — temporary only. Weakest Use a separate isolated SSID + tight VLAN.
Figure 2 — Match the 802.11w PMF setting to the SSID's client mix. PMF Required on a mixed fleet silently drops legacy gear.
The #1 WPA3 trap

Symptom you see: the audit ticks "WPA3 enabled" but a red-team still cracks the passphrase. Cause: transition mode keeps WPA2-PSK live in the same beacon, so an attacker joins via the weak path and the offline handshake attack still works. Transition mode is a migration stepping-stone, not a destination. Once every client supports SAE, disable transition mode so only WPA3-SAE is advertised.

Quick check · Q1 of 10

On a Meraki MR network you enable WPA3 in Transition Mode so old WPA2 laptops keep working. A pen-tester reports the SSID is still crackable. Why?

Correct: b. Transition mode advertises BOTH WPA2-PSK and WPA3-SAE in the same beacon. An attacker simply joins via the weaker WPA2-PSK path and the offline dictionary attack on the 4-way handshake still works. Once all clients support SAE, disable transition mode so only WPA3-SAE is offered.

② Identity PSK (iPSK) & Wi-Fi Personal Network

Standard WPA2-PSK gives everyone the same password — change one device, you re-key the whole fleet. Identity PSK (iPSK) fixes this: many pre-shared keys on ONE SSID. Each printer, camera or IoT sensor gets its own passphrase, mapped to a group policy with its own VLAN and firewall rules.

Daily-life analogy · the apartment building Think of iPSK + WPN like an apartment building with one front gate but a unique key per flat. Everyone uses the same gate (one SSID), but your key only opens your flat (your VLAN/group), and you can't wander into your neighbour's flat. That's per-device keys plus Layer-2 isolation on a single broadcast SSID.

Meraki offers iPSK without RADIUS (keys stored in the Dashboard, paired with WPN) and iPSK with RADIUS (keys returned by a RADIUS server as the Airespace-PSK attribute). On the Access Control page you select Identity PSK without RADIUS, then Add an Identity PSK — name, passphrase, group policy.

Dashboard path — Wireless > Configure > Access Control (Apartments-WiFi SSID) 
Security:        Identity PSK without RADIUS
WPA encryption:  WPA2 only          # SAE can't do multi-PSK yet
802.11w (PMF):   Enabled
Add Identity PSK
  Name:       Flat-204-IoT
  Passphrase: aZ7q-Kel2-9rPv
  Group:      VLAN-204-Isolated  (WPN enabled)
Expected result on the Dashboard 
Identity PSK 'Flat-204-IoT' created.
  → 1 key  ·  Group policy VLAN-204-Isolated
  → WPN: clients on this key see only their own devices
  → SSID remains a single broadcast: 'Apartments-WiFi'
A three-column comparison showing one shared key in WPA2-PSK, many per-device keys in Identity PSK with WPN isolation, and certificate or credential based keys in WPA-Enterprise with RADIUS. One SSID — three ways to hand out keys WPA2-PSK One shared password key = "Office123" Leak it once → re-key everyone Easiest, weakest Guest / small office Identity PSK + WPN Many keys, no RADIUS keyA keyB keyC Per-device key → own VLAN + isolation Balanced — WPA2 only Dorms, IoT, apartments WPA-Enterprise 802.1X + RADIUS user/cert identity No shared secret; works with WPA3 Strongest, most setup Corporate, zero-trust
Figure 3 — iPSK + WPN sits between a single shared password and full 802.1X Enterprise: per-device keys without standing up a RADIUS server.

Predict: you tick WPA3 only on an iPSK SSID and devices report "wrong password" even though the key is correct. What broke?

WPA3-SAE supports only one passphrase per SSID. iPSK needs many keys, so it cannot ride pure SAE — this is an industry-wide limit, not a Meraki bug. Run iPSK on WPA2 (or transition mode) for now, or use WPA-Enterprise / Meraki Access Manager for per-device identity with WPA3.
Choosing iPSK without vs with RADIUS

Without RADIUS — keys live in the Dashboard, simplest to run, pairs with WPN for isolation. Best for IoT, dorms, apartment Wi-Fi. With RADIUS — keys are returned by your RADIUS server (Airespace-PSK attribute) keyed on the client MAC, so you centralise key management and logging. Use it when you already run RADIUS / ISE and want one source of truth. Either way the SSID stays a single broadcast.

Quick check · Q2 of 10

You configured Identity PSK (iPSK) without RADIUS on a Meraki SSID and ticked WPA3 only. Devices fail to join with a wrong-password error even though the passphrase is right. Why?

Correct: a. iPSK relies on multiple pre-shared keys per SSID, but WPA3-SAE only supports ONE passphrase per SSID. This is an industry-wide limitation, not a Meraki bug. Run iPSK on WPA2 (or WPA3 transition mode) until SAE multi-PSK matures, or move to WPA-Enterprise / Access Manager for per-device keys.
Quick check · Q3 of 10

Identity PSK without RADIUS is paired with Wi-Fi Personal Network (WPN). What does WPN add on top of plain iPSK?

Correct: c. WPN ties each Identity PSK to its own private VLAN-like group so devices sharing one SSID but holding different keys cannot see each other at Layer 2, while a user's own devices on the same key can. Perfect for student dorms / apartment Wi-Fi on a single SSID.

③ Splash Pages — the Layer-3 captive portal

A splash page is the web page a client must view before it can route traffic. Two common flavours: Click-through (just accept terms) and Sign-on (real credentials, Meraki-hosted or external). Remember Figure 1: the client already has an IP at this point. Before sign-on, only DHCP, DNS and walled-garden hosts are reachable; everything else is blocked.

War story · Rahul at a TCS-style guest network Rahul rolls out a guest SSID with a click-through splash. Half the visitors phone in saying "Wi-Fi connected but no internet, no page appeared." Cause: their first request was HTTPS, which the AP can't read or rewrite, so the redirect never fired. The fix is OS captive-portal detection (which hits a plain HTTP probe) plus telling users to open a simple http:// site to trigger the page.

▶ Splash-page redirect — watch the Layer-3 flow

A guest joins an Open SSID with a Click-through splash. Follow why the page does (or doesn't) appear.

① ASSOCIATE Client joins SSID Guest-WiFi (Open) — Layer-2 done, no auth yet
② DHCP / DNS Client gets 172.16.30.88; DNS resolves but routing is blocked (splash not done)
③ HTTP GET Client opens http://example.com → AP intercepts the plaintext request
⚠ If the first request is HTTPS, the AP can't read it → no redirect → "no page" complaint.
④ REDIRECT AP returns HTTP 302 → splash.meraki.com (the captive portal)
⑤ ACCEPT User clicks "I agree" → AP records (MAC + cookie) and authorizes the client
⑥ INTERNET Routing opens for 172.16.30.88 until the splash timeout expires.
Note where the IP is assigned (stage 2) vs where authorization actually opens routing (stage 5).
A left-to-right timeline of a guest joining a Meraki SSID: associate, get an IP, hit the splash redirect, accept terms, then reach the internet, with walled garden and captive portal strength noted. Guest onboarding — what's reachable, when 1 2 3 4 5 Associate Get IP Splash 302 Accept Internet Layer 2 — no IP DHCP + DNS only walled garden + portal reachable MAC + cookie stored until timeout Captive-portal strength = "Block all access until sign-on" keeps stages 1–4 locked down
Figure 4 — Until the guest accepts at stage 4, only DHCP, DNS and walled-garden hosts are reachable. Everything else waits for sign-on.
Walled garden + captive-portal strength

If your splash uses an external portal (or loads logos / scripts from a CDN), add every one of those domains and IPs to the walled garden — otherwise the AP blocks them and the page never finishes loading. Set Captive portal strength = "Block all access until sign-on is complete" so clients can't sneak traffic through before accepting. Tell users to keep browser cookies enabled, or the splash reappears far more often than the timeout.

Quick check · Q4 of 10

A guest connects to a Meraki SSID with a Click-through splash page. The phone joins Wi-Fi but the splash page never appears, and the user has no internet. What is the most likely cause?

Correct: c. The redirect only fires on plaintext HTTP. The client's first request was HTTPS, which the AP cannot read or rewrite, so no redirect happens. Browsing to a plain http:// page (or letting the OS captive-portal detector run) triggers the splash. Splash is Layer-3 — the client already has an IP and DHCP/DNS work; only the redirect is missing.

④ Troubleshoot — "SSID not working" playbook

SSID misbehaving? Start with the symptom, not the config. This symptom-first ladder runs in under a minute.

Can't even join
tap

Layer-2 problem. Check PMF (Required drops legacy gear), wrong passphrase, or iPSK-on-WPA3. Dashboard → Network-wide > Clients shows the failed association reason.

IP but no internet
tap

Layer-3 / splash problem. Splash not accepted, HTTPS-first redirect miss, or a missing walled-garden entry. The client is authorized only after sign-on.

Splash loops
tap

Re-prompts every few minutes. Cause: cookies blocked, or MAC randomization presents a new MAC each reconnect → looks like a new device. Allow cookies; account for random MAC.

Dashboard tools
tap

Use Wireless > Monitor > Connection log for per-stage failures (Assoc / Auth / DHCP / DNS), and the per-client Ping / Throughput live tools to isolate L2 vs L3.

▶ Read the connection log like an L2 engineer

Sneha's laptop won't get online. Step through the Meraki connection-log stages to find where it dies.

① ASSOC aa:bb:cc:11:22:33 associated to SSID Corp-WiFi — radio OK
② AUTH 802.11w PMF negotiated · WPA3-SAE key handshake SUCCESS
③ DHCP Offer + Ack → client holds 10.10.20.55. Layer-2 + addressing are fine.
④ DNS Resolves www.example.com via 10.10.0.53 — DNS works
⑤ SPLASH Client status = "Pending" — splash never accepted. HTTPS-first request → no redirect.
⚠ This is the failure point. L2 was never the problem.
⑥ FIX Open http://neverssl.com to trigger the portal, or check walled garden / captive-portal strength.
The log proves Assoc → Auth → DHCP → DNS all pass; only the splash is stuck. That's a Layer-3 fix, not a passphrase change.
The #1 PMF lock-out

Symptom you see: right after you tighten an SSID, a group of barcode scanners or IoT sensors silently drop off Wi-Fi and won't rejoin. Cause: you set 802.11w (PMF) to Required, and those legacy devices don't support management-frame protection, so they can no longer associate. Set PMF to Enabled (capable / optional) so PMF-aware clients still use it while legacy gear connects — or move the old devices to their own WPA2 SSID.

Predict: users say the guest splash re-appears every few minutes on their phones. Before reading on — what's the usual culprit?

Cookies blocked or MAC randomization. Splash state is tracked per (MAC + cookie). A phone using per-network random MAC presents a new MAC on each reconnect, so it looks like a brand-new device and re-triggers the splash. Allow cookies and account for the OS MAC-randomization behaviour; raise the splash timeout if appropriate.
Verify before you close the ticket

Open Wireless > Monitor > Connection log and confirm the client shows green at Assoc, Auth, DHCP and DNS. If all four are green but status is "Pending", it's a splash/Layer-3 issue — never a passphrase change. Then run the per-client Ping tool from the Dashboard to prove routing opens after sign-on.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. No login, no waiting.

Pre-curated answers from Cisco Meraki docs + community Q&A. For complex prod issues, paste your connection-log export + SSID Access-Control screenshot into chat.techclick.in.

📝 Wrap-up — six more

You've already answered 4 inline. Six left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Apply

On a Meraki SSID you set 802.11w (PMF) to Required and a group of older IoT sensors immediately drop off the Wi-Fi. What happened and what is the fix?

Correct: d. PMF Required forces every client to support 802.11w management-frame protection. Legacy IoT devices that lack PMF can no longer associate. Set PMF to Enabled (capable/optional) so PMF-aware clients use it while legacy clients still join, or move the IoT devices to a separate WPA2 SSID.
Q6 · Remember

In Cisco Meraki, splash-page authentication operates at which layer of the connection process?

Correct: b — Layer 3. Open / WPA2 / WPA3 / OWE / iPSK are Layer-2 association events that happen before any IP. A splash page is Layer-3: the client already holds an IP and can reach DHCP, DNS and the walled garden, but all other traffic is blocked until sign-on completes.
Q7 · Analyze

Your guest SSID uses a Sign-on splash page hosted by an external captive portal. Clients reach the Meraki-hosted login fine but the external portal page times out. Which configuration is most likely missing?

Correct: a — walled garden entries. Before sign-on, only DHCP, DNS and explicitly walled-garden-listed hosts are reachable. The external portal's domain/IP (and any CDN it loads from) must be added to the walled garden, otherwise the AP blocks it and the page never loads.
Q8 · Analyze

On a high-density Meraki SSID, splash pages reappear far more often than the configured timeout. Users complain they must sign in again every few minutes. What is the most likely root cause?

Correct: d. Splash-page state is tracked per client using a cookie plus the device MAC. Browsers that block cookies, or phones using MAC randomization that present a new random MAC on each reconnect, look like a brand-new device every time and re-trigger the splash. Allow cookies and account for per-SSID MAC randomization behaviour.
Q9 · Evaluate

A retail chain wants ONE SSID that supports both ancient WPA2 handheld scanners and modern WPA3 phones, with the strongest security each device can manage. Which Meraki design is correct?

Correct: b — WPA3 transition mode with PMF Enabled. Transition mode lets WPA2 and WPA3 clients share one SSID; PMF set to Enabled (not Required) lets PMF-capable clients protect management frames while legacy scanners still associate. Accept the known transition-mode downgrade exposure as a temporary trade-off and plan a migration to a WPA3-only SSID. (d) fails because SAE can't do multi-PSK.
Q10 · Evaluate

An auditor proposes "just use one open SSID with a click-through splash page for the whole corporate office to keep it simple". Is this sound for corporate data?

Correct: b. A click-through splash performs NO encryption — it is Layer-3 acceptance only, and the air traffic is unencrypted like Open Wi-Fi. Corporate data needs Layer-2 encryption (WPA3-Enterprise / WPA2-Enterprise, or at minimum WPA3-Personal / iPSK). Reserve open + click-through splash for guest internet, never for corporate resources.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

🧠 Make it stick — explain it back

Self-explanation: in one or two lines, write why a splash page can't protect corporate data the way WPA3 can. Typing it in your own words is what moves it to long-term memory.

Teach a friend: message one teammate the single sentence — "Encryption is Layer 2, the splash page is Layer 3." If they get it in 20 seconds, you've understood it too.

Spaced recall: want a 3-question refresher emailed in 3 days? Drop your email — no spam, just this lesson's recall set.

📖 Glossary

SAE (Simultaneous Authentication of Equals)
The WPA3 handshake that replaces the WPA2 4-way handshake and resists offline password-guessing. Supports one passphrase per SSID.
iPSK (Identity PSK)
Many pre-shared keys on one SSID, each mapped to a group policy. Runs on WPA2; "without RADIUS" stores keys in the Dashboard.
WPN (Wi-Fi Personal Network)
Per-key Layer-2 isolation layered on iPSK so devices on different keys can't see each other on the same SSID.
802.11w / PMF
Protected Management Frames — stops deauth/disassoc spoofing. Required for WPA3, Enabled for transition, optional for WPA2.
Splash page / Captive portal
A Layer-3 web gate. Click-through = accept terms; sign-on = real login. Performs no encryption.
Walled garden
The allow-list of hosts a client can reach before sign-on (portal, CDN, payment provider).

📚 Sources

  1. Cisco Meraki Documentation — WPA3 Encryption and Configuration Guide. documentation.meraki.com
  2. Cisco Meraki Documentation — 802.11w Management Frame Protection (MFP) & Access Control. documentation.meraki.com
  3. Cisco Meraki Documentation — Wi-Fi Personal Network (WPN) & IPSK with RADIUS Authentication. documentation.meraki.com
  4. Cisco Meraki Documentation — Splash Page Overview, Traffic Flow & Troubleshooting. documentation.meraki.com
  5. The Meraki Community — "Customer having problems with splash page not showing" & "Splash page not showing automatically". community.meraki.com
  6. TrustedSec — The Dangers of Transition Mode; The Networking Nerds — The iPSK Challenge (WPA3 / 6 GHz / Wi-Fi 7).
  7. Cisco — 500-220 ECMS Exam Topics (Design 15% / Implement 30% / Operate 25% / Troubleshoot 30%); Cisco Security Advisory CVE-2025-20212 (Meraki MX AnyConnect VPN).

What's next?

You've locked down the air with WPA3, iPSK and splash pages. Next we move from "what key" to "who are you" — 802.1X with RADIUS / ISE, and how Meraki Adaptive Policy carries Security Group Tags (SGT) for identity-based segmentation.

Next · Meraki Access Control — 802.1X, RADIUS, ISE & Adaptive Policy (SGT) → ← All lessons