The pace at which new security threats are being introduced and propagated online has reached exponential levels, gaining speed with each passing year. Organizations have more locations and devices to protect, and threats are using many different ports to try to gain access or exfiltrate data. Security teams are often understaffed and struggle with complex, siloed systems that do not integrate or share intelligence in a programmatic way. These teams need solutions that are easy to deploy, simple to manage, can scale exponentially, and can integrate with other tools.
Securing your wireless users from malicious attacks — particularly these “DNS blind spots” that exist in many networks and are exploited by 97% of advanced malware — is of paramount importance. Unfortunately, recent surveys indicate that 75% of organizations do not actively monitor and apply security for DNS.
It is within this context that we are excited to announce support for integration between Meraki MR wireless access points (APs) and Cisco Umbrella (formerly OpenDNS).
Umbrella is the industry’s first secure internet gateway, a cloud-delivered first line of defense against threats like malware, ransomware, and phishing. Umbrella enforces security at the DNS layer by identifying requested web domains hosting nasty stuff — malware, phishing, etc. — and blocking end user access to them. Umbrella also enables more secure DNS querying through a tool called DNSCrypt, which automatically encrypts DNS queries between your network and Umbrella’s servers, effectively eliminating the chance that your queries will be the victim of eavesdropping or man-in-the-middle (MITM) attacks. This secures the “last mile” of a client’s internet connection, which is often left exposed and vulnerable.
There is no additional cost or charge for taking advantage of this integration (which is available to all Meraki wireless customers who have upgraded to our latest MR26.x firmware), but Meraki wireless customers who wish to integrate with Umbrella will need a separate Umbrella license and account with that service.
Enabling Umbrella integration
So, what does this mean for admins of Meraki wireless networks? This integration with Umbrella enables Meraki admins who obtain Umbrella licenses (WLAN, Professional, Insights, or Platform) to seamlessly assign DNS filtering via Meraki group policy or SSID to specific subsets of wireless clients, or to them all.
Enabling Umbrella integration takes only a few steps. First, the Meraki and Umbrella dashboards must be linked via the Umbrella Network Devices API key. Once this API key is generated from within the Umbrella dashboard, it needs to be copied into the Meraki dashboard by navigating to Network-wide > General.
Enabling Meraki + Umbrella integration within the Meraki dashboard.
Once the Meraki and Umbrella dashboards have been configured, linking a Meraki SSID or group policy to an Umbrella security policy is easy (note: Meraki group policies must be set to use ‘Custom SSID Firewall & Shaping Rules’ to link an Umbrella policy to them). After this initial setup, a unique identifier is generated behind the scenes for the specified Meraki SSID or group policy and is used by Umbrella to determine how to evaluate traffic from that Meraki network moving forward.
To link a Meraki SSID to an Umbrella policy, navigate to the Wireless > Configure > Firewall & Traffic Shaping section of the Meraki dashboard. There, you will find a button to link Umbrella policies.
Linking an Umbrella policy to a Meraki SSID.
By default, the last policy physically listed in the Umbrella dashboard’s ordered policy list will be inherited by a Meraki SSID unless a different policy is selected from the dropdown list.
To link a Meraki group policy to an Umbrella security policy, navigate to the Network > Configure > Group policies page in the Meraki dashboard and choose the specific Meraki group policy that you want to link. Under the ‘Layer 7 firewall rules’ section of that policy, you’ll be able to choose which Umbrella policy you’d like to apply.
Applying an Umbrella DNS policy to the Meraki ‘VIP Umbrella Clients’ group policy.
Once a Meraki SSID or group policy has been successfully linked to an Umbrella security policy, clients that connect to that SSID, or to which that group policy has been applied, will have their DNS queries encrypted (if the AP supports 802.11ac) and verified against the corresponding Umbrella policy. Encrypting DNS queries between Meraki APs and Umbrella DNS endpoints helps secure the ‘last mile’ of client web browsing and protects against devastating MITM attacks or packet snooping that can reveal which websites client devices are browsing.
An example Umbrella policy may prohibit access to known malicious web domains or websites that host specific types of content, like gambling or peer-to-peer domains. If the client’s request for access to a given website is allowed, Umbrella will return an encrypted DNS response with the appropriate IP address. If the request is denied, then an encrypted DNS response pointing to the Umbrella block page will be returned instead.
Taken together, Meraki wireless and Umbrella integration provide a significantly more robust security framework for IT admins looking to protect clients from web threats in a more proactive way. Instead of waiting for a malicious site to infect a machine and then using tools like antivirus to detect and remediate, Meraki MR customers can rest easy knowing that they are protected from ever reaching harmful sites in the first place.
Interested customers should contact Meraki Support to have this feature enabled. This feature requires an early-release MR firmware version that can be enabled with Meraki support assistance.
For many retailers, providing free guest Wi-Fi is no longer a perk; it’s a basic cost of doing business. Customers expect to be able to log on to free in-store Wi-Fi to surf on their smartphones and make video calls to their friends while they’re shopping. By now, most retailers have acquiesced to customer demand and installed high-speed wireless networks in their stores.
Although most retailers provide free Wi-Fi to their guests, many stores may not be leveraging this infrastructure to its fullest potential. Retailers should be taking advantage of the wireless infrastructure they’ve already invested in to learn more about their customers, modernize their stores, and provide first-class customer experiences.
1. Learn more about customers through location analytics
Today, nearly all shoppers are carrying smartphones while they roam around stores. In fact, a 2017 Deloitte report noted that 93% of U.S. smartphone owners use their phone while out shopping. This technology gives customers an unprecedented ability to look up anything and communicate with anyone. It can also help retailers with advanced wireless setups track how customers navigate within a store, and use this knowledge to merchandise as needed.
When a phone’s Wi-Fi radio is turned on, it sends out probes to wireless access points. This occurs whether the phone is actually connected to a Wi-Fi network or not, since smartphones are constantly hunting for new Wi-Fi networks to populate the list of available networks nearby. Using these probes as data points, wireless systems can triangulate shoppers’ locations within a few meters. Bluetooth Low Energy (BLE) beacons — popularized as iBeacons by Apple — can take this even further and track shoppers to within inches of their locations. For instance, a home improvement retailer could know whether a customer is looking at sinks or at toilets based on their location.
Advanced systems, like Cisco Meraki Location Analytics, can present this precise location data in a number of ways benefitting retailers. For example, retailers can use location heat maps to see where their customers are walking within the store and appropriately arrange displays or staff certain areas based on actual customer engagement. Learn more about the possibilities of Location Analytics by reading this blog post.
2. Support more modern infrastructure
An upgraded wireless experience can serve as the catalyst for greater infrastructure updates that reduce cost and improve the customer experience. Two areas of technology that have seen rapid evolution in the last decade, and that matter a great deal in the retail space, are security cameras and mPOS (mobile point-of-sale). Incidentally, both IP cameras and mPOS rely on robust wireless deployments in the store.
Security cameras have gone from recording limited, grainy footage onto analog video management systems to recording high-definition video that can be streamed online from anywhere. As a result of these rapid technological advancements, retailers are increasingly adopting the newest camera models, which come fully equipped with wireless connectivity, to monitor in-store activity. These cameras, often deployed in places where Ethernet cords can’t easily reach, require a wireless network connection to send captured video to the server.
Similarly, most mPOS devices today don’t use Ethernet for connectivity, necessitating the use of a fast wireless network to process and complete transactions quickly. mPOS has burgeoned recently in large part thanks to the explosion of smartphones: companies like Square have modernized — and for some retailers, eradicated the need for — traditional cash registers.
Retailers with up-to-date, fully secure wireless networks are ready to support these technologies to the fullest extent.
3. Enable exceptional omnichannel experiences
As Amazon has shaken up the retail world over the last decade, omnichannel shopping experiences — experiences that are consistent whether a shopper is buying in-store or online — have become part of the retail zeitgeist. Delivering a comprehensive omnichannel experience requires retailers to collect and combine information about customers’ in-store and online shopping habits.
Retailers with robust wireless deployments are in a prime position to build a sophisticated system that helps them learn more about their customers’ shopping activities. Once a shopper logs on to a store’s Wi-Fi network, a whole host of possibilities opens up, especially if they’re already known (a repeat visitor) or their identity becomes known thanks to a splash page integration, like Facebook Login. From that point onward, customer activities that integrate with the network can be tracked and their experiences personalized.
For example, when a shopper who buys a pair of heels on a retailer’s website then wanders into that store’s dress aisle, she can be presented with an ad on her smartphone for a dress that matches the shoes. Additionally, based on the network bandwidth consumed by different mPOS terminals, stores can determine which checkout counters are the least or most popular and make staffing adjustments accordingly. Solutions that bring APIs into the mix can take this one step further by integrating activity on the network with retail loyalty programs or CRM systems. The possibilities are endless for IT administrators looking to build custom solutions that help retailers ensure consistent shopping experiences across channels.
To learn more about why Meraki is a great fit for retail, check out our retail webpage, read a customer case study, or sign up for our upcoming Meraki for Retail webinar on January 24, 2018 at 11 AM PT.
Update: Cisco Meraki WiFi with Facebook Login is now part of Cisco Meraki CMX. Learn more about CMX here.
A quick show of hands, please: how many of you are running guest WiFi for your organization? Free WiFi is now available in coffee shops, hotel lobbies, hospital waiting rooms, and retail locations across the country. These days, customers check for — and expect — wireless access.
Cisco Meraki already provides an intuitive, easy-to-configure solution for secure guest WiFi that many customers have deployed. But what if you want to provide a more seamless sign-on experience, or increase brand exposure via your guest access deployment?
Now you can do all of this, thanks to Cisco Meraki Presence, a suite of cloud-based location analytics and engagement features which includes Cisco Meraki WiFi with Facebook Login. This feature lets your customers connect to WiFi by checking in on Facebook, using your organization’s Facebook Page as a splash page.
Update: Cisco Meraki Presence is now known as CMX (Connected Mobile Experiences), a comprehensive location analytics and engagement platform ideal for both cloud-managed or on-premise solutions. Click here to learn more.
Why this is awesome
Here are some benefits: first, you get access to aggregate and anonymous demographic data Facebook provides about your Page and on check-ins — statistics like the age and gender of those groups of people connecting. This helps you understand more about your audience, which can help you tailor customer experience and advertisements. For example, what if you’re a coffee shop and discover that the majority of your customers are women in their 30s? Maybe you make some changes to your coffee and food menu, or tune the type of music playing in your shops, or update the content of your Facebook Page to better suit their tastes.
When guests check in on Facebook, a story may post to their News Feed, viewable by their Facebook friends. People can see that their friend visited your location and “like” this story, thereby promoting your organization with virtual word-of-mouth recognition. And if friends of your guest are close by, they now know about your business and may decide to visit as well.
Facebook News Feed event generated by WiFi with Facebook login.
Finally, you can provide an intuitive, convenient experience for guests trying to access WiFi — a smoother process than having guests ask a barista, lobby clerk, or employee for an access code and typing that into a splash page.
Configure in two clicks
Deploying guest access using WiFi with Facebook login takes two clicks in Cisco Meraki’s dashboard: first elect to use a splash page for guest SSID sign-on, then select “Facebook Wi-Fi” as the method for sign-on.
It’s that simple.
Just follow the link in Cisco Meraki’s dashboard to configure your Facebook Page and pair your Cisco Meraki network with your Facebook Page.
We’ve already begun a full-scale, staged release of this feature to our wireless customers, but if you prefer, you can get this new feature today by contacting Cisco Meraki tech support. Otherwise, keep your eyes peeled for Cisco Meraki updates soon!
Adding to our built-in splash page capabilities, Meraki APs now feature SMS-based splash authentication. It’s quite straightforward. Users connect to the wireless network and enter a mobile phone number. Then they receive an authorization code via SMS, and once they enter the code into the splash page, they’re granted access to the network. With SMS authentication, a business can provide self-service connection to guest wireless without having to manually verify that only real people are trying to connect. We’ve done the heavy lifting of integrating WiFi access with SMS, and every user should be quite familiar with receiving a simple text message. A mobile phone has never been so handy.
Naturally, configuring an SSID for SMS auth is done with a single click (or radio button in this case).
Access control setting for SMS authentication
Users connecting to the network will see a splash page that asks for a mobile phone number.
SMS splash: mobile phone number input
Meraki’s system then sends a verification code via text message to the mobile number, and the user enters the code into the splash page to get access to the network.
SMS splash: verification code
Client details, including the phone number used for the SMS authentication, are displayed on the client details page.
Client details including SMS authentication status
25 free text messages are included so you can try splash pages with SMS authentication. After that, just configure your Twilio account information in the Network-wide settings page, and your Twilio account will be billed for the text messages sent to users using the SMS-based splash.
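The code-then-access exchange described above, sketched from the server side as an added example that is not part of the original post and is not Meraki's implementation. The class and method names, the `send_sms` hook, the five-minute validity window and the five-guess limit are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for a code
MAX_ATTEMPTS = 5         # assumed number of guesses allowed per code

class SmsSplashVerifier:
    """Holds one pending code per client, keyed by a client identifier."""

    def __init__(self, send_sms, clock=time.monotonic):
        self._send_sms = send_sms   # hypothetical hook: callable(phone, text)
        self._clock = clock
        self._pending = {}          # client_id -> [code, phone, expires_at, attempts_left]

    def request_code(self, client_id, phone):
        """Issue a fresh six-digit code; any earlier code for the client is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"    # CSPRNG, not the random module
        self._pending[client_id] = [code, phone,
                                    self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your Wi-Fi access code is {code}")

    def verify(self, client_id, submitted):
        """Return 'granted', 'denied', 'locked', 'expired' or 'no-code'."""
        entry = self._pending.get(client_id)
        if entry is None:
            return "no-code"
        code, _phone, expires_at, _attempts = entry
        if self._clock() >= expires_at:
            del self._pending[client_id]
            return "expired"
        # Constant-time comparison on bytes avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[client_id]            # single use
            return "granted"
        entry[3] -= 1
        if entry[3] <= 0:
            del self._pending[client_id]            # a new SMS is needed after too many guesses
            return "locked"
        return "denied"
```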
We’re excited to kick off the new year with a new webinar series. Over the next eight weeks, we will be discussing a variety of wireless topics – from enabling guest access to debugging client connectivity issues and more. We are particularly looking forward to giving each attendee a FREE Meraki Indoor access point with a 3-year Enterprise Cloud Controller license (a $450 value!).
We’ll have sessions every two weeks, covering the following subjects:
Deploying Guest Wireless Access
Multi-site Wireless Management and Remote Help Desk
Upgrading to 802.11n
Our first session – on deploying guest wireless access – kicks off next Wednesday, January 13. Guests increasingly expect wireless Internet access when they visit your organization, be it an office, campus or other facility. Learn how to get set up painlessly and inexpensively, as we discuss the requirements and options for guest wireless systems, including tips for deployment with minimal expense and complexity.
Sign up for next Wednesday’s webinar here (Update: if you want to sign up for upcoming webinars, go here), and check out the complete schedule below: