Meraki

BTee · ‎Apr 17 2020

How to block Psiphon which can bypass Meraki authentication. How to block it using Layer 7 firewall rules?

Even "Block all access until sign-on is complete" does not work with blocking Psiphon.

Current hack to bypass Meraki Authenication

- Connect to the SSID

- Launch the app called Psiphon

- Start the Psiphon VPN

ConnorL · ‎Apr 17 2020

"Block all access until sign-on is complete" should block *all* traffic until the splash page has been authenticated against. If you run a packet capture on the MR's LAN, do you definitely see this VPN traffic on the wire?

PhilipDAth · ‎Apr 17 2020

As I understand it @ConnorL , Psiphon is able to run its VPN service entirely using standard DNS queries (it sends the payload inside of actual normal and standard DNS queries).

As such, it won't be able to be blocked on Meraki kit at this point in time.

About the only thing that might work was if an IPS signature was released that could match it.

Doug100 · ‎Apr 19 2020

Just a thought, connect the AP to Cisco Umbrella and route all dns traffic to it.

BTee · ‎Apr 21 2020

@PhilipDAth How about Cisco Umbrella? Will it work on blocking Psiphon?

PhilipDAth · ‎Apr 21 2020

>@PhilipDAth How about Cisco Umbrella? Will it work on blocking Psiphon?

I don't know the answer to that question.

BTee · ‎Apr 21 2020

Psiphon is able to run its VPN service without being blocked by Meraki.

ConnorL · ‎Apr 21 2020

If I get some free time tomorrow I'll try and lab this at home. If it's causing an issue, i.e. guests are able to traverse traffic without authenticating with your splash page then you can raise a support ticket.

The engineer will then be able to look at your actual configuration as it may be something as simple as a config issue like walled garden etc.

Kind regards,

--

Connor Loughlin
Network Support Engineer

.:|:.:|:. Cisco Meraki EMEAR 🇬🇧

For reference, many questions can be easily answered by searching our online documentation: http://documentation.meraki.com

ConnorL · ‎Apr 28 2020

Just tried it on a test SSID, and yeah, to my amazement it tunnels everything over DNS and worked perfectly. Windows still alerts than DNS isn't working, but web browsing etc works fine.

You'll need to block all DNS, except for Google / OpenDNS / ISP DNS server in order to prevent this. My test network was:

Client ( ( ( ( ) ) ) ) MR <===> MX

Blocking DNS on the MR won't work as until the splash is passed all DNS is allowed, you'll need to block it upstream device (MX / Router). I blocked all DNS by blocking port 53 on both TCP and UDP but added an explicit allow for 8.8.8.8 and 8.8.4.4 which prevented Psiphon from connecting.

BTee · ‎Apr 28 2020

Thank you @ConnorL how about using Cisco Umbrella?

ConnorL · ‎Apr 28 2020

I haven't had a chance to try it with the current situation. It's a bit of an overkill just to block this VPN tool so blocking all DNS except your upstream/preferred DNS server is probably easiest there.