Meraki

Community

Radius SSID Splash page with Duo MFA

Solved
bacjac38
Conversationalist
‎Jul 12 2023 9:22 AM
‎Jul 12 2023 9:22 AM

Radius SSID Splash page with Duo MFA

I've configured the Meraki SSID with a splash page (walled garden; blocking access till sign-on is completed) using an internal NPS server. The NPS server configured in the SSID successfully and responds when testing it in the Access Control screen. On the Duo side, I have the Radius SSID application in the Duo authconfig file correctly as per Duo support but when testing it, after entering the users un/(email address) & pw on the splash screen, the auth attempt never hits the Duo proxy server.

 

The goal is for the user to get the Duo MFA prompt after the user is authenticated at the Meraki splash screen. 

 

All the configurations are correct according to this article but I'm unable to capture the Temporary Redirect HTTP packet after the GET that returns to allow the user access to the internet and connect to the SSID. 

 

I've made wireshark captures for both Duo and Meraki support cases with no resolution to this matter from both sides. Any guidance would be appreciated - thank you in advance

Labels:
0 Kudos
1 Accepted Solution
In response to bacjac38
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 12 2023 1:07 PM
‎Jul 12 2023 1:07 PM

It is defined when you add your Radius server on the SSID configuration.

 

alemabrahao_0-1689191891901.png

 

You server must have public IP (you can create a NAT).

 

alemabrahao_1-1689192406359.png

 

Make sure to take note of the Source IP ranges listed under Help > Firewall info and make adjustments to network firewalls if necessary.

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 12 2023 9:55 AM
‎Jul 12 2023 9:55 AM

Have you configured the Duo URLs on walled garden?

 

*.duo.com
*.duosecurity.com
*.duomobile.s3-us-west-1.amazonaws.com
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
bacjac38
Conversationalist
‎Jul 12 2023 10:27 AM
‎Jul 12 2023 10:27 AM

They are yes and did not make any difference. The issue is, is that even though the testing of the NPS Radius server is successful in the Access Control screen and it's reflected in the NPS Radius logs, when testing it from the laptop (the actual test) there are NO logs reflected on the Radius server. If I select the Failover policy to Deny access it denies access. If it's set to allow - I access the SSID successfully and again there is no logs reflected on the Radius server that authenticated the user

0 Kudos
In response to bacjac38
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 12 2023 10:59 AM
‎Jul 12 2023 10:59 AM

Just remember.

 

For Splash page RADIUS access request messages for a splash page will be sourced from the dashboard, not from the local Meraki devices. As such, the RADIUS server's private LAN IP address cannot be specified here.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_RADIUS_Au...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
bacjac38
Conversationalist
‎Jul 12 2023 11:46 AM
‎Jul 12 2023 11:46 AM

Thank you. In step 5:

 

  • IP address: The IP ranges used by the dashboard (gathered in step 9 of the dashboard configuration)
  • Shared secret: Secret configured in the RADIUS server value in the dashboard (used in step 8 of the dashboard configuration). This needs to be the same for each RADIUS client you add.

Where exactly are these 2 items located in the Meraki dashboard?

 

Additionally, my NPS Radius server is on my private LAN and is not accessible externally:


"Note: RADIUS access request messages for a splash page will be sourced from the dashboard, not from the local Meraki devices. As such, the RADIUS server's private LAN IP address cannot be specified here."

0 Kudos
In response to bacjac38
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 12 2023 1:07 PM
‎Jul 12 2023 1:07 PM

It is defined when you add your Radius server on the SSID configuration.

 

alemabrahao_0-1689191891901.png

 

You server must have public IP (you can create a NAT).

 

alemabrahao_1-1689192406359.png

 

Make sure to take note of the Source IP ranges listed under Help > Firewall info and make adjustments to network firewalls if necessary.

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
bacjac38
Conversationalist
‎Jul 13 2023 7:46 AM
‎Jul 13 2023 7:46 AM

We'll be configuring an Azure VM for this and test it. I opened 2 tickets with Meraki support they both never identified the NPS server was internal was an issue.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.