I've configured the Meraki SSID with a splash page (walled garden; blocking access till sign-on is completed) using an internal NPS server. The NPS server is configured in the SSID successfully and responds when testing it in the Access Control screen. On the Duo side, I have the RADIUS SSID application in the Duo authconfig file correctly as per Duo support, but when testing it, after entering the user's un/(email address) & pw on the splash screen, the auth attempt never hits the Duo proxy server.
The goal is for the user to get the Duo MFA prompt after the user is authenticated at the Meraki splash screen.
All the configurations are correct according to this article but I'm unable to capture the Temporary Redirect HTTP packet after the GET that returns to allow the user access to the internet and connect to the SSID.
I've made Wireshark captures for both Duo and Meraki support cases with no resolution to this matter from either side. Any guidance would be appreciated. Thank you in advance.
Have you configured the Duo URLs on walled garden?
*.duo.com *.duosecurity.com *.duomobile.s3-us-west-1.amazonaws.com
They are, yes, and it did not make any difference. The issue is that even though the testing of the NPS RADIUS server is successful in the Access Control screen and it's reflected in the NPS RADIUS logs, when testing it from the laptop (the actual test) there are NO logs reflected on the RADIUS server. If I select the Failover policy to Deny access, it denies access. If it's set to allow, I access the SSID successfully and again there are no logs reflected on the RADIUS server that authenticated the user.
Just remember.
For Splash page: RADIUS access request messages for a splash page will be sourced from the dashboard, not from the local Meraki devices. As such, the RADIUS server's private LAN IP address cannot be specified here.
Thank you. In step 5:
Where exactly are these 2 items located in the Meraki dashboard?
Additionally, my NPS Radius server is on my private LAN and is not accessible externally:
"Note: RADIUS access request messages for a splash page will be sourced from the dashboard, not from the local Meraki devices. As such, the RADIUS server's private LAN IP address cannot be specified here."
It is defined when you add your RADIUS server on the SSID configuration.
Your server must have a public IP (you can create a NAT).
Make sure to take note of the Source IP ranges listed under Help > Firewall info and make adjustments to network firewalls if necessary.
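The firewall adjustment described above, sketched for the Windows host that receives the RADIUS traffic (an added example, not part of the original thread or of Meraki/Duo documentation). It assumes RADIUS authentication on the standard UDP port 1812, an elevated PowerShell session, a hypothetical rule name, and placeholder CIDRs that must be replaced with the ranges shown under Help > Firewall info.

```powershell
# Added example: limit inbound RADIUS on a Windows host to known source ranges.
# Assumption: RADIUS authentication listens on UDP 1812 (the standard port).
# The CIDRs are constructed placeholders from documentation address space;
# replace them with the ranges listed under Help > Firewall info.
$DashboardRanges = @('192.0.2.0/24', '198.51.100.0/24')
$RadiusPort      = 1812
$RuleName        = 'RADIUS-In-Dashboard-Only'   # hypothetical rule name

# Reject malformed or very broad ranges before touching the firewall.
foreach ($cidr in $DashboardRanges) {
    $addr, $prefix = $cidr -split '/'
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$parsed) -or
        [int]$prefix -lt 8 -or [int]$prefix -gt 32) {
        throw "Invalid or overly broad range: $cidr"
    }
}

# Recreate the scoped allow rule so repeated runs stay idempotent.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort $RadiusPort -RemoteAddress $DashboardRanges | Out-Null

# Windows Firewall allow rules are additive: a scoped rule restricts nothing
# while another enabled rule still admits the same port from any source.
# Report those rules so they can be disabled or scoped as well.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $port   = $_ | Get-NetFirewallPortFilter
        $remote = $_ | Get-NetFirewallAddressFilter
        if ($port.Protocol -eq 'UDP' -and
            $port.LocalPort -contains "$RadiusPort" -and
            $remote.RemoteAddress -contains 'Any') {
            Write-Warning "Rule '$($_.DisplayName)' allows UDP $RadiusPort from any source"
        }
    }
```

The same source restriction belongs on the perimeter device that performs the NAT, since that is where the server first becomes reachable from the internet.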
We'll be configuring an Azure VM for this and testing it. I opened 2 tickets with Meraki support, and neither of them identified that the NPS server being internal was an issue.