Radius SSID Splash page with Duo MFA

Solved
bacjac38
Here to help

Radius SSID Splash page with Duo MFA

I've configured the Meraki SSID with a splash page (walled garden; blocking access till sign-on is completed) using an internal NPS server. The NPS server configured in the SSID successfully and responds when testing it in the Access Control screen. On the Duo side, I have the Radius SSID application in the Duo authconfig file correctly as per Duo support but when testing it, after entering the users un/(email address) & pw on the splash screen, the auth attempt never hits the Duo proxy server.

 

The goal is for the user to get the Duo MFA prompt after the user is authenticated at the Meraki splash screen. 

 

All the configurations are correct according to this article but I'm unable to capture the Temporary Redirect HTTP packet after the GET that returns to allow the user access to the internet and connect to the SSID. 

 

I've made wireshark captures for both Duo and Meraki support cases with no resolution to this matter from both sides. Any guidance would be appreciated - thank you in advance

1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal

It is defined when you add your Radius server on the SSID configuration.

 

alemabrahao_0-1689191891901.png

 

You server must have public IP (you can create a NAT).

 

alemabrahao_1-1689192406359.png

 

Make sure to take note of the Source IP ranges listed under Help > Firewall info and make adjustments to network firewalls if necessary.

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal

Have you configured the Duo URLs on walled garden?

 

*.duo.com
*.duosecurity.com
*.duomobile.s3-us-west-1.amazonaws.com
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
bacjac38
Here to help

They are yes and did not make any difference. The issue is, is that even though the testing of the NPS Radius server is successful in the Access Control screen and it's reflected in the NPS Radius logs, when testing it from the laptop (the actual test) there are NO logs reflected on the Radius server. If I select the Failover policy to Deny access it denies access. If it's set to allow - I access the SSID successfully and again there is no logs reflected on the Radius server that authenticated the user

alemabrahao
Kind of a big deal
Kind of a big deal

Just remember.

 

For Splash page RADIUS access request messages for a splash page will be sourced from the dashboard, not from the local Meraki devices. As such, the RADIUS server's private LAN IP address cannot be specified here.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_RADIUS_Au...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
bacjac38
Here to help

Thank you. In step 5:

 

  • IP address: The IP ranges used by the dashboard (gathered in step 9 of the dashboard configuration)
  • Shared secret: Secret configured in the RADIUS server value in the dashboard (used in step 8 of the dashboard configuration). This needs to be the same for each RADIUS client you add.

Where exactly are these 2 items located in the Meraki dashboard?

 

Additionally, my NPS Radius server is on my private LAN and is not accessible externally:


"Note: RADIUS access request messages for a splash page will be sourced from the dashboard, not from the local Meraki devices. As such, the RADIUS server's private LAN IP address cannot be specified here."

alemabrahao
Kind of a big deal
Kind of a big deal

It is defined when you add your Radius server on the SSID configuration.

 

alemabrahao_0-1689191891901.png

 

You server must have public IP (you can create a NAT).

 

alemabrahao_1-1689192406359.png

 

Make sure to take note of the Source IP ranges listed under Help > Firewall info and make adjustments to network firewalls if necessary.

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
bacjac38
Here to help

We'll be configuring an Azure VM for this and test it. I opened 2 tickets with Meraki support they both never identified the NPS server was internal was an issue.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels