Revoke splash page access

mmzzaq
Here to help

Revoke splash page access

Hardware: MX64

 

I'm working on a project to restrict access with help of a splash page and I'm still in the testing phase. Therefor I have configured a splash page on a specific VLAN in:

Security & SD-WAN > Access control > Sign-on with my RADIUS server

and this seems to work so far but I need to take it further and for testing purposes I need to undo access given to a account/IP address that signed in through the splash page. How do I this? I've tried disabling/re-enabling the splash page for that VLAN but that doesn't make a difference because when I access that particular VLAN now, I'm always granted access now because I successfully signed in earlier.

 

edit:

According to the official documentation, revocation should be available on Network-wide > Monitor > Clients but my setup is a bit different than most of the documentation I read. I'm requesting a web page from a PC on the internet from a web server residing on the local lan of the MX64 through port forwarding with a reverse proxy in between. The route is followed:

PC on internet > MX64 port forward to > reverse proxy with splash page on its vlan > web server with its own vlan.

 

Since the PC is not on the local MX64 LAN and thus not on the client list, I'm unable to revoke and I was wondering if the PC not being on the local posed a problem, but I later found out the proxy is the splash page client and not the PC. However, the revoke button wasn't there on the Meraki client page of the proxy (see screenshot). I've called support and they said that they've seen this before and it's a known issue. Support asked me to disable VLANS temporarily to see if the revoke button still not shows. If that's the case, than they'll escalate it to the dev. team. I now need to find a good moment to disable VLANS (obviously not during production hours).

tmp.jpg

4 REPLIES 4
PhilipDAth
Kind of a big deal

If the RADIUS server has authorised the user then only the RADIUS server can revoke that.

 

It is not common to revoke authorisation of a users session mid-duration.  Usually, the account is disabled and the next connection is then denied.

 

I don't know if this would work in this specific case (with a splash page), but you would need to get your RADIUS server to send a  Change-of-Authorization (usually just called COA for short) packet with a request to disconnect.

An example of this with FreeRadius is:

https://wiki.freeradius.org/protocol/disconnect-messages 

 

Here is the info on the Meraki side:

https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIU... 

Hello PhilipDAth, this is some very useful information and not anything support brought up or thought off. I quickly looked around to see if such a mechanism is supported by Windows Network Policy Server (my radius server) but haven't found it yet (quick search though). I will definitely look into this. Thank you for your reply.

PhilipDAth
Kind of a big deal

NPS does not support COA.  It doesn't even allow you to do simple things like see who is currently logged on.

I'm pretty sure that MX doesn't support CoA either - it would be different with an MS switch port...

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels