Meraki

Community

Users Bypassing Meraki Splash Page

CDCollins
Here to help
‎Jun 25 2024 9:03 AM
‎Jun 25 2024 9:03 AM

Users Bypassing Meraki Splash Page

Users are able to bypass the splash page using a VPN. I messed around with the VPN myself and managed to get by and have zero restrictions. I have a testing SSID where I created a firewall blocking every IP besides the ones necessary, yet the VPN still managed to bypass the splash page and pull an IP that was denied. Just wanted to see if anyone had a similar issue or any ideas on how to resolve such a massive security problem.

 

Any help would be much appreciated. Thank you.

Labels:
0 Kudos
15 Replies 15
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 25 2024 9:10 AM
‎Jun 25 2024 9:10 AM

Are you sure that the Controller disconnection behavior is not set to Open?

alemabrahao_0-1719331841814.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
CDCollins
Here to help
‎Jun 25 2024 9:35 AM
‎Jun 25 2024 9:35 AM

@alemabrahao Thanks for the reply. But the Controller disconnection behavior is set to "Restricted."

0 Kudos
In response to CDCollins
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 25 2024 9:49 AM
‎Jun 25 2024 9:49 AM

Can you share your SSID configuration?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
CDCollins
Here to help
‎Jun 25 2024 10:10 AM
‎Jun 25 2024 10:10 AM

CDCollins_0-1719335350070.png

 

CDCollins_1-1719335394946.png

 

 

0 Kudos
In response to CDCollins
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 25 2024 10:13 AM
‎Jun 25 2024 10:13 AM

Try enabling the Walled Garden.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
CDCollins
Here to help
‎Jun 25 2024 10:28 AM
‎Jun 25 2024 10:28 AM

Sadly, that didn't work.

0 Kudos
In response to CDCollins
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 25 2024 10:30 AM
‎Jun 25 2024 10:30 AM

I suggest you open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
CDCollins
Here to help
‎Jun 25 2024 10:38 AM
‎Jun 25 2024 10:38 AM

Sweet I'll work on that. I appreciate your quick responses.

0 Kudos
In response to CDCollins
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 25 2024 10:41 AM
‎Jun 25 2024 10:41 AM

This could be a possible workaround.

 

Workaround: Apply a traffic shaping rule to limit bandwidth on port 53 and other ports that might be used by a VPN. Users attempting to bypass splash pages to access the internet over VPN will not likely use your network if they only get 100 Kbps.

Real Solution: Use an upstream MX or other firewall to block VPN attempts on port 53. Make sure not to block your DNS server such as 8.8.8.8.

Root Cause:
When client devices connect to the MR they are placed in a captive portal policy and the MR firewall rules (L3 and L7) do not get applied to the client devices until after they authenticate with the captive portal. However the traffic shaping rules are indeed applied to clients, and you can limit the throughput of VPN traffic.

 

https://community.meraki.com/t5/Wireless/Bypass-Meraki-Splash-pages-in-10-secs-to-gain-unrestricted/...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
CDCollins
Here to help
‎Jun 25 2024 3:21 PM
‎Jun 25 2024 3:21 PM

For the workaround, is there a way to slow down the bandwidth for specific ports rather than the entire network?

0 Kudos
In response to CDCollins
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 26 2024 3:02 AM
‎Jun 26 2024 3:02 AM

Yes, it is.

 

alemabrahao_0-1719396134940.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
ecejhe
Here to help
‎Sep 25 2024 12:18 AM
‎Sep 25 2024 12:18 AM

Thanks mate! It works!

These users were using 3rd party VPN to bypass the guest wireless authentication are now blocked.

0 Kudos
In response to CDCollins
ww
Kind of a big deal
Kind of a big deal
‎Jun 25 2024 9:51 AM
‎Jun 25 2024 9:51 AM

Capative portal strength also set to block all access?

In response to ww
CDCollins
Here to help
‎Jun 25 2024 10:07 AM
‎Jun 25 2024 10:07 AM

Yes it is.

0 Kudos
WalterBajana
Conversationalist
‎Jul 21 2024 2:28 AM
‎Jul 21 2024 2:28 AM

Unfortunately Splash page is not secure.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.