Users Bypassing Meraki Splash Page

CDCollins
Here to help

Users are able to bypass the splash page using a VPN. I messed around with the VPN myself and managed to get by and have zero restrictions. I have a testing SSID where I created a firewall blocking every IP besides the ones necessary, yet the VPN still managed to bypass the splash page and pull an IP that was denied. Just wanted to see if anyone had a similar issue or any ideas on how to resolve such a massive security problem.

Any help would be much appreciated. Thank you.

13 Replies
alemabrahao
Kind of a big deal

Are you sure that the Controller disconnection behavior is not set to Open?

[screenshot: alemabrahao_0-1719331841814.png]

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
CDCollins
Here to help

@alemabrahao Thanks for the reply. But the Controller disconnection behavior is set to "Restricted."

Can you share your SSID configuration?

[screenshot: CDCollins_0-1719335350070.png]

[screenshot: CDCollins_1-1719335394946.png]

Try enabling the Walled Garden.

Sadly, that didn't work.

I suggest you open a support case.

Sweet I'll work on that. I appreciate your quick responses.

This could be a possible workaround.

Workaround: Apply a traffic shaping rule to limit bandwidth on port 53 and other ports that might be used by a VPN. Users attempting to bypass splash pages to access the internet over VPN will not likely use your network if they only get 100 Kbps.

Real Solution: Use an upstream MX or other firewall to block VPN attempts on port 53. Make sure not to block your DNS server such as 8.8.8.8.

Root Cause:
When client devices connect to the MR they are placed in a captive portal policy, and the MR firewall rules (L3 and L7) do not get applied to the client devices until after they authenticate with the captive portal. However, the traffic shaping rules are indeed applied to clients, and you can limit the throughput of VPN traffic.

https://community.meraki.com/t5/Wireless/Bypass-Meraki-Splash-pages-in-10-secs-to-gain-unrestricted/...

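One way a defender can spot this pattern from flow data while a client is still behind the splash page, as an added example that is not from the thread above and not Meraki code: it scores unauthenticated clients on how much they send to port 53 and whether the UDP payload even has a DNS header. The `Flow` records, the field names, the sample MAC addresses and the 200 kB threshold are constructed for illustration; on a real network the records would come from flow export or a packet capture at the MR/MX.

```python
"""Flag pre-authentication clients whose port-53 traffic does not look like DNS.

Added example, not Meraki code. Flow records, field names and the byte
threshold are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Assumption: a client still on the splash page needs only a handful of DNS
# lookups, so anything beyond this many bytes to port 53 deserves a look.
PRE_AUTH_DNS_BYTE_LIMIT = 200_000


@dataclass
class Flow:
    client: str           # client MAC address (constructed)
    authenticated: bool   # has the client passed the splash page?
    proto: str            # "udp" or "tcp"
    dst_port: int
    bytes_out: int        # bytes sent by the client in this flow
    first_payload: bytes  # payload of the flow's first packet (constructed)


def looks_like_dns_query(payload: bytes) -> bool:
    """Sanity-check a UDP payload against the DNS header layout (RFC 1035).

    A client query has QR=0, a standard opcode and exactly one question with
    no answer or authority records. A raw VPN handshake sent to port 53 fails
    this; a DNS tunnel that hides data inside well-formed queries does not,
    which is why the volume check in suspicious_clients() exists as well.
    """
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!6H", payload[:12])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    return qr == 0 and opcode in (0, 1, 2) and qdcount == 1 and ancount == 0 and nscount == 0


def suspicious_clients(flows, byte_limit=PRE_AUTH_DNS_BYTE_LIMIT):
    """Return {client: [reasons]} for unauthenticated clients abusing port 53."""
    per_client = {}
    for f in flows:
        # Post-auth traffic is already subject to the SSID's L3/L7 firewall
        # rules, so only pre-auth port-53 flows are of interest here.
        if f.authenticated or f.dst_port != 53:
            continue
        entry = per_client.setdefault(f.client, {"bytes": 0, "non_dns": 0})
        entry["bytes"] += f.bytes_out
        if f.proto == "udp" and not looks_like_dns_query(f.first_payload):
            entry["non_dns"] += 1
    findings = {}
    for client, e in per_client.items():
        reasons = []
        if e["bytes"] > byte_limit:
            reasons.append("volume")
        if e["non_dns"]:
            reasons.append("non_dns")
        if reasons:
            findings[client] = reasons
    return findings


# Constructed payloads: a normal A query for example.com, and a 16-byte blob
# that does not parse as a DNS header (stands in for a VPN handshake on 53).
DNS_QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
NOT_DNS = bytes.fromhex("381122334455667788") + bytes(7)

# Constructed flow records: one benign pre-auth lookup, one raw VPN on port 53,
# one high-volume tunnel made of valid-looking queries, one authenticated client.
SAMPLE_FLOWS = [
    Flow("aa:bb:cc:00:00:01", False, "udp", 53, 300, DNS_QUERY),
    Flow("aa:bb:cc:00:00:02", False, "udp", 53, 5_000_000, NOT_DNS),
    Flow("aa:bb:cc:00:00:03", False, "udp", 53, 350_000, DNS_QUERY),
    Flow("aa:bb:cc:00:00:04", True, "udp", 53, 9_000_000, NOT_DNS),
]

if __name__ == "__main__":
    for client, reasons in suspicious_clients(SAMPLE_FLOWS).items():
        print(f"{client}: {', '.join(reasons)}")
```

The byte threshold, not the header check, is what catches a tunnel built from legitimate-looking queries, so both signals are reported separately; a hit on either is a reason to look at the client before it ever reaches the firewall rules that only apply after authentication.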
For the workaround, is there a way to slow down the bandwidth for specific ports rather than the entire network?

Yes, it is.

[screenshot: alemabrahao_0-1719396134940.png]

ww
Kind of a big deal

Captive portal strength also set to block all access?

Yes it is.
