Users Bypassing Meraki Splash Page

CDCollins
Here to help


Users are able to bypass the splash page using a VPN. I messed around with the VPN myself and managed to get by and have zero restrictions. I have a testing SSID where I created a firewall blocking every IP besides the ones necessary, yet the VPN still managed to bypass the splash page and pull an IP that was denied. Just wanted to see if anyone had a similar issue or any ideas on how to resolve such a massive security problem.


Any help would be much appreciated. Thank you.

15 Replies
alemabrahao
Kind of a big deal

Are you sure that the Controller disconnection behavior is not set to Open?


I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
CDCollins
Here to help

@alemabrahao Thanks for the reply. But the Controller disconnection behavior is set to "Restricted."

alemabrahao
Kind of a big deal

Can you share your SSID configuration?

CDCollins
Here to help

[two screenshots of the SSID configuration]

alemabrahao
Kind of a big deal

Try enabling the Walled Garden.

CDCollins
Here to help

Sadly, that didn't work.

alemabrahao
Kind of a big deal

I suggest you open a support case.

CDCollins
Here to help

Sweet I'll work on that. I appreciate your quick responses.

alemabrahao
Kind of a big deal

This could be a possible workaround.


Workaround: Apply a traffic shaping rule to limit bandwidth on port 53 and other ports that might be used by a VPN. Users attempting to bypass splash pages to access the internet over VPN will not likely use your network if they only get 100 Kbps.

Real Solution: Use an upstream MX or other firewall to block VPN attempts on port 53. Make sure not to block your DNS server such as 8.8.8.8.

Root Cause:
When client devices connect to the MR they are placed in a captive portal policy, and the MR firewall rules (L3 and L7) do not get applied to the client devices until after they authenticate with the captive portal. However, the traffic shaping rules are indeed applied to clients, and you can limit the throughput of VPN traffic.


https://community.meraki.com/t5/Wireless/Bypass-Meraki-Splash-pages-in-10-secs-to-gain-unrestricted/...

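An added illustration of the root cause and fix described in the post above (not code from the thread or from Meraki): a small Python model of the upstream firewall rule that allows port 53 only to the network's own resolvers, plus a detector that flags unauthenticated clients moving tunnel-sized volumes over port 53. The flow records, client MACs, resolver list and byte threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real Meraki logs). Assumed fields:
# (client MAC, splash-authenticated?, destination IP, destination port, bytes)
SAMPLE_FLOWS = [
    ("aa:bb:cc:00:00:01", False, "8.8.8.8", 53, 180),              # normal pre-auth DNS
    ("aa:bb:cc:00:00:01", False, "8.8.8.8", 53, 220),
    ("aa:bb:cc:00:00:02", False, "203.0.113.10", 53, 48_000_000),  # VPN tunnelled over port 53
    ("aa:bb:cc:00:00:02", False, "203.0.113.10", 53, 51_000_000),
    ("aa:bb:cc:00:00:03", True, "198.51.100.7", 1194, 9_000_000),  # authenticated user
]

# The resolvers the post says must NOT be blocked (assumed list).
ALLOWED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def upstream_rule_allows(dst_ip, dst_port):
    """Model the 'real solution': on the upstream MX/firewall, permit port 53
    only towards the sanctioned resolvers; any other port-53 destination is dropped,
    which is what defeats a VPN riding on the DNS port before splash authentication."""
    if dst_port != 53:
        return True
    return dst_ip in ALLOWED_RESOLVERS


def blocked_flows(flows):
    """Return the flows the upstream rule would drop."""
    return [f for f in flows if not upstream_rule_allows(f[2], f[3])]


def suspicious_preauth_clients(flows, byte_threshold=1_000_000):
    """Detection side: sum bytes per unauthenticated client on port 53 to
    non-resolver destinations. Real DNS traffic stays in the kilobytes;
    a tunnel does not, so anything over the threshold is worth a look."""
    totals = defaultdict(int)
    for client, authed, dst_ip, dst_port, nbytes in flows:
        if authed or dst_port != 53 or dst_ip in ALLOWED_RESOLVERS:
            continue
        totals[client] += nbytes
    return {c: b for c, b in totals.items() if b >= byte_threshold}


if __name__ == "__main__":
    print("would be dropped upstream:", len(blocked_flows(SAMPLE_FLOWS)))
    print("pre-auth tunnel suspects:", suspicious_preauth_clients(SAMPLE_FLOWS))
```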
CDCollins
Here to help

For the workaround, is there a way to slow down the bandwidth for specific ports rather than the entire network?

alemabrahao
Kind of a big deal

Yes, it is.


ecejhe
Here to help

Thanks mate! It works!

These users, who were using a 3rd-party VPN to bypass the guest wireless authentication, are now blocked.

ww
Kind of a big deal

Captive portal strength also set to block all access?

CDCollins
Here to help

Yes, it is.

WalterBajana
Conversationalist

Unfortunately, the splash page is not secure.
