Configure a splash (EXCAP) with sign-on in Azure AD

SOLVED
Johan
Here to help

Configure a splash (EXCAP) with sign-on in Azure AD

Dear all,

I'd like to create an EXCAP splash page that will authenticate my users on our Microsoft Azure AD. From the Microsoft point of view, I can create the authentication page, but on the Meraki side I don't really understand how to authorize the user on the wifi or not.

I found the links below but I don't really understand them. Do you have any idea of how to achieve this?

 

Thx,

Johan

1 ACCEPTED SOLUTION

Actually I found a solution that works for us.

I created a click through web page that is stored on MS Azure service app and this app is protected by an authentication and only the users from my tenant have access to that app.

The result is the same as the one I wanted to achieve: a splash page that is accessible using Azure users' authentication.

The only point remaining is how to provide Meraki with the user name of the users so Meraki can store it in its database to know the link between the devices and the authenticated user...

21 REPLIES
PhilipDAth
Kind of a big deal

Hello,

From what I've seen in that document, it's talking of RADIUS / Active Directory authentication, not Azure Active Directory. Those two are not the same. The last one (the one I need) uses the OAuth protocol and can be seen as a third-party authentication authority (like Google).

 

regards,

jo

PhilipDAth
Kind of a big deal

You need to deploy a RADIUS server in Azure to make it work.


Sounds like a great idea.

I was looking at perhaps a landing page that has a nice splash page, asks for an email, then redirects you to Azure SSO for authorization. I found these examples:

 

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scen...

 

https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-roleclaims/

 

https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims

 

Has anyone else done this?

 

Palo Alto has a marketplace app that integrates into Azure. Meraki, this would be an awesome addition:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-paloaltonetworks-capti...

Actually, I can easily retrieve the userID of the connected user from my splash page using Microsoft Graph (https://developer.microsoft.com/en-us/graph/graph-explorer ); it's not the real problem.

The problem is providing this information to Meraki so it can be associated with the connected client.

Using "authenticated user splash page" is not an option since Meraki will wait for a RADIUS command to Refuse or Accept the authentication. In my case I don't have a RADIUS server, so I don't have any way to provide Meraki with a userID for them to store it.

I think for this to work, Meraki needs to natively support OAuth with Azure AD (as they are already doing with Google).
We've developed a click-thru webapp that uses the Graph API to seamlessly log the user in (SSO to O365), authorize them on the Meraki, and then redirect the user to their original page.

By setting the duration of the authorization in the Meraki dashboard you can have it re-authorize every 90 days, for example, or revoke the authorization manually.

If there is enough interest, we'll polish the solution up and provide it as either source code or a possible service. Let me know. Thanks!

 

-Ingram

Hello,

 

It sounds very interesting... I would indeed be very interested in the source code.

By hosting this page on the Meraki servers, are you able to pass the connected users' information to Meraki for logging purposes?

 

Regards,

Johan

> are you able to pass the connected users' information to Meraki for logging purposes?

We have all the user information from the O365 profile available to pass to Meraki, but the Meraki EXCAP API doesn't have a mechanism to input it.

It does register the login as it would on Ethernet, with the computer's machine name.

Hello,
Would it be possible to have your code? I'm very keen to learn about it.

Regards,
jo

I'm in a cloud-only environment project and very interested in your solution. Would you share your solution?

 

Thanks

-teemu

Hi, would you be willing to show us the code on how you did this?

We are looking for a solution to use 365/AzureAD to authenticate our users for access to the wifi without something like RADIUS.

It would be greatly appreciated,

 

Regards Mark

Hello,

 

I unfortunately don't have code for you, but I can explain the steps. The principle is the following: create a "click-through" splash page that is stored on a Microsoft Azure web app and that is protected by an authentication access.

The steps are:

- Access Control:
  * In your SSID, you need to choose a "click-through" splash page.
  * In the walled garden, you need to define all Microsoft (O365) connection links.

- In the splash page section:
  * You need to define a "Custom splash URL" that corresponds to your Microsoft Azure web app hosting your splash page.

I hope this is clear. Let me know if it's not.
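Added example, not code from Ingram's app or from anyone in this thread, of the server-side step Ingram and Johan describe: after the Azure AD sign-in completes, the splash web app records which user was behind the client (the link the EXCAP API cannot hand to Meraki) and sends the browser on to Meraki's grant URL. It assumes the query parameters Meraki appends to a custom click-through splash URL (base_grant_url, user_continue_url, client_mac, node_mac) and the grant URL's continue_url parameter, as in Meraki's EXCAP documentation; the hostnames, AUDIT_LOG and function names are constructed here.

```python
# Added example (not code from this thread): handle Meraki's click-through EXCAP
# redirect once the splash web app has authenticated the user with Azure AD.
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Meraki cannot be told who the user is, so the splash app keeps the link itself.
AUDIT_LOG = []

# Constructed sample of the redirect Meraki issues to the custom splash URL
# (parameter names per Meraki's EXCAP documentation; hosts are placeholders).
SAMPLE_REDIRECT = (
    "https://splash.contoso.example/?"
    "base_grant_url=https%3A%2F%2Fn1.network-auth.example%2Fsplash%2Fgrant"
    "&user_continue_url=https%3A%2F%2Fwww.example.com%2F"
    "&client_mac=AA%3ABB%3ACC%3A00%3A11%3A22&node_mac=00%3A18%3A0a%3A00%3A00%3A01"
)


def parse_excap_params(splash_url):
    """Return the EXCAP parameters from the redirect, rejecting malformed ones."""
    q = parse_qs(urlsplit(splash_url).query)
    params = {k: q[k][0] for k in ("base_grant_url", "user_continue_url",
                                   "client_mac", "node_mac") if k in q}
    missing = {"base_grant_url", "client_mac"} - set(params)
    if missing:
        raise ValueError(f"missing EXCAP parameters: {sorted(missing)}")
    params["client_mac"] = params["client_mac"].lower()
    if not MAC_RE.match(params["client_mac"]):
        raise ValueError("client_mac is not a MAC address")
    return params


def grant_after_sso(params, upn):
    """Record which Azure AD user (UPN) sat behind client_mac, then build the grant URL."""
    # upn is the identity the web app obtained from Azure AD / Microsoft Graph;
    # an empty value means sign-in did not complete, so nothing is granted.
    if not upn:
        raise PermissionError("no authenticated Azure AD user; not granting access")
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "client_mac": params["client_mac"],
        "node_mac": params.get("node_mac"),
        "upn": upn,
    })
    query = {"continue_url": params.get("user_continue_url", "https://www.example.com/")}
    return f"{params['base_grant_url']}?{urlencode(query)}"
```

The AUDIT_LOG entries (or a database equivalent) are the only record of the device-to-user link, since the thread notes Meraki's EXCAP API has no field to receive it.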

webbexpert
Conversationalist

> * In the walled garden, you need to define all Microsoft (O365) connection links.

This is where we are stuck. In order to push the user to Azure AD to sign in, the walled garden needs to allow requests to the Azure IDP. These are seemingly random IP addresses that are geo-distributed. Is there a way to whitelist by domain name to Azure AD's IDP? This would simplify having to keep tabs on the ever-changing IP address list from Azure.

Unstuck! It appears that under the walled garden ranges, it also supports domains and wildcards. This should allow us to proceed with creating an application that challenges the user but allows access to the Azure IDP. Thanks for the outline above! Helpful!

I realize this post is a bit old now, but would you (or anybody that has this working) be able to share what domains you put in your "Walled Garden" to get Azure AD Sign On working? We're implementing an SM Sentry SSID that we want to use Azure AD sign-on to enroll our users' devices, and we get to the point in the enrollment process where the Meraki page says "Login with Azure AD", but when we click that and we're redirected to the URIs we set up in our Azure AD integration, we just get a white screen. Right now my walled garden is permitting:

*.microsoft.com

*.microsoftonline.com

*.live.com

 

If I connect to another network (or if I put a wildcard permit all in the walled garden) it works fine, but locking it down to these 3 above doesn't seem to work so I am missing *something* here.

Disregard.  After playing around with this and using Chrome Developer tools I was able to determine that the following domains need to be whitelisted in our Walled Garden config for the SSID in order to permit enrollment authentication using Azure AD:

 

*.msauth.net
*.msftauth.net
*.microsoftazuread-sso.com
*.microsoftonline.com
*.login.microsoftonline.com
*.microsoft.com

We want to do the same. Would you be willing to share your source code?

danderson
Conversationalist

is there a more detailed explanation of this solution?  would love to get this working

Mathis
Here to help

Hello,

 

For the future users reading this, the solution (click splash with custom link) is not secure at all.

 

cf: https://community.meraki.com/t5/Wireless-LAN/Splash-page-vulnerability-when-hosting-a-custom-one/m-p...

 

You can bypass the page with a simple link.

 

Thanks.
