Direct access despite SMS authentication

SOLVED
Dominik
Here to help

Direct access despite SMS authentication

Hi all

 

We have a guest with the following settings:
- Network access: open
- Splashe page: Sign-on with SMS Authentication

We noticed that clients can log in without sms authentication even though it is enabled.
There is also no splash page. At the details of the client it is written:
Splash: Not authorized

Why does this suddenly stop working?

1 ACCEPTED SOLUTION

With Meraki Support we have found the solution.


There were 2 "problems".
1. the access point could not connect to the splash page servers. (185.17.255.128/25, 209.206.57.0/24, 209.206.58.0/24 on TCP 80 and TCP 443)
2. set "Access control" ->"Controller disconnection behavior" to "Restricted".

That solved our problem.

View solution in original post

9 REPLIES 9
Dominik
Here to help

Addition:
Even with another SSID with encryption and SMS authentication, there is no splash page and therefore no SMS authentication.

PhilipDAth
Kind of a big deal
Kind of a big deal

Make sure you set "Captive portal strength" to "Block all access until sign-on is complete".

 

Screenshot from 2018-04-06 07-24-15.png

Hi Philip
Thanks for your input. I have already set this option. I apologize for not having included this in my description.

I recall that there is an option for the setting of the splash page frequency, so quite possibly if the IP lease is long enough, a specific, previously authorised user does not have to re-authenticate if the DHCP lease is still valid.

 

I do recall a situation at a village pub where the guest network handed out long IP leases and the regulars would keep the same IP pretty well indefinitely. Which made for some interesting analysis, particularly when it came to unnoticed coincidences. The management were usually weeks ahead of the village gossips.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Thanks for your input!
I have created a new SSID with the following settings:

 

Network access Open
Splash page Billig
Captive portal strength Block all access until sign-on is complete

Splash frequency Every half hour

 

The client (new one) can still connect to this SSID and browsing to http and https sites.

For the test I was able to download an iso file (2GB) from a website without any problems.Client_SB011725.jpgClient_SB011725_traffic.jpg

And the DHCP lease duration  . . . 

 

In case the system still "sees" a validated user returning

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

We use bridge mode with VLAN tagging. The lease is 8 hours.
The client i uesed for the test was a new one and hasn't had a IP-adress.

looks like you eliminated that possibility
Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

With Meraki Support we have found the solution.


There were 2 "problems".
1. the access point could not connect to the splash page servers. (185.17.255.128/25, 209.206.57.0/24, 209.206.58.0/24 on TCP 80 and TCP 443)
2. set "Access control" ->"Controller disconnection behavior" to "Restricted".

That solved our problem.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels