In the UI, you can select:
Association: MAC-based access control
Splash page: Click through
It accepts this and all is okay (I know you can't use sign on with RADIUS and MAC-based access control together)
However, how does this work in practice?
I would expect that if the RADIUS server replies with an Access-Reject, the end user will then be redirected to the configured click through splash URL, and if Access-Accept, the end user will be straight online without any splash authentication required.
But, it seems to not work like this. If you do Access-Reject, it doesn't allow the device even to associate. If you do Access-Accept, the user is connected with no click through splash redirect and has full Internet. So, how do you actually get it to redirect someone to the splash page?
You have to use the "radius guest vlan" on that page.
Or use the "radius override" so the RADIUS server can send the unknown client to a VLAN.
Thanks, can you elaborate any further?
Do we need to set up a new SSID in Meraki and use the same VLAN ID, or can it use the same SSID? What SSID should we configure the splash page settings/RADIUS for in case of the MAC authentication being rejected?
It seems a strange way of doing it...
Hi there, so if you receive an Access-Reject in L2 auth (MAC-based in this case), the authentication will fail and it will stop at that point.
If you get an Access-Accept then it will move forward to L3 authentication (captive portal), at least I think this will happen; I have not tested this in a while.
From what I remember, you cannot currently have a splash page as a backup method if authentication fails. I will dig into this and update soon.
Thanks Rodrigo. This is how most vendors work - if MAC authentication fails (Access-Reject), the user will be redirected to the captive portal page for authentication. If MAC authentication succeeds (Access-Accept) the user is straight online, no captive portal redirect.
I understand Meraki do it slightly differently, in that you must always send an Access-Accept else the client will not be able to even join the WLAN, but we still need some way to redirect them to the captive portal so they can register/login, etc.
Yes, captive portal failover on WLCs, I think.
We do not support that behavior yet, it is on our roadmap to do it that way but not yet.
What can be done right now is a group policy to bypass the captive portal for the clients you desire, and keep the regular behavior (captive portal) for everything else.
You can create a rule on your RADIUS server: if the MAC is found, accept and send the bypass group policy; if it is not in your list of valid client MACs, accept and let the client get to the captive portal without a group policy.
It is adding an attribute for the group policy result. Let me know if this helps.
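The RADIUS-side rule described above, written out as an added FreeRADIUS `users` file example that is not from this thread or from Meraki. It assumes Meraki sends the client MAC as both User-Name and User-Password (the exact MAC format is an assumption; match what the Access-Request in your RADIUS log shows), that the returned `Filter-Id` value names an existing Meraki group policy, the hypothetical policy name `Bypass-Captive-Portal`, and a Called-Station-Id ending in the SSID name.

```conf
# FreeRADIUS 3 "users" file (mods-config/files/authorize), example only.
# Entries are matched top to bottom; the first match wins unless
# Fall-Through = Yes is set, so known devices must come before DEFAULT.

# Known device: accept and return the Meraki group policy that bypasses
# the click-through splash page. "Bypass-Captive-Portal" is a hypothetical
# name; it must exactly match a group policy configured in the dashboard.
# The MAC format "aa-bb-cc-dd-ee-01" is an assumption; use the format seen
# in the Access-Request logged by the server.
"aa-bb-cc-dd-ee-01"  Cleartext-Password := "aa-bb-cc-dd-ee-01"
        Filter-Id = "Bypass-Captive-Portal",
        Reply-Message = "known device, splash bypassed"

"aa-bb-cc-dd-ee-02"  Cleartext-Password := "aa-bb-cc-dd-ee-02"
        Filter-Id = "Bypass-Captive-Portal"

# Unknown device on the guest SSID: accept so the client can associate,
# but return no group policy, so the click-through splash page still applies.
# The catch-all is scoped to that SSID so it never blanket-accepts requests
# from other NAS devices (Called-Station-Id ending in the SSID is an assumption).
DEFAULT  Called-Station-Id =~ ":Guest-WiFi$", Auth-Type := Accept
        Reply-Message = "unknown device, splash required"

# Requests for any other SSID or NAS fall through to normal processing.
```

With this ordering an unknown MAC is still accepted (so it can associate), and the only thing that differs between the two outcomes is the presence of the `Filter-Id` reply attribute.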
So kind of got this working with the mac based control and click through, but unfortunately it doesn't send Accounting Interim packets (only Start and Stop) so that's not great for what we need. When using "Sign on with my RADIUS server" it does send Interim updates as it has for many years. Hmm...