We're testing out the following:
Association requirements: MAC-based access control
Splash page: Cisco Identity Services Engine (ISE) Authentication
We run a cloud RADIUS server which acts as the ISE in terms of the RADIUS handling.
So the flow currently works like this:
Client associates to SSID
Local AP sends Access-Request to configured RADIUS cloud server IP
Our RADIUS replies with an Access-Accept and a Cisco-AVPair redirect url
Client is redirected to our splash page URL and registers etc
All good up until this point, but the problem is that to get the user online, we have to send a CoA request back to the local AP from our cloud RADIUS. Whilst we can open the firewall and perform a port forward to the AP, this only works if there is a single AP. More than one AP, and the solution falls over because you can't externally access all the different AP's using a single port forward.
Why can't Meraki allow the RADIUS proxy option to work with this setup? For true captive portal authentications we can send a CoA back to the Meraki cloud which in turn authenticates the user on the local AP. But for ISE, it disables the RADIUS proxy option.
Not everyone runs a local RADIUS server!
Does anyone know an alternative way of achieving MAC authentication AND external captive portal fall-back?