Meraki click-through EXCAP - complete form workaround

LaBaguette
New here

Hello Meraki peeps,

I have an issue with the click-through captive portal.

I wanted to set up a page where I can ask the user to enter a voucher code.

This code is generated on my web-server in a small voucher management system.

Once the user inserts this code and submits the form, the DB is checked for the voucher's validity and the user/client is then authenticated on the AP, granting network/internet access.

 

This works beautifully, BUT I've just found out that you can completely bypass the form by editing the url a bit.

Here is how:


- Once connected to the AP, the following appears in the browser URL:
http://myexcapwebsite.com/voucher.php?base_grant_url=https%3A%2F%2FnXXX.network-auth.com%2Fsplash%2Fgrant&user_continue_url=http%3A%2F%2Fgoogle.com%2F&node_mac=00:18:0a:xx:xx:xx&client_ip=10.128.128.120&client_mac=xx:xx:xx:xx:xx:xx

- Here is where the voucher form appears.

- And now here's the magic: by modifying the base_grant_url and decoding the special chars, we get the following URL:
https://nXXX.network-auth.com/splash/grant?continue_url=http://google.com

- Entering this (using the XXX written in the real URL) into the URL bar will grant you immediate access, no password, voucher or form input needed!

 

Has anyone ever come across this issue? I looked into using sign-on, but none of the options are as flexible as I need them to be. I've already started developing my voucher management system.

 

I'm losing my mind over this, please help!

2 REPLIES
HodyCrouch
Building a reputation

I think Sign-on Splash is going to be your best solution. You can configure Sign-on Splash to use your RADIUS server for authentication.

This approach provides the same level of flexibility as click-through splash and you can do whatever voucher validation you want. You then send the user to the login URL with pre-filled username/password. These values can be one-time use, if you need.

Meraki then sends an access-request to your RADIUS server, so you can confirm that the login is valid.
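
One way to structure the one-time username/password described in this answer, as an added example that is not part of the thread and not Meraki code: the portal burns the voucher and mints a short-lived login, and the RADIUS backend accepts that login exactly once. The table layout, function names, the 120-second lifetime and the assumption that the RADIUS side sees the password in clear are all assumptions; Python is used here rather than the poster's PHP.

```python
import hashlib, hmac, secrets, sqlite3, time

TTL = 120  # seconds a minted login stays valid (assumed value)

def open_db():
    """In-memory store shared by the portal and the RADIUS check (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vouchers(code TEXT PRIMARY KEY, used INTEGER DEFAULT 0)")
    db.execute("CREATE TABLE logins(username TEXT PRIMARY KEY, pw_hash TEXT,"
               " expires REAL, used INTEGER DEFAULT 0)")
    db.execute("INSERT INTO vouchers(code) VALUES ('DEMO-1234')")  # constructed sample
    return db

def _h(pw):
    # Only a hash of the random one-time password is stored.
    return hashlib.sha256(pw.encode()).hexdigest()

def redeem_voucher(db, code, now=None):
    """Portal side: burn the voucher, return one-time (username, password) or None."""
    now = time.time() if now is None else now
    with db:
        # Conditional UPDATE makes redemption atomic: a second attempt changes 0 rows.
        cur = db.execute("UPDATE vouchers SET used=1 WHERE code=? AND used=0", (code,))
        if cur.rowcount != 1:
            return None
        user, pw = "v-" + secrets.token_hex(8), secrets.token_urlsafe(24)
        db.execute("INSERT INTO logins(username, pw_hash, expires) VALUES (?,?,?)",
                   (user, _h(pw), now + TTL))
    return user, pw

def radius_check(db, username, password, now=None):
    """RADIUS side: True means accept the access-request, False means reject it."""
    now = time.time() if now is None else now
    row = db.execute("SELECT pw_hash FROM logins WHERE username=?",
                     (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], _h(password)):
        return False
    with db:
        # Accept only if unused and unexpired; marking it used blocks replay.
        cur = db.execute("UPDATE logins SET used=1 WHERE username=? AND used=0"
                         " AND expires>=?", (username, now))
    return cur.rowcount == 1
```

The access decision is made in `radius_check`, server to server, so nothing the client can see or edit in its browser URL grants access on its own.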

Hmm, that would work, but my issue is the RADIUS server in this case.

In my situation I can't simply add one to the server where I'm running my external captive portal.

I'll have to get a different server that does only that.

I just wish I could do the sign-on using PHP.

 

 
