Hello,
I'm opening this post to let you know about a flaw that has existed for some time in Meraki's custom splash page system.
First, for context, our need is to use a splash page hosted on our servers that queries a login system of our own and then authorizes or not the user with Meraki.
My system was working perfectly until I realized something quite crazy when I looked a little deeper into how Meraki works with authorization.
When a client connects, it is redirected to the splash page, and Meraki provides a "base_grant_url" which is simply used to validate the connection.
So when my system has validated that the user is authorized to connect, it redirects the user to the "base_grant_url" provided by meraki, and here he is in my network.
Except that this "base grant url" has no token, no system to protect the validation request, it's simply the following link: "https://nXX.network-auth.com/splash/grant" where the "XX" is simply your meraki sub-domain.
So, to sum up, a random user tries to connect to your network protected by custom splash page, enters the url "https://nXX.network-auth.com/splash/grant" in his browser and is connected to my network and authorized!
If we take a step back on the subject, meraki doesn't hide from it, on the official documentation for the custom splash page they even provide the url, except that because of this, it's impossible to make a custom splash page with an authentication system.
When I see all the companies with meraki that use splash page providers and are able to be bypassed with a simple link, and I see meraki's response is "We're aware of this and have no plans to change it", I feel like I'm dreaming.
I noticed that there had already been posts on the subject exactly 6 years ago, and that nothing has moved since...
I hope this post can potentially give me some ideas to get around this, or even get meraki to add a new type of authorization for its splash pages, who knows?
Thanks !
