Sponsored Guest - returning users auth problem

SOLVED
rajeevm
Comes here often

Sponsored Guest - returning users auth problem

Hello Meraki Community,

      We have been using Sponsored Guest login for quite few weeks and it's pretty cool feature. Received a good feedback from users on the ease of requesting Access. Besides all these I have noticed 2 issues -

 

1. No reporting available. It would be nice if we could see the user's name on the "Clients" page. Also get full details of the requester (name and email) in the approval email.

 

2. I noticed that - If I am a returning user and presented the same name and email address, I am not being presented with a page where we put in approver's email address. I am getting full WIFI access without approval. Admin has no idea that the user is on the network, since there is no approval email. The scary thing is when I check on the client details, it says approved by xxx (since approved by xxx the last time) even though there is no approval.I see this as some security issue (What if the user is terminated | What if the user has to be kept out)

  Have anybody seen this behavior ? Is this normal or is there a way to change this ? What i would like to see is - even though they are returning users, an approver will have to approve their request to gain access to network. 

 

Thanks

1 ACCEPTED SOLUTION
Shane3
Meraki Employee

Hi everyone, 

 

1. The user field is solely for the user ID info pulled from AD when active directory integration is present. The other visibility things mentioned here are good points and ripe for a feature request (make a wish) (-: 

 

2. It is expected behavior that the user can reconnect with the same "credentials" on the splash page within the time duration allotted without another email being sent to the admin. One can imagine the situations where that would be useful. 

 

2.5. If the user can reconnect with the same "credentials" outside of the sponsorship duration, without an auth email being sent to admin, please open a support case. This is not expected behavior. 

 

You can reference the below article for point #2: 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest

If you found my post useful, please give it some kudos.

View solution in original post

5 REPLIES 5
jdsilva
Kind of a big deal

For 1, if you add the "user" column to the page that doesn't show the username?

 

image.png

 

For 2, are you saying the setting for duration is not working?

 

image.png

image.png

 

If that's the case it sounds like a bug.

rajeevm
Comes here often

Dsilva thank you for your response. Hopefully I make clear this time.

 

Here is what happens when user wants to connect to wifi - 

  • User connects to SSID
  • User is presented with spalsh page asking Name and Email address and hit ENTER
  • User is then presented with another page asking for Approvers Email (Admin) and accept "terms&conditions"
  • Approver(Admin) gets an email saying "user is requesting wifi access and press the link below to approve access", Once the admin clicks the link the user has wifi access. 

 

Since there is no username involved in the authentication method the "user" field you mentioned has no information in it.

 

For #2  -

  • When the sponsorship duration ends and the user wants to reconnect to WIFI (returning user) , the 3rd step I mentioned above is not happening and more over the user is getting wifi access. 
  • So once the returning user got access, I checked his device on clients tab and saw that the device got authorized by "Admin", which is not true since the 3rd step didn't happen. So my understanding is that Meraki is seeing the returning user and giving him pre-approval since the user was approved last time by "Admin".
    meraki.png

I'm with @jdsilva . That sounds like a bug. That is specifically what the sponsorship duration is there for.

Shane3
Meraki Employee

Hi everyone, 

 

1. The user field is solely for the user ID info pulled from AD when active directory integration is present. The other visibility things mentioned here are good points and ripe for a feature request (make a wish) (-: 

 

2. It is expected behavior that the user can reconnect with the same "credentials" on the splash page within the time duration allotted without another email being sent to the admin. One can imagine the situations where that would be useful. 

 

2.5. If the user can reconnect with the same "credentials" outside of the sponsorship duration, without an auth email being sent to admin, please open a support case. This is not expected behavior. 

 

You can reference the below article for point #2: 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest

If you found my post useful, please give it some kudos.
rajeevm
Comes here often

Sorry..late to reply on this but want to give update on this. 

 

Thanks everyone for giving your inputs.  @Shane3  you are right on point#2.5, that's exactly what was happening.  However the problem got resolved on it's own. Don't know how. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels