We recently implemented "Sponsored Guest" splash page. I have noticed some users mobile phones have data usage though they are not authorized. I tried it myself and was able to connect to the network but not go through the portal and it will allow some app usage to pull data as long as it's not through the browser. Any thoughts on how to cut this off?
Here are my access control settings:
Association Requirements - Open
Splash Page - Sponsored Guest Login
Email Domains - Our corporate domain
Duration - 1 day
NAC - Disabled
Group Policies - Disabled
Captive Portal Strength - Block all access until sign-on is complete
Walled Garden is enabled
Walled Garden ranges - Our DHCP/DNS server
Controller Disconnection Behavior - REstricted
IP Assignment - Bridge mode
VLAN tagging - On - Use a vlan that is segmented to only allow Inet traffic and no access to internal networks other than dhcp.
Content filtering - Off
Bonjour off
Solved! Go to Solution.
Are you sure the phone hasn't failed over to 4G?
How do you know the apps are able to pull data? I think I would do a packet capture on the AP of the client to confirm this.
Set this option under the SSID settings.
Thanks for the quick reply. It is already set.
Are you sure the phone hasn't failed over to 4G?
How do you know the apps are able to pull data? I think I would do a packet capture on the AP of the client to confirm this.
Ok, so a packet capture on myself shows outbound traffic captured but nothing is coming back inbound. I guess the usage showing in the Meraki dashboard under clients > show detail while "not authorized" would be previous days usage though they are not authorized for today. I think it was a view issue on my part since the portal lasts for 24 hours and I had client usage view set to 1 week. I thought it odd but didn't have a chance to chase it down. Thanks for the direction!
Hi @zrunner626
I have not seen any of our clients wireless network with this behavior.
As @PhilipDAth suggested "Block all access until sign-on is complete" should do the job.
A piece of information from the below url says
Once a device is authorized this method will not ask for authentication again for the permitted duration.
May be your devices are already authorized. Could you verify this please?
https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest
If a user disconnects and reconnects within the approved time, the device will automatically get internet access. If the user reconnects to the SSID after the approval period is expired the whole process will be repeated again. This function is currently limited to a maximum of 1 day (24 hours) per authorization.
Note: Devices that have been authenticated for a specified duration cannot have their authentication manually revoked, and admins will have to wait for the authorized duration to end for access to expire. Devices are authorized by user accounts, and authorization applies to any device using the approved credentials.