data usage bypassing sponsored guest

SOLVED
zrunner626
Conversationalist


We recently implemented a "Sponsored Guest" splash page. I have noticed some users' mobile phones have data usage though they are not authorized. I tried it myself and was able to connect to the network but not go through the portal, and it will allow some app usage to pull data as long as it's not through the browser. Any thoughts on how to cut this off?

 

Here are my access control settings:

 

Association Requirements - Open

Splash Page - Sponsored Guest Login

Email Domains - Our corporate domain

Duration - 1 day

NAC - Disabled

Group Policies - Disabled

Captive Portal Strength - Block all access until sign-on is complete

Walled Garden is enabled

Walled Garden ranges - Our DHCP/DNS server

Controller Disconnection Behavior - Restricted

IP Assignment - Bridge mode

VLAN tagging - On - Use a VLAN that is segmented to only allow Inet traffic and no access to internal networks other than DHCP.

Content filtering - Off

Bonjour off

PhilipDAth
Kind of a big deal

Set this option under the SSID settings.

 

1.PNG

Thanks for the quick reply.  It is already set.

Are you sure the phone hasn't failed over to 4G?

 

How do you know the apps are able to pull data?  I think I would do a packet capture on the AP of the client to confirm this.

Ok, so a packet capture on myself shows outbound traffic captured but nothing is coming back inbound. I guess the usage showing in the Meraki dashboard under clients > show detail while "not authorized" would be previous days usage though they are not authorized for today. I think it was a view issue on my part since the portal lasts for 24 hours and I had client usage view set to 1 week. I thought it odd but didn't have a chance to chase it down. Thanks for the direction!
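The check described in the reply above (outbound traffic captured, nothing coming back), as an added example that is not part of the original thread: it totals IPv4 bytes per direction for one client in a capture and ignores the walled-garden server. It assumes a classic little-endian pcap with Ethernet framing; all addresses and the sample capture are constructed.

```python
import ipaddress
import struct

def ipv4_frame(src, dst, payload_len):
    """Constructed Ethernet+IPv4 frame (zeroed MACs, zero checksum, proto 17)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def build_pcap(frames):
    """Wrap raw frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def direction_bytes(pcap, client, walled_garden=()):
    """Sum IPv4 bytes sent by / returned to `client`, skipping walled-garden peers."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    client = ipaddress.ip_address(client)
    garden = [ipaddress.ip_network(n) for n in walled_garden]
    totals = {"outbound": 0, "inbound": 0}
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (ARP, IPv6, truncated frame)
        total_len = struct.unpack_from("!H", frame, 16)[0]
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        peer = dst if src == client else src if dst == client else None
        if peer is None or any(peer in n for n in garden):
            continue  # other clients, or traffic the walled garden permits
        totals["outbound" if src == client else "inbound"] += total_len
    return totals

# Constructed capture: unauthorized client 10.20.0.57, DHCP/DNS server 10.20.0.2
SAMPLE = build_pcap([
    ipv4_frame("10.20.0.57", "10.20.0.2", 40),     # DNS query (walled garden)
    ipv4_frame("10.20.0.2", "10.20.0.57", 80),     # DNS answer (walled garden)
    ipv4_frame("10.20.0.57", "203.0.113.10", 100), # app traffic, no reply
    ipv4_frame("10.20.0.57", "198.51.100.7", 60),  # app traffic, no reply
    ipv4_frame("10.20.0.99", "203.0.113.10", 50),  # a different client
])

if __name__ == "__main__":
    print(direction_bytes(SAMPLE, "10.20.0.57", ["10.20.0.2/32"]))
```

An inbound total of zero outside the walled garden matches what the capture in the thread showed: the client keeps sending, but nothing is returned to it before sign-on.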

AjitKumar
Head in the Cloud

Hi @zrunner626 

 

I have not seen any of our clients' wireless networks with this behavior.

As @PhilipDAth suggested, "Block all access until sign-on is complete" should do the job.

 

A piece of information from the URL below says:

Once a device is authorized this method will not ask for authentication again for the permitted duration.

 

Maybe your devices are already authorized. Could you verify this please?

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest

 

If a user disconnects and reconnects within the approved time, the device will automatically get internet access. If the user reconnects to the SSID after the approval period is expired the whole process will be repeated again. This function is currently limited to a maximum of 1 day (24 hours) per authorization.

 

Note: Devices that have been authenticated for a specified duration cannot have their authentication manually revoked, and admins will have to wait for the authorized duration to end for access to expire. Devices are authorized by user accounts, and authorization applies to any device using the approved credentials. 

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network