Clarification on Walled Garden Behavior with Splash Access

MauroF
Building a reputation

Hi,

I've just created a Guest SSID and integrated it with Splash Access.

While testing the authentication using my @protonmail.com email address, I was able to log in successfully.

 

However, I'm wondering: how is it possible that I can reach the ProtonMail service, even though this domain is not listed in the Walled Garden settings suggested by Splash Access?

This raises a question: what is the actual role and behavior of the Walled Garden in this setup?

Thanks

M

MauroF
Building a reputation

I did set the Captive Portal Strength. Set this to Block all access until sign-on is complete

ww
Kind of a big deal

Did you access your email web service? Or just insert it as username?

 

If you can access websites prior to authentication, then you probably haven't set the Captive Portal Strength to Block all access until sign-on is complete.

 

MauroF
Building a reputation

When I connect to the Wi-Fi:

- the splash page of Splash Access pops up
- I type name, surname and email address
- then I check the email to click the link to get connected.

 

The question is: how can I reach protonmail.com if that site is not in the Walled Garden?

MauroF
Building a reputation

Capturew.PNG

 

JonoM
Meraki Employee

Hi @MauroF,

 

I would recommend we look at a packet capture taken from the client when you are logging in to see what kind of traffic it is sending. I am not sure if protonmail.com is in any way related to Proton VPN, but if it is then I have seen some interesting behaviour in the past.

 

In these situations, the application has crafted its packets to look like DNS on port 53. The walled garden setting blocks all access except for DHCP and DNS (as these are needed to be able to see the login page). I should note that I would only expect this if some kind of VPN was in use, and even then many VPN solutions don't behave this way. In any case, taking a packet capture would be a good first step to see what kind of traffic the AP is allowing through the walled garden 😊

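As an added illustration of the packet-capture suggestion above (not part of any reply in this thread, and not Meraki or Splash Access code): a small Python triage of UDP port 53 payloads that separates well-formed DNS queries from traffic that is merely using the port. It assumes the UDP payloads have already been extracted from the client capture; the thresholds, function names and sample payloads are constructed for the example.

```python
import struct

# Heuristic thresholds: assumptions for this sketch, tune them per network.
MAX_LABEL, MAX_QNAME = 40, 100

def parse_query(payload: bytes):
    """Return the query name if payload is a well-formed DNS query, else None."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount != 1:  # a response, or not exactly one question
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:  # root label ends the name; QTYPE and QCLASS must follow
            return ".".join(labels) if pos + 4 <= len(payload) else None
        if length > 63 or pos + length > len(payload):  # pointer or overrun
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None  # ran off the end without a terminating root label

def classify(payload: bytes) -> str:
    """Label one UDP/53 payload as not-dns, suspicious-dns or plain-dns."""
    qname = parse_query(payload)
    if qname is None:
        return "not-dns"
    if len(qname) > MAX_QNAME or any(len(l) > MAX_LABEL for l in qname.split(".")):
        return "suspicious-dns"
    return "plain-dns"

def build_query(name: str) -> bytes:
    """Build a constructed sample query (test data, not captured traffic)."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    body = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + body + b"\x00" + struct.pack("!2H", 1, 1)

# Constructed payloads standing in for what a client capture might contain.
SAMPLES = {
    "lookup": build_query("mail.example.com"),
    "long_labels": build_query("a" * 60 + "." + "b" * 60 + ".t.example.net"),
    "not_dns": b"GET / HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name}: {classify(payload)}")
```

Payloads labelled `not-dns` or `suspicious-dns` are the ones worth opening in the capture to see what the AP let through before sign-on.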
MauroF
Building a reputation

Thanks for your reply.
The real issue is: how can I allow a guest to authenticate via email if their mail provider is not included in the Walled Garden?

Is there a solution to grant the guest temporary full internet access, for example, for 5 minutes, so they can check their email, regardless of the provider (not just Gmail, Hotmail, etc.)?

 

Because right now I'm using ProtonMail as a reference, but it could also be John@whatever-mail.com

alemabrahao
Kind of a big deal

I don't know Splash Access in depth, but I believe that through Splash Access it must do some kind of bypass, thus allowing the domain.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

SplashAccess
Here to help

Hi, yes, you can set the option in the Dashboard for users to have 5 mins of guest access; then they are able to click the link in the email. Let me know if you need some support to set up. Cheers, Tim

Tim Ormrod