Meraki

Community

Direct access despite SMS authentication

Solved
Dominik
Here to help
‎Apr 5 2018 5:40 AM
‎Apr 5 2018 5:40 AM

Direct access despite SMS authentication

Hi all

 

We have a guest with the following settings:
- Network access: open
- Splashe page: Sign-on with SMS Authentication

We noticed that clients can log in without sms authentication even though it is enabled.
There is also no splash page. At the details of the client it is written:
Splash: Not authorized

Why does this suddenly stop working?

0 Kudos
1 Accepted Solution
In response to Uberseehandel
Dominik
Here to help
‎Apr 12 2018 4:40 AM
‎Apr 12 2018 4:40 AM

With Meraki Support we have found the solution.


There were 2 "problems".
1. the access point could not connect to the splash page servers. (185.17.255.128/25, 209.206.57.0/24, 209.206.58.0/24 on TCP 80 and TCP 443)
2. set "Access control" ->"Controller disconnection behavior" to "Restricted".

That solved our problem.

View solution in original post

0 Kudos
9 Replies 9
Dominik
Here to help
‎Apr 5 2018 5:53 AM
‎Apr 5 2018 5:53 AM

Addition:
Even with another SSID with encryption and SMS authentication, there is no splash page and therefore no SMS authentication.

0 Kudos
In response to Dominik
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 5 2018 12:24 PM
‎Apr 5 2018 12:24 PM

Make sure you set "Captive portal strength" to "Block all access until sign-on is complete".

 

Screenshot from 2018-04-06 07-24-15.png

0 Kudos
In response to PhilipDAth
Dominik
Here to help
‎Apr 5 2018 11:42 PM
‎Apr 5 2018 11:42 PM

Hi Philip
Thanks for your input. I have already set this option. I apologize for not having included this in my description.

0 Kudos
In response to Dominik
Uberseehandel
Kind of a big deal
‎Apr 6 2018 12:02 AM
‎Apr 6 2018 12:02 AM

I recall that there is an option for the setting of the splash page frequency, so quite possibly if the IP lease is long enough, a specific, previously authorised user does not have to re-authenticate if the DHCP lease is still valid.

 

I do recall a situation at a village pub where the guest network handed out long IP leases and the regulars would keep the same IP pretty well indefinitely. Which made for some interesting analysis, particularly when it came to unnoticed coincidences. The management were usually weeks ahead of the village gossips.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
In response to Uberseehandel
Dominik
Here to help
‎Apr 6 2018 12:55 AM
‎Apr 6 2018 12:55 AM

Thanks for your input!
I have created a new SSID with the following settings:

 

Network access Open
Splash page Billig
Captive portal strength Block all access until sign-on is complete

Splash frequency Every half hour

 

The client (new one) can still connect to this SSID and browsing to http and https sites.

For the test I was able to download an iso file (2GB) from a website without any problems.Client_SB011725.jpgClient_SB011725_traffic.jpg

0 Kudos
In response to Dominik
Uberseehandel
Kind of a big deal
‎Apr 6 2018 1:20 AM
‎Apr 6 2018 1:20 AM

And the DHCP lease duration  . . . 

 

In case the system still "sees" a validated user returning

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
In response to Uberseehandel
Dominik
Here to help
‎Apr 6 2018 1:31 AM
‎Apr 6 2018 1:31 AM

We use bridge mode with VLAN tagging. The lease is 8 hours.
The client i uesed for the test was a new one and hasn't had a IP-adress.

0 Kudos
In response to Dominik
Uberseehandel
Kind of a big deal
‎Apr 6 2018 1:33 AM
‎Apr 6 2018 1:33 AM

looks like you eliminated that possibility
Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
In response to Uberseehandel
Dominik
Here to help
‎Apr 12 2018 4:40 AM
‎Apr 12 2018 4:40 AM

With Meraki Support we have found the solution.


There were 2 "problems".
1. the access point could not connect to the splash page servers. (185.17.255.128/25, 209.206.57.0/24, 209.206.58.0/24 on TCP 80 and TCP 443)
2. set "Access control" ->"Controller disconnection behavior" to "Restricted".

That solved our problem.

0 Kudos
li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.