How to use both MAC based authentication *and* Click through/sign on at the same time?

jamesw
Getting noticed

In the UI, you can select:

Association: MAC-based access control

Splash page: Click through

It accepts this and all is okay (I know you can't use sign on with RADIUS and MAC-based access control together).

However, how does this work in practice?

I would expect that if the RADIUS server replies with an Access-Reject, the end user will then be redirected to the configured click through splash URL, and if Access-Accept, the end user will be straight online without any splash authentication required.

But, it seems to not work like this. If you do Access-Reject, it doesn't allow the device even to associate. If you do Access-Accept, the user is connected with no click through splash redirect and has full Internet. So, how do you actually get it to redirect someone to the splash page?

Thanks

J

ww
Kind of a big deal

You have to use the "radius guest vlan" on that page.

Or use the "radius override" so the RADIUS server can send the unknown client to a VLAN.

jamesw
Getting noticed

Thanks, can you elaborate any further?

Do we need to set up a new SSID in Meraki and use the same VLAN ID, or can it use the same SSID? What SSID should we configure the splash page settings/RADIUS for in case of the MAC authentication being rejected?

It seems a strange way of doing it...

Rodrigo_
Meraki Employee

Hi there, so if you receive an access reject in L2 auth (MAC based in this case), the authentication will fail and it will stop at that point.

  • If you have configured a guest VLAN, when the reject happens the client will be placed into the VLAN defined there, but no splash auth will be presented.

If you get an access accept then it will move forward to L3 authentication (captive portal), at least I think this will happen; I have not tested this in a while.

  • In order to bypass the portal you could apply a group policy on the accept for it to not show the splash portal.

From what I remember you cannot have right now a splash page if authentication fails as a backup method. I will dig into this and update soon.

jamesw
Getting noticed

Thanks Rodrigo. This is how most vendors work - if MAC authentication fails (Access-Reject), the user will be redirected to the captive portal page for authentication. If MAC authentication succeeds (Access-Accept) the user is straight online, no captive portal redirect.

I understand Meraki do it slightly differently, in that you must always send an Access-Accept else the client will not be able to even join the WLAN, but we still need some way to redirect them to the captive portal so they can register/login etc.

Rodrigo_
Meraki Employee

Yes, captive portal failover on WLCs I think.

We do not support that behavior yet; it is on our roadmap to do it that way, but not yet.

What can be done right now is the group policy to bypass the captive portal for the clients you desire, and keep the regular behavior (captive portal) for everything else.

You can create a rule on your RADIUS: if the MAC is found, accept and send the bypass group policy; if it is not on your list of valid MAC clients, accept and get to the captive portal without a group policy.

It is adding an attribute for the group policy result. Let me know if this helps.
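The rule Rodrigo describes, written out as RADIUS server decision logic, as an added example that is not part of this thread and not Meraki's or any RADIUS server's own code. It assumes the group policy name travels in the standard Filter-Id reply attribute (RFC 2865); the policy name "splash-bypass", the allow-list of MACs and the sample requests are constructed for the example, and the attribute and policy name must be checked against your own dashboard. The point it adds beyond the prose is the Meraki-specific shape of the rule: every well-formed MAC-auth request gets Access-Accept (a Reject stops association entirely, as the thread notes), and only the attribute differs. It also normalises the MAC, because access points send it in several formats, and refuses requests whose User-Name is not a MAC or disagrees with Calling-Station-Id, which is the kind of anomaly worth logging rather than silently accepting.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed allow-list of registered device MACs (sample data for this example only).
KNOWN_MACS = {
    "00:11:22:33:44:55",
    "66:77:88:99:aa:bb",
}

# Assumption: the reply attribute that carries the dashboard group policy name.
# Filter-Id is the standard RADIUS attribute (RFC 2865); the policy name is a
# placeholder and must match a group policy that exists in your dashboard.
GROUP_POLICY_ATTRIBUTE = "Filter-Id"
BYPASS_POLICY_NAME = "splash-bypass"

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise a MAC as an AP may send it (aa:bb:.., AA-BB-.., aabb.ccdd.eeff, bare hex).

    Returns the lowercase colon-separated form, or None if the value is not a 48-bit MAC.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class RadiusReply:
    code: str                                   # "Access-Accept" or "Access-Reject"
    attributes: Dict[str, str] = field(default_factory=dict)
    reason: str = ""                            # for the server log, never sent to the client


def mac_auth_policy(request: Dict[str, str], known_macs=KNOWN_MACS) -> RadiusReply:
    """Decide the reply for a MAC-based access control request.

    Thread rule: always Access-Accept, because a Reject stops the client from associating.
    Known MAC   -> Accept plus the group policy that bypasses the splash page.
    Unknown MAC -> plain Accept, so the client lands on the click-through splash page.
    """
    mac = normalize_mac(request.get("User-Name", ""))
    calling = request.get("Calling-Station-Id")
    if mac is None:
        # Not a MAC-auth request at all (or malformed): refuse rather than guess.
        return RadiusReply("Access-Reject", reason="User-Name is not a MAC address")
    if calling is not None and normalize_mac(calling) != mac:
        # In MAC-based auth both fields name the same station; a mismatch is worth logging.
        return RadiusReply("Access-Reject", reason="User-Name and Calling-Station-Id differ")
    if mac in known_macs:
        return RadiusReply("Access-Accept",
                           {GROUP_POLICY_ATTRIBUTE: BYPASS_POLICY_NAME},
                           reason="registered device, splash bypassed")
    return RadiusReply("Access-Accept", reason="unregistered device, splash required")


if __name__ == "__main__":
    # Constructed requests in the shapes an AP might send (sample data).
    for req in (
        {"User-Name": "00-11-22-33-44-55", "Calling-Station-Id": "00-11-22-33-44-55"},
        {"User-Name": "DEADBEEF0001", "Calling-Station-Id": "DE-AD-BE-EF-00-01"},
        {"User-Name": "alice"},
    ):
        reply = mac_auth_policy(req)
        print(req.get("User-Name"), "->", reply.code, reply.attributes, "|", reply.reason)
```

Running the block prints one decision per constructed request: the registered MAC gets Accept with the Filter-Id attribute, the unregistered one gets a bare Accept (and therefore the splash page), and the non-MAC User-Name is rejected. Mapping the same decision onto a real server is a matter of expressing the allow-list lookup and the conditional reply attribute in that server's policy language.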

jamesw
Getting noticed

So kind of got this working with the mac based control and click through, but unfortunately it doesn't send Accounting Interim packets (only Start and Stop) so that's not great for what we need. When using "Sign on with my RADIUS server" it does send Interim updates as it has for many years. Hmm...
