MAC authentication with Captive Portal for Registration

Solved
Lonestarr_12345
New here

MAC authentication with Captive Portal for Registration

I am working on seeing if we can transition from our existing Aruba environment to Meraki for wireless only.  This would be a gradual transition, so Meraki would have to work seamlessly the same as the existing Aruba network.  So while "You could do it this way" replies are appreciated, they're not really going to be useful for me.

 

We have a network which allows users to connect their streaming devices via MAC authentication.  Currently, if a device is not registered in ClearPass, it sends an access-reject and they are connected to a captive portal in a walled garden, which allows them to enter their student information and device MAC but does not allow connection to anything else.  Once they register their device, that device connects to the same SSID via MAC authentication and they are good to go.  Essentially it works like this:  A student connects their phone/tablet/laptop to SSID "Stream" and registers their student info and FireStick MAC into ClearPass, then they get off that SSID.  Then they connect their FireStick to SSID "Stream", it MAC authenticates with no further interaction from the student, and they are watching TV.

 

The closest I've been able to figure out with Meraki is directing the Splash page to the registration URL, but once ClearPass sends the access-reject they are never connected.  If a device IS registered and ClearPass sends an access-allow, then Meraki directs them to the Splash page (which is not how we want it to work).  I tried configuring the RADIUS Guest VLAN which sounds like it does what I am wanting, but either I'm not configuring it right or it's not working like I think it's supposed to.

6 Replies
Lonestarr_12345
New here

So I'm partway there.  I was able to get the RADIUS Guest VLAN to work by entering a different previously unused vlan which I can lock down later.  The remaining question now is, how can I (or can I at all) apply the splash page to that guest vlan?  Right now once I'm on the guest vlan it's just wide open, but I want it to take me to the splash page.

PhilipDAth
Kind of a big deal

You could look at passing a group policy once they are registered that bypasses the splash page.

 

Another area you could Google: when using Cisco ISE there is a mechanism where a redirect URL can be sent using CoA.  These are the instructions for setting this up with ISE.  If you can find the RADIUS attribute names you could use a similar approach.

https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_w...

 

PhilipDAth
Kind of a big deal

It looks like the attribute is called "url-redirect".

Lonestarr_12345
New here

I did try bypassing the splash page via group policy once they are registered, and that does work.

The issue I am having is I want that splash page displayed if they fail to register - that is, if the RADIUS server (in my case ClearPass, not ISE) sends an Access-Reject.  They then use that splash page to register their device, then connect their device to the SSID, it gets the Access-Accept, group policy bypasses the splash page, and they're online.  This is how it works on our Aruba Controller, I just don't know HOW or WHY it works that way and how to make Meraki do the same thing.

Purroy
Meraki Employee

I have not tried this so I am not telling you this will work.  But I think what you ought to do is send an Access-Accept with a URL redirect when a device MAC is not registered in your ClearPass so they can register it.

 

If it is registered then they just need to do an Access-Accept without the URL redirect.

 

However, if this is for dorms or similar I would also recommend you check out the WPN solution based on iPSK.  They can create those iPSK via API and a user portal.

I've accepted this as the solution, with a caveat*

 

I was actually thinking something along these lines last night before I saw your reply.  I ended up doing something similar, with the main configuration change being on the ClearPass side as your reply suggests.  Rather than simply checking against the MAC registration database and passing an accept or reject, I added an enforcement profile which states if the MAC is in the database to simply pass an access-accept, but if the MAC is not in the database then still pass the access-accept but with a user role of Onboarding-Logon.  I then created an Onboarding-Logon group policy in Meraki so I can lock down a device that gets on this way, so it can't just use it as free unauthenticated access to the network.

 

Unfortunately since this would be a mixed environment until all of our Aruba equipment reaches end of life, it has to operate the same for the end user, so WPN will not work for us (yet).

 

Thank you for the suggestion, this is just another reason I like Meraki better than Aruba!
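The decision logic the thread converges on (always Access-Accept, but hand an unregistered MAC the restricted Onboarding-Logon role and a portal redirect instead of an Access-Reject), as an added illustration that is not ClearPass or Meraki code. It assumes the role is carried in Filter-Id and the redirect as a Cisco-AVPair url-redirect, and the registration database and portal URL are constructed placeholders.

```python
import struct

# Constructed sample registration database (not from the thread):
# MACs stored normalized as 12 lowercase hex digits.
REGISTERED_MACS = {"aabbccddeeff", "001122334455"}

# Role name comes from the thread; portal URL is a placeholder.
ONBOARDING_ROLE = "Onboarding-Logon"
PORTAL_URL = "https://portal.example.edu/register"  # placeholder

FILTER_ID = 11         # RFC 2865 Filter-Id
VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific
CISCO_VENDOR = 9       # Cisco-AVPair is vendor 9, vendor-type 1 (assumed carrier for url-redirect)


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare hex.
    Lookups that skip this step are the usual reason a registered MAC
    still lands on the onboarding role."""
    hexdigits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits


def decide(raw_mac):
    """Enforcement policy from the thread: every lookup answers Access-Accept;
    unregistered MACs get the locked-down role plus the registration redirect."""
    mac = normalize_mac(raw_mac)
    if mac in REGISTERED_MACS:
        return {"code": "Access-Accept", "attributes": {}}
    return {"code": "Access-Accept",
            "attributes": {"Filter-Id": ONBOARDING_ROLE,
                           "Cisco-AVPair": f"url-redirect={PORTAL_URL}"}}


def encode_attributes(attrs):
    """Encode the reply attributes as RFC 2865 type/length/value bytes."""
    out = b""
    for name, value in attrs.items():
        data = value.encode()
        if name == "Filter-Id":
            out += struct.pack("!BB", FILTER_ID, 2 + len(data)) + data
        elif name == "Cisco-AVPair":
            # Vendor-Specific: type, length, vendor-id, then vendor-type/len/value
            vsa = struct.pack("!BB", 1, 2 + len(data)) + data
            out += struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vsa), CISCO_VENDOR) + vsa
    return out
```

The Meraki-side group policy named Onboarding-Logon is what actually confines the device; the RADIUS reply only selects it.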
