Meraki AP for public access workstation in a Library

Corsani
Here to help

Hi, I am the IT manager of a public library. We have new public workstations with Windows 10 that we would like to integrate with our Meraki AP captive portal infrastructure.

The problem is: when a user closes his Windows session, that user is not disconnected from Cisco Meraki, and there is no "logoff URL" or anything like that. The next user will not be prompted to log in to the Cisco Meraki captive portal because the previous user is still linked to that workstation! And that is not good for privacy!

How can we manage it? It seems that Meraki does not provide a logoff option! I need to log off users as they close their Windows sessions.

We tried randomly changing the workstation MAC address (with a Windows 10 Wi-Fi tool), but it seems not to be enough.

Sorry for my poor English, I hope you can understand the problem.

Regards.

Corsani
Here to help

I forgot to say that we use our own RADIUS server to authenticate users and, at the moment, we use the Meraki standard splash page.

I also found this whitepaper that describes something interesting on pages 10 and 11, but something is not clear to me (the URLs and the auth code):

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf
BrechtSchamp
Kind of a big deal

Hmm, is your solution with the RADIUS server clearing the browser's cookies on log-off? The Meraki portal checks for the presence of a session cookie. If it is present, it skips the login prompt.

Corsani
Here to help

I clean all user data with a restore app. Everything is perfectly cleaned. No cookie problem.
SoCalRacer
Kind of a big deal

I would implement a logoff script on Windows. Possibly release the IP in that script or clear the browsing history. I think it would be best for the workstation to be in a kiosk mode, so that on logout it automatically does the things you need to disconnect properly.

Also, page 11 of the whitepaper does seem to show you the logout URL and how to get it. Not sure how unique that is; in the example I am guessing that is the example MAC, so if you know the MAC then you would be able to create a link. Use a logout script and a desktop shortcut to direct there. In general with these things users will forget or not do it because it isn't important to them; that is why I recommended forcing this action yourself with a logout script or kiosk mode that will allow you to perform a proper disconnection.

jdsilva
Kind of a big deal

I like @SoCalRacer's logoff script idea... But if I understand the problem correctly, what you need is to deauthorize the client from the Meraki network. If you created a logoff script that used the Meraki API to deauth itself, that might work?

This looks like the API endpoint you want:

https://api.meraki.com/api_docs#update-a-clients-splash-authorization

So as the person logs off, the machine would actually deauth itself from the Wi-Fi.

Corsani
Here to help

YES! That is what I need: the user will kill his own session by calling a URL. I saw the API but I can't understand where to find the data:

- [networkId] - is it the SSID? Or my network? Where do I find it? I think this should be fixed, so I can hard-code it into my logoff script;
- [clientId] - looking at the HTML of the deauthorize dashboard page I found a clientId like this: "radius_736338539075241100". Where can I find it on the user side?
BrechtSchamp
Kind of a big deal

networkId is the ID of your network as known by the API. You can find out the ID of your network by calling the getOrganizationNetworks endpoint. For that call you'll need your organizationId, which you can get by calling getOrganizations. Of course, you'll need to enable API access for your account first.

Perhaps you'll have to play around with the API a bit first if you're new to it. Try out this tutorial:

https://developer.cisco.com/meraki/build/meraki-postman-collection-getting-started/

The clientId is the MAC address of the client (unless you turned on track-by-IP, in which case it's the IP address). The clientId you found is something else.

Corsani
Here to help

Many thanks... I've got all the information I need. The problem seems to be my RADIUS auth method, because when trying to kill a user by MAC address I get this:

The simple client status:

curl -L -H "X-Cisco-Meraki-API-Key: my-key" -H "Content-Type: application/json" -X GET "https://api.meraki.com/api/v0/networks/my-network-id/clients/08:71:90:30:xx:yy"

Answer:

{"id":"kxxxxxx","mac":"08:71:90:30:xx:xx","ip":"10.89.54.xx","ip6":"","description":"DESKTOP-XXXXX","firstSeen":1578396644,"lastSeen":1578569384,"manufacturer":"Intel","os":"Windows 10","user":"user-id","vlan":"","ssid":"my-ssid","wirelessCapabilities":"802.11ac - 2.4 and 5 GHz","smInstalled":false,"recentDeviceMac":"e0:cb:bc:8b:4a:2f","clientVpnConnections":null,"lldp":null,"cdp":null,"status":"Offline"}

Then the splash authorization:

curl -L -H "X-Cisco-Meraki-API-Key: my-key" -H "Content-Type: application/json" -X GET "https://api.meraki.com/api/v0/networks/my_network-id/clients/08:71:90:30:xx:yy/splashAuthorizationSt..."

Answer:

{"ssids":{}}

No SSID? Why? So I asked the API which ID my-ssid has and got "0", and I am connected to it, but then, when I try to kill myself, I get:

curl -L -H "X-Cisco-Meraki-API-Key: my_key" -H "Content-Type: application/json" --data-raw "{\"ssids\": { \"0\": {\"isAuthorized\": false}}}" -X PUT "https://api.meraki.com/api/v0/networks/my_network_id/clients/08:71:90:30:xx:yy/splashAuthorizationSt..."

Answer:

{"errors":["SSIDs 0 do not have Click-through splash enabled. No changes were made."]}

What does it mean? Does "de-auth" work only on click-through splash? I have a RADIUS splash; in fact, if I try to de-auth a user from the dashboard by going into Wireless/Splash logins, selecting a user and clicking the de-auth button, the user can still use the network! I can't understand it.
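The flow the two posts above describe (getOrganizations, then getOrganizationNetworks to find the networkId, then GET and PUT on the client's splash authorization by MAC), written out as an added Python example. This is not code from the thread or from Cisco. It assumes the v0 endpoint name `splashAuthorizationStatus` for the path that is truncated in the curl commands above (the v1 API keeps the same name under /api/v1; check the API docs linked earlier), and it replaces api.meraki.com with a constructed fake transport so it runs offline and reproduces both the RADIUS refusal seen above and the click-through case in which the de-auth succeeds.

```python
"""Added example (not from the thread or from Cisco): find the Meraki networkId,
read a client's splash authorization by MAC, and try to de-authorize it, while
detecting the "Click-through splash only" refusal the thread ran into.

Endpoint paths are the v0 ones used in the thread; the fake transport is constructed data."""
import json
import re
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

BASE_URL = "https://api.meraki.com/api/v0"
CLICKTHROUGH_ONLY = "do not have Click-through splash enabled"   # substring of the error above

Response = Tuple[int, Any]                                  # (HTTP status, decoded JSON body)
Transport = Callable[[str, str, Optional[dict]], Response]  # (method, url, json body)


def normalize_mac(mac: str) -> str:
    """Meraki keys clients by lower-case, colon-separated MAC; Windows 'getmac' prints dashes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def http_transport(api_key: str) -> Transport:
    """Real transport: one JSON request carrying the X-Cisco-Meraki-API-Key header."""
    def send(method: str, url: str, body: Optional[dict]) -> Response:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:              # 4xx bodies carry {"errors": [...]}
            return err.code, json.loads(err.read() or b"null")
    return send


class MerakiSplash:
    def __init__(self, transport: Transport):
        self._send = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> Response:
        return self._send(method, BASE_URL + path, body)

    def find_network_id(self, network_name: str) -> Optional[str]:
        """getOrganizations -> getOrganizationNetworks, matched on the dashboard network name."""
        _, orgs = self._call("GET", "/organizations")
        for org in orgs:
            _, nets = self._call("GET", f"/organizations/{org['id']}/networks")
            for net in nets:
                if net.get("name") == network_name:
                    return net["id"]
        return None

    def splash_status(self, network_id: str, mac: str) -> Dict[str, Any]:
        """Per-SSID authorization map; {} means no click-through SSID tracks this client."""
        path = f"/networks/{network_id}/clients/{normalize_mac(mac)}/splashAuthorizationStatus"
        _, body = self._call("GET", path)
        return body.get("ssids", {})

    def deauthorize(self, network_id: str, mac: str, ssid_number: int) -> str:
        """Returns 'deauthorized', 'unsupported' (sign-on/RADIUS splash refuses the call) or 'error'."""
        path = f"/networks/{network_id}/clients/{normalize_mac(mac)}/splashAuthorizationStatus"
        payload = {"ssids": {str(ssid_number): {"isAuthorized": False}}}
        status, body = self._call("PUT", path, payload)
        errors = body.get("errors", []) if isinstance(body, dict) else []
        if any(CLICKTHROUGH_ONLY in e for e in errors):
            return "unsupported"
        if status != 200 or errors:
            return "error"
        return "deauthorized"


def fake_transport(click_through: bool) -> Transport:
    """Constructed offline stand-in for api.meraki.com, modelled on the replies quoted in the thread."""
    def send(method: str, url: str, body: Optional[dict]) -> Response:
        if url.endswith("/organizations"):
            return 200, [{"id": "100001", "name": "Library (constructed)"}]
        if url.endswith("/organizations/100001/networks"):
            return 200, [{"id": "N_1", "name": "Main Library"}]
        if url.endswith("/splashAuthorizationStatus"):
            if method == "GET":
                return 200, {"ssids": {"0": {"isAuthorized": True}} if click_through else {}}
            if click_through and body == {"ssids": {"0": {"isAuthorized": False}}}:
                return 200, {"ssids": {"0": {"isAuthorized": False}}}
            return 400, {"errors": ["SSIDs 0 do not have Click-through splash enabled. No changes were made."]}
        return 404, {"errors": ["unexpected request"]}
    return send


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:      # real run: <api-key> <network name> <client mac> <ssid number>
        api = MerakiSplash(http_transport(sys.argv[1]))
        net_id = api.find_network_id(sys.argv[2])
        print(api.deauthorize(net_id, sys.argv[3], int(sys.argv[4])))
    else:                       # offline demo: RADIUS splash (refused) then click-through (works)
        for mode in (False, True):
            api = MerakiSplash(fake_transport(mode))
            net_id = api.find_network_id("Main Library")
            print(mode, api.splash_status(net_id, "08-71-90-30-AA-BB"),
                  api.deauthorize(net_id, "08-71-90-30-AA-BB", 0))
```

Two practical points if this is wired to a logoff event: a script that calls the API from the public workstation needs the dashboard API key on that workstation, which any patron could read, so run it on a management host that the logoff script only signals (or use a key scoped to a read-only account plus a separate de-auth job). And, as the thread goes on to find, with sign-on (RADIUS) splash the PUT is refused with the "Click-through splash" error above, so the `"unsupported"` branch is the normal result in that configuration rather than a bug in the script.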

Corsani
Here to help

Ok, reading the documentation carefully, this self-kill API can be used only on click-through splash. Not RADIUS.

Solved with a logon script that changes the MAC address in the right way (a shell script, not the Windows tool) and forces the user to log in. It is not clean, but it works.

Many thanks to all.
Regards
jdsilva
Kind of a big deal


@Corsani wrote:
Ok, reading the documentation carefully, this self-kill API can be used only on click-through splash. Not RADIUS.

Ahh, I missed that part. Thanks for the feedback. Glad you got something working.

 

Corsani
Here to help

No cookie problem, because I clean the whole machine on logout by forcing a reboot/restore.

I agree with the logoff page consideration. Users don't mind and just close. I need to find a way to disconnect the user/device at logoff, but Meraki does not supply a URL or anything to call to force a user/device disconnect on the client side. That's crazy, because you can't use such a system on public workstations. We have some rooms that are not wired because we are an ancient library, so we need to go through Wi-Fi anyway.
SoCalRacer
Kind of a big deal

The API may work here, but something to consider: the API changes and, in all honesty, breaks at times. My trust level with that in this situation would be kind of low. You are looking for more of a set-it-and-forget-it solution. In that case I would use the logoff URL from the whitepaper to test. Then have a Windows logoff script visit that page, or do it on a scheduled interval (60 mins).
