Meraki Sponsored Guest Access - Auth not working (it lets everyone in with no sponsor approval)

Solved
VT-Freddy
Conversationalist

Meraki Sponsored Guest Access - Auth not working (it lets everyone in with no sponsor approval)

We configured Sponsored Guest access on a guess ssid and it works - great - but it just lets everyone on in spite of the fact that the sponsor has not yet approved the access.  The emails between requestor and sponsor seem to be working, but when the sponsor clicks "Click here to approve access" the portal says "UserXYZ has already been approved" which is not true.  

 

Huh ?

1 Accepted Solution
AutomationDude
Building a reputation

Hey Freddy, did you check out this article?

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest

 

Goes into detail about the sponsored access.

 

Also check out this post as it might be helpful: 

 

https://community.meraki.com/t5/Wireless-LAN/Sponsored-Guest-returning-users-auth-problem/td-p/56013

 

If it isn't a returning user problem then it would make sense to open a support ticket

 

 

 

View solution in original post

5 Replies 5
AutomationDude
Building a reputation

Hey Freddy, did you check out this article?

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Sponsored_Guest

 

Goes into detail about the sponsored access.

 

Also check out this post as it might be helpful: 

 

https://community.meraki.com/t5/Wireless-LAN/Sponsored-Guest-returning-users-auth-problem/td-p/56013

 

If it isn't a returning user problem then it would make sense to open a support ticket

 

 

 

VT-Freddy
Conversationalist

Thanks to both for your replies.  Indeed good links and that other case was resolved by TAC in the end. 

 

@AutomationDude 

@Inderdeep 

VT-Freddy
Conversationalist

A Update to the accepted solution:

 

This was, in fact, fixed by a call to TAC.  In the end, it turns out that since we use Barracuda Mail Filtering with Cloud Protection Layer (CPL), the emails to the sponsor with the link to approve the requestor were being 'detonated' in the URL sandbox at the protection layer.  All inbound emails with these services actually explode any URL to inspect it to see if it is safe before passing the email to the recipient.  In effect, CPL was "clicking the approval link," seeing that it was an ok website, and then passing the email to the sponsor.  This, in effect, approved the access via the click.

 

Hope that save someone else some trouble. 

 

Mark

NewNothing
Conversationalist

Thank you, @VT-Freddy! We were experiencing the same issue. After adjusting our mail filter settings, it persisted. Continued on this path and found the issue was being caused by Microsoft security settings.

 

Tested the Meraki settings and isolated the problem to our internal mail by creating a copy of the SSID with an external email as the authorizing domain. For others finding this in a search, take a look at all of the filter/security/inspection systems that are touching your mail. 

 

Additionally, there is a Captive portal strength setting under Wireless > Access control > Splash page > Advanced splash settings to select a radio button to either Block all access until sign-on is complete or Allow non-HTTP traffic prior to sign-on.

PhilipDAth
Kind of a big deal
Kind of a big deal

If it says the user is already approved, then more than likely someone has approved them on a prior visit.

Get notified when there are additional replies to this discussion.