Hi,
I am looking for help with integrating our external captive portal with Meraki Cloud controller.
Of course, I did some searching beforehand to see if anyone had already asked the same question and found a lot of responses, but all of them refer to the “Sign-on Splash” solution, which I think is not quite suitable for our case.
So, here is my scenario that I need to achieve.
Guest’s Flow
Administrator’s capabilities (from our backend side)
Thanks in advance for any help.
Yes, the splash page is the only option that you have.
Look at this article.
But this option has many inconsistencies with our scenario.
Like the redirect URL has only MAC and no VLAN, authentication is performed by POSTing a request to Meraki and requires the user/password of the Guest, while we want to talk to our backend and then interact with Meraki via the NB interface…
I cannot believe that Ruckus has all these capabilities, Aruba has them as well, but Meraki not?
First of all, this is not a vendor feature; dynamic VLAN is something sent by the RADIUS server via a RADIUS attribute. See the last link for the attributes supported for Splash Page with RADIUS authentication.
There is an example.
FreeRadius Integration with OpenLDAP and Dynamic Vlan Assignment with Meraki (CentOS v7)
One more thing: for Splash page with custom RADIUS, the Meraki cloud must be able to communicate with your RADIUS servers via the Internet.
Oh, that's not a problem. We already do such integration with other vendors and they are talking to us via internet.
I just noticed that the Radius Override is only possible using 802.1x (WPA2 enterprise)
Theoretically we do not need to override VLAN. We just need to assign VLAN to SSID during the configuration process, and then simply receive that info during the authentication...
I presume we can encode that info in the NAS-Identifier field and parse it on our RADIUS side. It should be fine.
The only issue is that we need to receive the VLAN info also in the Login Page (and then pass it to our backend), but I presume I can include it as well as part of the base URL, so each SSID will have a unique Captive portal URL (I hope we can do it per SSID).
The only problem that I see so far is how our backend can talk back to Meraki to let it know that the user completed the authentication process on our side and ask Meraki to talk to our RADIUS server again to re-authenticate the user without posting any data to Meraki from the Login page.
I see some info about the "splashAuthorizationStatus" API. Is this something that I can use to do that?
Sorry buddy, I'm not a developer so I don't have that information.
oh, np, all good, I probably need to get the real device and play with the config to see what I can and cannot do.
but anyways, thanks 🙂
But if I understand correctly the "RADIUS Authentication with a Sign-On Splash Page" option cannot use external Login page? Am I right?
Yes, you can.
Oh, then that's good. Unfortunately I do not have access to Meraki HW right now and cannot experiment with it, this is just my initial research regarding how we are going to connect it (if we can),
and in the docs I do not see examples of how to configure an external login page in "RADIUS Authentication with a Sign-On Splash Page" mode and how to talk back to Meraki to force the re-authentication process after the user posts the data to our backend, so this is why I am asking silly questions...
And also check this one.