Splash Page AD Auth SSID AD Scoping Issue

bsantomauro
Comes here often

Splash Page AD Auth SSID AD Scoping Issue

Hello everyone. I am an IT Engineer who works for a school district that just put in Meraki Switching and is currently putting in the Wireless APs and MX Firewalls. I am trying to create a Splash Page Sign-On Wireless SSID that authenticates against my Active Directory Infrastructure. This SSID is a guest style network that is for the Staff to connect their personal devices. We do not want the students being able to connect to this. Students do have AD accounts. Setting up the SSID with the AD auth was easy but it’s the scoping I am having trouble with getting to work. For reference, I am following the official Meraki Documentation here (scoping part at the bottom). The AP’s we have are MR46’s.

 

Now after reviewing that documentation, I have denied the service account being used on this SSID read access to the OU’s where my student accounts are located. The OU structure looks like below:

 

Building OU -> Users OU -> Students OU (This is where I denied the service account access) -> Grad Year OU (this is where the actual accounts reside)

 

I made sure the security permissions apply to the Students OU object and all descendent objects. I have been able to confirm this account has no read access to the Students OU or anything under it by using the Sysinternals tool Active Directory Explorer. However, every time I test this, I am still able to connect as a student. I can connect as a staff account as well, but I don’t want the student accounts to be able to connect to this SSID. I have been scouring Google, Reddit, Meraki Community, etc. and I can’t figure out what I am doing wrong here. Based on everything I read, it should work the way I have it configured. Is there anyone who has set this up successfully who can offer some advice?

 

I ran out of time on Friday, so I couldn’t submit a ticket with Meraki. I am going to try to do that this week. I am also looking at trying to setup RADIUS via the Splash Page via this Meraki documentation, but it requires Firewall rules to allow the Cloud Controller to reach my RADIUS server via the Internet. I’d prefer not to poke holes in my Firewall if I don’t have to. On our current Wi-Fi setup, we do WPA2 Enterprise RADIUS with NPS Policies, but I like the splash page option more because it is more user friendly. It is device agnostic and doesn’t matter which device you connect from. This SSID has all kinds of devices connecting to it and they are all personal devices so MDM is not an option here.

 

I appreciate your time and help. Thank you.

6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal

If you are going to use splash page with your Radius server, it is a requirement that it be internet accessible.

Have you thought about using Slash access?

 

https://www.splashaccess.com/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
bsantomauro
Comes here often

Thank you for your response alemabrahao. I will definitely look into this but since it looks like its a paid option this would have to wait as it would have to be budgeted for the next school year. For now, I am trying to get it working with what Meraki offers natively.

PhilipDAth
Kind of a big deal
Kind of a big deal
bsantomauro
Comes here often

Thank you for your response Philip. I double checked and I do have that option set. Currently trying to do LDAP instead of AD but that doesn't seem to be working either.

bsantomauro
Comes here often

So I spoke with Meraki support and they helped me figure out the issue. Just wanted to post it here in case anyone else runs into this. The issue is that the deny permissions have to be on the OU that have the accounts directly under it. It is not able to read nested OUs properly. I removed the permissions from the Students OU and then placed them on the Grad Year OU directly and that made it work as expected.

ElliotFrench
New here

Thanks for sharing this solution! I ran into this problem too, when I was trying to set up my Meraki network. I didn't know what to do until I saw your post. You helped me a lot!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels