Hello guys,
We have a requirement wherein we are integrating Meraki with an app, so the login is going to happen via the app. Is there any way we can log in users via API so that the user doesn't have to put credentials or values into the captive portal, and the app server (and the middleware between the app server and Meraki) can trigger a login for the users on the fly? Authentication can be done via RADIUS or any other way by which this is possible.
All suggestions are welcome
regards
hey jdsilva,
Thanks for quick reply,
I am not aware of SAML, but prima facie it looks like something that will make users install some kind of certificate on their phones/laptops. Is that the case?
FYI, this is a public type of deployment, like a mall, and not a closed-environment kind of installation like in an office.
regards
MKS
Actually, sorry. SAML might not be the best answer for you. If you're building your own app that you want to interact with the dashboard you simply need to use an API key. Apps using an API key don't need to login.
hey jdsilva,
So the solution I am looking for is not for dashboard login but for wireless access for guest users in a public place.
regards
MKS
I'm sorry @MKS , I totally misunderstood your question.
I can't think of any way off the top of my head that you can log wifi users in using an app.
You can use the "Walled Garden" to allow traffic between your mobile application and a back-end system that you control prior to any type of login. Your application would authenticate the user using your back-end system, which would then use Meraki's API to either set the splash authorization for the client or apply a group policy. Note that obtaining the client mac address may be challenging with this approach.
You could also provide a special SSID for your application-based connections, use WPA2-Enterprise with RADIUS, and code your application to programmatically connect to the SSID. You would need a custom RADIUS server to authenticate your mobile app users correctly.
Generating a user-specific WiFi profile might be another viable option, although I haven't thought through all of the details.
@HodyCrouch Thanks for the reply
I understand the walled-garden approach for the app and external servers; we are doing this with other vendors right now. We are able to get the MAC ID of the device (Android/iPhone) via the app. I am not able to understand how to trigger authorization via splash from our backend without user input, as Meraki sends an attribute mauth which cannot be made again at our end. Or am I missing something?
Your second option is good, but right now the company is not interested in going that route. I had already suggested OSU and EAP-TLS based authentication, but the company is looking for app-based login, as they are interested in pushing ads and collecting user data on wifi for analytical purposes.
regards
MKS
You probably already know... Meraki supports both "Click-thru Splash" and "Login Splash" for captive portal. The click-thru doesn't include mauth and doesn't use RADIUS to verify the credentials. Login splash provides a destination URL to authorize the client.
With your mobile app and proper walled garden, you don't need to show the captive portal page at all.
Instead, have your back-end server call the appropriate Meraki Dashboard API.
PUT /networks/[id]/clients/[mac]/splashAuthorizationStatus
or
PUT /networks/[networkId]/clients/[mac]/policy
To use the second option, you would create a group policy that allows the client device to skip the captive portal page. With the first option, the authorization automatically expires. Group policies remain until you remove or change them.
@HodyCrouch Thanks a lot this helped
But I am stuck on
PUT /networks/[id]/clients/[mac]/splashAuthorizationStatus
I am trying it via Postman and getting this error:
{
"errors": [
"invalid SSIDs param"
]
}
my SSID details are :
{
"number": 0,
"name": "Network WiFi",
"enabled": true,
"splashPage": "Click-through splash page",
"ssidAdminAccessible": false,
"authMode": "open",
"ipAssignmentMode": "NAT mode",
"walledGardenEnabled": true,
"walledGardenRanges": "103.46.xx.xx/32",
"minBitrate": 11,
"bandSelection": "Dual band operation",
"perClientBandwidthLimitUp": 0,
"perClientBandwidthLimitDown": 0
},
While sending the PUT /networks/[id]/clients/[mac]/splashAuthorizationStatus request I am sending 2 parameters:
ssids: 0
isAuthorized: true
Can you assist with what may be wrong in this?
cheers
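The back-end side of the walled-garden flow HodyCrouch describes (the app authenticates to your own server, which then calls the splashAuthorizationStatus or policy endpoint for the client's MAC), written out as an added example; it is not code from this thread or from Meraki. The endpoint paths, the nested "ssids" request body and the "devicePolicy"/"groupPolicyId" fields follow Meraki's public Dashboard API documentation (v1 base URL and bearer-token header); the network id, group policy id, MAC and API key values are constructed placeholders, and the injectable `opener` exists only so the flow can be exercised without network access.

```python
"""Back end for the walled-garden flow: the mobile app authenticates against
our own server (reachable through the walled garden), and the server asks the
Meraki Dashboard API to authorize the client's MAC on the splash SSID.
Constructed example; endpoint paths and body shapes follow Meraki's public
API docs, everything else (ids, key, sample values) is assumed."""
import json
import re
import urllib.error
import urllib.request

MERAKI_API_BASE = "https://api.meraki.com/api/v1"   # public Dashboard API base URL


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated MAC. Apps report MACs with dashes, dots or
    no separators; the Dashboard API identifies the client by this value."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def splash_authorization_body(ssid_number: int, authorized: bool = True) -> dict:
    """Body for PUT /networks/{networkId}/clients/{clientId}/splashAuthorizationStatus.
    The SSID number is a key of the nested "ssids" object and each entry carries
    its own isAuthorized flag; a flat "ssids": 0 value is not the documented shape."""
    return {"ssids": {str(ssid_number): {"isAuthorized": authorized}}}


def group_policy_body(group_policy_id: str) -> dict:
    """Body for PUT /networks/{networkId}/clients/{clientId}/policy that assigns
    a group policy (which, unlike splash authorization, does not expire)."""
    return {"devicePolicy": "Group policy", "groupPolicyId": group_policy_id}


def build_request(api_key: str, path: str, body: dict) -> urllib.request.Request:
    """Authenticated PUT request. The API key stays on the back end; the
    mobile app only ever talks to our server, never to the Dashboard API."""
    return urllib.request.Request(
        MERAKI_API_BASE + path,
        data=json.dumps(body).encode(),
        method="PUT",
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def parse_api_errors(response_body: bytes) -> list:
    """Extract the "errors" list Meraki returns on 4xx responses, e.g.
    {"errors": ["invalid SSIDs param"]}; empty list when there is none."""
    try:
        payload = json.loads(response_body)
    except ValueError:
        return [response_body.decode(errors="replace")]
    errors = payload.get("errors", []) if isinstance(payload, dict) else []
    return [str(e) for e in errors]


def authorize_client(api_key, network_id, client_mac, ssid_number,
                     opener=urllib.request.urlopen):
    """Authorize one client on one SSID and return the parsed JSON response.
    `opener` is injectable so the flow can be tested without network access."""
    path = (f"/networks/{network_id}/clients/"
            f"{normalize_mac(client_mac)}/splashAuthorizationStatus")
    req = build_request(api_key, path, splash_authorization_body(ssid_number, True))
    try:
        with opener(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        # Surface Meraki's own error strings instead of a bare status code.
        raise RuntimeError(f"Meraki API {exc.code}: {parse_api_errors(exc.read())}") from exc


if __name__ == "__main__":
    # Constructed values; a real deployment reads these from its own config.
    print(json.dumps(splash_authorization_body(0), indent=2))
    print(json.dumps(group_policy_body("GP_PLACEHOLDER"), indent=2))
    req = build_request("API_KEY_PLACEHOLDER",
                        "/networks/N_PLACEHOLDER/clients/aa:bb:cc:dd:ee:ff/splashAuthorizationStatus",
                        splash_authorization_body(0))
    print(req.get_method(), req.full_url)
```

Splash authorizations expire on their own, so the back end should expect to re-run `authorize_client` when the app reports the user back on the network, whereas a group policy assigned via `group_policy_body` stays until it is explicitly changed.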
It sounds to me like you are trying to integrate with a captive guest portal rather than the dashboard. In that case, go with RADIUS - but the users will need to authenticate twice - it won't be SSO.
You can use the Excap API instead if you want it to be seamless.
https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf
@PhilipDAth Thanks for your reply.
Captive Portal is one of the options that I could think of but not the only option. We can look for other alternatives but want the authentication to happen via API, without user input
Looking at this API for Excap, I feel that replicating the mauth token at our end is going to be challenging/impossible. If you have some solution for this, please do share.
regards
MKS