login user by API

MKS
Comes here often


Hello guys,

 

We have a requirement wherein we are integrating Meraki with an app, so the login is going to happen via the app. Is there any way we can log in users via API, so that the user doesn't have to enter credentials or values in the captive portal, and the app server (and the middleware between the app server and Meraki) can trigger a login for the users on the fly? Authentication can be done via RADIUS or any other way by which this is possible.

 

All suggestions are welcome

 

regards

 

12 Replies
jdsilva
Kind of a big deal
MKS
Comes here often

hey jdsilva,

 

Thanks for the quick reply.

I am not aware of SAML, but prima facie it looks like something that will make users install some kind of certificate on their phones/laptops.

Is that the case?

 

FYI, this is a public type of deployment, like a mall, and not a closed-environment kind of installation like an office.

 

regards

MKS

 

jdsilva
Kind of a big deal

Actually, sorry. SAML might not be the best answer for you. If you're building your own app that you want to interact with the dashboard, you simply need to use an API key. Apps using an API key don't need to log in.

 

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/The_Cisco_Meraki_Dashboard_API...

 

 

MKS
Comes here often

hey jdsilva, 

 

So the solution I am looking for is not for dashboard login but for wireless access for guest users in a public place.

 

 

regards

MKS

jdsilva
Kind of a big deal

I'm sorry @MKS , I totally misunderstood your question. 

 

I can't think of any way off the top of my head that you can log wifi users in using an app. 

HodyCrouch
Building a reputation

You can use the "Walled Garden" to allow traffic between your mobile application and a back-end system that you control prior to any type of login.  Your application would authenticate the user using your back-end system, which would then use Meraki's API to either set the splash authorization for the client or apply a group policy.  Note that obtaining the client mac address may be challenging with this approach.

 

You could also provide a special SSID for your application-based connections, use WPA2-Enterprise with RADIUS, and code your application to programmatically connect to the SSID.  You would need a custom RADIUS server to authenticate your mobile app users correctly.

 

Generating a user-specific WiFi profile might be another viable option, although I haven't thought through all of the details.

MKS
Comes here often

@HodyCrouch Thanks for the reply

I understand the walled-garden approach for the app and external servers; we are doing this with other vendors right now. We are able to get the MAC ID of the device (Android/iPhone) via the app. I am not able to understand how to trigger authorization via splash without user input from our backend, as Meraki sends an attribute mauth which cannot be generated again at our end. Or am I missing something?

 

Your second option is good, but right now the company is not interested in going that route. I had already suggested OSU and EAP-TLS based authentication, but the company is looking for app-based login, as they are interested in pushing ads and collecting user data on Wi-Fi for analytical purposes.

 

regards

MKS 

HodyCrouch
Building a reputation

You probably already know... Meraki supports both "Click-thru Splash" and "Login Splash" for captive portal.  The click-thru doesn't include mauth and doesn't use RADIUS to verify the credentials.  Login splash provides a destination URL to authorize the client.

 

With your mobile app and proper walled garden, you don't need to show the captive portal page at all.

 

Instead, have your back-end server call the appropriate Meraki Dashboard API.

 

PUT /networks/[id]/clients/[mac]/splashAuthorizationStatus

 

or

 

PUT /networks/[networkId]/clients/[mac]/policy

 

To use the second option, you would create a group policy that allows the client device to skip the captive portal page.  With the first option, the authorization automatically expires.  Group policies remain until you remove or change them.
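The back-end half of the flow described above, as an added example (not code from this thread, from Meraki, or from the poster). The phone app, reachable through the walled garden before authorization, hands the device MAC to the back-end; the back-end then calls one of the two Dashboard API endpoints named above. Endpoint paths and body shapes are those of the Meraki Dashboard API v1 (the `ssids` body is an object keyed by SSID number, each with its own `isAuthorized` flag, which is what "invalid SSIDs param" errors usually point to); the network ID, SSID number, group policy ID and MAC address are placeholders, and the MAC normalizer is an assumed defensive step, not anything Meraki requires.

```python
"""Back-end side of the walled-garden + Dashboard API flow.

The mobile app posts the device MAC to this server; the server authorizes
the client on the SSID through the Meraki Dashboard API, so the captive
portal page is never shown. All identifiers below are constructed
placeholders; no network call is made unless send_put() is invoked.
"""
import json
import re
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"  # Dashboard API v1


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and return
    the lower-case colon form. Rejecting anything else keeps app-supplied
    input from being spliced into the API path unchecked (assumed check)."""
    hexdigits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def splash_authorization_request(network_id, mac, ssid_number, authorized=True):
    """Build PUT /networks/{networkId}/clients/{clientId}/splashAuthorizationStatus.

    'ssids' is an object keyed by SSID number (as a string), each entry
    carrying its own isAuthorized flag; a flat ssids=0 / isAuthorized=true
    pair does not match this shape. The authorization expires with the
    SSID's splash timeout.
    """
    client = normalize_mac(mac)
    url = "%s/networks/%s/clients/%s/splashAuthorizationStatus" % (
        BASE_URL, network_id, client)
    body = {"ssids": {str(ssid_number): {"isAuthorized": bool(authorized)}}}
    return url, body


def group_policy_request(network_id, mac, group_policy_id):
    """Build PUT /networks/{networkId}/clients/{clientId}/policy.

    Assigns a group policy (one configured in Dashboard to bypass the splash
    page). Unlike splash authorization this does not expire on its own; it
    stays until the policy is changed or removed.
    """
    client = normalize_mac(mac)
    url = "%s/networks/%s/clients/%s/policy" % (BASE_URL, network_id, client)
    body = {"devicePolicy": "Group policy", "groupPolicyId": str(group_policy_id)}
    return url, body


def send_put(api_key, url, body, opener=urllib.request.urlopen):
    """Issue the PUT. The API key is held on this server only; the phone app
    never sees it and talks only to this back-end through the walled garden."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={
            "X-Cisco-Meraki-API-Key": api_key,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with opener(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed values; prints the request without sending it.
    url, body = splash_authorization_request("N_1234", "AA-BB-CC-DD-EE-FF", 0)
    print("PUT", url)
    print(json.dumps(body))
    # Real call: send_put(os.environ["MERAKI_API_KEY"], url, body)
```

Which endpoint to use follows the note above: splash authorization for a per-session grant that lapses on its own, the group policy for a standing exemption that has to be revoked explicitly. Either way the API key never leaves the back-end, which is the reason the app talks to your server rather than to Meraki.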

MKS
Comes here often

@HodyCrouch Thanks a lot, this helped.

But I am stuck on

PUT /networks/[id]/clients/[mac]/splashAuthorizationStatus

 

I am trying via Postman and getting this error:

{
  "errors": [
    "invalid SSIDs param"
  ]
}

 

My SSID details are:

{
  "number": 0,
  "name": "Network WiFi",
  "enabled": true,
  "splashPage": "Click-through splash page",
  "ssidAdminAccessible": false,
  "authMode": "open",
  "ipAssignmentMode": "NAT mode",
  "walledGardenEnabled": true,
  "walledGardenRanges": "103.46.xx.xx/32",
  "minBitrate": 11,
  "bandSelection": "Dual band operation",
  "perClientBandwidthLimitUp": 0,
  "perClientBandwidthLimitDown": 0
}

 

While sending the PUT /networks/[id]/clients/[mac]/splashAuthorizationStatus I am sending 2 parameters:

ssids: 0 

isAuthorized: true

 

Can you assist in what may be wrong in this?

cheers

NolanHerring
Kind of a big deal

I use SAML+OKTA, so I log into OKTA and I can see the Meraki icon and click it and it takes me into my dashboard.
Nolan Herring | nolanwifi.com
PhilipDAth
Kind of a big deal

It sounds to me like you are trying to integrate with a captive guest portal rather than the dashboard.  In that case, go with RADIUS - but the users will need to authenticate twice - it won't be SSO.

 

You can use the Excap API instead if you want it to be seamless.

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf
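The EXCAP side of what PhilipDAth suggests, as an added example (not code from this thread or from Meraki). In the external captive portal flow Meraki redirects the unauthorized client to your portal URL carrying query parameters, and the portal grants access by sending the client on to `base_grant_url` with a `continue_url` parameter. The parameter names (`base_grant_url`, `user_continue_url`, `node_mac`, `client_ip`, `client_mac`) and the optional `duration` parameter are as described in the whitepaper linked above and should be checked against it; the sample redirect URL and the `network-auth.com` host allow-list are constructed for this example. One thing the code does not do is fetch the grant URL itself: Meraki associates the grant with the client device, so the back-end returns the URL to the app running on that device.

```python
"""Portal side of a Meraki EXCAP click-through grant.

parse_excap_redirect() reads the parameters Meraki appended when it sent
the client to the portal; build_grant_url() produces the URL the client
device must then be redirected to. The sample URL is constructed; the
grant-host check is an assumed defensive step, not something Meraki requires.
"""
from urllib.parse import parse_qs, urlencode, urlparse

REQUIRED = ("base_grant_url", "user_continue_url", "client_mac")
GRANT_HOST_SUFFIX = ".network-auth.com"  # assumption: only Meraki grant hosts

# Constructed example of the URL a client arrives on at the portal.
SAMPLE_REDIRECT = (
    "https://portal.example.net/splash?"
    "base_grant_url=https%3A%2F%2Fn143.network-auth.com%2Fsplash%2Fgrant"
    "&user_continue_url=http%3A%2F%2Fwww.example.com%2F"
    "&node_mac=00:18:0a:11:22:33&client_ip=10.0.0.5"
    "&client_mac=aa:bb:cc:dd:ee:ff"
)


def parse_excap_redirect(request_url):
    """Extract the EXCAP query parameters; raise if a required one is absent.
    client_mac is what the back-end keys the user's session on."""
    query = parse_qs(urlparse(request_url).query)
    params = {key: values[0] for key, values in query.items()}
    missing = [key for key in REQUIRED if key not in params]
    if missing:
        raise ValueError("missing EXCAP parameters: %s" % ", ".join(missing))
    return params


def build_grant_url(params, duration_seconds=None):
    """Return the URL the client is redirected to once the back-end has
    authorized the user (no mauth token is involved in this click-through
    flow). base_grant_url comes from the request, so it is checked against
    the expected grant host before being used as a redirect target;
    otherwise the portal could be turned into an open redirector."""
    grant = urlparse(params["base_grant_url"])
    if grant.scheme not in ("http", "https") or not grant.hostname \
            or not grant.hostname.endswith(GRANT_HOST_SUFFIX):
        raise ValueError("unexpected grant host: %r" % params["base_grant_url"])
    query = {"continue_url": params["user_continue_url"]}
    if duration_seconds is not None:
        query["duration"] = str(int(duration_seconds))  # optional, in seconds
    return params["base_grant_url"] + "?" + urlencode(query)


if __name__ == "__main__":
    params = parse_excap_redirect(SAMPLE_REDIRECT)
    print("client", params["client_mac"], "on AP", params.get("node_mac"))
    print("redirect to", build_grant_url(params, duration_seconds=3600))
```

The grant URL must be requested by the client device itself (in a browser or by the app), since Meraki ties the grant to that client; the portal's job is to decide and redirect, which is why the check on `base_grant_url` matters: it is attacker-influenced input that ends up as a redirect target.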

 

MKS
Comes here often

@PhilipDAth Thanks for your reply.

Captive portal is one of the options that I could think of, but not the only option. We can look for other alternatives, but we want the authentication to happen via API, without user input.

 

Looking at this API for Excap, I feel that replicating the mauth token at our end is going to be challenging/impossible. If you have some solution for this, please do share.

 

regards

 

MKS 
