topic Re: Direct access despite SMS authentication in Wireless

Direct access despite SMS authentication

Dominik1 — Thu, 05 Apr 2018 12:40:41 GMT

Hi all

We have a guest with the following settings:
- Network access: open
- Splashe page: Sign-on with SMS Authentication

We noticed that clients can log in without sms authentication even though it is enabled.
There is also no splash page. At the details of the client it is written:
Splash: Not authorized

Why does this suddenly stop working?

Re: Direct access despite SMS authentication

Dominik1 — Thu, 05 Apr 2018 12:53:28 GMT

Addition:
Even with another SSID with encryption and SMS authentication, there is no splash page and therefore no SMS authentication.

Re: Direct access despite SMS authentication

Philip D'Ath — Thu, 05 Apr 2018 19:24:34 GMT

Make sure you set "Captive portal strength" to "Block all access until sign-on is complete".

Re: Direct access despite SMS authentication

Dominik1 — Fri, 06 Apr 2018 06:42:51 GMT

Hi Philip
Thanks for your input. I have already set this option. I apologize for not having included this in my description.

Re: Direct access despite SMS authentication

Uberseehandel — Fri, 06 Apr 2018 07:02:58 GMT

I recall that there is an option for the setting of the splash page frequency, so quite possibly if the IP lease is long enough, a specific, previously authorised user does not have to re-authenticate if the DHCP lease is still valid.

I do recall a situation at a village pub where the guest network handed out long IP leases and the regulars would keep the same IP pretty well indefinitely. Which made for some interesting analysis, particularly when it came to unnoticed coincidences. The management were usually weeks ahead of the village gossips.

Re: Direct access despite SMS authentication

Dominik1 — Fri, 06 Apr 2018 07:55:13 GMT

Thanks for your input!
I have created a new SSID with the following settings:

Network access Open
Splash page Billig
Captive portal strength Block all access until sign-on is complete

Splash frequency Every half hour

The client (new one) can still connect to this SSID and browsing to http and https sites.

For the test I was able to download an iso file (2GB) from a website without any problems.

Re: Direct access despite SMS authentication

Uberseehandel — Fri, 06 Apr 2018 08:20:47 GMT

And the DHCP lease duration . . .

In case the system still "sees" a validated user returning

Re: Direct access despite SMS authentication

Dominik1 — Fri, 06 Apr 2018 08:31:49 GMT

We use bridge mode with VLAN tagging. The lease is 8 hours.
The client i uesed for the test was a new one and hasn't had a IP-adress.

Re: Direct access despite SMS authentication

Uberseehandel — Fri, 06 Apr 2018 08:33:01 GMT

looks like you eliminated that possibility

Re: Direct access despite SMS authentication

Dominik1 — Thu, 12 Apr 2018 11:40:05 GMT

With Meraki Support we have found the solution.

There were 2 "problems".
1. the access point could not connect to the splash page servers. (185.17.255.128/25, 209.206.57.0/24, 209.206.58.0/24 on TCP 80 and TCP 443)
2. set "Access control" ->"Controller disconnection behavior" to "Restricted".

That solved our problem.