Solved: Custom API Authentication

horizonuser2003 · ‎10-03-2016

Hello,

I am wondering if it is possible to utilise the Meraki API to allow a custom login page. I specifically do not want to utilise RADIUS, LDAP or any existing authentication method. What I would hope to achieve is something like:

User associates with SSID and get redirected to public, custom splash page.
User has to enter username and password into custom page
Custom service side connects to non-Meraki, bespoke authentication server.
Non-Merakie, bespoke auth server returns "is_valid" response to form POST
Server side now recognises this user as valid and, given their parameters (ap, mac, ssid) provided at the splash screen redirect, sends this back to the Meraki cloud controller, using customer API key.
The Meraki cloud controller allows the users device onto the network

Any information I can find seems to ALMOST do this except it appears we need to interact with a RADIUS server at some stage. Is this an absolute requirement or does the API allow requests to simply allow devices like this psuedo API call

"https://merikia.cloud.com?api_key=123445345&action=allow&mac=MYMAC&SSID=SSID"

Any suggestions would be great.

colo · ‎10-22-2016

Yes, this is a very common authentication scheme. You can handle all authentication on your splash page's server or connect to any type of auth server. You still need to pass back either a granturl for Click-through splash or a RADIUS authentication to the Meraki cloud.

Click-through splash is the easiest for your use case.

RADIUS authentication will require you to run a RADIUS server. The RADIUS auth can be anonymous and you could use anonymous@yourserver.com as the username. The benefit of using RADIUS Sign On for your captive portal is that the Meraki network will apply a group policy based on the RADIUS Accept message.

More here:

developers.meraki.com/splash

View solution in original post

colo · ‎10-22-2016

Yes, this is a very common authentication scheme. You can handle all authentication on your splash page's server or connect to any type of auth server. You still need to pass back either a granturl for Click-through splash or a RADIUS authentication to the Meraki cloud.

Click-through splash is the easiest for your use case.

RADIUS authentication will require you to run a RADIUS server. The RADIUS auth can be anonymous and you could use anonymous@yourserver.com as the username. The benefit of using RADIUS Sign On for your captive portal is that the Meraki network will apply a group policy based on the RADIUS Accept message.

More here:

developers.meraki.com/splash

horizonuser2003 · ‎10-24-2016

Thanks for your reply. However, I notice the splash page method isn't that secure, that is, once I know the base_grant_url I can create a URL myself ( as a wirelss user that isn't authenticated yet) and simple POST that in a browser to gain access. Does the base_grant_url change? What's to stop an unauthenticated user connecting to the SSID and getting redirected to my Splash page (which I now have setup as a username and password page authenticating to my bespoke auth server) and then simply pasting the URL e.g https://n001.meraki.com/splash/grant/continue_url=https://www.google.com - I have tested this and this would appear to bypass any authentication. Is this normal or am I missing an important part?

thanks

colo · ‎10-31-2016

For authenticated logins, you will want to use the Sign-on Splash with RADIUS sign on.

https://documentation.meraki.com/MR/Splash_Page/Configuring_RADIUS_Authentication_with_a_Sign-on_Splash_Page

This function is also supported in the API. You can see sample code here:

developers.meraki.com/splash