I'm implementing ISE on an existing Meraki wireless deployment. I can’t use the “default” integration path for guest wireless as stakeholders are insisting that the traffic must be WPA-2 PSK protected (selecting ISE for the captive portal means having open access). This means that I’m having to fudge redirection to the ISE guest portal using a splash redirect on the Meraki pointing to the ISE portal test URL. The Meraki captive portal deployment guide https://meraki.cisco.com/lib/pdf/meraki_whitepaper_captive_portal.pdf says that:
Meraki will send http://yourwebsite.com/clickthrough.php?base_grant_url=https%00%00%00n00.meraki.com%2Fsplash%2Fgrant&user_continue_url=http%3A%2F%2Fgoogle.com%2F&node_mac=00:18:0a:xx:xx:xx&client_ip=10.128.128.120&client_mac=xx:xx:xx:xx:xx:xx
Let’s assume the client is registered as a guest and completes the GUI logon, then if ISE wants to instruct the Meraki to permit access to the client, return a URL redirect:
GET[‘base_grant_url’] + “?continue_url=” + GET[‘user_continue_url’] + “&duration=3600” (to grant access for one hour).
- e.g. https://n16.meraki.com/splash/grant?continue_url=www.google.com&duration=3600
The guide also states that this URL shouldn’t be hardcoded as elements such as that n16 host might change and consequently it’ll all break.
Does anybody know how ISE can extract those parameters passed to it from Meraki (if it’s even possible)?
