Troubleshooting Users' Network Access with Splash Page Enabled
The Splash page is a feature that requires a user to click through or sign on to a web page delivered by the Meraki or customer-hosted web server in order to gain full network access. By clicking through or signing on to a splash page, the user authenticates their device against the cloud and access point.
There are two common situations that may deny network access to a user when the splash page is enabled. The first is when Captive portal strength is configured to "Block all access until sign-on is complete". The second is when a web browser is not configured to accept cookies.
Captive Portal Strength set to "Block all access until sign-on is complete"
The default port used for unencrypted web access is TCP port 80, which is HTTP traffic. When a Meraki access point sees an HTTP connection from an unauthenticated device, it will intercept the GET request sent by the user's browser and redirect the browser to the cloud to be authenticated. This authentication creates an ACL on the AP and Meraki Cloud. If "Block all access until sign-on is complete" is configured on the wireless network and the user has never been authenticated by the AP they are associated to, they will be denied network access until they open their web browser and open a web page using HTTP TCP port 80. Being unauthenticated results in no access to anything except HTTP, or in a blank web page, when roaming to an AP that is unaware of a previous unexpired authentication.
Web Browser is not Configured to Accept Cookies
Successful authentication places a cookie in the user's web browser. If a user's web browser does not allow cookies, authentication will not succeed. This will result in the user seeing a blank page when using their web browser.
To mitigate the loss of network access, an ACL will be shared with the five closest APs after a user authenticates. These are the five closest APs based on Dashboard map placement.
If a user is reporting blank web pages or blocked network access, check the following:
- Is the web browser configured to not accept cookies?
- Is the web browser configured to use an HTTPS TCP port 443 URL as its home page?
- Is the user attempting to access a web page using HTTPS or some other transport?
- Has the user opened their web browser and authenticated using HTTP TCP port 80?
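The last check can be run from the affected client without a browser. The following is an added example, not Meraki code: it sends one plain-HTTP GET on TCP port 80 without following redirects and reports whether the request was intercepted. It assumes the interception reaches the client as an HTTP redirect to a different host; `probe`, `diagnose`, `FakeSplashAP` and the `splash.example.invalid` URL are hypothetical names, and the local server is a constructed stand-in for an AP.

```python
import http.client
import http.server
import threading
from urllib.parse import urlsplit

def probe(host, port=80, path="/", timeout=5):
    """Send one plain-HTTP GET without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None, None  # nothing usable came back on this port
    finally:
        conn.close()

def diagnose(host, status, location):
    """Interpret a probe of a host known to answer HTTP with no cross-host redirect."""
    if status is None:
        return "no-http"  # port 80 did not answer at all
    if status in (301, 302, 303, 307, 308) and location:
        target = urlsplit(location).hostname
        if target and target != host:
            return "splash-pending"  # intercepted: client not signed on at this AP
    return "passed-through"  # the answer came from the site itself

class FakeSplashAP(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an AP intercepting an unauthenticated client."""
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "http://splash.example.invalid/?continue=/")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeSplashAP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        status, location = probe("127.0.0.1", srv.server_address[1])
        return diagnose("127.0.0.1", status, location)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

On a real client, call `probe` against a site that is known to serve plain HTTP without redirecting to another host, so that a cross-host redirect can only come from the splash interception.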
Traffic Shaping and Firewall Rules only apply after Splash Page Authentication has Occurred
Captive portal strength settings take precedence over configured traffic shaping and firewall rules when the Splash page is configured. The traffic shaping and firewall rules will not apply to a client device until after the Splash page authentication has occurred successfully. Meraki recommends using the "Block all access until sign-on is complete" setting for Captive portal strength to prevent unauthorized access on the network. The "Allow non-HTTP traffic prior to sign-on" setting for Captive portal strength will ignore the firewall and traffic shaping rules configured on the SSID and block HTTP traffic until the user is signed on. After sign-on, the SSID's firewall rules and traffic shaping rules will be applied.