Skip to main content

 

Cisco Meraki Documentation

CoA Disconnect for Splash Sign-on

This document describes Meraki’s support for revoking a Splash user when using a Sign-on Splash page with a RADIUS server. Meraki’s Cloud will listen for RADIUS disconnect messages following the IETF’s RFC 5176. RADIUS Disconnect messages are a type of change-of-authorization (CoA) message. Currently, the only dynamic authorization supported are disconnect messages. 

Use Cases

External Captive Portal

Customers may use a Custom Splash Page to validate network users using Sign-on with RADIUS. The access point will redirect the client to the captive portal hosted on the customer’s server. Using the external captive portal API (EXCAP), the splash page will return the user’s credentials to the Meraki Cloud, and the Meraki Cloud will authenticate with the customer’s RADIUS server. The Meraki Cloud will then listen for disconnect messages from the RADIUS server. If a disconnect message for a client device is received, the client’s access will be revoked. The user will be redirected to the external captive portal.

Meraki Cloud-hosted Sign-on Splash

Customers may choose to use the Meraki Splash page Sign-on with their RADIUS. Using Splash authentication, the access point will redirect the client to the splash page hosted on the Meraki Cloud. After the client enters their login credentials, the Meraki Cloud will authenticate to the customer’s RADIUS server. After the initial login, the Meraki Cloud will listen for disconnect messages from the RADIUS server. If a disconnect message for a client device is received, the client’s access will be revoked. The user will be redirected to the initial splash page.

 

Enable CoA Disconnect Messages

RADIUS Configuration

The RADIUS server must send dynamic authorization messages to Meraki's fully qualified domain name (FQDN) on UDP port 3799. The Meraki domain name is linked to the organization and displayed in the URL of a web browser after logging into the Dashboard as an administrator.  For example, if the Dashboard URL in the browser begins with http://n165.meraki.com/, the dynamic authorization messages should be sent to n165.meraki.com on UDP port 3799.

Required Attributes

Each disconnect message must include the attributes in the table below. Additional attributes will be ignored by the NAS.

 

Field

Content

Acct-Session-Id

The unique session identifier as sent in the session’s accounting start message.

Event-Timestamp

The UNIX epoch time (in seconds) at which the message is sent; we recommend using NTP or a similar time-synchronization time protocol to guarantee the timestamp accuracy

Security Requirements

In order to prevent accidental or malicious disconnect or discovery of client sessions, the Meraki Cloud enforces the following security constraints on dynamic authorization messages:

  • All messages must include an Event-Timestamp field that falls within 300 seconds of the NAS’ known UNIX epoch time (in seconds)

  • The message must be received directly from the public IP address of the client SSID’s RADIUS authorization server

  • The message authenticator must be encrypted with the shared secret of the client SSID’s RADIUS authorization server (per the “response authenticator” described in RFC 2865, §4)

  • The client session must be currently active

 

Disconnect Responses

If the disconnect request is valid, the client session will be terminated with cause Admin-Reset, and a Disconnect-ACK will be sent to the RADIUS authorization server.

 

If a disconnect request fails, a Disconnect-NAK is sent to the RADIUS authorization server, and the appropriate Error-Cause attribute will match the values in the table below. No error response will be sent to the authorization server if the disconnect request is sent with an invalid authenticator, an incorrect message type, a missing Event-Timestamp, or an invalid Event-Timestamp.

 

Response

Meaning

No Response

Invalid authenticator, incorrect message type, missing Event-Timestamp, or an invalid Event-Timestamp

402

The Acct-Session-Id attribute is missing

407

The Acct-Session-Id is improperly formatted

504

No session with the sent identifier is currently connected to any of the RADIUS server’s SSIDs

505

The NAS experienced an unexpected error (Meraki support should be contacted in this case)

Dashboard Configuration

In order to support disconnect messages, the SSID’s Splash page must be configured to Sign-on with a RADIUS server. The Meraki Cloud will automatically be configured to listen for RADIUS dynamic authorization messages on port 3799. For more information please refer to the article, Configuring RADIUS Authentication with a Sign-on Splash Page.

 

  • Was this article helpful?