
Configuring RADIUS Authentication with a Sign-on Splash Page

The Cisco Meraki MR Access Points and MX Security Appliance allow a Splash Page to be configured, requiring users to interact with this captive portal before being granted network access. One configuration option for this Splash Page is to allow authentication with an existing RADIUS server on the network, so users must enter their domain credentials to get through the Splash Page.

This article outlines the Dashboard and RADIUS configuration steps to use a RADIUS server with a sign-on Splash Page.


Supported RADIUS Attributes

When a sign-on Splash Page is configured with a RADIUS server, authentication is performed using PAP. The following attributes are present in the Access-Request messages sent from Dashboard to the RADIUS server.

Note: Please refer to RFC 2865 for details on these attributes. Additional notes for certain attributes are included below.

  • User-Name 
  • User-Password
  • Called-Station-ID: Contains (1) the MAC address of the Meraki access point (all caps, octets separated by hyphens) and (2) the SSID on which the wireless device is connecting. The two fields are separated by a colon. Example: "AA-BB-CC-DD-EE-FF:SSID_NAME".
  • Calling-Station-ID: Contains the MAC address of the wireless device (all caps, octets separated by hyphens). Example: "AA-BB-CC-DD-EE-FF".
  • Acct-Session-ID
  • Framed-IP-Address
  • NAS-Identifier
  • NAS-IP-Address
  • NAS-Port-Id
  • NAS-Port-Type
  • Service-Type

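As an added illustration (not Meraki's code), the following Python builds an Access-Request carrying the attributes listed above, applies the RFC 2865 PAP password hiding that the "authentication is performed using PAP" statement implies, and shows the Response Authenticator check a RADIUS client should run on the reply so that a spoofed Access-Accept from a host without the shared secret is not honored. All function names, the shared secret, the MAC addresses and the SSID are made-up for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CALLED_STATION_ID, CALLING_STATION_ID = 1, 2, 30, 31

def hide_pap_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_pap_password(hidden, secret, authenticator):
    """Server side of the same scheme; the chaining input is the previous *cipher* block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(ident, secret, username, password, ap_mac, ssid, client_mac):
    """Access-Request with the attributes listed above; returns (packet, request_authenticator)."""
    authenticator = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_pap_password(password.encode(), secret, authenticator))
             + attr(CALLED_STATION_ID, f"{ap_mac}:{ssid}".encode())   # "AA-BB-CC-DD-EE-FF:SSID_NAME"
             + attr(CALLING_STATION_ID, client_mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def verify_response(reply, request_authenticator, secret):
    """Client-side check that the reply was produced by the server holding the shared secret."""
    expected = response_authenticator(reply[0], reply[1], reply[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, reply[4:20])
```

Note that the hiding only protects the password from casual observation on the wire; the shared secret and the TLS on the Splash Page itself are what actually keep the credentials safe.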
 

The following attributes are honored by Cisco Meraki when received in an Access-Accept or Access-Reject message from the RADIUS server to Dashboard:

  • Session-Timeout: This is the maximum time in seconds that the given user's session will last. After that time, the user will need to log in (authenticate) again using their username and password. Only used in Access-Accept packets.
  • Idle-Timeout: This is the idle timeout in seconds. If the user does not transfer any data on the network for this amount of time, the user's session will end and they will need to log in (authenticate) again using their username and password. Only used in Access-Accept packets. This attribute is ignored if RADIUS accounting is not enabled on the network.
  • Maximum-Data-Rate-Upstream / Maximum-Data-Rate-Downstream: These are used to impose bandwidth limits and are only used in Access-Accept packets. The values are the maximum rate in bits/second. They are vendor-specific attributes defined in RFC 4679 (Vendor-Id 3561). If these values are not present, Dashboard will use the bandwidth limits that the user set on the Dashboard traffic shaping page as a default. If these values are set to '0', Dashboard will set the bandwidth limit to unlimited.
  • Filter-Id: This attribute can be used to convey a group policy that should be applied to a wireless user or device. The attribute type should match that which is configured under the Configure tab > Group policies page in the Cisco Meraki Cloud Controller. The attribute value should match the name of a policy group configured on that page. (Please note this feature is currently only for the MR, in beta - please contact support to have it enabled for your networks)
  • Reply-Message: This is a message for the user that will be displayed inline on the splash page. It is allowed in Access-Accept and Access-Reject messages, but will only be shown to the user in the case of Access-Reject messages.

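The rules above (which attributes are honored, in which reply code, the '0' means unlimited convention, and Idle-Timeout being ignored without accounting) as an added worked example, not Meraki's code. The attribute parser rejects truncated or zero-length attributes rather than looping on them; the RFC 4679 sub-attribute numbers 135/136 are taken from that RFC and are an assumption, as are the function names and the sample values.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
FILTER_ID, REPLY_MESSAGE, VENDOR_SPECIFIC, SESSION_TIMEOUT, IDLE_TIMEOUT = 11, 18, 26, 27, 28
DSL_FORUM_VENDOR_ID = 3561               # Vendor-Id given in the text (RFC 4679)
MAX_RATE_UP, MAX_RATE_DOWN = 135, 136    # RFC 4679 sub-attribute types; assumed from the RFC, not stated in the text

def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def vsa(vtype, value):
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", DSL_FORUM_VENDOR_ID, vtype, len(value) + 2) + value)

def parse_attrs(data):
    """Walk the type/length/value list that follows the 20-byte header; reject truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def apply_reply(code, attrs, accounting_enabled=True):
    """Mirror the rules above: which attributes count, and for which reply code."""
    r = {"accepted": code == ACCESS_ACCEPT, "session_timeout": None, "idle_timeout": None,
         "group_policy": None, "reply_message": None, "up_bps": "dashboard default", "down_bps": "dashboard default"}
    for c, v in parse_attrs(attrs):
        if c == SESSION_TIMEOUT and code == ACCESS_ACCEPT:
            r["session_timeout"] = struct.unpack("!I", v)[0]
        elif c == IDLE_TIMEOUT and code == ACCESS_ACCEPT and accounting_enabled:   # ignored without accounting
            r["idle_timeout"] = struct.unpack("!I", v)[0]
        elif c == FILTER_ID:
            r["group_policy"] = v.decode()
        elif c == REPLY_MESSAGE and code == ACCESS_REJECT:   # allowed in both, displayed only on reject
            r["reply_message"] = v.decode()
        elif c == VENDOR_SPECIFIC and code == ACCESS_ACCEPT and len(v) >= 10:
            vendor, vtype = struct.unpack("!IB", v[:5])
            if vendor == DSL_FORUM_VENDOR_ID and vtype in (MAX_RATE_UP, MAX_RATE_DOWN):
                rate = struct.unpack("!I", v[6:10])[0]
                r["up_bps" if vtype == MAX_RATE_UP else "down_bps"] = "unlimited" if rate == 0 else rate
    return r

# Constructed sample replies (attribute bytes only, no header); the values are made up for illustration.
SAMPLE_ACCEPT = (attr(SESSION_TIMEOUT, struct.pack("!I", 3600)) + attr(IDLE_TIMEOUT, struct.pack("!I", 600))
                 + attr(FILTER_ID, b"Guests") + vsa(MAX_RATE_DOWN, struct.pack("!I", 0))
                 + vsa(MAX_RATE_UP, struct.pack("!I", 2000000)) + attr(REPLY_MESSAGE, b"Welcome"))
SAMPLE_REJECT = attr(REPLY_MESSAGE, b"Account locked")
```
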
Dashboard Configuration

The following instructions explain how to configure an SSID with a Splash Page using a local RADIUS server:

  1. In Dashboard, navigate to Wireless > Configure > Access Control.
  2. Select the desired SSID from the SSID drop-down menu.
  3. Set the Association requirement to Open (no encryption).
  4. Under Splash page, select Sign-on with and choose my RADIUS server from the drop-down menu:

  5. (optional) For Captive portal strength, choose Block all access until sign-on is complete.
  6. (optional) For Walled garden, choose Walled garden is disabled.
  7. Under RADIUS for splash page, click Add a server.
  8. Enter the following information:
    • Host - Public IP address of the RADIUS server.
    • Port - UDP port that the RADIUS server listens on for access requests, typically 1812.
    • Secret - RADIUS client shared secret (if a RADIUS server has not been configured yet, select a shared secret here and make note for later).
      Note: RADIUS access request messages for a Splash Page will be sourced from Dashboard, not from the local Meraki devices. As such, the RADIUS server's private LAN IP address cannot be specified here.
  9. Read the instructions outlined in the IP addresses section and make adjustments to network firewalls if necessary. Make sure to take note of the RADIUS client IPs listed under Help > Firewall Info.

Testing RADIUS from Dashboard 

Dashboard has a built-in RADIUS test utility to ensure that all access points (at least those broadcasting the SSID using RADIUS) can contact the RADIUS server:

  1. Navigate to Wireless > Configure > Access control.
  2. Ensure that WPA2-Enterprise was already configured based on the instructions in this article.
  3. Under RADIUS servers, click the Test button for the desired server.
  4. Enter the credentials of a user account in the Username and Password fields.
  5. Click Begin test.
  6. The window will show progress of testing from each access point (AP) in the network, and then present a summary of the results at the end.
    APs passed: Access points that were online and able to successfully authenticate using the credentials provided.
    APs failed: Access points that were online but unable to authenticate using the credentials provided. Ensure the server is reachable from the APs and that the APs are added as clients on the RADIUS server.
    APs unreachable: Access points that were not online and thus could not be tested.

RADIUS Configuration

While any RADIUS server can be used, the following configuration requirements are necessary for use with a sign-on Splash Page:

  • RADIUS must be configured to allow PAP (unencrypted authentication)
    Note: Communication between the client and Dashboard is done through the Splash Page, which is encrypted using SSL. 
  • Dashboard's IP addresses must be configured on the server as RADIUS clients/authenticators, with a shared secret. These IP addresses can be gathered in Dashboard from Help > Firewall Info.

Please refer to your RADIUS server vendor's documentation for configuration specifics.

Example RADIUS Server Configuration (Windows NPS + AD)

The following example configuration outlines how to configure an existing Windows 2008 server, running Network Policy Server (NPS) alongside Active Directory:

  1. Add Dashboard as a RADIUS Client.
  2. Configure a RADIUS Network Policy.

Adding Dashboard as a RADIUS Client in NPS

Since access request messages for a sign-on Splash Page are sourced from Dashboard, NPS must be configured to allow incoming requests from Dashboard's IP addresses:

  1. From the desktop of your Windows 2008 server, click Start > Administrative Tools.
  2. Click on Network Policy Server when it appears in the list.
  3. In the Network Policy Server console, navigate to NPS > RADIUS Clients and Servers > RADIUS Clients.
  4. Right click RADIUS clients and select New RADIUS client.
  5. Fill out the fields in the New RADIUS Client window.
    • Friendly name: Unique identifier for this client. 
    • IP address: The IP ranges used by Dashboard (gathered in step 9 of Dashboard configuration)
    • Shared Secret: Secret configured in the RADIUS server value in Dashboard (used in step 8 of Dashboard configuration). This needs to be the same for each RADIUS client you add.
  6. Click OK.
  7. Repeat these steps for each of Dashboard's IP addresses, as specified on the Access control page in Dashboard:


Configure a RADIUS Network Policy in NPS

The following instructions explain how to configure a network policy in NPS, that will allow 

  1. From the Network Policy Server console navigate to NPS > Policies > Network Policies.
  2. Right click Network Policies and select New.
  3. On the Specify Network Policy Name and Connection Type page, enter a Policy name and verify that Unspecified is selected in the "Type of network access server:" drop-down.
  4. Click Next.
  5. On Specify Conditions click Add and append Windows Group > Domain Users group from the Windows Active Directory domain, then click OK.
  6. Click OK, Review the conditions, then click Next.
  7. On Specify Access Permission select Access granted and click Next.
  8. On Configure Authentication Methods, make sure Unencrypted authentication (PAP, SPAP) is the only method checked and click Next.
  9. Click No when the Connection Request Policy help pop-up appears.
  10. Click Next on Configure Constraints.
  11. On Configure Settings find the section Network Access Protection, select NAP Enforcement.
  12. For Auto Remediation un-check the box Enable auto remediation on client computers and click Next.
  13. On Completing New Network Policy click Finish.
  14. Prioritize the policy by right-clicking the policy you created and selecting Move up, placing the policy above any existing deny policies.
  15. Review the policy values in the right side of the console.

RADIUS Accounting with a Sign-on Splash Page

RADIUS accounting can be used with RADIUS authenticated splash pages to provide information regarding when a client was authorized through the splash page, and later had that authorization cleared/expired. These messages are sent from Dashboard to the customer's configured RADIUS server.

Note: RADIUS accounting is only available by default with 802.1X authentication. To enable RADIUS accounting for splash page as well, please contact Cisco Meraki support. RADIUS accounting is not currently available on Splash Pages for the MX Security Appliance.

Accounting Overview

When RADIUS accounting is enabled, RADIUS 'start' accounting messages will be sent whenever a client is authorized through the splash page. These start messages are sent from Dashboard, typically from the same IP address as used for the authentication Access-request message. A ‘stop’ accounting message is generated when the client's splash authorization is manually cleared or expires based on the splash frequency.

The screenshot below shows a Wireshark packet capture of an example RADIUS ‘start’ message sent by Dashboard (using an IP address of 74.50.53.101) to a RADIUS server. When the RADIUS message is expanded, there are many parameters that show the information contained within the ‘start’ message. Some data has been obfuscated for security reasons.

 

The screenshot below shows a Wireshark packet capture of a RADIUS accounting ‘stop’ message sent by Dashboard because the Splash frequency time of 30 minutes was reached. This means the client has to log in again through the Splash Page to continue using the network.

Configuration

The following instructions outline how to enable RADIUS accounting for a sign-on Splash Page:

  1. In Dashboard, navigate to Wireless > Configure > Access Control.
  2. Select the SSID currently configured to use RADIUS with a sign-on Splash Page.
  3. Further down the page, set RADIUS accounting to RADIUS accounting is enabled.
    Note: If this option is not available, please contact Cisco Meraki Support to have accounting enabled.
  4. In the RADIUS accounting servers section, click Add a server and provide the following details:
    • Host - Public IP address of the RADIUS accounting server.
    • Port - UDP port that the RADIUS server listens on for accounting messages, typically 1813.
    • Secret - RADIUS client shared secret.
      Note: RADIUS accounting messages for a Splash Page will be sourced from Dashboard, not from the local Meraki devices. As such, the RADIUS server's private LAN IP address cannot be specified here.

Additional Resources

For more information on RADIUS and Splash Pages, please refer to the following documentation:

Last modified
16:20, 10 Feb 2016
