I am wondering if it is possible to utilise the Meraki API to allow a custom login page. I specifically do not want to utilise RADIUS, LDAP or any existing authentication method. What I would hope to achieve is something like:
- User associates with SSID and get redirected to public, custom splash page.
- User has to enter username and password into custom page
- Custom service side connects to non-Meraki, bespoke authentication server.
- Non-Merakie, bespoke auth server returns "is_valid" response to form POST
- Server side now recognises this user as valid and, given their parameters (ap, mac, ssid) provided at the splash screen redirect, sends this back to the Meraki cloud controller, using customer API key.
- The Meraki cloud controller allows the users device onto the network
Any information I can find seems to ALMOST do this except it appears we need to interact with a RADIUS server at some stage. Is this an absolute requirement or does the API allow requests to simply allow devices like this psuedo API call
Yes, this is a very common authentication scheme. You can handle all authentication on your splash page's server or connect to any type of auth server. You still need to pass back either a granturl for Click-through splash or a RADIUS authentication to the Meraki cloud.
Click-through splash is the easiest for your use case.
RADIUS authentication will require you to run a RADIUS server. The RADIUS auth can be anonymous and you could use firstname.lastname@example.org as the username. The benefit of using RADIUS Sign On for your captive portal is that the Meraki network will apply a group policy based on the RADIUS Accept message.
Thanks for your reply. However, I notice the splash page method isn't that secure, that is, once I know the base_grant_url I can create a URL myself ( as a wireless user that isn't authenticated yet) and simple POST that in a browser to gain access. Does the base_grant_url change? What's to stop an unauthenticated user connecting to the SSID and getting redirected to my Splash page (which I now have setup as a username and password page authenticating to my bespoke auth server) and then simply pasting the URL e.g https://n001.meraki.com/splash/grant/continue_url=https://www.google.com - I have tested this and this would appear to bypass any authentication. Is this normal or am I missing an important part?
For authenticated logins, you will want to use the Sign-on Splash with RADIUS sign on.
This function is also supported in the API. You can see sample code here:
Please sign in to leave a comment.