Choosing an authentication protocol for networking devices is one of the critical tasks. And when we talk about wireless authentication WPA2 and WPA2-Enterprise are the most used protocol. When we think of enterprise wireless network there are various challenges that an administrator may face while choosing which protocol to use. Each method has its own downfall that an administrator has to determine and adjust it to business needs. With the BYOD policy in place, businesses need to provide employees with a secure corporate wireless network to support it.
In this post, we will discuss iPSK (Identity Pre-Shared-Key), a protocol developed by cisco. As a name suggest it provide identification to each connection authenticated using a pre-shared key. It also tackles the issue of the normal pre-shared key, as a shared key can be used to connect devices that are not compliant with corporate policy. Here it will use FreeRADIUS to identify the company-owned device.
Overall I will show you steps that can be used to setup iPSK in Meraki access point with the help of the FreeRADIUS server. Please note Windows server cannot be used as it currently does not support the functionality needed for iPSK to work.
What you will need :-
- Meraki Access point
- FreeRADIUS on Ubuntu Server
- Meraki System Manager licenses (Optional)
- List of MAC addresses of company-owned devices
Let’s get started
- We will get start by making FreeRADIUS ready. Follow the steps to do so.
sudo apt-get update
sudo apt-get install freeradius- Now let’s edit the client configuration and add Meraki AP as RAIDUS client.
sudo vi /etc/freeradius/3.0/clients.conf- At the end of the file add the following (Repeat the step with multiple AP)
client AP-Name {
ipaddr = 192.168.0.2/24 #Add your AP's IP address
secret = dog #Set it what ever you want
}- In this step we will define all the MAC addresses of company owned devices in users file.
sudo vi /etc/freeradius/3.0/users- Now start editing from the end of the file. (Repeat the step for each different MAC address)
3bd1fe9b358b Cleartext-Password := "3bd1fe9b358b"
Tunnel-Password = helloworldNote: Here write MAC address in the format shown above and you can type whatever Tunnel password you want
- Make sure you restart the FreeRADIUS service. If an error comes up make sure you don’t have a typo.
sudo systemctl restart freeradiusNow let’s set up SSID with iPSK WITH RADIUS NOTE: Below steps are from Meraki official website. Link
- From Dashboard navigate to Wireless > Configure > Access control
- Under SSID, select the SSID from the drop-down that you want to configure.
- Select IPSK with RADIUS from the Association Requirements section of the page.
- Under Splash page, select Systems Manager Sentry enrollment (optional)
- For the RADIUS server, click Add a server. Enter RADIUS server IP address, listening port, and RADIUS shared secret to be used by your APs which are configured RADIUS clients on the server. (Remember secret key will be “dog” as per my configuration in clients.conf)
- Click Save changes
You are ready to go with your SSID. Now if you go to your wifi enabled device and look for the SSID you will notice that it will look the same as regular SSID. So nothing changes in the user end. And if you have a System Manager license and selected on the splash page configuration you will be prompted for system manager installation if not installed.
Here is how it will work.
- Users enter the Tunnel password as a pre-shared key.
- In the background, it will check if the MAC address is on the list.
- It will then check if the system manager is installed.
- If all conditions met then the access will be granted.
Credit: https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication
Looking at your guide I don’t see where you can assign VLANs in your FR user configuration.