PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. It boasts an impressive feature set, including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks ranging from small to very large heterogeneous environments.
PacketFence Cloud allows value-added resellers (VARs) and managed services providers (MSPs) to manage multiple PacketFence deployments from a centralized management platform. From PacketFence Cloud, each customer has its own PacketFence virtual machine. The virtual machine is usually deployed on-premise – to increase security, reduce complexity and be tolerant to any Internet connection failure. The virtual machine is nonetheless entirely managed from the PacketFence Cloud platform, which can be hosted at Amazon AWS, Microsoft Azure, Rackspace and others.
This document will provide the steps to configure a Meraki wireless network with PacketFence.
In this section, we will cover the configuration of the Meraki controller to use Web authentication.
When using the WebAuth mode on the Meraki controller, you need to enable “Role mapping by Switch Role” and “Role by Web Auth URL” in the Roles tab of the switch configuration.
Configure your SSID as shown below:
NOTE: It is mandatory that you use Airespace-ACL-Name as the “RADIUS attribute specifying group policy name”.
The switch module to use for this configuration is “Meraki cloud controller V2”.
Next, configure the roles for the devices on your network. Go to Network-wide→Group policies, where you can create policies that can then be configured as roles in the switch configuration of PacketFence. Creation of the policy Guest:
Your configuration for the tab “Roles” in PacketFence will look like the following:
In the PacketFence configuration, use “Role by VLAN ID” and fill in the VLANs matching your roles.
It is possible to use RADSEC between Meraki and PacketFence in order to carry RADIUS over TCP, encrypted with TLS. Before performing the steps outlined in this section, make sure you have a working SSID using normal unencrypted RADIUS by following the steps in the sections above.
Then, in order to enable RADSEC, go to your SSID configuration and, under RADIUS proxy, select Use Meraki proxy and save the settings.
After saving, check the RADSEC checkbox and save your settings.
Now, on your PacketFence server, you must add the Meraki root CA to the Certificate Authorities that FreeRADIUS trusts when performing RADSEC. Download the Meraki CA certificate from http://changeme.com/meraki-root.crt and append it to the content of /usr/local/pf/raddb/certs/ca.pem on your PacketFence server.
Next, restart radiusd to reload the CA certificates using:
# /usr/local/pf/bin/pfcmd service radiusd restart
NOTE: RADSEC uses port 2083, so make sure your server is reachable on this port via a public IP address and allows connections from your Meraki cloud controller. Refer to the Meraki documentation for details.
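The CA step above is a plain append, which silently duplicates the certificate if the procedure is run twice and gives no check that the downloaded file is really a PEM certificate. The following is an added example (not PacketFence's own code) of an idempotent merge: it fingerprints every certificate already in the bundle by the SHA-256 of its DER encoding and appends only blocks that are not yet present. It assumes the bundle is a PEM file such as /usr/local/pf/raddb/certs/ca.pem and that the downloaded Meraki root is a single PEM certificate; the sample certificates used for the test are constructed placeholders, not real Meraki data.

```python
"""Idempotently append a CA certificate to a FreeRADIUS CA bundle (added example)."""
import base64
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# One PEM certificate block; DOTALL so the base64 body may span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_fingerprints(pem_text: str) -> Dict[str, str]:
    """Map the SHA-256 fingerprint of each certificate's DER bytes to its PEM block.

    base64 decoding with validate=True rejects a download that is not a
    certificate (for example an HTML error page saved as .crt).
    """
    out: Dict[str, str] = {}
    for match in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        out[hashlib.sha256(der).hexdigest()] = match.group(0)
    return out


def merge_ca(bundle_text: str, new_ca_text: str) -> Tuple[str, List[str]]:
    """Return (updated bundle text, fingerprints that were added).

    Certificates already present in the bundle are skipped, so running the
    merge repeatedly never grows ca.pem.
    """
    existing = pem_fingerprints(bundle_text)
    added: List[str] = []
    result = bundle_text
    for fp, block in pem_fingerprints(new_ca_text).items():
        if fp in existing:
            continue
        if result and not result.endswith("\n"):
            result += "\n"
        result += block + "\n"
        existing[fp] = block
        added.append(fp)
    return result, added


def append_ca_file(bundle_path: str, ca_path: str) -> List[str]:
    """Merge the certificate(s) in ca_path into the bundle on disk; write only if changed."""
    bundle = Path(bundle_path)
    text = bundle.read_text() if bundle.exists() else ""
    merged, added = merge_ca(text, Path(ca_path).read_text())
    if added:
        bundle.write_text(merged)
    return added


def _fake_pem(payload: bytes) -> str:
    """Build a PEM-shaped block from arbitrary bytes: constructed test data, not a real cert."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


# Constructed sample data: a bundle with two "CAs" and a separate "Meraki root".
SAMPLE_BUNDLE = _fake_pem(b"existing-ca-1" * 8) + "\n" + _fake_pem(b"existing-ca-2" * 8) + "\n"
SAMPLE_MERAKI_ROOT = _fake_pem(b"meraki-root-placeholder" * 6) + "\n"


if __name__ == "__main__":
    # Usage: python merge_ca.py /usr/local/pf/raddb/certs/ca.pem meraki-root.crt
    # Restart radiusd afterwards (pfcmd service radiusd restart) so FreeRADIUS reloads the bundle.
    bundle_file, ca_file = sys.argv[1], sys.argv[2]
    new_fps = append_ca_file(bundle_file, ca_file)
    print("added %d certificate(s): %s" % (len(new_fps), ", ".join(new_fps) or "none"))
```

Fingerprinting the DER bytes rather than comparing the PEM text means a certificate re-downloaded with different line wrapping is still recognized as already present. After the merge, radiusd still has to be restarted as described in the next step.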
NOTE: You should already have one port set up as Uplink, in trunk mode, with at least your Registration and Production VLANs allowed on it.
The Meraki switch offers configuration for VLAN enforcement only.
You will need to access the Meraki dashboard to configure your switch. Once there, you first need to create a policy. You can create a “MAC authentication bypass” or an “802.1X” policy, depending on whether you want to authenticate users via dot1x or MAB. You cannot combine both, nor use a fallback mode on the same port: each port with a policy applied will be exclusively MAB or dot1x.
To create a policy, go to Switch→Access policies in the Meraki dashboard menu. From there, create a new policy, using the example below as a guide.
You now need to apply one of your policies to ports. To do so, go to Switch→Switch ports and choose your options. To add a policy you created earlier, select it in the Access policy drop-down list. You need to configure the port in “mode access”; the default access VLAN is not important if your VLANs are properly configured on PacketFence.