For byod purposes it brings a lot more work. You need to set up a free radius server and all your employees need to give in the mac addresses of all there devices + need to deactivate the mac randomisation. I see a lot of support tickets :-D.    I don't understand why they limit the ipsk without mac on 50.   Other vendors can do 5000 or unlimited.   We have a solution linked to Azure/Office365 and Google Gsuite. They login, they get a ipsk/ppsk/dpsk in the right vlan. If they leave the company we delete the ipsk/ppsk/Dpsk. For easy onboarding we also create a qr code. ... View more

The problem with ipsk and radius is that you need to assign a mac address to it. This can give a lot of problems with the mac randomisation that is standard  on the latest versions of Android and IOS. ... View more

You could also use it for big companies, schools, healthcare (room area networks),.... We have created a solution (https://wiflex.eu) for onboarding employees based on Azure/Office365/Gsuite and unique psk's. We can assign dynamically vlans based on the security group in Azure/Office365/Gsuite. And if they leave the company we delete the unique psk password. You can use this also for big companies.   More and more companies and schools are moving to the cloud so they don't have any in house servers, so also no radius server. And the cloud radius solutions are very expensive.   And what about big iot deployments? 50 is not a lot.   We also have secure guest solutions where we need way more than 50 unique psk's.   ... View more

Indeed look very promising. But I hope they well increase the number of allowed unique psk's. To give an example: Mist can do 5000 and Cisco Meraki 50. But it is a nice start! ... View more

Also available without radius: https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS   ... View more

In beta version 27.1 you have the feature IPSK without radius. Very interesting. But I don't like the limit of 50 unique psk's per ssid.   https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS ... View more

In beta version 27.1 you have the feature IPSK without radius. Very interesting. But I don't like the limit of 50 unique psk's per ssid.    https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS ... View more

In the coming weeks. But don't know the exact date. ... View more

I had a call with an SE from Meraki. Probably it is a bug. They are investigating this issue. They also mentioned that there will be lauched an ipsk feature without Radius. Just what I need 😄 ... View more

Thanks a lot. I think I'm almost there.   Freeradius return accept-accept but Meraki is rejecting it. Feb 19 15:22:04 complit-PC 802.11 disassociation unspecified reason Feb 19 15:21:59 complit-PC WPA deauthentication radio: 1, vap: 3, client_mac: 28:16:AD:CA:F3:6E   « hide aid 1404825037 Feb 19 15:21:59 complit-PC RADIUS authentication resp: reject Feb 19 15:21:59 complit-PC 802.11 association channel: 108, rssi: 15 Feb 19 15:11:57 complit-PC 802.11 disassociation unspecified reason Feb 19 15:11:52 complit-PC WPA deauthentication radio: 1, vap: 3, client_mac: 28:16:AD:CA:F3:6E   more » Feb 19 15:11:52 complit-PC 802.11 association channel: 108, rssi: 15 Feb 19 15:11:52 complit-PC RADIUS authentication resp: reject     output freeradius:   (0) Received Access-Request Id 4 from 10.10.0.107:32978 to 10.10.0.5:1812 length 221 (0) User-Name = "2816adcaf36e" (0) User-Password = "2816adcaf36e" (0) NAS-IP-Address = 10.10.0.107 (0) Called-Station-Id = "EE-55-2D-F2-EA-CA:Meraki-Wiflex" (0) NAS-Port-Type = Wireless-802.11 (0) Attr-26.29671.2 = 0x436f6d706c69742d747269616c202d20776972656c657373 (0) Attr-26.29671.3 = 0x4d6572616b694170436f6d706c6974 (0) Calling-Station-Id = "28-16-AD-CA-F3-6E" (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) Message-Authenticator = 0x8d3a513504ca2a031fa69f69d3246684 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "2816adcaf36e", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> 2816adcaf36e (0) sql: SQL-User-Name set to '2816adcaf36e' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2816adcaf36e' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2816adcaf36e' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "2816adcaf36e" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '2816adcaf36e' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '2816adcaf36e' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = '2816adcaf36e' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '2816adcaf36e' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.29-0ubuntu0.18.04.1, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> 2816adcaf36e (0) sql: SQL-User-Name set to '2816adcaf36e' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '2816adcaf36e', '2816adcaf36e', 'Access-Accept', '2020-02-19 14:21:59') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '2816adcaf36e', '2816adcaf36e', 'Access-Accept', '2020-02-19 14:21:59') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 4 from 10.10.0.5:1812 to 10.10.0.107:32978 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 4 with timestamp +17 Ready to process requests   If I have a look at the radpostauth table I get: | 7 | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 13:33:05 | | 8 | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 14:11:52 | | 9 | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 14:21:59 | ... View more

Thanks again. I'm totally new to Freeradius. So we need to tell freeradius to use a database instead of the configuration file? I will try to use mysql and find a way to import the users into mysql from our system. Let's google :-D. If you have any interesting documentation, you may always post it :-D. Do you know why Meraki/Cisco chose to create unique psk's based on radius server instead of a solution like Aerohive/Ruckus? ... View more

You hero! Now it's working. I think Meraki need to update there documentation :-D.    The only thing I need to figure out is how I can create new ipsk's by api's on the freeradius server. We are trying to create a BYOD solution where users can onboard themself by logging in with their AzureAD/Offfice365/Gsuiste credentials and get an IPSK in the right vlan. Vlan is based on the security group in Azure AD/Office365/Gsuite. If they leave the organisation we will delete the ipsk.     ... View more

Thanks a lot guys!!!! Was very helpfull.   Now the default password is working as ipsk. But my user ipsk is still not working. Freeradius is starting good. Any idea what I can check? ... View more

How is it working exactly? You create a user in freeradius and gave the mac address with it. And then it returns an ipsk?   Do you know why meraki/cisco is using unique psk's based on radius instead of using the way ruckus/aerohive/cambium/mist is doing it? Then you don't need tbe radius.   We like to integrate the ipsk in our wiflex solution ... View more

I would not recommend using a splash portal (open ssid) for corporate users. We are looking into a solution with ipsk and Azure. I'll keep you up to date. ... View more

That's correct, but it's the best solution you can do for the moment I think. You can restrict the default vpn profile and run the script every minute.   It would be better that Meraki let to define a group policy when you create the vpn user. I'm pretty new to Meraki and I love it. But I was really disappointed when I found out this wasn't an option. Here are the steps of my api script: Get all clients that connected last hour (api/v0/devices/) If client has an ip-address in the vpn subnet, I ask more information (for example emailaddress) with the api api/v0/networks/$network_id/clients/$mac Check if the vpn has the default group policy (normal), if so I want to change this. (api/v0/networks/$network_id/clients/$mac/policy) Then I assign an other group policy based on the domain name of their emailadress.(api/v0/networks/$network_id/clients/$mac/policy) In the dashboard you can assign new firewall rules to the vpn group policy you assigned. You can allow traffic from the vpn subnet to the subnet of the company ... View more