About Complit

Complit · ‎01-09-2021

For byod purposes it brings a lot more work. You need to set up a free radius server and all your employees need to give in the mac addresses of all there devices + need to deactivate the mac randomisation. I see a lot of support tickets :-D. I don't understand why they limit the ipsk without mac on 50. Other vendors can do 5000 or unlimited. We have a solution linked to Azure/Office365 and Google Gsuite. They login, they get a ipsk/ppsk/dpsk in the right vlan. If they leave the company we delete the ipsk/ppsk/Dpsk. For easy onboarding we also create a qr code.

Complit · ‎01-09-2021

The problem with ipsk and radius is that you need to assign a mac address to it. This can give a lot of problems with the mac randomisation that is standard on the latest versions of Android and IOS.

Complit · ‎06-12-2020

We are integrating Meraki on our Wiflex solution but it seems there are problems with these api's? Do you know when this will be fixed? Yesterday was everything working.

Complit · ‎05-27-2020

You could also use it for big companies, schools, healthcare (room area networks),.... We have created a solution (https://wiflex.eu) for onboarding employees based on Azure/Office365/Gsuite and unique psk's. We can assign dynamically vlans based on the security group in Azure/Office365/Gsuite. And if they leave the company we delete the unique psk password. You can use this also for big companies. More and more companies and schools are moving to the cloud so they don't have any in house servers, so also no radius server. And the cloud radius solutions are very expensive. And what about big iot deployments? 50 is not a lot. We also have secure guest solutions where we need way more than 50 unique psk's.

Complit · ‎05-26-2020

Indeed look very promising. But I hope they well increase the number of allowed unique psk's. To give an example: Mist can do 5000 and Cisco Meraki 50. But it is a nice start!

Complit · ‎05-26-2020

Also available without radius: https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS

Complit · ‎05-26-2020

In beta version 27.1 you have the feature IPSK without radius. Very interesting. But I don't like the limit of 50 unique psk's per ssid. https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS

Complit · ‎05-26-2020

In beta version 27.1 you have the feature IPSK without radius. Very interesting. But I don't like the limit of 50 unique psk's per ssid. https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS

Complit · ‎02-21-2020

In the coming weeks. But don't know the exact date.

Complit · ‎02-20-2020

I had a call with an SE from Meraki. Probably it is a bug. They are investigating this issue. They also mentioned that there will be lauched an ipsk feature without Radius. Just what I need 😄

Complit · ‎02-19-2020

Thanks a lot. I think I'm almost there. Freeradius return accept-accept but Meraki is rejecting it. Feb 19 15:22:04 complit-PC 802.11 disassociation unspecified reason Feb 19 15:21:59 complit-PC WPA deauthentication radio: 1, vap: 3, client_mac: 28:16:AD:CA:F3:6E « hide aid 1404825037 Feb 19 15:21:59 complit-PC RADIUS authentication resp: reject Feb 19 15:21:59 complit-PC 802.11 association channel: 108, rssi: 15 Feb 19 15:11:57 complit-PC 802.11 disassociation unspecified reason Feb 19 15:11:52 complit-PC WPA deauthentication radio: 1, vap: 3, client_mac: 28:16:AD:CA:F3:6E more » Feb 19 15:11:52 complit-PC 802.11 association channel: 108, rssi: 15 Feb 19 15:11:52 complit-PC RADIUS authentication resp: reject output freeradius: (0) Received Access-Request Id 4 from 10.10.0.107:32978 to 10.10.0.5:1812 length 221 (0) User-Name = "2816adcaf36e" (0) User-Password = "2816adcaf36e" (0) NAS-IP-Address = 10.10.0.107 (0) Called-Station-Id = "EE-55-2D-F2-EA-CA:Meraki-Wiflex" (0) NAS-Port-Type = Wireless-802.11 (0) Attr-26.29671.2 = 0x436f6d706c69742d747269616c202d20776972656c657373 (0) Attr-26.29671.3 = 0x4d6572616b694170436f6d706c6974 (0) Calling-Station-Id = "28-16-AD-CA-F3-6E" (0) Connect-Info = "CONNECT 11Mbps 802.11b" (0) Message-Authenticator = 0x8d3a513504ca2a031fa69f69d3246684 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "2816adcaf36e", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) sql: EXPAND %{User-Name} (0) sql: --> 2816adcaf36e (0) sql: SQL-User-Name set to '2816adcaf36e' rlm_sql (sql): Reserved connection (1) (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2816adcaf36e' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2816adcaf36e' ORDER BY id (0) sql: User found in radcheck table (0) sql: Conditional check items matched, merging assignment check items (0) sql: Cleartext-Password := "2816adcaf36e" (0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '2816adcaf36e' ORDER BY id (0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '2816adcaf36e' ORDER BY id (0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql: --> SELECT groupname FROM radusergroup WHERE username = '2816adcaf36e' ORDER BY priority (0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '2816adcaf36e' ORDER BY priority (0) sql: User not found in any groups rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.29-0ubuntu0.18.04.1, protocol version 10 (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Auth-Type PAP { (0) pap: Login attempt with password (0) pap: Comparing with "known good" Cleartext-Password (0) pap: User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) sql: EXPAND .query (0) sql: --> .query (0) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (0) sql: EXPAND %{User-Name} (0) sql: --> 2816adcaf36e (0) sql: SQL-User-Name set to '2816adcaf36e' (0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '2816adcaf36e', '2816adcaf36e', 'Access-Accept', '2020-02-19 14:21:59') (0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '2816adcaf36e', '2816adcaf36e', 'Access-Accept', '2020-02-19 14:21:59') (0) sql: SQL query returned: success (0) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (0) [sql] = ok (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = ok (0) Sent Access-Accept Id 4 from 10.10.0.5:1812 to 10.10.0.107:32978 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 4 with timestamp +17 Ready to process requests If I have a look at the radpostauth table I get: | 7 | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 13:33:05 | | 8 | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 14:11:52 | | 9 | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 14:21:59 |

Complit · ‎02-18-2020

Thanks again. I'm totally new to Freeradius. So we need to tell freeradius to use a database instead of the configuration file? I will try to use mysql and find a way to import the users into mysql from our system. Let's google :-D. If you have any interesting documentation, you may always post it :-D. Do you know why Meraki/Cisco chose to create unique psk's based on radius server instead of a solution like Aerohive/Ruckus?

Complit · ‎02-18-2020

You hero! Now it's working. I think Meraki need to update there documentation :-D. The only thing I need to figure out is how I can create new ipsk's by api's on the freeradius server. We are trying to create a BYOD solution where users can onboard themself by logging in with their AzureAD/Offfice365/Gsuiste credentials and get an IPSK in the right vlan. Vlan is based on the security group in Azure AD/Office365/Gsuite. If they leave the organisation we will delete the ipsk.

Complit · ‎02-18-2020

Thanks a lot guys!!!! Was very helpfull. Now the default password is working as ipsk. But my user ipsk is still not working. Freeradius is starting good. Any idea what I can check?

Complit · ‎02-17-2020

Dear, I installed a Ubuntu server and installed freeradius on it. Freeradius is starting as expected. But when I follow the steps of the topic: https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication I get error messages when I start freeradius after I changed the users file. Users file: Error message: Can someone help me with this? I'm new to freeradius.

Complit · ‎02-09-2020

How is it working exactly? You create a user in freeradius and gave the mac address with it. And then it returns an ipsk? Do you know why meraki/cisco is using unique psk's based on radius instead of using the way ruckus/aerohive/cambium/mist is doing it? Then you don't need tbe radius. We like to integrate the ipsk in our wiflex solution

Complit · ‎02-09-2020

I would not recommend using a splash portal (open ssid) for corporate users. We are looking into a solution with ipsk and Azure. I'll keep you up to date.

Complit · ‎08-08-2019

When will it be possible to create a Splash portal login with Cisco Meraki's api's? We really need this. Thanks a lot.

Complit · ‎06-04-2018

That's correct, but it's the best solution you can do for the moment I think. You can restrict the default vpn profile and run the script every minute. It would be better that Meraki let to define a group policy when you create the vpn user. I'm pretty new to Meraki and I love it. But I was really disappointed when I found out this wasn't an option. Here are the steps of my api script: Get all clients that connected last hour (api/v0/devices/) If client has an ip-address in the vpn subnet, I ask more information (for example emailaddress) with the api api/v0/networks/$network_id/clients/$mac Check if the vpn has the default group policy (normal), if so I want to change this. (api/v0/networks/$network_id/clients/$mac/policy) Then I assign an other group policy based on the domain name of their emailadress.(api/v0/networks/$network_id/clients/$mac/policy) In the dashboard you can assign new firewall rules to the vpn group policy you assigned. You can allow traffic from the vpn subnet to the subnet of the company

Complit · ‎06-04-2018

I was working on a project for a customer. We used a Meraki Mx for multiple companies in this project. The big problem was that all vpn clients came in the same subnet. And if all the vpn clients (from different companies) wanted to get to their recourses I needed to open all subnets. Of course this is a very big security problem. I have solved this with the Meraki api's. I look to the domain name of the email address and assign the right Group policy with only rights to the subnet of his company. Maybe this is helpful for other companies. If you want more details you can contact me on jonas@complit.be

Complit · ‎06-04-2018

Probably a stupid question :-D. I want to get all the clients on the network. My script is working but I get the sentence "You are being redirected" instead of an array with the data. If I click on the link behind "Redirected" I get all the data. But I need this info for my script. Any help would be great. My code: <?php $request = new HttpRequest(); $request->setUrl('https://api.meraki.com/api/v0/devices/SERIALNUMBER/clients'); $request->setMethod(HTTP_METH_GET); $request->setQueryData(array( 'timespan' => '84000' )); $request->setHeaders(array( 'postman-token' => '7187e3f4-f792-c5f6-da1e-73e51253767d', 'cache-control' => 'no-cache', 'x-cisco-meraki-api-key' => 'api key' )); try { $response = $request->send(); echo $response->getBody(); } catch (HttpException $ex) { echo $ex; }

Complit

Community Record

Badges

Re: iPSK - 26.5+

Re: iPSK - 26.5+

Identity api's not working anymore?

Re: iPSK - 26.5+

Re: iPSK Configuration with Microsoft NPS

Re: Identity PSK

Re: iPSK - 26.5+

Re: iPSK Configuration with Microsoft NPS

Re: Problems with setting up Freeradius for iPSK

Re: Problems with setting up Freeradius for iPSK

Re: Problems with setting up Freeradius for iPSK

Re: Problems with setting up Freeradius for iPSK

Re: Problems with setting up Freeradius for iPSK

Re: Problems with setting up Freeradius for iPSK

Problems with setting up Freeradius for iPSK

Re: iPSK - 26.5+

Re: Azure AD authentication on Meraki WiFi

Create Network Meraki Auth User

Re: Assign different Vpn group policies (without radius or AD)

Assign different Vpn group policies (without radius or AD)

You are being redirected

Assign different Vpn group policies (without radius or AD)

Re: iPSK - 26.5+

Re: Identity PSK

Re: iPSK - 26.5+

Problems with setting up Freeradius for iPSK