Meru Setup Guide - Odyssys€¢ Your!Meru!controller's!firmware!version!is!at-least-7.0P7P0.!! ... Wireless->-ESS!and!clickAdd.!!!! The!following!form!should!be!displayed: ...

Meru Setup Guide

Page 2 of 30 Global Reach Technology Ltd Commercial in Confidence

Disclaimer THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY. GLOBAL REACH AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-‐INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE MATERIAL IS ERROR-‐FREE, ACCURATE OR RELIABLE. GLOBAL REACH RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO THE MATERIAL AT ANY TIME. Limitation of Liability IN NO EVENT SHALL GLOBAL REACH BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIAL. VERSION 1.1 PUBLISHED APRIL 2015


IMPORTANT -‐ BEFORE YOU START Before attempting to configure your Meru controller to use Odyssys, please ensure that ALL of the following requirements are in place;

• Your Meru controller's firmware version is at least 7.0-‐7-‐0.

• Your controller is installed in an environment where compatible Access Points are configured to work with the controller, i.e -‐ DNS, DHCP options configured correctly

• Access points must be able to successfully obtain the configuration from controller

Your client environment is configured to allow network clients to;

• Associate to an Access Point

• Obtain an IP address

• Access to the internet The following components are required to be configured and working in your environment before attempting integration with Odyssys;

• DHCP Server

• DNS Server

• Firewall NAT In addition, your Meru controller:

• Must, by the assignment of a public IP address or by means of port forwarding, be accessible to Odyssys via the internet. If the controller is behind a firewall or router, TCP traffic on port 443 (HTTPS) must be forwarded to it.

• Should have an associated, registered domain name (e.g. meru.testcorp.net), which resolves to its IP address (or the IP adress of the intermediate firewall/router) and be provisioned with a SSL certiciate/private key pair. The certificate must be signed by a CA that Odyssys trusts. A list of trusted CAs can be found later in this guide under the section "Trusted 3rd Party Certificates Authorities".

PLEASE NOTE -‐ Odyssys does not use standard RADIUS ports, therefore please make sure you allow the ports in your firewall, defined in your manager.odyssys.net Captive Portal settings. This is a technical document and as such, integration of your hardware with Odyssys should only be handled by trained individuals.


GETTING STARTED WITH ODYSSYS Before you attempt to configure your Meru controller for use with Odyssys, you will need to create a captive portal. 1. First, navigate to https://manager.odyssys.net and log in using your assigned Customer ID, username and password.

2. From the left-‐hand navigation menu, select Captive Portals > Captive Portals and click Create Captive Portal.

The following dialog should be displayed:


You should complete the dialog as follows1: Name: An arbitrary name. Hardware Vendor: Choose Meru. Gateway Address: Your Meru controller's public IP address or associated domain name. Click Create to confirm.

1 For a more detailed explanation of the Gateway Address and Walled Garden fields, please see the "Configuring Your Meru Captive Portal" section.


3. Select your newly created captive portal from the list to view its configuration information.

You will need to refer to these fields when completing the next section.


CONFIGURING ODYSSYS WITHIN MERU 1. Log in to your Meru controller's dashboard and select Configuration from the left-‐hand navigation menu.


2. You should first define the RADIUS servers against which your Wi-‐Fi users will be authenticated. To do this, select Security > RADIUS and click Add.

The following form should be displayed:


a) You will need to define two RADIUS servers as specified below, referring to the configuration information provided in step 3 of "Getting Started with Odyssys": Radius Server 1 (Primary Authentication):

• RADIUS Profile Name: An arbitrary name. • RADIUS IP: Set this to your captive portal's RADIUS Primary Server IP. • RADIUS Secret: Set this to your captive portal's RADIUS Shared Secret. • RADIUS Port: Set this to your captive portal's RADIUS Authentication Port. • COA: Choose Off.

Click OK to confirm. Click Add to define a new RADIUS server. Radius Server 2 (Primary Accounting):

• RADIUS Profile Name: An arbitrary name. • RADIUS IP: Same as above. • RADIUS Secret: Same as above. • RADIUS Port: Set this to your captive portal's RADIUS Accounting Port. • COA: Same as above.

b) You can optionally define two more RADIUS servers for failover. To do so, you should repeat a) but this time setting each server's RADIUS IP to your captive portal's RADIUS Secondary Server IP.


3. Next, select Security > Captive Portal.


a) Click Internal Portal Settings. The following should be displayed:

You should complete the form as follows: Portal URL:

• Protocol: Choose https. User Authentication:

• Authentication Type: Choose radius. Radius Authentication:

• Primary Profile: Set this to the primary authentication RADIUS Profile Name you chose in step 2a. Radius Accounting:

• Primary Profile: Set this to the primary accounting RADIUS Profile Name you chose in step 2a. b) Next, click External Portal Settings. The following should be displayed:


You should complete the form as follows, referring to the configuration information provided in step 3 of "Getting Started with Odyssys": External Portal URL: Set this to your captive portal's Splash Page URL. External Portal IP: Set this to your Meru controller's public IP address. Click OK to confirm.


4. The next step is to allow your Wi-‐Fi users to connect to Odyssys. To do this, select QoS Settings > QoS and Firewall Rules.

Click Add to create a new rule. The following form should be displayed:


You will need to add two rules, refering to the configuration information provided in step 3 of "Getting Started with Odyssys": Rule 1:

• Destination IP: This should be set to your captive portal's RADIUS Primary Server IP. The adjacent Match tickbox should be checked.

• Destination Netmask: This should be set to 255.255.255.255. • Source IP/Source Netmask: Do not modify. Leave the adjacent Match tickbox unchecked. • Firewall Filter ID: This can be set to an arbitrary identifier (e.g. "test-‐filter-‐id"). The adjacent Match tickbox

should be checked. • QoS Protocol: Set this to none.

Click OK to confirm. Click Add to create a new rule. Rule 2:

• Destination IP/Destination Netmask: Do not modify. Leave the adjacent Match tickbox unchecked. • Source IP: Set to your captive portal's RADIUS Primary Server IP. The adjacent Match tickbox should be

checked. • Source Netmask: This should be set to 255.255.255.255. • Firewall Filter ID: Same as for Rule 1. • QoS Protocol: Same as for Rule 1.


Click OK to confirm.


5. Next, you should create a security profile to define which methods will be used to authenticate your Wi-‐Fi users. Select Security > Profile and click Add.



Ensure that you complete the following fields: Security Profile Name: An arbitrary name. Captive Portal: Choose WebAuth. Captive Portal Authentication Method: Choose external. Passthrough Firewall Filter ID: Enter the Firewall Filter ID you chose in step 4. Click OK to confirm.


6. Next, select Wireless > ESS and click Add.



You should complete the form as follows: ESS Profile: An arbitrary name. Enable/Disable: Set this to Enable. SSID: The desired SSID for your APs to broadcast. Security Profile: Set this to the Security Profile Name you chose in step 5. Dataplane Mode: Set this to Tunneled. 7. Your Meru controller is now configured and ready to use Odyssys. Please take this opportunity to save/back up your configuration. If you have opted to upload a SSL certificate signed by a trusted 3rd-‐party certificate authority, then you should also complete the next step.


9. (Optional) Before continuing please complete the "Preparing and Verifying Your Certificate Chain" section. You will then need to upload the full CA certificate chain to your Meru controller. To do this, select Certificates from the Configuration menu. a) Click Import.

You should complete the dialog as follows: Certificate Alias: An arbitrary name used to identify the CA certificate. User Certificate: A file containing a root or intermediate CA certificate. b) Now repeat a) until the root CA certificate and all intermediate CA certificates have been uploaded. This must be done before you upload your own signed certificate/private key pair. Click Save to continue.

TECH NOTE You must upload the CA certificates in the order in which they were signed. This means that the self-‐signed root CA certificate must be uploaded first, followed by the intermediate certificate signed by the root and so on. Failure to do so may lead to certificate validation errors.


10. Next, upload your signed certificate and private key. To do this, select the Controller Certificates tab and click Import Certificate.

The following settings should be applied: Certificate Type: Choose Certificate with private key. Certificate Alias: An arbitrary name used to identify this certificate/key pair. User Certificate: The file containing your signed certificate. Password: The password used to encrypt your private key. Private Key: The file containing your encrypted private key. Click Save to continue.


11. Next, you need to instruct the Meru controller to use your signed certificate when handling HTTPS requests. To do this, click Applications.

The following settings should be applied: Web Administration & Management Application: Select the Certificate Alias you chose in step 10. Click Save to continue.


12. Your Meru controller is now configured to use your signed certificate for web requests. Please take this opportunity to save/back up your configuration. For the changes to take effect, you will need to either restart the GUI service (via the CLI) or reboot the controller. Once this is complete, you should navigate to your Meru controller using a web browser and view the certificate chain. Details of how to do this are browser specific. In Safari, you can click the "https" button next to the Location bar. Please ensure that correct certificates are displayed.


13. Finally, if you have not already done so, please update your captive portal's Gateway Address field in Odyssys. You should enter either the common name (CN) or a Subject Alternative Name of your signed certificate.

TECH NOTE Remember, the domain name you specifiy here must be registered with a public domain name registrar, otherwise Odyssys will not be able to resolve it.


CONFIGURING YOUR MERU CAPTIVE PORTAL The following describes in detail the different configuration options that can be specified for a Meru captive portal.

Gateway Address: Set this to either an IP address or a fully-‐qualified domain name. If an IP address is specified, Odyssys will connect to your Meru controller via SSL but not validate the certificate it receives during the initial handshake. This makes the connection vulernable to man-‐in-‐the-‐middle attacks. It is therefore recommended that an IP address be used for testing purposes only. Alternatively, a domain name may be specified, in which case it must be registered with a public DNS registrar so that Odyssys can resolve it. Odyssys will also perform all the standard SSL validity checks including verifying that the specified domain actually appears on your controller's certificate. This is the recommended option for live portals. If Odyssys is unable to establish a HTTPS connection to your controller, or the received SSL certificate fails a validation check, an error message will be displayed to your Wi-‐Fi users. Walled Garden: Set this to a comma-‐separated list of fully-‐qualified domain names, e.g. facebook.com,akamaihd.net,fbcdn.net. Your Wi-‐Fi users will be allowed access to these domains and their subdomains before they log in (e.g. specifying facebook.com is equivalent to allowing *.facebook.com). Each domain (and all of its subdomains) is whitelisted for 5 minutes. A maximum of ten domains may be specified. This field is required if you wish to use a social login authentication provider such as Facebook or Twitter. Note that access to these domains is not granted until after a user has been redirected to an Odyssys captive portal. For this reason, including manager.odyssys.net in this list is ineffective. If Odyssys is unable to establish a HTTPS connection to your controller, or the received SSL certificate fails a validation check, an error message will be displayed to your Wi-‐Fi users.


PREPARING AND VERIFYING YOUR CERTIFICATE CHAIN This section requires you to have a recent version of OpenSSL installed on your system. On Mac OS X, OpenSSL should be installed by default, for Linux and Windows it may have to be installed separately. Binary versions for Windows may be found under https://www.openssl.org. Linux users should consult their distribution's package manager for more information. Please ensure your signed certificate, private key and CA certificates are all in separate, PEM-‐encoded files. The examples in this section assume the following certificates: A GlobalSign root CA certificate (globalsign.pem), an AlphaSSL intermediate CA certificate (alphassl.pem), a signed certificate for *.odyssys.net (odyssys.net.pem) and its accompanying private key odyssys.net.key. 1. To check that OpenSSL is correctly installed, enter the following at the terminal (Mac OS X/Linux) or command prompt (Windows).

You should see the following OpenSSL command prompt. Type quit to exit.

OpenSSL>

2. Now verify the integrity of your certificate chain using the following commands:

(Note: The "cat" command is not available on Windows so you will need to use a text-‐editor to concatenate the root/intermediate certificates into a single file. To do this, simply open the root/intermediate certificate files, then copy and paste their contents into Notepad and save as necessary). 3. Finally, ensure that your private key file is password protected, as the Meru controller will expect it to be. It should begin something similar to the following:

If the "Proc-‐Type"/"DEK-‐Info" lines are missing, you can add password protection using the following command:

openssl rsa -in odyssys.net.key -des3 -out encrypted.key

When uploading the private key to your Meru controller, you will be required to enter the private key password, so please ensure you have this available. You are now ready to upload the certificates and private key to your Meru controller.

$ openssl

$ cat alphassl.pem globalsign.pem > cacerts.pem $ openssl verify -CAfile cacerts.pem odyssys.net.pem odyssys.net.pem: OK

-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,A87D2F2D44233825


TRUSTED 3RD PARTY CERTIFICATE AUTHORITIES Odyssys trusts the following certificate authorities. Please ensure the your Meru controller's certificate is signed by one of the following:

• AddTrust • Comodo • DigiCert • Equifax • GeoTrust • GlobalSign • GoDaddy • SecureTrust • Starfield • Startcom • Thawte • VeriSign


FREQUENTLY ASKED QUESTIONS

Q. I want to add different authentication provider types, how do I do this? A. Please see our Odyssys Authentication guide for further information.

Q. I need more information on how to setup Odyssys A. Please see our Odyssys setup guide.


GLOSSARY

ACL Access Control List AAA Authentication, Authorization, and Accounting CA Certificate Authority DHCP Dynamic Host Configuration Protocol DNS Domain Name Service NAT Network Address Translation PORT A process-‐specific or an application-‐specific software construct serving as a communication endpoint,

which is used by the Transport Layer protocols of Internet Protocol suite, such as User Diagram Protocol (UDP) and Transmission Control Protocol (TCP)

RADIUS Remote Authentication Dial In User Service (RADIUS) SHARED SECRET A single password shared between two devices SSID Service Set Identifier -‐ A unique identifier for your Wi-‐Fi service WLAN Wireless Local Area Network

Global Reach Technology Ltd Craven House, 121 Kingsway London WC2B 6PA T +44 (0) 20 7831 5630 [email protected] Copyright © Global Reach Technology Limited All rights reserved. Global Reach and the Global Reach logo are registered trademarks.

Meru Setup Guide - Odyssys€¢ Your!Meru!controller's!firmware!version!is!at-least-7.0P7P0.!! ... Wireless->-ESS!and!clickAdd.!!!! The!following!form!should!be!displayed: ...

Documents