!Meru ! Setup&Guide& - Odyssys® Supportsupport.odyssys.net/wp-content/uploads/2015/07/Meru-Setup-Guide.pdfBefore!attempting!to!configure!your!Meru!controller!in!to!Odyssys,!please

!!!

! !

!!Meru!!Setup&Guide&&! !

!

!!!!Page!2!of!25!!!Global!Reach!Technology!Ltd!!!!!!!!!!!!!!!!!!!!!!!!!Commercial!in!Confidence!

!!!!!!!Disclaimer,,!THIS!DOCUMENTATION!AND!ALL!INFORMATION!CONTAINED!HEREIN!(“MATERIAL”)!IS!PROVIDED!FOR!GENERAL!INFORMATION!PURPOSES!ONLY.!GLOBAL!REACH!AND!ITS!LICENSORS!MAKE!NO!WARRANTY!OF!ANY!KIND,!EXPRESS!OR!IMPLIED,!WITH!REGARD!TO!THE!MATERIAL,!INCLUDING,!BUT!NOT!LIMITED!TO,!THE!IMPLIED!WARRANTIES!OF!MERCHANTABILITY,!NONPINFRINGEMENT!AND!FITNESS!FOR!A!PARTICULAR!PURPOSE,!OR!THAT!THE!MATERIAL!IS!ERRORPFREE,!ACCURATE!OR!RELIABLE.!GLOBAL!REACH!RESERVES!THE!RIGHT!TO!MAKE!CHANGES!OR!UPDATES!TO!THE!MATERIAL!AT!ANY!TIME.!!!Limitation,of,Liability,!IN!NO!EVENT!SHALL!GLOBAL!REACH!BE!LIABLE!FOR!ANY!DIRECT,!INDIRECT,!INCIDENTAL,!SPECIAL!OR!CONSEQUENTIAL!DAMAGES,!OR!DAMAGES!FOR!LOSS!OF!PROFITS,!REVENUE,!DATA!OR!USE,!INCURRED!BY!YOU!OR!ANY!THIRD!PARTY,!WHETHER!IN!AN!ACTION!IN!CONTRACT!OR!TORT,!ARISING!FROM!YOUR!ACCESS!TO,!OR!USE!OF,!THE!MATERIAL.!!VERSION,1.1,PUBLISHED,APRIL,2015,

!!!!!!!!!!!!!!!!!!!&&&&&

!!!,,

!


,IMPORTANT,F,BEFORE,YOU,START,!Before!attempting!to!configure!your!Meru!controller!in!to!Odyssys,!please!ensure!that!ALL!of!the!following!requirements!are!in!place;!!

• Your!Meru!controller's!firmware!version!is!at,least,7.0P7P0.!!

• You!have!a!controller!installed!in!an!environment!where!compatible!Access!Points!are!configured!to!work!with!the!controller,!i.e!P!DNS,!DHCP!options!configured!correctly!

!• Access!points!must!be!able!to!successfully!obtain!the!configuration!from!controller!!

!Your!client!environment!is!configured!to!allow!network!clients!to;!!

• Associate!to!an!Access!Point!!

• Obtain!an!IP!address!!!

• Access!to!the!internet!!The!following!components!are!required!to!be!configured!and!working!in!your!environment!before!attempting!integration!with!Odyssys;!!

• DHCP!Server!!

• DNS!Server!!

• Firewall!NAT!!In!addition,!your!Meru!controller:!!

• Must,!by!the!assignment!of!a!public!IP!address!or!by!means!of!port!forwarding,!be!accessible!to!Odyssys!via!the!internet.!If!the!controller!is!behind!a!firewall!or!router,!TCP!traffic!on!port!443!(HTTPS)!must!be!forwarded!to!it.!

• Should!have!an!associated,!registered!domain!name!(e.g.!meru.testcorp.net),!which!resolves!to!its!IP!address!(or!the!IP!adress!of!the!intermediate!firewall/router)!and!be!provisioned!with!a!SSL!certiciate/private!key!pair.!The!certificate!must!be!signed!by!a!CA!that!Odyssys!trusts.!A!list!of!trusted!CAs!can!be!found!later!in!this!guide!under!the!section!"Trusted!3rd!Party!Certificates!Authorities".!

,PLEASE,NOTE!P!Odyssys!does!not!use!standard!RADIUS!ports,!therefore!please!make!sure!you!allow!the!ports!in!your!firewall,!defined!in!your!manager.odyssys.net!Captive!Portal!settings.!,This,is,a,technical,document,and,as,such,,integration,of,your,hardware,with,Odyssys,should,only,be,handled,by,trained,individuals.,!!!!!!!!!!!!!

!


,GETTING,STARTED,WITH,ODYSSYS,!Before!you!attempt!to!configure!your!controller!for!use!with!Odyssys,!you!will!need!to!create!your!own!Captive!Portal!in!order!to!get!the!required!details.!!1.!Within!your!Internet!browser,!navigate!to!https://manager.odyssys.net!!2.!Login!to!Odyssys,!using!your!Customer!ID,!Username!and!Password!!

!3.!!Using!the!navigation!panel!on!the!left!hand!side!of!the!Odyssys!Dashboard,!select!"Captive!Portals"!then!"Captive!Portals"!and!finally!"Create!Captive!Portal"!!

!!4.!Enter!the!following!details!to!create!a!new!Captive!Portal!!Name:!An!arbitrary!name&Description:!An!arbitrary!description&Hardware,Vendor:!Choose!Meru,Gateway,Address:!Your!Meru!controller's!public!IP!address!or!associated!domain!name1!Walled,Garden:!A!commaPseparated!list!of!domain!names!(max.!10,!optional)2!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1!If!an!IP!address!is!specified!rather!than!a!domain!name,!Odyssys!will!not!perform!any!validation!checks!on!the!certificate!it!receives,!making!the!connection!vulnerable!to!manPinPthePmiddle!attacks.!It!is!therefore!recommended!to!use!an!IP!address!for!testing!purposes!only.!Details!of!how!to!provision!your!Meru!controller!with!a!custom!certificate!are!given!later!in!this!guide.!2!The!Walled!Garden!field!allows!users!access!to!a!limited!number!of!domains!(e.g.!facebook.com)!before!logging!in.!This!field!is!required!if!you!wish!to!use!a!social!login!authentication!provider!such!as!Facebook!or!Twitter.!For!more!information!on!social!login!authentication!providers,!please!consult!the!Odyssys!Authentication!Provider!guide.!!

!


!

!Click!"Create"!to!save!the!settings!and!complete!initial!setup!of!the!Captive!Portal.!!5.!Select!the!newly!created!Captive!Portal!and!it!will!display!the!information!required!to!configure!the!Meru!controller.!The!information!listed!here!will!be!required!in!the!next!section.&!

!!

,,

!


,CONFIGURING,ODYSSYS,WITHIN,MERU,!1.!Log!in!in!to!your!Meru!controller's!dashboard!and!select!the!"Configuration"!menu!on!the!rightPhandPside.!

!

All!OdyssysPspecific!configuration!is!performed!using!this!menu.!

!

!

!!!

!


!2.!First,!you!need!to!define!the!RADIUS!servers!against!which!users!will!be!authenticated.!To!do!this,!select!"RADIUS"!under!"Security".!Then!click!"Add"!to!define!a!new!RADIUS!server.!!

!

Enter!the!following!settings!using!the!configuration!information!provided!in!step!5!of!the!previous!section:!RADIUS,Profile,Name:!An!arbitrary!name!for!the!RADIUS!server.!RADIUS,Secret:!Set!this!to!the!shared!secret!given!in!the!"RADIUS,Shared,Secret",field.!RADIUS,IP:!Set!this!to!the!IP!address!given!in!the!"RADIUS,Primary,Server,IP"!field.!RADIUS,Port:!Set!this!to!UDP!port!number!given!in!the!"RADIUS,Authentication,Port",field.!COA:!Choose!Off.!!Repeat!this!step!to!define!a!RADIUS!accounting!server,!substituting!the!value!of!the!"RADIUS!Port"!field!with!the!your!captive!portal's!RADIUS!accounting!port.!

You!can!optionally!define!two!more!RADIUS!servers!for!failover!using!the!"RADIUS!Secondary!Server!IP"!address!given!in!your!Odyssys!configuration!and!specifying!the!same!ports!as!before.!

!

!

!

!

!

!

!

!

!

!!

!


!3.!Next,!select!"Captive!Portal"!from!under!the!"Security"!heading,!and!then!"Internal!Portal!Settings".!!

!!The!following!settings!should!be!applied:!!Protocol:!Choose!https!UserFAuthentication,F,Authentication,Type:!!Choose!radius!UserFAuthentication,F,Radius,Authentication,F,Primary,Profile:!You!should!select!the!authentication!radius!server!you!defined!in!step!3.!UserFAuthentication,F,Radius,Authentication,F,Secondary,Profile:,You!should!select!the!failover!authentication!radius!server!you!defined!in!step!3,!if!any.!UserFAuthentication,F,Radius,Accounting,F,Primary,Profile:!You!should!select!the!accounting!radius!server!you!defined!in!step!3.!UserFAuthentication,F,Radius,Accounting,F,Secondary,Profile:,You!should!select!the!failover!accounting!radius!server!you!defined!in!step!3,!if!any.!!Next!click!"External!Portal!Settings"!and!use!the!following!settings:!External,Portal,URL:!This!should!be!set!to!the!"Splash,Page,URL"!field!listed!as!part!of!your!Odyssys!configuration.!(e.g.!https://manager.odyssys.net/account/captivePortal/1234567)!External,Portal,IP:!This!should!be!set!to!the!same!IP!address!as!you!specified!for!the!"Gateway!Address"!in!step!4!of!the!previous!section!(e.g.!1.2.3.4).!,,,,

!


,

!!!!!!!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

TECH,NOTE,Odyssys,always,uses,the,"Gateway,Address",in,preference,to,the,"External,Portal,IP",,so,changing,this,field,will,not,override,the,settings,given,when,the,captive,portal,was,created.,,

!

!

!!!!Page!10!of!25!!Global!Reach!Technology!Ltd!!!!!!!!!!!!!!!!!!!!!!!!!Commercial!in!Confidence!

!4.!Next,!create!a!security!profile!to!define!which!methods!will!be!used!to!authenticate!your!WiPFi!users.!Select!"Profile"!and!then!click!“Add".!!

!!Ensure!that!the!following!configuration!items!are!set:!Captive,Portal:!!Choose!"WebAuth".!Captive,Portal,Authentication,Method:!!Choose!"external".!!!Passthrough,Firewall,Filter,ID:!!Enter!a!filter!ID.!This!could!be,!for!example,!"testPfilterPid".!!

!


!5.!The!next!step!is!to!allow!WiPFi!clients!to!connect!Odyssys.!To!do!this,!select!"QoS!and!Firewall!Rules"!under!"QoS!Settings",!then!"Add".!!!

!!Enter!the!following!settings:!Destination,IP:,This!should!be!set!to!the!field!listed!as!"RADIUS,Primary,Server,IP".!Destination,Netmask:!This!should!be!set!to!255.255.255.255.,The!adjacent!tickbox,!under!the!heading!of!"Match",!should!also!be!checked.!Firewall,Filter,ID:!This!should!be!set!to!the!Firewall!Filter!ID!you!chose!in!step!4!(e.g.!"testPfilterPid").!!The!adjacent!tickbox!should!also!be!checked.!QoS,Protocol:!Set!this!to!none.!!!

!


!Click!"OK"!to!confirm.!!Now!repeat!this!step,!but!this!time!setting!the!"Source!IP"!and!"Source!Netmask"!!to!the!same!IP!address/netmask!combination!as!before.!The!adjacent!tickbox,!under!the!heading!of!"Match",!should!also!be!checked.!!Click!"OK"!to!confirm.!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

TECH,NOTE,Specifiying!"manager.odyssys.net"!as!part!of!the!Walled!Garden!in!step!4!of!"Getting!Started!with!Odyssys"!is!ineffective.!The!specified!walled!garden!is!not!applied!until!after!a!client!has!connected!to!Odyssys.!

!


!6.!Next,!select!"ESS"!under!the!"Wireless"!heading!and!click!"Add".!!

!!Enter!the!following!settings:!!ESS,Profile:,,An!arbitrary!name.!Enable/Disable:,Enable,SSID:,The!desired!SSID!for!your!hotspot!to!broadcast.!Security,Profile:!This!should!be!set!to!the!security!profile!created!in!step!5.!Dataplane,Mode:!This!may!be!set!to!either!Tunneled!or!Bridged3.!!7.!Your!Meru!controller!is!now!configured!and!ready!to!use.!Please!take!this!opportunity!to!save/backup!your!controller's!configuration.!If!you!have!opted!to!use!a!SSL!certificate!signed!by!a!trusted!3rdPparty!certificate!authority,!then!please!continue!with!the!next!step.!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3!Please!note!that!the!walled!garden!feature!is!not!currently!available!in!Bridged!mode.!

!


!8.!(Optional)!To!secure!communications!between!Odyssys!and!your!Meru!controller,!you!will!need!upload!a!custom!certificate,!signed!by!a!trusted!3rd!party!certificate!authority,!and!its!accompanying!certificate!chain.!While!this!is!not!mandatory,!it!is!highly,recommended!to!protect!the!privacy!of!your!WiPFi!users.!!To!complete!these!steps,!you!will!need!the!selfPsigned!root!certificate!of!your!chosen!CA,!the!certificates!of!any!intermediate!CAs,!as!well!as!your!signed!certificate!and!private!key.!!!For!a!list!of!trusted!CAs,!please!consult!the!"Trusted!3rd!Party!Certificate!Authorities"!section.!!You!should!already!have!a!copy!of!your!private!key!and!signed!certificate.!The!root/intermediate!certificates!should!be!available!from!your!chosen!certificate!authorities’!website.!Additionally,!each!certificate!and!private!key!should!be!in!its!own!file!(DER!or!PEM!format).!!!For!more!information!on!working!with!PEM/DER!files!please!consult!the!"Preparing!and!Verifying!Your!Certificate!Chain"!section.!!9.!First,!upload!the!full!CA!certificate!chain!to!your!Meru!controller.!!!To!do!this!select!"Certificates"!in!the!"Configuration"!menu,!then!choose!the!"Trusted!Root!CA"!tab!and!click!the!"Import"!button!!

!!

!

!


!The!following!settings!should!be!applied:!Certificate,Alias:!An!arbitrary!name!used!to!identify!the!CA!certificate.!User,Certificate:!A!file!containing!a!root!or!intermediate!CA!certificate.!!You!should!repeat!this!step!until!the!root!CA!certificate!and!all!the!intermediate!CA!certificates!have!been!uploaded.!This!MUST!be!done!BEFORE!you!upload!your!signed!certificate/private!key!pair.!!!Click!"Save"!to!continue.!

!

,,!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

TECH,NOTE,You!MUST!upload!the!CA!certificates!in!the!order!in!which!they!were!signed.!This!means!that!the!selfPsigned!root!CA!certificate!must!be!uploaded!first,!followed!by!the!intermediate!certificate!signed!by!the!root!and!so!on.!Failure!to!do!so!may!lead!to!certificate!validation!errors.!

!


!10.!Next,!your!signed!certificate/private!key!pair!needs!to!be!uploaded.!To!do!this,!select!the!"Controller!Certificates"!tab,!and!then!click!"Import".!!

!!The!following!settings!should!be!applied:!Certificate,Type:!Choose!Certificate,with,private,key.!Certificate,Alias:!An!arbitrary!name!used!to!identify!this!certificate.!User,Certificate:!The!file!containing!your!signed!certificate.!Password:!The!password!used!to!encrypt!your!private!key.!Private,Key:!The!file!containing!your!encrypted!private!key.!!Click!"Save"!to!continue.!!

!!!!!!!

TECH,NOTE,For!this!to!succeed,!you!MUST!have!already!uploaded!the!full!certificate!chain!as!described!in!the!previous!step.!

!


!11.!Next,!you!need!to!instruct!the!Meru!controller!to!use!your!signed!certificate!when!handling!HTTPS!requests.!To!do!this,!click!"Applications".!!

!!The!following!settings!should!be!applied:!Web,Administration,&,Management,Application:!Choose!the!alias!of!the!signed!certificate!you!uploaded!in!the!previous!step.!!Click!"Save"!to!continue.!!!!!!!!!!!!!!

!


!12.!Your!Meru!controller!should!now!be!configured!to!use!your!signed!certificate!for!web!requests.!Please!take!this!opportunity!to!save/backup!your!configuration.!For!the!changes!to!take!effect,!you!will!need!to!either!restart!the!GUI!service!(via!the!CLI)!or!reboot!the!controller.!Once!this!is!complete,!you!should!navigate!to!your!Meru!controller!using!a!web!browser!and!view!the!certificate!chain.!Details!of!how!to!do!this!are!browser!specific.!In!Safari,!you!can!click!the!"https"!button!next!to!the!Location!bar.!Please!ensure!that!correct!certificates!are!displayed.!!

!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!


!13.!Finally,!if!you!have!not!already!done!so,!please!update!the!"Gateway!Address"!field!in!your!Odyssys!configuration!to!use!the!domain!name!that!appears!on!your!signed!certificate.!!

!!

!!!

,,,,,,,,,,

TECH,NOTE,Remeber,!the!domain!name!you!specifiy!here!MUST!registered!with!a!public!domain!name!registrar!and!MUST!correspond!to!domain!for!which!you!requested!your!SSL!certificate.!

!


,TRUSTED,3RD,PARTY,CERTIFICATE,AUTHORITIES,,Odyssys!trusts!the!following!certificate!authorities.!Please!ensure!the!your!Meru!controller's!certificate!is!signed!by!one!of!the!following:!!

• AddTrust!• Comodo!• DigiCert!• Equifax!• GeoTrust!• GlobalSign!• GoDaddy!• SecureTrust!• Starfield!• Startcom!• Thawte!• VeriSign!

!

,,,,,,,,,,,,,,,,,,,,,,,,

!


,PREPARING,AND,VERIFYING,YOUR,CERTIFICATE,CHAIN,,This!section!requires!that!you!have!a!recent!version!of!OpenSSL!installed!on!your!system.!On!Mac!OS!X,!OpenSSL!should!be!installed!by!default,!for!Linux!and!Windows!it!may!have!to!be!installed!separately.!Binary!versions!for!Windows!may!be!found!under!https://www.openssl.org.!Linux!users!should!consult!their!distribution's!package!manager!for!more!information.!!1.!To!check!that!OpenSSL!is!correctly!installed,!enter!the!following!at!the!terminal!(Mac!OS!X/Linux)!or!command!prompt!(Windows).!!!

!You!should!see!the!following!OpenSSL!command!prompt.!Type!"quit"!to!exit.!!

OpenSSL> !

2.!If!you!received!your!certificates/private!key!in!a!PKCS#12!file!(e.g.!odyssys.pfx),!then!you!first!need!to!export!each!into!its!own!file.!If!you!already!have!all!of!your!certificates!in!separate!PEM!or!DER!formatted!files!then!you!can!skip!this!step.!This!guide!assumes!your!certificate/private!key!files!are!PEM!encoded.!!PKCS#12!files!are!generally!password!protected.!The!individual!files!contained!inside!may!also!be!password!protected,!so!please!ensure!you!have!all!the!required!passwords!available!before!continuing.!!!To!export!the!certificates/private!keys!contained!in!your!PKCS#12!file,!use!the!following!command:!!

$ openssl pkcs12 -in odyssys.pfx -out contents.pem !!You!should!then!separate!the!certificates!and!private!keys!contained!in!contents.pem!into!separate!files.!Each!file!should!begin!and!end!with!"PPPPPBEGIN!CERTIFICATEPPPPP"!and!"PPPPPEND!CERTIFICATEPPPPP"!if!it!contains!a!certificate,!and!"PPPPPBEGIN!RSA!PRIVATE!KEYPPPPP"!and!"PPPPPEND!RSA!PRIVATE!KEYPPPPP"!if!it!contains!a!private!key.!!You!should!now!have!a!separate!file!for!each!selfPsigned!root!CA!certificate,!intermediate!CA!certificate!or!signed!certificate!in!your!chain.!Your!private!key!should!also!be!in!its!own!file.!!3.!Next,!you!should!verify!the!integrity!of!your!certificate!chain.!To!illustrate,!the!following!certificates!will!be!assumed:!A!GlobalSign!root!certificate!(globalsign.pem),!an!AlphaSSL!intermediate!certificate!(alphassl.pem),!and!a!certificate!for!*.odyssys.net!(odyssys.net.pem).!!To!verify!your!certificate!chain,!use!the!following!commands:!!

!!(Note:!The!"cat"!command!is!not!available!on!Windows!so!you!will!need!to!use!a!textPeditor!to!concatenate!the!root/intermediate!certificates!into!a!single!file.!To!do!this,!simply!open!the!root/intermediate!certificate!files,!then!copy!and!paste!their!contents!into!Notepad!and!save!as!necessary).!!4.!Finally,!ensure!that!your!private!key!file!is!passwordPprotected,!as!the!Meru!controller!will!expect!it!to!be.!If!it!is!password!protected!then!it!should!begin!with!the!following!lines:!

!

!!!!

$ openssl

$ cat alphassl.pem globalsign.pem > cacerts.pem $ openssl verify -CAfile cacerts.pem odyssys.net.pem odyssys.net.pem: OK

-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,A87D2F2D44233825

!


!If!the!private!key!file!does!not!have!the!"ProcPType"/"DEKPInfo"!lines,!you!can!add!password!protection!using!the!following!command:!!

openssl rsa -in odyssys.net.key -des3 -out encrypted.key !!

When!uploading!the!private!key!to!your!Meru!controller,!you!will!be!required!to!enter!the!private!key!password,!so!please!ensure!you!have!this!information!available.!!You!are!now!ready!to!upload!the!certificates!and!private!key!to!your!Meru!controller.!

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

!


,FREQUENTLY,ASKED,QUESTIONS!

Q.,I!want!to!add!different!authentication!provider!types,!how!do!I!do!this?,A.,Please!see!our!Odyssys!Authentication!guide!for!further!information.,

Q.,I!need!more!information!on!how!to!setup!Odyssys,A.,Please!see!our!Odyssys!setup!guide.!

,

,

,

,

,

,

,

,

,

,

,

,

,

,

,

,

!


,GLOSSARY,

ACL, Access!Control!List!,AAA!! Authentication,!Authorization,!and!Accounting!!CA! Certificate!Authority!!DHCP, Dynamic!Host!Configuration!Protocol,!DNS,, Domain!Name!Service!!NAT! Network!Address!Translation!!PORT! A!processPspecific!or!an!applicationPspecific!software!construct!serving!as!a!communication!endpoint,!

which!is!used!by!the!Transport!Layer!protocols!of!Internet!Protocol!suite,!such!as!User!Diagram!Protocol!(UDP)!and!Transmission!Control!Protocol!(TCP)!

!RADIUS! Remote!Authentication!Dial!In!User!Service!(RADIUS)!!!SHARED,SECRET! A!single!password!shared!between!two!devices!!SSID! Service!Set!Identifier!P!A!unique!identifier!for!your!WiPFi!service!,WLAN! Wireless!Local!Area!Network!

!

!

!!!

Global!Reach!Technology!Ltd!Craven!House,!121!Kingsway!London!WC2B!6PA!T!+44!(0)[email protected],!!Copyright!©!Global!Reach!Technology!Limited!All!rights!reserved.!Global!Reach!and!the!Global!Reach!logo!are!registered!trademarks.!

!

!Meru ! Setup&Guide& - Odyssys® Supportsupport.odyssys.net/wp-content/uploads/2015/07/Meru-Setup-Guide.pdfBefore!attempting!to!configure!your!Meru!controller!in!to!Odyssys,!please

Documents