Configuring Meraki IPSK with FreeRADIUS

Last week Meraki announced some exciting new security features on their platform. One of these features is Identity PSK (or IPSK) with RADIUS for Wi-Fi, their own proprietary implementation of a Personal Pre-shared Key infrastructure, generally referred to as PPSK. This type of security infrastructure can leverage an existing WPA2-Personal network as introduced in 802.11i to implement individual pre-shared keys per client instead of using One Key To Connect Them All.

This offers a couple of security and identity benefits over a regular PSK used in WPA2-Personal. First of all the IPSK can be uniquely configured for a specific device’s MAC address. It can’t be used by another device, unless you spoof the MAC address of course. Access for that particular device can be revoked by removing its unique key, which won’t affect other devices on the same SSID. Second of all the entire network isn’t immediately vulnerable if an IPSK is compromised. If an identity pre-shared key is hacked it will only affect that particular device. Its traffic can now be decrypted, but other traffic on the same SSID is still secure, since it uses different IPSK’s. The compromised IPSK can’t be easily used for access to the SSID, unless you spoof the MAC address of the client. But this is easily mitigated by changing or revoking that particular IPSK, which, again, won’t affect the rest of your Wi-Fi clients. So IPSK is still not perfect, but it’s a big improvement over regular WPA2-Personal.

The documentation Meraki provides for IPSK is at the moment a bit sparse: They do provide some information, but it’s rather incomplete and even incorrect at places. The main caveat is that it lacks instructions for Windows NPS support, which is presumably the most used RADIUS server for Meraki 802.1X implementations. The reason for this is that Windows NPS probably lacks the RADIUS attributes or functionality to support IPSK. The instructions do mention Cisco ISE, which is a rarity in the SMB market, and FreeRADIUS, but this is more of a pointer than an instruction. Plus it forgets to mention the most awesomest feature of all: VLAN assignment!

After a bit of testing I was able to get this to work quite easily and brilliantly using a Pine A64 board and Armbian, a lightweight Debian distribution. Of course you can also do this using a Raspberry Pi or a VM running Linux. The FreeRADIUS daemon name and installation location however depends on the distribution you’re using. Please refer to the FreeRADIUS documentation for more info: For the remainder of this guide I’m assuming you already have Linux installed and updated (apt-get install update && apt-get install upgrade) and that you’ve installed FreeRADIUS on it (apt-get install freeradius). That’s all the components you’ll need to begin with. As a side note I’m not using sudo in these commands since this is a home device and I’m using root, but you definitely should use sudo!

Let’s first configure the SSID in the Meraki dashboard. You need to be running firmware version MR 26.5 or later to use this feature. Go to Wireless – Access Control and enable Identity PSK with RADIUS under Network Access.

Add the IP address of your Linux host to the RADIUS servers and configure a shared secret for the RADIUS client. Let’s call this key A.

Now here comes the fun bit. Under Addressing and traffic select Bridge mode. Select Use VLAN tagging in the dropdown box below. Enter a VLAN ID in the field after All other APs (Note: this VLAN ID will eventually not be used). And finally set the RADIUS override to RADIUS response can override VLAN tag.

You can change the band selection and minimum bitrate to your preference, but leave all other settings intact.

On the LAN and firewall side I’ve configured a couple of VLANs:

  • VLAN 10 with IP subnet with access to the LAN and internet
  • VLAN 20 with IP subnet with only internet access

Since this is a Wi-Fi article I’ll leave the details of the LAN and firewall configuration to your own expertise. Don’t forget to tag these VLANs on the AP uplink switchports. That’s basically all you need to configure in the Meraki dashboard.

Now let’s switch to the Linux host. First you’ll need to add the access points as RADIUS clients by editing the clients.conf file in the FreeRADIUS configuration folder. In Debian this can be done by using the following command:

# nano /etc/freeradius/3.0/clients.conf

This will open the clients.conf file in the Nano editor. In other distributions this folder will be named /etc/raddb/, so be aware of that. Since I don’t want to add every single access point as a separate RADIUS client, I’ll add the entire management IP subnet containing all of the access points using key A as the shared secret:

client private-network-1 {
         ipaddr  = x.x.x.0/24
         secret  = <key A>

Press Ctrl + O to write the file, press Enter to save and press Ctrl + X to exit Nano. Now we need to add the users, which are the Wi-Fi clients with their MAC address and IPSK’s. Let’s suppose I have the following clients I want to add:

  • Client 1: iPhone with MAC addres fc:fc:48:00:11:22 and IPSK helloiphone
  • Client 2: Samsung phone with MAC address 00:07:ab:33:44:55 and IPSK hellosamsung

I want the iPhone and Samsung devices to have access to the LAN and internet, so I want to assign them VLAN 10. Finally I can define an overall IPSK which can be used by all unknown devices. This will function as a regular PSK, so let’s use hellounknowndevice. These devices will only get internet access, so they’ll be assigned VLAN 20. To edit the users file use the following command:

# nano /etc/freeradius/3.0/users

Now here’s where the Meraki article mentions the wrong format for the clients in my FreeRADIUS setup. Plus it makes no mention of the VLAN assignment parameter, which is actually very useful. To add the clients I’ve mentioned above plus a default key use this configuration instead:

fcfc48001122 Cleartext-password := fcfc48001122
     Tunnel-password = helloiphone,
     Tunnel-Type = "VLAN",
     Tunnel-Medium-Type = "IEEE-802",
     Tunnel-Private-Group-Id = "10"

# Samsung
0007ab334455 Cleartext-password := 0007ab334455
     Tunnel-password = hellosamsung,
     Tunnel-Type = "VLAN",
     Tunnel-Medium-Type = "IEEE-802",
     Tunnel-Private-Group-Id = "10"

# Default PSK
DEFAULT Auth-Type := Accept
     Tunnel-Password = hellounknowndevice,
     Tunnel-Type = "VLAN",
     Tunnel-Medium-Type = "IEEE-802",
     Tunnel-Private-Group-Id = "20"

Once again press Ctrl + O to save and Ctrl + X to exit.

Let’s break down this configuration before we continue. All devices are added using their MAC address as the username and password. This needs to be in lower case without the “:” breaks (Note: This was the case in my setup, please test this in your own configuration using freeradius debug). The IPSK password is then added using the Tunnel-Password parameter. The following two lines Tunnel-Type and Tunnel-Medium-Type are set to “VLAN” resp. “IEEE-802” for every user. And finally the assigned VLAN is set with the Tunnel-Private-Group-Id parameter. The last user entry DEFAULT will act as the PSK for all unknown devices and assign them to VLAN 20.

To test this we need to start FreeRADIUS, since this will not automatically start after installation. I highly recommend using the debug option when starting it the first time:

# freeradius -X

On non-Debian distributions you can start FreeRADIUS using radiusd -X. If I connect the iPhone and Samsung device using their respective IPSK’s, this will result in an “Access-Accept” message on the RADIUS server. These devices will then get an IP address from the range and will have access to both the LAN and the internet. If I connect any other device using the pre-shared key hellounknowndevice, it will get an IP address from the range and will only have internet access. So that’s how you implement private pre-shared keys and VLAN assignment using Meraki access points and the new IPSK feature.

However this blog post isn’t completely finished yet. Remember how I mentioned that FreeRADIUS doesn’t automatically start at boot? We’ll need to add it to the autostart services. First close the running FreeRADIUS instance using Ctrl + C. Then enter the following command on your Debian host:

# systemctl enable freeradius

This will automatically start the FreeRADIUS server at boot. You can then stop and start the service using the commands:

# service freeradius stop
# service freeradius start
or simply:
# service freeradius restart

You will need to restart the FreeRADIUS service every time you change the client.conf or the user configuration files! So enjoy your new Meraki features and let me know what you think of them. If you have any comment, tips or improvements, please contact me on Twitter at @SynicWiFi.