I’ve figured it out. Things that were required to get this working:

* Used Hostapd for the Type on my switch group for APs (set disconnect port to 1700 for Meraki APs under radius)
* Added DPSK Provisioner which includes the SSID used for iPSK
* Added Connection Profile with DPSK enabled, and input PSK under “Default PSK key”, Filter with SSID, and Provisioner created above

Checking the RADIUS audit logs under the RADIUS tab, I needed to see the RADIUS Reply include the Tunnel-Password = the PSK specified under the above Connection Profile. Nodes don’t need to be associated to users for this to work.

From: Simon Sutcliffe <simon.sutcli...@rhdhv.com>
Date: Wednesday, August 2, 2023 at 1:00 PM
To: packetfence-users@lists.sourceforge.net <packetfence-users@lists.sourceforge.net>
Cc: Bergen, Ryan <ryan.ber...@hylife.com>
Subject: Re: Issues with Meraki WiFi using IPSK and Radius Mac Auth

Hi Ryan,

So you know you're not flogging a dead horse, we have this setup here. So it's a configuration setting somewhere you're missing, I expect. Maybe one of the PF team will see the issue in the configuration.

Kind Regards
Simon

Sent from Outlook

________________________________
From: Bergen, Ryan via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Monday, July 31, 2023 10:39:27 PM
To: Bergen, Ryan via PacketFence-users <packetfence-users@lists.sourceforge.net>
Cc: Bergen, Ryan <ryan.ber...@hylife.com>
Subject: [PacketFence-users] Issues with Meraki WiFi using IPSK and Radius Mac Auth

Hello, has anyone had success with setting up Meraki WiFi using MAC-based auth and Identity PSK with RADIUS? I have wired MAC-based auth working fine with Meraki switches. Also, my logs show the wireless clients connect and authenticate; it’s just that the Windows 10 client reports back “Can’t connect to this network”.

Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) WARN: [mac:10:6f:d9:a1:52:a1] Unable to extract audit-session-id for module pf::Switch::Meraki::MS220_8. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::Switch::getCiscoAvPairAttribute)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] handling radius autz request: from switch_ip => (10.109.19.251), connection_type => Wireless-802.11-NoEAP,switch_mac => (e4:55:a8:12:b8:3c), mac => [10:6f:d9:a1:52:a1], port => 0, username => "106fd9a152a1", ssid => RAD-TEST (pf::radius::authorize)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] Found authentication source(s) : 'local,file1' for realm 'null' (pf::config::util::filter_authentication_sources)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] Username was defined "106fd9a152a1" - returning role 'Corp-Wifi' (pf::role::getRegisteredRole)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] PID: "ryan.bergen", Status: reg Returned VLAN: (undefined), Role: Corp-Wifi (pf::role::fetchRoleForNode)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] (10.109.19.251) Added VLAN 512 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jul 31 16:28:45 STB01NAC01 httpd.aaa-docker-wrapper[2793]: httpd.aaa(7) INFO: [mac:10:6f:d9:a1:52:a1] (10.109.19.251) Added role 512 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

Meraki SSID is “RAD-TEST” and in Meraki I have it configured the following:

Security: Identity PSK with RADIUS
WPA encryption: WPA2 only
Splash page: none (direct access)
Radius Servers: [packetfence IP] port 1812, with Secret
Radius Accounting server: [packetfence IP] port 1813, with Secret
Radius testing: enabled
Radius CoA Support: enabled
Radius attribute: Filter-Id
IP Assignment: Bridge w/ Radius override vlan tag
Vlan tagging: disabled

Packetfence Configuration:

Switch:
  Type: Meraki MS220_8
  Mode: Production
  Deauth method: RADIUS
  Roles: VLAN ID
  Radius: Secret matching above Meraki SSID Configuration
Node: Manually added node, authorized it, associated to user
User: input PSK entry

Anything I’m missing to get this working? We have it working with our legacy custom-built free-radius/mysql setup. The client requires a manual MAC entry, with role, and is authenticated using a generic PSK; the MAC is looked up, then put on the proper VLAN mapped.

Thanks

_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
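
Added example, not part of the original thread and not PacketFence or Meraki code: the Tunnel-Password attribute that has to appear in the RADIUS reply is salt-encrypted on the wire per RFC 2868, so a packet capture will not show the PSK in clear. This Python code encodes and decodes the attribute value so a captured Access-Accept can be checked against the PSK set in the Connection Profile; the shared secret, Request Authenticator, salt and PSK are constructed sample values, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the thread).
SAMPLE_SECRET = b"constructed-radius-secret"
SAMPLE_REQ_AUTH = bytes(range(16))   # Request Authenticator of the Access-Request
SAMPLE_SALT = b"\x9a\x3c"            # high bit of the first octet must be set
SAMPLE_PSK = b"constructed-psk-2023!"

def _xor_chain(secret, seed, data, decrypt):
    """b(1)=MD5(S+R+salt), b(i)=MD5(S+c(i-1)); XOR each 16-octet block."""
    out, prev = b"", seed
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res   # always chain on the ciphertext
    return out

def encode_tunnel_password(psk, secret, request_auth, salt=None, tag=0):
    """Return the attribute value: Tag + Salt + encrypted (length + PSK + padding)."""
    if salt is None:
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    plain = bytes([len(psk)]) + psk
    plain += b"\x00" * (-len(plain) % 16)
    return bytes([tag]) + salt + _xor_chain(secret, request_auth + salt, plain, False)

def decode_tunnel_password(value, secret, request_auth):
    """Return (tag, psk) or raise ValueError on a malformed or undecryptable value."""
    tag, salt, cipher = value[0:1], value[1:3], value[3:]
    if not cipher or len(cipher) % 16 or not salt[0] & 0x80:
        raise ValueError("malformed Tunnel-Password value")
    plain = _xor_chain(secret, request_auth + salt, cipher, True)
    if plain[0] > len(plain) - 1:
        raise ValueError("bad length octet: wrong shared secret or authenticator?")
    return tag[0], plain[1:1 + plain[0]]

def psk_matches(value, secret, request_auth, expected_psk):
    """True only if the reply's Tunnel-Password decrypts to the expected PSK."""
    try:
        _, psk = decode_tunnel_password(value, secret, request_auth)
    except ValueError:
        return False
    return hmac.compare_digest(psk, expected_psk)

if __name__ == "__main__":
    v = encode_tunnel_password(SAMPLE_PSK, SAMPLE_SECRET, SAMPLE_REQ_AUTH, SAMPLE_SALT)
    print(v.hex(), psk_matches(v, SAMPLE_SECRET, SAMPLE_REQ_AUTH, SAMPLE_PSK))
```

The Request Authenticator must come from the Access-Request that the Access-Accept answers; a mismatch there looks the same as a wrong shared secret.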