Meru Setup Guide
Disclaimer THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY. GLOBAL REACH AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-‐INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE MATERIAL IS ERROR-‐ FREE, ACCURATE OR RELIABLE. GLOBAL REACH RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO THE MATERIAL AT ANY TIME.
Limitation of Liability
IN NO EVENT SHALL GLOBAL REACH BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIAL.
VERSION 1.1 PUBLISHED APRIL 2015
Page 2 of 30
Global Reach Technology Ltd Commercial in Confidence
IMPORTANT -‐ BEFORE YOU START Before attempting to configure your Meru controller to use Odyssys, please ensure that ALL of the following requirements are in place; • Your Meru controller's firmware version is at least 7.0-‐7-‐0. • Your controller is installed in an environment where compatible Access Points are configured to work with the controller, i.e -‐ DNS, DHCP options configured correctly • Access points must be able to successfully obtain the configuration from controller Your client environment is configured to allow network clients to; • Associate to an Access Point • Obtain an IP address • Access to the internet The following components are required to be configured and working in your environment before attempting integration with Odyssys; • DHCP Server • DNS Server • Firewall NAT In addition, your Meru controller: • Must, by the assignment of a public IP address or by means of port forwarding, be accessible to Odyssys via the internet. If the controller is behind a firewall or router, TCP traffic on port 443 (HTTPS) must be forwarded to it. • Should have an associated, registered domain name (e.g. meru.testcorp.net), which resolves to its IP address (or the IP adress of the intermediate firewall/router) and be provisioned with a SSL certiciate/private key pair. The certificate must be signed by a CA that Odyssys trusts. A list of trusted CAs can be found later in this guide under the section "Trusted 3rd Party Certificates Authorities". PLEASE NOTE -‐ Odyssys does not use standard RADIUS ports, therefore please make sure you allow the ports in your firewall, defined in your manager.odyssys.net Captive Portal settings. This is a technical document and as such, integration of your hardware with Odyssys should only be handled by trained individuals.
Page 3 of 30
Global Reach Technology Ltd Commercial in Confidence
GETTING STARTED WITH ODYSSYS Before you attempt to configure your Meru controller for use with Odyssys, you will need to create a captive portal. 1. First, navigate to https://manager.odyssys.net and log in using your assigned Customer ID, username and password.
2. From the left-‐hand navigation menu, select Captive Portals > Captive Portals and click Create Captive Portal.
The following dialog should be displayed: Page 4 of 30
Global Reach Technology Ltd Commercial in Confidence
1 You should complete the dialog as follows : Name: An arbitrary name. Hardware Vendor: Choose Meru. Gateway Address: Your Meru controller's public IP address or associated domain name. Click Create to confirm.
1 For a more detailed explanation of the Gateway Address and Walled Garden fields, please see the "Configuring Your Meru Captive Portal" section. Page 5 of 30 Global Reach Technology Ltd Commercial in Confidence
3. Select your newly created captive portal from the list to view its configuration information.
You will need to refer to these fields when completing the next section.
Page 6 of 30
Global Reach Technology Ltd Commercial in Confidence
CONFIGURING ODYSSYS WITHIN MERU 1. Log in to your Meru controller's dashboard and select Configuration from the left-‐hand navigation menu.
Page 7 of 30
Global Reach Technology Ltd Commercial in Confidence
2. You should first define the RADIUS servers against which your Wi-‐Fi users will be authenticated. To do this, select Security > RADIUS and click Add.
The following form should be displayed:
Page 8 of 30
Global Reach Technology Ltd Commercial in Confidence
a) You will need to define two RADIUS servers as specified below, referring to the configuration information provided in step 3 of "Getting Started with Odyssys": Radius Server 1 (Primary Authentication): • • • • •
RADIUS Profile Name: An arbitrary name. RADIUS IP: Set this to your captive portal's RADIUS Primary Server IP. RADIUS Secret: Set this to your captive portal's RADIUS Shared Secret. RADIUS Port: Set this to your captive portal's RADIUS Authentication Port. COA: Choose Off.
Click OK to confirm. Click Add to define a new RADIUS server. Radius Server 2 (Primary Accounting): • • • • •
RADIUS Profile Name: An arbitrary name. RADIUS IP: Same as above. RADIUS Secret: Same as above. RADIUS Port: Set this to your captive portal's RADIUS Accounting Port. COA: Same as above.
b) You can optionally define two more RADIUS servers for failover. To do so, you should repeat a) but this time setting each server's RADIUS IP to your captive portal's RADIUS Secondary Server IP.
Page 9 of 30
Global Reach Technology Ltd Commercial in Confidence
3. Next, select Security > Captive Portal.
Page 10 of 30
Global Reach Technology Ltd Commercial in Confidence
a) Click Internal Portal Settings. The following should be displayed:
You should complete the form as follows: Portal URL: • Protocol: Choose https. User Authentication: • Authentication Type: Choose radius. Radius Authentication: • Primary Profile: Set this to the primary authentication RADIUS Profile Name you chose in step 2a. Radius Accounting: • Primary Profile: Set this to the primary accounting RADIUS Profile Name you chose in step 2a. b) Next, click External Portal Settings. The following should be displayed:
Page 11 of 30
Global Reach Technology Ltd Commercial in Confidence
You should complete the form as follows, referring to the configuration information provided in step 3 of "Getting Started with Odyssys": External Portal URL: Set this to your captive portal's Splash Page URL. External Portal IP: Set this to your Meru controller's public IP address. Click OK to confirm.
Page 12 of 30
Global Reach Technology Ltd Commercial in Confidence
4. The next step is to allow your Wi-‐Fi users to connect to Odyssys. To do this, select QoS Settings > QoS and Firewall Rules.
Click Add to create a new rule. The following form should be displayed:
Page 13 of 30
Global Reach Technology Ltd Commercial in Confidence
You will need to add two rules, refering to the configuration information provided in step 3 of "Getting Started with Odyssys": Rule 1: • Destination IP: This should be set to your captive portal's RADIUS Primary Server IP. The adjacent Match tickbox should be checked. • Destination Netmask: This should be set to 255.255.255.255. • Source IP/Source Netmask: Do not modify. Leave the adjacent Match tickbox unchecked. • Firewall Filter ID: This can be set to an arbitrary identifier (e.g. "test-‐filter-‐id"). The adjacent Match tickbox should be checked. • QoS Protocol: Set this to none. Click OK to confirm. Click Add to create a new rule. Rule 2: • Destination IP/Destination Netmask: Do not modify. Leave the adjacent Match tickbox unchecked. • Source IP: Set to your captive portal's RADIUS Primary Server IP. The adjacent Match tickbox should be checked. • Source Netmask: This should be set to 255.255.255.255. • Firewall Filter ID: Same as for Rule 1. • QoS Protocol: Same as for Rule 1.
Page 14 of 30
Global Reach Technology Ltd Commercial in Confidence
Click OK to confirm.
Page 15 of 30
Global Reach Technology Ltd Commercial in Confidence
5. Next, you should create a security profile to define which methods will be used to authenticate your Wi-‐Fi users. Select Security > Profile and click Add.
The following form should be displayed: Page 16 of 30
Global Reach Technology Ltd Commercial in Confidence
Ensure that you complete the following fields: Security Profile Name: An arbitrary name. Captive Portal: Choose WebAuth. Captive Portal Authentication Method: Choose external. Passthrough Firewall Filter ID: Enter the Firewall Filter ID you chose in step 4. Click OK to confirm.
Page 17 of 30
Global Reach Technology Ltd Commercial in Confidence
6. Next, select Wireless > ESS and click Add.
The following form should be displayed:
Page 18 of 30
Global Reach Technology Ltd Commercial in Confidence
You should complete the form as follows: ESS Profile: An arbitrary name. Enable/Disable: Set this to Enable. SSID: The desired SSID for your APs to broadcast. Security Profile: Set this to the Security Profile Name you chose in step 5. Dataplane Mode: Set this to Tunneled. 7. Your Meru controller is now configured and ready to use Odyssys. Please take this opportunity to save/back up your configuration. If you have opted to upload a SSL certificate signed by a trusted 3rd-‐party certificate authority, then you should also complete the next step.
Page 19 of 30
Global Reach Technology Ltd Commercial in Confidence
9. (Optional) Before continuing please complete the "Preparing and Verifying Your Certificate Chain" section. You will then need to upload the full CA certificate chain to your Meru controller. To do this, select Certificates from the Configuration menu. a) Click Import.
You should complete the dialog as follows: Certificate Alias: An arbitrary name used to identify the CA certificate. User Certificate: A file containing a root or intermediate CA certificate. b) Now repeat a) until the root CA certificate and all intermediate CA certificates have been uploaded. This must be done before you upload your own signed certificate/private key pair. Click Save to continue. TECH NOTE You must upload the CA certificates in the order in which they were signed. This means that the self-‐signed root CA certificate must be uploaded first, followed by the intermediate certificate signed by the root and so on. Failure to do so may lead to certificate validation errors.
Page 20 of 30
Global Reach Technology Ltd Commercial in Confidence
10. Next, upload your signed certificate and private key. To do this, select the Controller Certificates tab and click Import Certificate.
The following settings should be applied: Certificate Type: Choose Certificate with private key. Certificate Alias: An arbitrary name used to identify this certificate/key pair. User Certificate: The file containing your signed certificate. Password: The password used to encrypt your private key. Private Key: The file containing your encrypted private key. Click Save to continue. Page 21 of 30
Global Reach Technology Ltd Commercial in Confidence
11. Next, you need to instruct the Meru controller to use your signed certificate when handling HTTPS requests. To do this, click Applications.
The following settings should be applied: Web Administration & Management Application: Select the Certificate Alias you chose in step 10. Click Save to continue.
Page 22 of 30
Global Reach Technology Ltd Commercial in Confidence
12. Your Meru controller is now configured to use your signed certificate for web requests. Please take this opportunity to save/back up your configuration. For the changes to take effect, you will need to either restart the GUI service (via the CLI) or reboot the controller. Once this is complete, you should navigate to your Meru controller using a web browser and view the certificate chain. Details of how to do this are browser specific. In Safari, you can click the "https" button next to the Location bar. Please ensure that correct certificates are displayed.
Page 23 of 30
Global Reach Technology Ltd Commercial in Confidence
13. Finally, if you have not already done so, please update your captive portal's Gateway Address field in Odyssys. You should enter either the common name (CN) or a Subject Alternative Name of your signed certificate.
TECH NOTE Remember, the domain name you specifiy here must be registered with a public domain name registrar, otherwise Odyssys will not be able to resolve it.
Page 24 of 30
Global Reach Technology Ltd Commercial in Confidence
CONFIGURING YOUR MERU CAPTIVE PORTAL The following describes in detail the different configuration options that can be specified for a Meru captive portal.
Gateway Address: Set this to either an IP address or a fully-‐qualified domain name. If an IP address is specified, Odyssys will connect to your Meru controller via SSL but not validate the certificate it receives during the initial handshake. This makes the connection vulernable to man-‐in-‐the-‐middle attacks. It is therefore recommended that an IP address be used for testing purposes only. Alternatively, a domain name may be specified, in which case it must be registered with a public DNS registrar so that Odyssys can resolve it. Odyssys will also perform all the standard SSL validity checks including verifying that the specified domain actually appears on your controller's certificate. This is the recommended option for live portals. If Odyssys is unable to establish a HTTPS connection to your controller, or the received SSL certificate fails a validation check, an error message will be displayed to your Wi-‐Fi users. Walled Garden: Set this to a comma-‐separated list of fully-‐qualified domain names, e.g. facebook.com,akamaihd.net,fbcdn.net. Your Wi-‐Fi users will be allowed access to these domains and their subdomains before they log in (e.g. specifying facebook.com is equivalent to allowing *.facebook.com). Each domain (and all of its subdomains) is whitelisted for 5 minutes. A maximum of ten domains may be specified. This field is required if you wish to use a social login authentication provider such as Facebook or Twitter. Note that access to these domains is not granted until after a user has been redirected to an Odyssys captive portal. For this reason, including manager.odyssys.net in this list is ineffective. If Odyssys is unable to establish a HTTPS connection to your controller, or the received SSL certificate fails a validation check, an error message will be displayed to your Wi-‐Fi users.
Page 25 of 30
Global Reach Technology Ltd Commercial in Confidence
PREPARING AND VERIFYING YOUR CERTIFICATE CHAIN This section requires you to have a recent version of OpenSSL installed on your system. On Mac OS X, OpenSSL should be installed by default, for Linux and Windows it may have to be installed separately. Binary versions for Windows may be found under https://www.openssl.org. Linux users should consult their distribution's package manager for more information. Please ensure your signed certificate, private key and CA certificates are all in separate, PEM-‐encoded files. The examples in this section assume the following certificates: A GlobalSign root CA certificate (globalsign.pem), an AlphaSSL intermediate CA certificate (alphassl.pem), a signed certificate for *.odyssys.net (odyssys.net.pem) and its accompanying private key odyssys.net.key. 1. To check that OpenSSL is correctly installed, enter the following at the terminal (Mac OS X/Linux) or command prompt (Windows). $ openssl You should see the following OpenSSL command prompt. Type quit to exit. OpenSSL>
2. Now verify the integrity of your certificate chain using the following commands: $ cat alphassl.pem globalsign.pem > cacerts.pem $ openssl verify -CAfile cacerts.pem odyssys.net.pem odyssys.net.pem: OK (Note: The "cat" command is not available on Windows so you will need to use a text-‐editor to concatenate the root/intermediate certificates into a single file. To do this, simply open the root/intermediate certificate files, then copy and paste their contents into Notepad and save as necessary). 3. Finally, ensure that your private key file is password protected, as the Meru controller will expect it to be. It should begin something similar to the following: -----BEGIN RSA PRIVATE KEY----Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,A87D2F2D44233825 If the "Proc-‐Type"/"DEK-‐Info" lines are missing, you can add password protection using the following command: openssl rsa -in odyssys.net.key -des3 -out encrypted.key When uploading the private key to your Meru controller, you will be required to enter the private key password, so please ensure you have this available. You are now ready to upload the certificates and private key to your Meru controller.
Page 26 of 30
Global Reach Technology Ltd Commercial in Confidence
TRUSTED 3RD PARTY CERTIFICATE AUTHORITIES Odyssys trusts the following certificate authorities. Please ensure the your Meru controller's certificate is signed by one of the following: • AddTrust • Comodo • DigiCert • Equifax • GeoTrust • GlobalSign • GoDaddy • SecureTrust • Starfield • Startcom • Thawte • VeriSign
Page 27 of 30
Global Reach Technology Ltd Commercial in Confidence
FREQUENTLY ASKED QUESTIONS Q. I want to add different authentication provider types, how do I do this? A. Please see our Odyssys Authentication guide for further information. Q. I need more information on how to setup Odyssys A. Please see our Odyssys setup guide.
Page 28 of 30
Global Reach Technology Ltd Commercial in Confidence
GLOSSARY ACL AAA CA DHCP DNS NAT PORT RADIUS SHARED SECRET SSID WLAN
Access Control List Authentication, Authorization, and Accounting Certificate Authority Dynamic Host Configuration Protocol Domain Name Service Network Address Translation A process-‐specific or an application-‐specific software construct serving as a communication endpoint, which is used by the Transport Layer protocols of Internet Protocol suite, such as User Diagram Protocol (UDP) and Transmission Control Protocol (TCP) Remote Authentication Dial In User Service (RADIUS) A single password shared between two devices Service Set Identifier -‐ A unique identifier for your Wi-‐Fi service Wireless Local Area Network
Page 29 of 30
Global Reach Technology Ltd Commercial in Confidence
Global Reach Technology Ltd Craven House, 121 Kingsway London WC2B 6PA T +44 (0) 20 7831 5630
[email protected] Copyright © Global Reach Technology Limited All rights reserved. Global Reach and the Global Reach logo are registered trademarks.
