Meraki AP RSSO Integration Guide

You can configure your WatchGuard Firebox to support RADIUS single sign-on (RSSO) for Meraki® AP devices. This document describes the steps to integrate a Meraki AP for RSSO with your WatchGuard Firebox.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox or WatchGuard XTM device installed with Fireware v12.3 or higher
  • Meraki MR32
  • FreeRADIUS v2.1.10 on Ubuntu 12.04.1

Test Topology and Workflow

This diagram shows the topology used to test this integration.

You can connect to either an Optional or Trusted Firebox interface.

Authentication workflow:

  1. A mobile device connects to the AP device with WPA/WPA2 enterprise authentication.
  2. The user authenticates with credentials that exist on the RADIUS server.
  3. The AP communicates with the RADIUS server to authenticate the user.
  4. The mobile device connects to the network.
  5. The AP sends an accounting message to the Firebox. This message includes the user name and client IP address.
  6. The Firebox creates an SSO session for the user.

Set Up the Firebox

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select Authentication > Single Sign-On.
  3. Select the RADIUS tab.
  4. Select the Enable Single Sign-On (SSO) with RADIUS check box.
  5. In the IP Address text box, type the IP address of the RADIUS server.
  6. In the Secret and Confirm Secret text boxes, type a shared secret to use to communicate with the RADIUS server.
  7. Keep the default values for all other settings.

  1. Select Firewall > Firewall Policies.
  2. Click Add Policy.
  3. Add a RADIUS-RFC packet filter policy for connections from Any-Optional to Any-Trusted.

  1. Enable the DHCP server in the settings for the optional interface so that the Firebox can provide an IP address to the Meraki AP.

Set Up the Meraki AP

Connect to the Meraki AP through the Meraki Dashboard at https://n155.meraki.com. Use your Meraki email address and password to connect.

  1. Select Wireless > Monitor > Access points.
  2. Add the AP.
  3. Select Wireless > Configure > SSID.
  4. Enable an SSID.

  1. Click Edit settings to configure the SSID settings.
  2. Select WPA2-Enterprise with and select the RADIUS server.

  1. In the RADIUS servers section, click Add a server.
  2. In the Host text box, type the IP address of the FreeRADIUS server.
  3. In the Port text box, type the port used to communicate with the FreeRADIUS server.
  4. In the Secret text box, type the shared secret used for communication with the FreeRADIUS server.
  5. In the RADIUS accounting servers section, click Add a server.
  6. In the Host text box, type the IP address of the Firebox interface.
  7. In the Port text box, type the port used to communicate with the Firebox.
  8. In the Secret text box, type the shared secret used for communication with the Firebox.

  1. In the Addressing and traffic section, for Client IP assignment, select NAT mode: Use Meraki DHCP.
  2. From the VLAN tagging drop-down list, select Don't use VLAN tagging.
  3. From the Content filtering drop-down list, select Don't filter content.
  4. From the Bonjour forwarding drop-down list, select Disable Bonjour Forwarding.
  5. In the Wireless options section, for Band selection, select Dual band operation with Band Steering.

  1. Select Wireless > Configure > SSID availability.
  2. From the Visibility drop-down list, select Advertise this SSID publicly.
  3. From the Per-AP availability drop-down list, select This SSID is enabled on all APs.
  4. From the Scheduled availability drop-down list, select disabled.

Test the Integration

Use a phone or tablet to make a WiFi connection to the SSID you configured (in our example, this is SSID: MRKI). Then type the credentials of a user that exists on the RADIUS server.

To verify that the user was automatically authenticated to the Firebox:

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select System Status > Authentication List.
    The list of authenticated user appears.

  1. Verify that the user name appears in the Authenticated Users list, with the Client shown as Single Sign-On.

To see information about the authenticated user on the Meraki AP:

  1. Log in to the Meraki Dashboard at https://n155.meraki.com.
  2. Select Wireless > Access point.
  3. Select the AP.
  4. Verify that the connected device appears in the Current clients list.