Step 2: Configure Meraki AP
This document provides general guidelines for required settings in order to integrate with FortiNAC. If having problems configuring the device, contact the vendor for additional support.
- Avoid certain characters: When configuring the device itself, use only letters, numbers and hyphens (-) in names for items within the device configuration and in SNMP and CLI credentials. Other characters may prevent FortiNAC from reading the device configuration. For example, in many cases the # sign is interpreted by FortiNAC as a prompt. Cisco restricts the use of @ and #.
- Meraki APs should be configured with static IP addresses (or dynamic IP addresses that are reserved). Once a device that provides network services has been identified in FortiNAC, there is no mechanism to automatically update the IP address for that device if it changes. If the IP address on the device itself is changed, the device appears in FortiNAC to be offline or to have a communication error.

Configure SSIDs

- Navigate to Wireless > Access Control.
- Configure the SSIDs to be managed by FortiNAC. The values in the table below are required when integrating with FortiNAC. Configure all other settings as appropriate. Refer to vendor documentation for additional information.

IPSK related settings are based on the following document:
https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication

Setting: Association Requirements (or Security)
    - MAC Authentication: Select MAC-based access control (no encryption)
    - 802.1x: Select WPA2-Enterprise with my RADIUS server
    - IPSK: Select Identity PSK with RADIUS

Setting: Splash page
    Setting depends upon the FortiNAC RADIUS Mode used. For details see Local RADIUS Server in the Administration Guide.
    - Proxy Mode: Select None
    - Local Mode (FortiNAC version 8.8.0 and greater):
        - IPSK: Select None
        - 802.1x Authentication: Select None
        - MAC Authentication: Select None

Setting: RADIUS Servers
    - Host: FortiNAC Server/Control Server eth0 IP Address
    - Port:
        - Proxy Mode: 1812
        - Local Mode: Value defined in Local RADIUS Server configuration in FortiNAC
    - High Availability (HA) Environments: Add both Primary and Secondary Servers. Do not use Shared IP Address.

Setting: RADIUS Testing
    Disabled

Setting: RADIUS CoA support
    Enabled

Setting: RADIUS attribute specifying group policy name
    Filter-Id

Setting: Client IP assignment
    Bridge mode: Make clients part of the LAN

Setting: RADIUS override
    RADIUS response can override VLAN tag (or: Override VLAN tag)

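The required SSID values above are easy to get wrong on one of many SSIDs, so the following added example (not part of the Fortinet or Meraki documentation) checks an SSID object against them, including the Proxy/Local RADIUS port rule and the HA rule that both FortiNAC servers, and never the shared IP, are listed. The dictionary shape and field names (authMode, splashPage, radiusServers, radiusTestingEnabled, radiusCoaEnabled, radiusAttributeForGroupPolicies, ipAssignmentMode, radiusOverride) follow the Meraki Dashboard API SSID object as I understand it and are an assumption to verify against the current API reference; the IP addresses and SSID dictionaries are constructed samples.

```python
"""Check a Meraki SSID configuration against the FortiNAC integration requirements.

Added example, not Fortinet or Meraki code. Field names follow the Meraki
Dashboard API SSID object as I understand it (assumption); sample data is
constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Dashboard API authMode values assumed to correspond to the three supported
# "Association Requirements" choices in the table above.
SUPPORTED_AUTH_MODES = {
    "open-with-radius": "MAC-based access control (no encryption)",
    "8021x-radius": "WPA2-Enterprise with my RADIUS server",
    "ipsk-with-radius": "Identity PSK with RADIUS",
}
SAFE_NAME = re.compile(r"[A-Za-z0-9-]+")  # letters, numbers, hyphens only


@dataclass
class Expectation:
    fortinac_servers: List[str]        # eth0 IPs; both members in an HA pair
    shared_ip: Optional[str] = None    # HA shared IP that must NOT be used
    radius_mode: str = "proxy"         # "proxy" -> 1812, "local" -> local_port
    local_port: Optional[int] = None   # port from the Local RADIUS Server config


def check_ssid(ssid: dict, exp: Expectation) -> List[str]:
    """Return a list of findings; an empty list means the SSID meets the table."""
    findings = []
    if not SAFE_NAME.fullmatch(ssid.get("name", "")):
        findings.append("SSID name must use only letters, numbers and hyphens")
    if ssid.get("authMode") not in SUPPORTED_AUTH_MODES:
        findings.append(f"authMode {ssid.get('authMode')!r} is not a supported association requirement")
    if ssid.get("splashPage") != "None":
        findings.append("splashPage must be None")
    expected_port = 1812 if exp.radius_mode == "proxy" else exp.local_port
    servers = ssid.get("radiusServers") or []
    if not servers:
        findings.append("no RADIUS servers configured")
    for s in servers:
        if s.get("port") != expected_port:
            findings.append(f"RADIUS server {s.get('host')} uses port {s.get('port')}, expected {expected_port}")
    hosts = {s.get("host") for s in servers}
    missing = sorted(set(exp.fortinac_servers) - hosts)
    if missing:
        findings.append(f"RADIUS servers missing FortiNAC host(s): {missing}")
    if exp.shared_ip and exp.shared_ip in hosts:
        findings.append(f"HA shared IP {exp.shared_ip} must not be used as a RADIUS server")
    if ssid.get("radiusTestingEnabled"):
        findings.append("RADIUS Testing must be Disabled")
    if not ssid.get("radiusCoaEnabled"):
        findings.append("RADIUS CoA support must be Enabled")
    if ssid.get("radiusAttributeForGroupPolicies") != "Filter-Id":
        findings.append("RADIUS attribute specifying group policy name must be Filter-Id")
    if ssid.get("ipAssignmentMode") != "Bridge mode":
        findings.append("Client IP assignment must be Bridge mode")
    if not ssid.get("radiusOverride"):
        findings.append("RADIUS override must allow the RADIUS response to override the VLAN tag")
    return findings


# Constructed samples: an SSID that meets the table and one that does not.
COMPLIANT_SSID = {
    "number": 1, "name": "corp-8021x", "authMode": "8021x-radius", "splashPage": "None",
    "radiusServers": [{"host": "10.0.0.11", "port": 1812}, {"host": "10.0.0.12", "port": 1812}],
    "radiusTestingEnabled": False, "radiusCoaEnabled": True,
    "radiusAttributeForGroupPolicies": "Filter-Id",
    "ipAssignmentMode": "Bridge mode", "radiusOverride": True,
}
WEAK_SSID = {
    "number": 2, "name": "guest-mab", "authMode": "open-with-radius",
    "splashPage": "Click-through splash page",
    "radiusServers": [{"host": "10.0.0.10", "port": 1645}],  # shared IP, wrong port
    "radiusTestingEnabled": True, "radiusCoaEnabled": False,
    "radiusAttributeForGroupPolicies": "Airespace-ACL-Name",
    "ipAssignmentMode": "NAT mode", "radiusOverride": False,
}
# Constructed HA pair: 10.0.0.11 / 10.0.0.12 are the eth0 addresses, 10.0.0.10 the shared IP.
HA_PROXY = Expectation(fortinac_servers=["10.0.0.11", "10.0.0.12"], shared_ip="10.0.0.10")

if __name__ == "__main__":
    for ssid in (COMPLIANT_SSID, WEAK_SSID):
        print(ssid["name"], check_ssid(ssid, HA_PROXY) or "OK")
```

Feed it the SSID objects returned by the Dashboard API for each network and the weak SSID above produces nine findings, one per row of the table it violates, while the compliant one produces none; in Local RADIUS mode pass radius_mode="local" and the port you defined in FortiNAC.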
Configure a Group Policy for each VLAN.

- Navigate to Network-Wide > Group Policies
- To add a group policy, click Add a group
- For VLAN, select Tag VLAN from the drop-down and specify the VLAN ID
- Save Changes

Configure Meraki to send Syslog messages to FortiNAC. Syslog messages notify FortiNAC of wireless clients disconnecting.

- Navigate to Network-wide > General
- Under the Logging section click Add a syslog server
- Configure using the table below

Setting: Server IP
    FortiNAC Server/Control Server eth0 IP Address
    High Availability (HA) Environments: Add both Primary and Secondary Servers as syslog servers. Do not use Shared IP Address.

Setting: Port
    514

Setting: Roles
    - Wireless event log
    - Flows (may be necessary if FortiNAC does not obtain the IP address of wireless sessions efficiently from other L3 devices)

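Because FortiNAC learns about wireless disconnects only from these syslog messages, it is worth being able to confirm what actually arrives on UDP/514 (for example from a capture taken on the FortiNAC eth0 interface). The following added example, which is not part of the Fortinet or Meraki documentation, parses lines from the Wireless event log and Flows roles and lists the client disconnects. The sample lines are constructed and modelled on the Meraki MR syslog layout as I recall it (epoch timestamp, device name, role, then key='value' pairs); the event type names treated as disconnects are an assumption, so confirm both against the Meraki syslog documentation before relying on the parser.

```python
"""Parse Meraki wireless syslog lines and extract client disconnect events.

Added example, not Fortinet or Meraki code. Line layout and event type names
are assumptions modelled on the Meraki MR syslog format; sample lines are
constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Optional RFC 3164 PRI header (e.g. "<134>") as seen by a UDP/514 collector,
# then "<epoch> <device> <role> <payload>".
LINE_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>\d+(?:\.\d+)?)\s+(?P<device>\S+)\s+(?P<role>\S+)\s+(?P<payload>.*)$"
)
# key='value' (events role) or key=value (flows role) pairs in the payload
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")

# Event types assumed to mean the client left the SSID.
DISCONNECT_TYPES = {"disassociation", "wpa_deauth", "8021x_deauth"}


@dataclass
class WirelessEvent:
    timestamp: float
    device: str
    role: str      # "events" (Wireless event log) or "flows"
    fields: dict


def parse_line(line: str) -> Optional[WirelessEvent]:
    """Return a WirelessEvent, or None for a line that is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(m.group("payload"))}
    return WirelessEvent(float(m.group("ts")), m.group("device"), m.group("role"), fields)


def client_disconnects(lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (client_mac, ap_name, reason) for each Wireless event log disconnect."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.role != "events":
            continue
        if ev.fields.get("type") in DISCONNECT_TYPES and "client_mac" in ev.fields:
            out.append((ev.fields["client_mac"].lower(), ev.device, ev.fields.get("reason")))
    return out


# Constructed sample lines (not real captures).
SAMPLE_LINES = [
    "<134>1700000000.123456 AP-lobby-1 events type=association radio='0' vap='1' "
    "client_mac='AA:BB:CC:DD:EE:01' channel='36' rssi='42'",
    "<134>1700000012.500000 AP-lobby-1 events type=disassociation radio='0' vap='1' "
    "client_mac='AA:BB:CC:DD:EE:01' channel='36' reason='8' instigator='1' duration='12.3'",
    "<134>1700000013.000000 AP-lobby-2 flows src=10.10.20.15 dst=203.0.113.7 "
    "mac=AA:BB:CC:DD:EE:02 protocol=tcp sport=51522 dport=443 pattern: allow all",
    "<134>1700000020.250000 AP-lobby-2 events type=wpa_deauth radio='1' vap='1' "
    "client_mac='aa:bb:cc:dd:ee:02' reason='3'",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for mac, ap, reason in client_disconnects(SAMPLE_LINES):
        print(f"{mac} left via {ap} (reason {reason})")
```

If a capture on the FortiNAC server shows association events but no disassociation events for a client that has left, the Wireless event log role is the setting to re-check; if the flows role is enabled, the parser also exposes the client MAC and IP pairs FortiNAC can use when it cannot learn the IP from an L3 device.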
Review Firewall & traffic shaping policies to ensure traffic is allowed to pass from the wireless network to the local LAN. Reference

Configure SNMP access to allow for FortiNAC device discovery. Under the SNMP section, allow either v1/v2 or v3 access.

Note:
- RADIUS accounting is not utilized for Meraki APs
- Other options can be set as desired, though any settings that may interfere with the features stated above might have an impact on the integration.