OSX Mavericks, Lync and Address book lookups

This post is a little off topic, but I hope that it will be useful to others.

OSX Mavericks has an issue/bug with Lync 2011 (tested version 14.0.7). In previous versions of OSX the two files that Lync uses for caching the address book (GalContacts.db and GalContacts.db.idx, which are located in the user's Documents folder in Microsoft User Data\Microsoft Lync Data\sip_<sip address>@domain.com) worked fine. In Mavericks these two files do not get updated; on a fresh Lync install they don't even get created. This means that when you search for a user, Lync returns 0 results. You can get around this from the client by searching for their full address (johndoe@domain.com). Not ideal, but it works.

To fix this you can change the default search method to WebSearchOnly for all users, or (as I did) test it out by creating a new policy.

To create a new policy with this setting, fire up PowerShell and type:
New-CsClientPolicy -Identity MacSearchPolicy -AddressBookAvailability WebSearchOnly
If you want to go ahead and apply it to all users, use the command:
Set-CsClientPolicy -Identity Global -AddressBookAvailability WebSearchOnly
If you are testing this for individual users, then search for the user in the Lync Server Control Panel, highlight the user and select Action > Assign Policies..., then set the last option to your new policy:


Log out and back in to Lync. After a short period of time the policy should apply; alternatively, delete the entire contents of the sip directory above and the update should happen quicker.
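A scripted equivalent of the per-user test described above, as an added example rather than code from the original post: it creates the policy only if it is missing, assigns it to a pilot list with Grant-CsClientPolicy instead of the Control Panel, and reads the assignment back. The SIP address in $pilotUsers is a constructed placeholder.

```powershell
# Run in the Lync Server Management Shell with rights to manage client policies.
$policyName = 'MacSearchPolicy'               # policy name used in the post
$pilotUsers = @('sip:johndoe@domain.com')     # constructed pilot list (assumption)

# Create the per-user policy only if it does not already exist, so the
# script can be re-run without failing on a duplicate identity.
if (-not (Get-CsClientPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsClientPolicy -Identity $policyName -AddressBookAvailability WebSearchOnly
}

# Scope the change to the pilot users; the Global policy is left untouched.
foreach ($user in $pilotUsers) {
    Grant-CsClientPolicy -Identity $user -PolicyName $policyName
}

# Read back what was configured and who it is assigned to.
Get-CsClientPolicy -Identity $policyName |
    Select-Object Identity, AddressBookAvailability
$pilotUsers | ForEach-Object { Get-CsUser -Identity $_ } |
    Select-Object SipAddress, ClientPolicy

# To undo the test for one user, clear the per-user assignment so the
# user falls back to the site or Global policy:
# Grant-CsClientPolicy -Identity 'sip:johndoe@domain.com' -PolicyName $null
```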

How I Learned to Stop Worrying about Wireless Networking and Love Meraki - Part 1

It's no big secret that me and corporate wifi don't get along. I have no problems with wifi at home; it's a small number of users and it works 99% of the time. Within an office though it's a different matter. People tend to rely on it and only opt for a cabled option as a last resort. Placement of access points seems to require a degree in mathematics and engineering, and every time someone heats up a bowl of soup in the microwave, someone else gets booted off the network. In short, I would cable everyone up.

But then came along Meraki - well, more to the point, the chance to get a free access point, all for attending one short (but very informative) webinar. The bonus is that it's all cloud based, no more logging into four different wireless LAN controllers to configure a handful of wireless networks, and from the webinar I watched, the interface looks easy to use, and very feature packed.

Any company that is willing to put their wallet where their mouth is is certainly worth looking into.

My free AP, with a three-year cloud license, arrived after a couple of days.

Unboxing



In the box is a standard UK power supply (but obviously you'll get a suitable one depending on your location), a useful leaflet entitled "10 Tips for your Cisco Meraki Wifi network" and a small white device with the Cisco logo on it. The model is MR12, which retails at around £260 (ish).

The MR12 AP has three ports, one for power, eth0 which supports PoE, and eth1. I connected eth0 and the power cable.

It powers on and the power light goes a reddish color to signify that it's downloading the latest firmware. After a short while all the lights go green.

Registration

Once you head over to http://dashboard.meraki.com/claim/ordernumber (where order number is your order number) and finalise the registration process (most of the fields were prepopulated) you are presented with a very nice dashboard, and it's time to get started.

The dashboard is very readable. The various aspects of navigating around the dashboard are all controlled from the menu on the left hand side:


General activity is all under the Monitor tab; here you will be able to see your clients and from there drill down into application usage. It even offers a built-in PCI report, which should keep the compliance people happy.


The actual administration is through the Configure menu; here you can create your SSIDs, set up access control and firewall, as well as policies.


Organization allows you to set up more administrators, and more general aspects of your account.


Lastly is the Help menu, where you can raise tickets, and browse the help.

Initial Goals:

The initial goals for this are:

1: LAN and Internet access for regular users, authenticated by RADIUS to our internal RADIUS server.
2: Guest wifi with printer and Internet access but no corporate network access.

Creating a new Network

By default the portal shows a network called "Free AP", and this is connectable out of the box, with the AP being automatically assigned to this.


I want to create a new network. After all, having a visible wireless network called "Free AP" could very easily bring with it an influx of people jumping onto your wifi and using up your bandwidth. At the top of the page is a drop down, and in there is an option to "Create a network".


We can't assign our AP to more than one network, so we must remove it from the existing "Free AP" network and add it to our own. To do this, under Monitor > Access Points on the left hand side, we select our AP, click on the move icon, and a drop down appears. From here we can select "Remove From Network".


And then repeat the process, this time selecting the option to Move to network, and select our new network from the dropdown, then click on Move.


We can then see our AP on our new network.


This does not mean that we have stopped free access for all though. By default the AP does NAT, so at least I know that "rogue" users will not have access to my LAN, but (as per the goals) I want to have LAN access under one SSID, and guest access (with one printer) under another SSID.

We should now set up some limitations, or security, and this is done on the Configure menu from the left hand side of the screen.

Here is the first issue.


All the options under Configure are stuck on "Loading..."; in fact I found quite a few pages that were missing information. This was pretty annoying, and I tested it using the latest version of Chrome on two different operating systems. Once I turned off popup filtering (even though it's all on the same page) all the options are available.

Goal 1: LAN Access

I am happy to keep the SSID that was automatically created (taking the name of the network and appending Wifi at the end) for my LAN SSID.

To set up RADIUS I added a guest on the RADIUS server and set up a new policy to match the broadest AD group, with the friendly name I gave to the AP. The policy was simple, and just set to allow PAP/SPAP.

RADIUS authentication is set up under Configure > Access Control. The Association requirements were set to WPA2 Enterprise, using "my RADIUS server", and then we specify the host, port (1812) and the secret string we assigned when we created the guest on the RADIUS server.


Testing from my iPhone I selected the SSID and was prompted for my username and password. Once entering my AD credentials I could browse the Intranet and Internet with no problems.

Goal 2: Guest access with printer

From the Configure > SSIDs option I selected the next unconfigured SSID, enabled it and changed the name to highlight its guest status.


Then, under Configure > Firewall and traffic shaping, I selected the SSID from the drop down menu, added a rule to allow TCP access to one printer, deny access to the local LAN, and permit everything else:


I then connected from my Macbook Air. I could browse the Internet, but not the Intranet, and once I had configured a TCP/IP printer, was able to print.
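The order of those three guest rules matters, because the list is assumed to be evaluated top-down with the first match deciding. The following added example (not from the original post or from Meraki) models the rule set and evaluates three constructed flows against it, once in the configured order and once with the LAN deny moved above the printer rule. The LAN range, printer address and port 9100 are assumptions made for illustration.

```powershell
# Constructed rule set mirroring the post: printer allow, LAN deny, allow the rest.
$rules = @(
    [pscustomobject]@{ Policy='Allow'; Proto='tcp'; Dest='192.168.1.50/32'; Port='9100' }
    [pscustomobject]@{ Policy='Deny';  Proto='Any'; Dest='192.168.1.0/24';  Port='Any'  }
    [pscustomobject]@{ Policy='Allow'; Proto='Any'; Dest='0.0.0.0/0';       Port='Any'  }
)

function ConvertTo-IPv4Number([string]$Address) {
    $bytes = ([ipaddress]$Address).GetAddressBytes()   # network byte order
    [array]::Reverse($bytes)                           # little-endian for BitConverter
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-InCidr([string]$Address, [string]$Cidr) {
    $network, $bits = $Cidr -split '/'
    # Prefix mask built arithmetically: 2^32 - 2^(32 - prefix length).
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    ((ConvertTo-IPv4Number $Address) -band $mask) -eq ((ConvertTo-IPv4Number $network) -band $mask)
}

function Get-Verdict($RuleSet, [string]$Proto, [string]$Dest, [string]$Port) {
    foreach ($r in $RuleSet) {
        $protoOk = ($r.Proto -eq 'Any') -or ($r.Proto -eq $Proto)
        $portOk  = ($r.Port  -eq 'Any') -or ($r.Port  -eq $Port)
        # First matching rule wins; later rules are never consulted.
        if ($protoOk -and $portOk -and (Test-InCidr $Dest $r.Dest)) { return $r.Policy }
    }
    'Allow'   # unreachable here because the last rule matches everything
}

# Constructed test flows from a guest client.
$flows = @(
    @{ Name='guest to printer';   Proto='tcp'; Dest='192.168.1.50'; Port='9100' }
    @{ Name='guest to LAN share'; Proto='tcp'; Dest='192.168.1.10'; Port='445'  }
    @{ Name='guest to Internet';  Proto='tcp'; Dest='203.0.113.10'; Port='443'  }
)
$denyFirst = @($rules[1], $rules[0], $rules[2])   # LAN deny moved to the top

foreach ($f in $flows) {
    [pscustomobject]@{
        Flow         = $f.Name
        AsConfigured = (Get-Verdict -RuleSet $rules     -Proto $f.Proto -Dest $f.Dest -Port $f.Port)
        DenyFirst    = (Get-Verdict -RuleSet $denyFirst -Proto $f.Proto -Dest $f.Dest -Port $f.Port)
    }
}
```

With the deny rule first, the printer flow matches the LAN deny before the printer allow is reached, which is why the narrow allow has to sit above the broad deny.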

That's it for part one. So far I am very impressed. Without the hiccup over popups from my browser I could have had everything set up within about 30 minutes. Considering I have had to learn my way around the interface (though everything is pretty obvious), I think this is excellent. Certainly much easier than setting up Cisco WLCs.

In part 2 we will cover traffic shaping and monitoring.

Month five done, seven to go


Welcome to 2014 everyone! Hope you have had a great holiday, and a happy new year to all!

It's going to be a short post today. Things are going well, and, admittedly, although I have gone off on a little tangent, I have been studying pretty hard this month. I finished work mid-December and am back at work tomorrow. It's been a good holiday, fairly relaxing, I even cooked all the Christmas dinner (pork with crackling), all by myself (but my mum did chop the sprouts for me). Drank a lot of wine and played with my boys. Can't ask for more really. It's been a good end to 2013.

January is looking to be an exciting month, but I can't really say at the moment why. Sorry, but I will tell more as and when I can.

I haven't progressed much further in the QoS side of things, but am working on something pretty big. It's still CCIE related, so I haven't lost focus, if anything it has served to focus me more, it just means that it might prolong things a bit. I am pretty excited about it and hope to have it complete within the next couple of weeks, it's certainly the biggest and most concentrated thing I have done since my Psychology dissertation.

In the end though I think it will help others going through the CCIE as well, and hopefully it will be the start of something that will continue, especially as the new V5 is now firmly on the horizon.

Anyway, like I said, it's a short post today. So happy new year all, and hopefully 2014 will bring CCIE numbers to many of you!