
NAME

pf::Switch::Meru

SYNOPSIS

Module to manage Meru controllers

STATUS

Tested against MeruOS version 3.6.1-67

Supports
Deauthentication with CLI (Telnet/SSH)
Roles-assignment through RADIUS

BUGS AND LIMITATIONS

CLI deauthentication

De-authentication of a Wireless user is based on CLI access (Telnet or SSH). This is a vendor issue and it might be fixed in newer firmware versions.

Per SSID VLAN Assignment on unencrypted network not supported

The vendor doesn't include the SSID in their RADIUS-Request when using MAC Authentication, so VLAN assignment per SSID is not possible. This is a vendor issue and might be fixed in newer firmware versions.

Caching problems on secure connections

Performing a de-authentication does not clear the key cache, so on reconnection the device's authorization is served straight from the cache instead of triggering a new RADIUS query. This defeats the purpose of performing the de-authentication (to change VLAN or deny access).

A client-side workaround exists: disable PMK caching on the client. However, this could (and, in our opinion, should) be fixed by the vendor.

We have made some progress on this recently. For the 4.0 version tree, you need version 4.0-160 in order to disable PMK caching at the AP level. For the 5.0 version tree, all versions including 5.0-87 are impacted. The vendor says that in the 5.1 version, PMK caching will be disabled by default. To be confirmed.
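
An added example, not part of PacketFence or this module: one way to check whether the caching problem above affects a deployment is to look for stations that come back after a de-authentication without a new RADIUS query. The event format and sample lines are constructed for illustration; the three event kinds are assumed to be mapped from your own NAC, controller and RADIUS logs.

```python
from datetime import datetime, timedelta

# Constructed, normalized events (NOT a real PacketFence, RADIUS or Meru log format).
# deauth = the NAC asked the controller to drop the station
# assoc  = the controller reported the station (re)associated
# radius = the RADIUS server received an Access-Request for the station
SAMPLE_EVENTS = """\
2015-03-02T10:00:00 deauth 00:11:22:33:44:55
2015-03-02T10:00:03 assoc  00:11:22:33:44:55
2015-03-02T10:05:00 deauth 66:77:88:99:aa:bb
2015-03-02T10:05:02 assoc  66:77:88:99:aa:bb
2015-03-02T10:05:03 radius 66:77:88:99:aa:bb
2015-03-02T10:09:00 assoc  cc:dd:ee:ff:00:11
"""

def parse_events(text):
    """Return a time-sorted list of (datetime, kind, mac) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind, mac = line.split()
        events.append((datetime.fromisoformat(stamp), kind, mac.lower()))
    return sorted(events)

def find_cached_reconnects(events, grace=timedelta(seconds=10)):
    """Flag stations that came back after a deauth with no new RADIUS query.

    For each deauth, take the station's next association; if no Access-Request
    for that MAC falls between the deauth and association + grace, the session
    was most likely resumed from the key cache.
    """
    flagged = []
    for when, kind, mac in events:
        if kind != "deauth":
            continue
        assoc = next((t for t, k, m in events
                      if k == "assoc" and m == mac and t > when), None)
        if assoc is None:
            continue  # station never came back; nothing to check
        queried = any(k == "radius" and m == mac and when < t <= assoc + grace
                      for t, k, m in events)
        if not queried:
            flagged.append((mac, when, assoc))
    return flagged

if __name__ == "__main__":
    for mac, deauth_at, assoc_at in find_cached_reconnects(parse_events(SAMPLE_EVENTS)):
        print(f"{mac}: deauth {deauth_at}, back {assoc_at}, no Access-Request")
```

A flagged station kept whatever VLAN or access it had before the de-authentication, so it is the one to re-check after a role change or a deny.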

Be careful with Roles access control support (Meru's firewall rules)

Once written, these are enforced automatically on the controller's primary Ethernet interface.

SUBROUTINES

getVersion

Obtain image version information from the switch.

parseTrap

This is called when we receive an SNMP-Trap for this device

deauthenticateMacDefault

Deauthenticate a MAC address from the wireless network.

Right now the only way to do it is from the CLI (through Telnet or SSH).

Warning: this code doesn't support elevating to privileged mode. See #900 and #1370.

returnRoleAttribute

Meru uses the standard Filter-Id parameter.

deauthTechniques

Return the reference to the deauth technique or the default deauth technique.

AUTHOR

Inverse inc. <info@inverse.ca>

COPYRIGHT

Copyright (C) 2005-2015 Inverse inc.

LICENSE

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
