Problems with setting up Freeradius for iPSK

Solved
Complit
Getting noticed

Dear,

I installed an Ubuntu server and installed FreeRADIUS on it. FreeRADIUS is starting as expected.

But when I follow the steps in this topic: https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication

I get error messages when I start FreeRADIUS after I changed the users file.

Users file:

[screenshot: IMG_20200217_131036.jpg]

Error message:

[screenshot: IMG_20200217_131000.jpg]

Can someone help me with this? I'm new to FreeRADIUS.

12 Replies
ww
Kind of a big deal

I know this one.

Put a space (or indent) before the Tunnel-Password.

CptnCrnch
Kind of a big deal

Indent the line with "Tunnel-Password" via Tab.

The documentation tells you why:

"Indented (with the tab character) lines following the first
line indicate the configuration values to be passed back to
the comm server to allow the initiation of a user session.
This can include things like the PPP configuration values
or the host to log the user onto."

Complit
Getting noticed

Thanks a lot guys!!!! That was very helpful.

Now the default password is working as iPSK. But my user iPSK is still not working. FreeRADIUS is starting fine. Any idea what I can check?

CptnCrnch
Kind of a big deal

I had to leave out the ":" when configuring the MAC addresses when using the FreeRADIUS standard config.

E.g.: aabbccddeeff Cleartext-Password := aabbccddeeff

Complit
Getting noticed

You hero! Now it's working. I think Meraki needs to update their documentation :-D.

The only thing I need to figure out is how I can create new iPSKs via APIs on the FreeRADIUS server. We are trying to create a BYOD solution where users can onboard themselves by logging in with their AzureAD/Office365/Gsuite credentials and get an iPSK in the right VLAN. The VLAN is based on the security group in Azure AD/Office365/Gsuite. If they leave the organisation we will delete the iPSK.

CptnCrnch
Kind of a big deal

FreeRADIUS by itself doesn't provide you with an API capability.

Food for thought: you could handle accounts not within configuration files but rather use a database. Whatever system you're using to provide these accounts (some kind of web frontend, script, ...) would have to fill them into that database.

Complit
Getting noticed

Thanks again. I'm totally new to FreeRADIUS. So we need to tell FreeRADIUS to use a database instead of the configuration file? I will try to use MySQL and find a way to import the users into MySQL from our system. Let's google :-D. If you have any interesting documentation, you may always post it :-D.

Do you know why Meraki/Cisco chose to create unique PSKs based on a RADIUS server instead of a solution like Aerohive/Ruckus?

CptnCrnch
Kind of a big deal

Quite straightforward: https://www.osradar.com/freeradius-with-mysql-backend/

Frankly, I don't even know how iPSK is implemented on Ruckus. My only guess is that RADIUS has been widely used for authentication / 802.1X, especially in WiFi environments, for ages. But the only valid answer can be provided by Cisco itself. 😉
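
As an added example (not code from this thread, from Meraki or from FreeRADIUS), the Python helper below encodes the two fixes given above: the MAC is normalised to the lowercase, separator-free form the AP sends as User-Name, and the reply item goes on a tab-indented continuation line of the users file. It also renders the equivalent radcheck/radreply rows for the MySQL backend discussed here and lints a users file for the missing-indent error. Tunnel-Password as the PSK reply attribute follows the linked Meraki guide; the rule that a PSK contains no quotes or backslashes is an assumption to keep quoting simple.

```python
import re

# Operators the users-file syntax accepts between an attribute and its value.
OPERATORS = {"=", ":=", "==", "+=", "!=", ">", ">=", "<", "<="}


def normalize_mac(mac):
    """Collapse any common MAC notation to what the AP sends as User-Name,
    e.g. Calling-Station-Id "28-16-AD-CA-F3-6E" -> "2816adcaf36e"."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def users_file_entry(mac, psk):
    """Render one users-file entry: check items on the first line, the
    Tunnel-Password reply item on a tab-indented continuation line."""
    if '"' in psk or "\\" in psk:
        # Assumption: keep quoting simple rather than escape these characters.
        raise ValueError("PSK must not contain quotes or backslashes")
    name = normalize_mac(mac)
    return '%s\tCleartext-Password := "%s"\n\tTunnel-Password = "%s"\n' % (
        name, name, psk)


def sql_rows(mac, psk):
    """The same entry as rows for the default FreeRADIUS SQL schema:
    (table, username, attribute, op, value)."""
    name = normalize_mac(mac)
    return [("radcheck", name, "Cleartext-Password", ":=", name),
            ("radreply", name, "Tunnel-Password", "=", psk)]


def lint_users_file(text):
    """Return line numbers of unindented lines whose second token is an
    operator: a reply item written at column 0, which the parser reads as a
    bare user name followed by junk (the error in the original post)."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            continue  # indented continuation line: a reply item, fine
        tokens = line.split()
        if len(tokens) > 1 and tokens[1] in OPERATORS:
            bad.append(lineno)
    return bad
```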

Complit
Getting noticed

Thanks a lot. I think I'm almost there.

FreeRADIUS returns Access-Accept but Meraki is rejecting it.

Feb 19 15:22:04  complit-PC  802.11 disassociation: unspecified reason
Feb 19 15:21:59  complit-PC  WPA deauthentication: radio: 1, vap: 3, client_mac: 28:16:AD:CA:F3:6E, aid1404825037
Feb 19 15:21:59  complit-PC  RADIUS authentication: resp: reject
Feb 19 15:21:59  complit-PC  802.11 association: channel: 108, rssi: 15
Feb 19 15:11:57  complit-PC  802.11 disassociation: unspecified reason
Feb 19 15:11:52  complit-PC  WPA deauthentication: radio: 1, vap: 3, client_mac: 28:16:AD:CA:F3:6E
Feb 19 15:11:52  complit-PC  802.11 association: channel: 108, rssi: 15
Feb 19 15:11:52  complit-PC  RADIUS authentication: resp: reject

FreeRADIUS output:


(0) Received Access-Request Id 4 from 10.10.0.107:32978 to 10.10.0.5:1812 length 221
(0) User-Name = "2816adcaf36e"
(0) User-Password = "2816adcaf36e"
(0) NAS-IP-Address = 10.10.0.107
(0) Called-Station-Id = "EE-55-2D-F2-EA-CA:Meraki-Wiflex"
(0) NAS-Port-Type = Wireless-802.11
(0) Attr-26.29671.2 = 0x436f6d706c69742d747269616c202d20776972656c657373
(0) Attr-26.29671.3 = 0x4d6572616b694170436f6d706c6974
(0) Calling-Station-Id = "28-16-AD-CA-F3-6E"
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) Message-Authenticator = 0x8d3a513504ca2a031fa69f69d3246684
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "2816adcaf36e", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> 2816adcaf36e
(0) sql: SQL-User-Name set to '2816adcaf36e'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2816adcaf36e' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2816adcaf36e' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "2816adcaf36e"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '2816adcaf36e' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '2816adcaf36e' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = '2816adcaf36e' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '2816adcaf36e' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.29-0ubuntu0.18.04.1, protocol version 10
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql: --> 2816adcaf36e
(0) sql: SQL-User-Name set to '2816adcaf36e'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '2816adcaf36e', '2816adcaf36e', 'Access-Accept', '2020-02-19 14:21:59')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '2816adcaf36e', '2816adcaf36e', 'Access-Accept', '2020-02-19 14:21:59')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 4 from 10.10.0.5:1812 to 10.10.0.107:32978 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 4 with timestamp +17
Ready to process requests


If I have a look at the radpostauth table I get:

| id | username     | pass         | reply         | authdate            |
| 7  | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 13:33:05 |
| 8  | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 14:11:52 |
| 9  | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 14:21:59 |

Complit
Getting noticed

I had a call with an SE from Meraki. Probably it is a bug. They are investigating this issue.

They also mentioned that an iPSK feature without RADIUS will be launched. Just what I need 😄

danielnygaard
Conversationalist

Hi @Complit

Did they mention when this will be launched? 🙂

Complit
Getting noticed

In the coming weeks. But I don't know the exact date.
