Thanks a lot guys!!!! Was very helpfull.

 

Now the default password is working as ipsk. But my user ipsk is still not working. Freeradius is starting good. Any idea what I can check?

I had to leave out the ":" when configuring the MAC addresses when using the FreeRADIUS standard config.

 

E.g.: aabbccddeeff Cleartext-password := aabbccddeeff

You hero! Now it's working. I think Meraki need to update there documentation :-D. 

 

The only thing I need to figure out is how I can create new ipsk's by api's on the freeradius server. We are trying to create a BYOD solution where users can onboard themself by logging in with their AzureAD/Offfice365/Gsuiste credentials and get an IPSK in the right vlan. Vlan is based on the security group in Azure AD/Office365/Gsuite. If they leave the organisation we will delete the ipsk.

 

 

FreeRADIUS by itself doesn't provide you with an API-capability.

 

Food for thought: you could handle accounts not within configuration files but rather use a database. Whatever system you're using to provide these accounts (some kidnd of webfrontend, script, ...) would have to fill them into that database.

Thanks again. I'm totally new to Freeradius. So we need to tell freeradius to use a database instead of the configuration file? I will try to use mysql and find a way to import the users into mysql from our system. Let's google :-D. If you have any interesting documentation, you may always post it :-D.

Do you know why Meraki/Cisco chose to create unique psk's based on radius server instead of a solution like Aerohive/Ruckus?

Quite straightforward: https://www.osradar.com/freeradius-with-mysql-backend/

 

Frankly, I don‘t even know how iPSK is implemented on Ruckus. My only guess is that RADIUS is widely used for authentication / 802.1x especially in WiFi environments since ages. But the only valid answer can be provided by Cisco itself. 😉

Thanks a lot. I think I'm almost there.

 

Freeradius return accept-accept but Meraki is rejecting it.

Feb 19 15:22:04	complit-PC	802.11 disassociation	unspecified reason
Feb 19 15:21:59	complit-PC	WPA deauthentication	radio: 1, vap: 3, client_mac: 28:16:AD:CA:F3:6E  « hide aid 1404825037
Feb 19 15:21:59	complit-PC	RADIUS authentication	resp: reject
Feb 19 15:21:59	complit-PC	802.11 association	channel: 108, rssi: 15
Feb 19 15:11:57	complit-PC	802.11 disassociation	unspecified reason
Feb 19 15:11:52	complit-PC	WPA deauthentication	radio: 1, vap: 3, client_mac: 28:16:AD:CA:F3:6E  more »
Feb 19 15:11:52	complit-PC	802.11 association	channel: 108, rssi: 15
Feb 19 15:11:52	complit-PC	RADIUS authentication	resp: reject

 

 

output freeradius:

 

(0) Received Access-Request Id 4 from 10.10.0.107:32978 to 10.10.0.5:1812 length 221
(0) User-Name = "2816adcaf36e"
(0) User-Password = "2816adcaf36e"
(0) NAS-IP-Address = 10.10.0.107
(0) Called-Station-Id = "EE-55-2D-F2-EA-CA:Meraki-Wiflex"
(0) NAS-Port-Type = Wireless-802.11
(0) Attr-26.29671.2 = 0x436f6d706c69742d747269616c202d20776972656c657373
(0) Attr-26.29671.3 = 0x4d6572616b694170436f6d706c6974
(0) Calling-Station-Id = "28-16-AD-CA-F3-6E"
(0) Connect-Info = "CONNECT 11Mbps 802.11b"
(0) Message-Authenticator = 0x8d3a513504ca2a031fa69f69d3246684
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "2816adcaf36e", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) sql: EXPAND %{User-Name}
(0) sql: --> 2816adcaf36e
(0) sql: SQL-User-Name set to '2816adcaf36e'
rlm_sql (sql): Reserved connection (1)
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2816adcaf36e' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '2816adcaf36e' ORDER BY id
(0) sql: User found in radcheck table
(0) sql: Conditional check items matched, merging assignment check items
(0) sql: Cleartext-Password := "2816adcaf36e"
(0) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '2816adcaf36e' ORDER BY id
(0) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '2816adcaf36e' ORDER BY id
(0) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(0) sql: --> SELECT groupname FROM radusergroup WHERE username = '2816adcaf36e' ORDER BY priority
(0) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '2816adcaf36e' ORDER BY priority
(0) sql: User not found in any groups
rlm_sql (sql): Released connection (1)
Need 4 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.7.29-0ubuntu0.18.04.1, protocol version 10
(0) [sql] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) sql: EXPAND .query
(0) sql: --> .query
(0) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(0) sql: EXPAND %{User-Name}
(0) sql: --> 2816adcaf36e
(0) sql: SQL-User-Name set to '2816adcaf36e'
(0) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(0) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '2816adcaf36e', '2816adcaf36e', 'Access-Accept', '2020-02-19 14:21:59')
(0) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '2816adcaf36e', '2816adcaf36e', 'Access-Accept', '2020-02-19 14:21:59')
(0) sql: SQL query returned: success
(0) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(0) [sql] = ok
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = ok
(0) Sent Access-Accept Id 4 from 10.10.0.5:1812 to 10.10.0.107:32978 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 4 with timestamp +17
Ready to process requests

 

If I have a look at the radpostauth table I get:

| 7 | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 13:33:05 |
| 8 | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 14:11:52 |
| 9 | 2816adcaf36e | 2816adcaf36e | Access-Accept | 2020-02-19 14:21:59 |

I had a call with an SE from Meraki. Probably it is a bug. They are investigating this issue.

They also mentioned that there will be lauched an ipsk feature without Radius. Just what I need 😄

Hi @Complit

Did they mention when this will be launced? 🙂

In the coming weeks. But don't know the exact date.