Meraki

Community

iPSK with FreeRadius (Packetfence)

mcbrown
Comes here often
‎Nov 11 2020 7:23 AM
‎Nov 11 2020 7:23 AM

iPSK with FreeRadius (Packetfence)

Hi Everyone,

 

I am trying to get iPSK working with PacketFence/FreeRadius radius.

 

It looks like everything is working on the PacketFence side of things.  Here are the logs from PacketFence:

PACKETFENCE LOG:

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] Username was defined "00e04c19dd56" - returning role 'WIFI-IT-STAFF-DISTRICT' (pf::role::getRegisteredRole)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] PID: "user", Status: reg Returned VLAN: (undefined), Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] (172.20.110.19) Added VLAN 118 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] security_event 1300003 force-closed for 00:e0:4c:19:dd:dd (pf::security_event::security_event_force_close)

 

RADIUS LOG:

Oct 17 22:18:07 srv-pf-02 auth[2992]: [mac:00:e0:4c:19:dd:dd] Accepted user:  and returned VLAN 118

Oct 17 22:18:07 srv-pf-02 auth[2992]: (12467) Login OK: [00e04c19dd56] (from client 172.20.10.19/32 port 0 cli 00:e0:4c:19:dd:dd)

 

Radius is authenticating correctly and returning vlan 118 which is correct but on the Windows machine I am trying to join from I get "Can't connect to this network"

 

Here are my SSID settings:

Association requirements: Identity PSK with RADIUS

WPA encryption mode: WPA2

Splash page: None

Readius server set to PacketFence management

Radius testing: disabled

Radius CoA: disabled

Client IP assignment: Bridge mode

VLAN tagging: Don't use

Radius override: Radius response can override VLAN tag

 

 
 

Here is the Meraki log for the client:

AP-01 WIFI-BYOD IT-VM-TEST-02 802.11 disassociation client has left AP

AP-01 WIFI-BYOD IT-VM-TEST-02 WPA deauthentication radio: 1, vap: 0, client_mac: 00:E0:4C:19:DD:DD « hide
client_ip 0.0.0.0
aid 1114159115

AP-01 WIFI-BYOD IT-VM-TEST-02 RADIUS authentication resp: reject

AP-01 WIFI-BYOD IT-VM-TEST-02 802.11 association channel: 153, rssi: 26

 

Thanks. 

 

  

0 Kudos
8 Replies 8
GreenMan
Meraki Employee
Meraki Employee
‎Nov 11 2020 8:34 AM
‎Nov 11 2020 8:34 AM

I don't see the RADIUS server returning the Tunnel-Password..?

This is what the AP needs, to attempt to match with the (same) PSK being used by the client.

 

I take it you have been using https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication#Fr...

In response to GreenMan
mcbrown
Comes here often
‎Nov 12 2020 7:14 AM
‎Nov 12 2020 7:14 AM

It's a little different than what is in that document because I am using PacketFence not just FreeRadius.  The MACs and the PSKs are stored in a database instead of the conf file. 

 

I checked some additional logs and it looks like PacketFence is passing the tunnel-password back in the reply but it is passing it as attribute Cisco-AVPair.  Here is the log.:

 

RADIUS Request
RADIUS Request
User-Name = "00e04c19dddd"
User-Password = "******"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624cccc
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19dddd"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294eeee"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19dddd"
 
 
RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttreeee"
Cisco-AVPair = "psk-mode=ascii"

 

 

0 Kudos
In response to mcbrown
GreenMan
Meraki Employee
Meraki Employee
‎Nov 12 2020 8:28 AM
‎Nov 12 2020 8:28 AM

Unfortunately, that's not where the Access Point is looking for it - hence the failure, I'm pretty sure.  I'm afraid I've not got any experience with PacketFence - and some basic Googling didn't really come up with anything either...

0 Kudos
In response to GreenMan
mcbrown
Comes here often
‎Nov 12 2020 1:50 PM
‎Nov 12 2020 1:50 PM

Any idea how to tell FreeRadius to send additional attributes with the access-accept?  

 

Do you think the firmware update on the 21st will have some additional coding for IPSK?  

0 Kudos
In response to mcbrown
mcbrown
Comes here often
‎Dec 8 2020 8:32 AM
‎Dec 8 2020 8:32 AM

Worked with PacketFence and we added a line to send back the tunnel-password.  Works now.  

 

Another question though, is there a way to send the ipsk to the radius server in the access-request from Meraki?  

0 Kudos
In response to mcbrown
mcbrown
Comes here often
‎Dec 9 2020 7:07 AM
‎Dec 9 2020 7:07 AM

Any ideas on if there is there a way to send the ipsk to the radius server in the access-request from Meraki?  

0 Kudos
In response to mcbrown
GreenMan
Meraki Employee
Meraki Employee
‎Dec 14 2020 4:07 AM
‎Dec 14 2020 4:07 AM

No, this is not supported.   As your RADIUS server is there to be the centralised point of authority, I'm not sure why you would want to do that anyway...?

 

Have you looked at iPSK without RADIUS?   https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS

0 Kudos
In response to mcbrown
hybergen
New here
‎Aug 1 2023 8:36 AM
‎Aug 1 2023 8:36 AM

Hello, what exactly was done to send back the tunnel-password? I've run into the same issue your having. Thanks

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.