Hi Everyone,
I am trying to get iPSK working with PacketFence/FreeRadius radius.
It looks like everything is working on the PacketFence side of things. Here are the logs from PacketFence:
PACKETFENCE LOG:
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] Username was defined "00e04c19dd56" - returning role 'WIFI-IT-STAFF-DISTRICT' (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] PID: "user", Status: reg Returned VLAN: (undefined), Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] (172.20.110.19) Added VLAN 118 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] security_event 1300003 force-closed for 00:e0:4c:19:dd:dd (pf::security_event::security_event_force_close)
RADIUS LOG:
Oct 17 22:18:07 srv-pf-02 auth[2992]: [mac:00:e0:4c:19:dd:dd] Accepted user: and returned VLAN 118
Oct 17 22:18:07 srv-pf-02 auth[2992]: (12467) Login OK: [00e04c19dd56] (from client 172.20.10.19/32 port 0 cli 00:e0:4c:19:dd:dd)
Radius is authenticating correctly and returning VLAN 118, which is correct, but on the Windows machine I am trying to join from I get "Can't connect to this network".
Here are my SSID settings:
Association requirements: Identity PSK with RADIUS
WPA encryption mode: WPA2
Splash page: None
Radius server set to PacketFence management
Radius testing: disabled
Radius CoA: disabled
Client IP assignment: Bridge mode
VLAN tagging: Don't use
Radius override: Radius response can override VLAN tag
Here is the Meraki log for the client:
AP-01 WIFI-BYOD IT-VM-TEST-02 802.11 disassociation client has left AP
AP-01 WIFI-BYOD IT-VM-TEST-02 WPA deauthentication radio: 1, vap: 0, client_mac: 00:E0:4C:19:DD:DD
client_ip 0.0.0.0
aid 1114159115
AP-01 WIFI-BYOD IT-VM-TEST-02 RADIUS authentication resp: reject
AP-01 WIFI-BYOD IT-VM-TEST-02 802.11 association channel: 153, rssi: 26
Thanks.
I don't see the RADIUS server returning the Tunnel-Password..?
This is what the AP needs, to attempt to match with the (same) PSK being used by the client.
I take it you have been using https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication#Fr...
It's a little different than what is in that document because I am using PacketFence not just FreeRadius. The MACs and the PSKs are stored in a database instead of the conf file.
I checked some additional logs and it looks like PacketFence is passing the Tunnel-Password back in the reply, but it is passing it as attribute Cisco-AVPair. Here is the log:
Unfortunately, that's not where the Access Point is looking for it - hence the failure, I'm pretty sure. I'm afraid I've not got any experience with PacketFence - and some basic Googling didn't really come up with anything either...
Any idea how to tell FreeRadius to send additional attributes with the access-accept?
Do you think the firmware update on the 21st will have some additional coding for IPSK?
Worked with PacketFence and we added a line to send back the tunnel-password. Works now.
Another question though, is there a way to send the ipsk to the radius server in the access-request from Meraki?
Any ideas on whether there is a way to send the iPSK to the radius server in the access-request from Meraki?
No, this is not supported. As your RADIUS server is there to be the centralised point of authority, I'm not sure why you would want to do that anyway...?
Have you looked at iPSK without RADIUS? https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS
Hello, what exactly was done to send back the Tunnel-Password? I've run into the same issue you're having. Thanks
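To check the diagnosis made earlier in the thread (PSK carried in a Cisco-AVPair VSA instead of the standard Tunnel-Password attribute the AP reads), here is an added example, not code from any poster or from PacketFence/FreeRADIUS: a small RADIUS attribute walker that inspects an Access-Accept and reports where the VLAN and PSK are carried. The two sample packets, their zeroed authenticator and the AVPair text are constructed for illustration; the thread does not show the actual log line.

```python
import struct

# Standard RADIUS attribute numbers (RFC 2865 / RFC 2868) and Cisco VSA ids.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65
TUNNEL_PASSWORD, TUNNEL_PRIVATE_GROUP_ID = 69, 81
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1


def parse_attributes(packet: bytes):
    """Yield (type, vendor_id, vendor_type, value) for each attribute; VSAs are unpacked."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS packet length")
    pos = 20  # 4-byte header plus 16-byte Response Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
            while len(sub) >= 2:  # vendor attributes: vtype, vlen, data
                vtype, vlen = sub[0], sub[1]
                if vlen < 2 or vlen > len(sub):
                    raise ValueError("bad vendor attribute length")
                yield atype, vendor, vtype, sub[2:vlen]
                sub = sub[vlen:]
        else:
            yield atype, None, None, value
        pos += alen


def check_ipsk_reply(packet: bytes) -> dict:
    """Report whether the reply carries Tunnel-Password, the VLAN, and any Cisco-AVPairs."""
    found = {"tunnel_password": False, "vlan": None, "cisco_avpairs": []}
    for atype, vendor, vtype, value in parse_attributes(packet):
        if atype == TUNNEL_PASSWORD:  # encrypted with the shared secret; presence is enough here
            found["tunnel_password"] = True
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found["vlan"] = (value[1:] if value and value[0] <= 0x1F else value).decode()
        elif atype == VENDOR_SPECIFIC and vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
            found["cisco_avpairs"].append(value.decode())
    return found


def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def cisco_avpair(text: str) -> bytes:
    inner = bytes([CISCO_AVPAIR, len(text) + 2]) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def access_accept(attrs: list) -> bytes:
    body = b"".join(attrs)  # constructed packet: authenticator zeroed, not a real MD5
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

VLAN_ATTRS = [attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d"), attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
              attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00118")]  # tag 0, VLAN, IEEE-802, group "118"
BROKEN_REPLY = access_accept(VLAN_ATTRS + [cisco_avpair("psk=constructed-example")])
FIXED_REPLY = access_accept(VLAN_ATTRS + [attr(TUNNEL_PASSWORD, b"\x00\x80\x01" + bytes(16))])
```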