iPSK with FreeRadius (Packetfence)

mcbrown
Comes here often

Hi Everyone,

I am trying to get iPSK working with PacketFence/FreeRADIUS.

It looks like everything is working on the PacketFence side of things.  Here are the logs from PacketFence:

PACKETFENCE LOG:

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] Username was defined "00e04c19dd56" - returning role 'WIFI-IT-STAFF-DISTRICT' (pf::role::getRegisteredRole)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] PID: "user", Status: reg Returned VLAN: (undefined), Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] (172.20.110.19) Added VLAN 118 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] security_event 1300003 force-closed for 00:e0:4c:19:dd:dd (pf::security_event::security_event_force_close)

RADIUS LOG:

Oct 17 22:18:07 srv-pf-02 auth[2992]: [mac:00:e0:4c:19:dd:dd] Accepted user:  and returned VLAN 118
Oct 17 22:18:07 srv-pf-02 auth[2992]: (12467) Login OK: [00e04c19dd56] (from client 172.20.10.19/32 port 0 cli 00:e0:4c:19:dd:dd)

RADIUS is authenticating correctly and returning VLAN 118, which is correct, but on the Windows machine I am trying to join from I get "Can't connect to this network".

Here are my SSID settings:

Association requirements: Identity PSK with RADIUS
WPA encryption mode: WPA2
Splash page: None
RADIUS server set to PacketFence management
RADIUS testing: disabled
RADIUS CoA: disabled
Client IP assignment: Bridge mode
VLAN tagging: Don't use
RADIUS override: RADIUS response can override VLAN tag

Here is the Meraki log for the client:

AP-01 WIFI-BYOD IT-VM-TEST-02 802.11 disassociation client has left AP
AP-01 WIFI-BYOD IT-VM-TEST-02 WPA deauthentication radio: 1, vap: 0, client_mac: 00:E0:4C:19:DD:DD
client_ip 0.0.0.0
aid 1114159115
AP-01 WIFI-BYOD IT-VM-TEST-02 RADIUS authentication resp: reject
AP-01 WIFI-BYOD IT-VM-TEST-02 802.11 association channel: 153, rssi: 26

Thanks. 

8 Replies

GreenMan
Meraki Employee

I don't see the RADIUS server returning the Tunnel-Password?

This is what the AP needs, to attempt to match with the (same) PSK being used by the client.

I take it you have been using https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication#Fr...

mcbrown
Comes here often

It's a little different than what is in that document because I am using PacketFence not just FreeRadius.  The MACs and the PSKs are stored in a database instead of the conf file. 

I checked some additional logs and it looks like PacketFence is passing the tunnel-password back in the reply, but it is passing it as attribute Cisco-AVPair. Here is the log:

RADIUS Request
User-Name = "00e04c19dddd"
User-Password = "******"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624cccc
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19dddd"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294eeee"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19dddd"

RADIUS Reply
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttreeee"
Cisco-AVPair = "psk-mode=ascii"

GreenMan
Meraki Employee

Unfortunately, that's not where the Access Point is looking for it - hence the failure, I'm pretty sure.  I'm afraid I've not got any experience with PacketFence - and some basic Googling didn't really come up with anything either...
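To make the diagnosis above checkable, here is an added example (not code from the thread, PacketFence or Meraki) that parses the FreeRADIUS-style attribute dump posted earlier, reports whether the Access-Accept carries Tunnel-Password or only a psk= value inside Cisco-AVPair, and shows the reply with a Tunnel-Password attribute added. The add_tunnel_password function is an assumed illustration of the missing attribute, not the actual change PacketFence made.

```python
import re

# Attribute dump copied from the RADIUS Reply posted above (constructed sample input).
SAMPLE_REPLY = """\
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "118"
Tunnel-Medium-Type = IEEE-802
Cisco-AVPair = "psk=otahreeddttreeee"
Cisco-AVPair = "psk-mode=ascii"
"""

# 'Attribute = value' with an optionally quoted value, as FreeRADIUS debug output prints it.
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_reply(text):
    """Parse attribute lines into ordered (attribute, value) tuples; multi-valued
    attributes such as Cisco-AVPair appear once per line."""
    return [m.groups() for m in map(ATTR_RE.match, text.splitlines()) if m]

def psk_from_avpair(pairs):
    """Return the PSK carried in a Cisco-AVPair 'psk=' value, or None."""
    return next((v[4:] for a, v in pairs
                 if a == "Cisco-AVPair" and v.startswith("psk=")), None)

def ipsk_check(text):
    """Report what the AP sees: the VLAN from Tunnel-Private-Group-Id, whether
    Tunnel-Password is present, and whether the PSK was sent only inside Cisco-AVPair."""
    pairs = parse_reply(text)
    has_tunnel_pw = any(a == "Tunnel-Password" for a, _ in pairs)
    return {"vlan": next((v for a, v in pairs if a == "Tunnel-Private-Group-Id"), None),
            "has_tunnel_password": has_tunnel_pw,
            "psk_in_avpair": psk_from_avpair(pairs),
            # per the reply above, the AP matches the client PSK only via Tunnel-Password
            "ap_can_match_psk": has_tunnel_pw}

def add_tunnel_password(text):
    """Return the reply with a Tunnel-Password line carrying the psk= value (assumed
    shape of the missing attribute; the thread does not show PacketFence's actual change).
    On the wire Tunnel-Password is encrypted with the RADIUS shared secret (RFC 2868),
    so the cleartext PSK only shows up in debug output like this dump."""
    pairs = parse_reply(text)
    psk = psk_from_avpair(pairs)
    if psk is None or any(a == "Tunnel-Password" for a, _ in pairs):
        return text
    return text + f'Tunnel-Password = "{psk}"\n'

if __name__ == "__main__":
    print(ipsk_check(SAMPLE_REPLY))                        # ap_can_match_psk: False
    print(ipsk_check(add_tunnel_password(SAMPLE_REPLY)))   # ap_can_match_psk: True
```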

mcbrown
Comes here often

Any idea how to tell FreeRadius to send additional attributes with the access-accept?  

Do you think the firmware update on the 21st will have some additional coding for IPSK?  

mcbrown
Comes here often

Worked with PacketFence and we added a line to send back the tunnel-password.  Works now.  

Another question though, is there a way to send the ipsk to the radius server in the access-request from Meraki?  

mcbrown
Comes here often

Any ideas on whether there is a way to send the iPSK to the RADIUS server in the Access-Request from Meraki?

GreenMan
Meraki Employee

No, this is not supported.   As your RADIUS server is there to be the centralised point of authority, I'm not sure why you would want to do that anyway...?

Have you looked at iPSK without RADIUS?   https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS

hybergen
New here

Hello, what exactly was done to send back the tunnel-password? I've run into the same issue you're having. Thanks
