Meraki Community

mcbrown · ‎Nov 11 2020

Hi Everyone,

I am trying to get iPSK working with PacketFence/FreeRadius radius.

It looks like everything is working on the PacketFence side of things. Here are the logs from PacketFence:

PACKETFENCE LOG:

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] Connection type is MAC-AUTH. Getting role from node_info (pf::role::getRegisteredRole)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] Username was defined "00e04c19dd56" - returning role 'WIFI-IT-STAFF-DISTRICT' (pf::role::getRegisteredRole)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] PID: "user", Status: reg Returned VLAN: (undefined), Role: WIFI-IT-STAFF-DISTRICT (pf::role::fetchRoleForNode)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] (172.20.110.19) Added VLAN 118 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)

Oct 17 22:18:07 srv-pf-02 packetfence_httpd.aaa: httpd.aaa(2131) INFO: [mac:00:e0:4c:19:dd:dd] security_event 1300003 force-closed for 00:e0:4c:19:dd:dd (pf::security_event::security_event_force_close)

RADIUS LOG:

Oct 17 22:18:07 srv-pf-02 auth[2992]: [mac:00:e0:4c:19:dd:dd] Accepted user: and returned VLAN 118

Oct 17 22:18:07 srv-pf-02 auth[2992]: (12467) Login OK: [00e04c19dd56] (from client 172.20.10.19/32 port 0 cli 00:e0:4c:19:dd:dd)

Radius is authenticating correctly and returning vlan 118 which is correct but on the Windows machine I am trying to join from I get "Can't connect to this network"

Here are my SSID settings:

Association requirements: Identity PSK with RADIUS

WPA encryption mode: WPA2

Splash page: None

Readius server set to PacketFence management

Radius testing: disabled

Radius CoA: disabled

Client IP assignment: Bridge mode

VLAN tagging: Don't use

Radius override: Radius response can override VLAN tag

Here is the Meraki log for the client:

AP-01 WIFI-BYOD IT-VM-TEST-02 802.11 disassociation client has left AP

AP-01 WIFI-BYOD IT-VM-TEST-02 WPA deauthentication radio: 1, vap: 0, client_mac: 00:E0:4C:19:DD:DD « hide
client_ip 0.0.0.0
aid 1114159115

AP-01 WIFI-BYOD IT-VM-TEST-02 RADIUS authentication resp: reject

AP-01 WIFI-BYOD IT-VM-TEST-02 802.11 association channel: 153, rssi: 26

Thanks.

GreenMan · ‎Nov 11 2020

I don't see the RADIUS server returning the Tunnel-Password..?

This is what the AP needs, to attempt to match with the (same) PSK being used by the client.

I take it you have been using https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_with_RADIUS_Authentication#Fr...

mcbrown · ‎Nov 12 2020

It's a little different than what is in that document because I am using PacketFence not just FreeRadius. The MACs and the PSKs are stored in a database instead of the conf file.

I checked some additional logs and it looks like PacketFence is passing the tunnel-password back in the reply but it is passing it as attribute Cisco-AVPair. Here is the log.:

RADIUS Request

RADIUS Request
User-Name = "00e04c19dddd"
User-Password = "******"
NAS-IP-Address = 172.20.10.20
Called-Station-Id = "68:3a:1e:85:cc:cc:WIFI-BYOD"
Calling-Station-Id = "00:e0:4c:19:dd:dd"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Nov 12 2020 09:58:47 EST"
Connect-Info = "CONNECT 11Mbps 802.11b"
Message-Authenticator = 0x2458d1c2852dfb55ec85d8484624cccc
Meraki-Network-Name = "Network"
Meraki-Ap-Name = "AP-01"
Stripped-User-Name = "00e04c19dddd"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.20.10.20
Called-Station-SSID = "WIFI-BYOD"
PacketFence-KeyBalanced = "8e4b512c5636628cd16b291bf294eeee"
PacketFence-Radius-Ip = "172.20.100.2"
SQL-User-Name = "00e04c19dddd"

RADIUS Reply

Tunnel-Type = VLAN

Tunnel-Private-Group-Id = "118"

Tunnel-Medium-Type = IEEE-802

Cisco-AVPair = "psk=otahreeddttreeee"

Cisco-AVPair = "psk-mode=ascii"

GreenMan · ‎Nov 12 2020

Unfortunately, that's not where the Access Point is looking for it - hence the failure, I'm pretty sure. I'm afraid I've not got any experience with PacketFence - and some basic Googling didn't really come up with anything either...

mcbrown · ‎Nov 12 2020

Any idea how to tell FreeRadius to send additional attributes with the access-accept?

Do you think the firmware update on the 21st will have some additional coding for IPSK?

mcbrown · ‎Dec 8 2020

Worked with PacketFence and we added a line to send back the tunnel-password. Works now.

Another question though, is there a way to send the ipsk to the radius server in the access-request from Meraki?

mcbrown · ‎Dec 9 2020

Any ideas on if there is there a way to send the ipsk to the radius server in the access-request from Meraki?

GreenMan · ‎Dec 14 2020

No, this is not supported. As your RADIUS server is there to be the centralised point of authority, I'm not sure why you would want to do that anyway...?

Have you looked at iPSK without RADIUS? https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_Without_RADIUS

hybergen · ‎Aug 1 2023

Hello, what exactly was done to send back the tunnel-password? I've run into the same issue your having. Thanks

Meraki Community

iPSK with FreeRadius (Packetfence)

iPSK with FreeRadius (Packetfence)