Freeradius and WPA2

Updated 4 years ago
I'm having trouble with setting up an external freeradius and WPA2 authentication. We are using a samba4 domain controller operating as a Windows 2008 server.

I have successfully been able to get this working with our Aruba controller but I cannot seem to get the aerohive to spit out the mschap attributes. Here is an authentication request from the aruba controller to the freeradius server:

        User-Name = "jerame.hernandez"
        NAS-IP-Address = 10.20.30.1
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        User-Name = "jerame.hernandez"
        Service-Type = Login-User
        Calling-Station-Id = "############"
        Called-Station-Id = "############"
        MS-CHAP-Challenge = ##################################
        MS-CHAP2-Response = ######################################################################################################
        Aruba-Essid-Name = "USD470 PD"
        Aruba-Location-Id = "ArubaHS_MainGym"
        Aruba-Attr-10 = ##################
        Aruba-Attr-12 = ##########

Here is the request I get from the aerohive test:

        User-Name = "jerame.hernandez"
        NAS-IP-Address = 10.20.16.155
        NAS-Identifier = "AuthTest"
        NAS-Port = 0
        Called-Station-Id = "##-##-##-##-##-##:AuthTest"
        Calling-Station-Id = "##-##-##-##-##-##"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        EAP-Message = ############################################
        Service-Type = Framed-User
        Message-Authenticator = ##################################

My freeradius users file is set up as follows:

# Aruba SSIDs: map the LDAP group to an Aruba user role
DEFAULT Huntgroup-Name == aruba-wifi, Ldap-Group == "Student"
  Aruba-User-Role = Student,
  Fall-Through = Yes

DEFAULT Huntgroup-Name == aruba-wifi, Ldap-Group == "Staff"
  Aruba-User-Role = Staff,
  Fall-Through = Yes

DEFAULT Huntgroup-Name == aruba-wifi, Ldap-Group == "arubaadmins"
  Aruba-User-Role = Tech

# HiveManager admin login
DEFAULT Huntgroup-Name == aerohive-cont, Ldap-Group == "aerohiveadmins"
  AH-HM-Admin-Group-Id := 1

# Aerohive SSIDs: assign a VLAN (Tunnel-Type 10 = VLAN, Tunnel-Medium-Type 1 = IEEE 802)
DEFAULT Huntgroup-Name == aerohive-wifi, Ldap-Group == "Staff"
  Tunnel-Type := 10,
  Tunnel-Medium-Type := 1,
  Tunnel-Private-Group-Id = "201",
  Fall-Through = Yes

DEFAULT Huntgroup-Name == aerohive-wifi, Ldap-Group == "Tech"
  Tunnel-Type := 10,
  Tunnel-Medium-Type := 1,
  Tunnel-Private-Group-Id = "101"

# Anything that matched nothing above is rejected
DEFAULT Auth-Type := Reject

At this point, I cannot figure out what is missing from the config in the aerohive. The radius test is working on the controller and sends the following request:

        User-Name = "jerame.hernandez"
        NAS-IP-Address = 10.1.30.1
        NAS-Identifier = "hivemanager"
        MS-CHAP-Challenge = ##################################
        MS-CHAP2-Response = ######################################################################################################
        Message-Authenticator = ##################################


Any help is greatly appreciated. Thanks
Jerame Hernandez

Posted 4 years ago
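The three attribute dumps in the question differ in one decisive way: the Aruba controller and the HiveManager test send bare MS-CHAP-Challenge / MS-CHAP2-Response attributes, which only appear when the NAS itself terminates EAP and runs MS-CHAPv2 against the server, whereas the Aerohive AP sends EAP-Message plus Message-Authenticator, which is EAP passthrough: the RADIUS server has to terminate EAP (in FreeRADIUS the eap module, with MS-CHAPv2 only visible to mschap inside the PEAP tunnel). The following Python script is an added example, not code from the thread or from Aerohive/FreeRADIUS: it parses dumps in the "Name = value" layout shown above and classifies the request, flagging the Message-Authenticator and State conditions a RADIUS administrator checks first. The sample dumps are quoted from the question with the values masked as posted.

```python
import re

# Attribute dumps in the "Name = value" form quoted in the thread above
# (secrets and MAC addresses are masked with '#', exactly as posted).
ARUBA_DUMP = """
User-Name = "jerame.hernandez"         NAS-IP-Address = 10.20.30.1
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
MS-CHAP-Challenge = ##################################
MS-CHAP2-Response = ######################################
Aruba-Essid-Name = "USD470 PD"
"""

AEROHIVE_DUMP = """
User-Name = "jerame.hernandez"        NAS-IP-Address = 10.20.16.155
NAS-Identifier = "AuthTest"
NAS-Port-Type = Wireless-802.11
EAP-Message = ############################################
Service-Type = Framed-User
Message-Authenticator = ##################################
"""

# One attribute: a name, '=', then either a double-quoted string or a bare token.
ATTR_RE = re.compile(r'([A-Za-z0-9-]+)\s*=\s*("[^"]*"|\S+)')


def parse_attrs(dump):
    """Return (name, value) pairs in order. Repeats are kept on purpose:
    RADIUS allows an attribute to appear more than once (EAP-Message is
    routinely fragmented into several attributes)."""
    pairs = []
    for line in dump.splitlines():
        for m in ATTR_RE.finditer(line):
            pairs.append((m.group(1), m.group(2).strip('"')))
    return pairs


def classify(pairs):
    """Work out which authentication method the NAS is using and flag
    anything a RADIUS administrator would want to check."""
    names = {name for name, _ in pairs}
    first = dict(reversed(pairs))  # first occurrence of each attribute wins

    if "EAP-Message" in names:
        # The NAS relays EAP frames unchanged; the RADIUS server itself must
        # terminate EAP (in FreeRADIUS the eap module does this, and the inner
        # MS-CHAPv2 of PEAP only reaches mschap once the TLS tunnel is up).
        method = "eap-passthrough"
    elif {"MS-CHAP-Challenge", "MS-CHAP2-Response"} <= names:
        # The NAS terminated EAP (or ran MS-CHAPv2 natively) and sends the
        # challenge/response as plain RADIUS attributes; mschap handles these directly.
        method = "mschapv2-terminated"
    elif {"MS-CHAP-Challenge", "MS-CHAP-Response"} <= names:
        method = "mschapv1-terminated"
    elif "User-Password" in names:
        method = "pap"
    else:
        method = "unknown"

    findings = []
    if "EAP-Message" in names and "Message-Authenticator" not in names:
        findings.append("EAP-Message without Message-Authenticator: RFC 3579 "
                        "requires it and FreeRADIUS drops the packet")
    elif "Message-Authenticator" not in names:
        findings.append("no Message-Authenticator: the client block for this NAS "
                        "must keep require_message_authenticator = no")
    if "State" in names:
        findings.append("State present: continuation of an earlier Access-Challenge, "
                        "not a fresh request")

    return {"method": method,
            "user": first.get("User-Name"),
            "nas_ip": first.get("NAS-IP-Address"),
            "findings": findings}


if __name__ == "__main__":
    for label, dump in (("Aruba", ARUBA_DUMP), ("Aerohive", AEROHIVE_DUMP)):
        print(label, classify(parse_attrs(dump)))
```

Run against the two dumps, the Aruba request classifies as mschapv2-terminated (with a note that its client block needs require_message_authenticator = no, which the clients config later in the thread does set) and the Aerohive request as eap-passthrough with no findings, so the attributes the users file keys on (MS-CHAP) are never going to appear in the outer request from the AP; they exist only inside the EAP conversation.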

Carsten Buchenau, Champ

Hello Jerame,

Just to be sure: Did you add the IP address of each Aerohive AP as valid NAS to your Freeradius server?
Jerame Hernandez

Hey Carsten,

Yes. As this is the testing phase (although I'm on a time crunch with school starting in less than a month), I blank checked the whole district. Here is my clients config:

client localhost {
        ipaddr = 127.0.0.1
        secret = ##########################
        require_message_authenticator = no
        nastype = other
}

client 10.0.0.0/8 {
        secret = ##########################
        require_message_authenticator = no
        nastype = other
}

The requests are getting there, just no mschap.

Thanks for the reply
Carsten Buchenau, Champ

Ok, just checking :-)

I don't have much experience with FreeRadius; there are other people in this forum who know it better and will hopefully jump on it soon...

However, it would already be a good idea to use Client Monitor to get a trace of the full wireless connection process and post it here, so we can see how it looks from the Aerohive side.
Jerame Hernandez

Great. I appreciate it. Here is the Client Monitor. I am pretty sure since the radius is not receiving mschap from the radius, the transaction is limited.

       Time        Client MAC Addr     BSSID     Device Name  Level   Description
=================================================================================
07/25/2014 11:37:57 AM  #########  #########  AuthTest     DETAIL  (8843)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=119 length=166,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155 Called-Station-Id=##-##-##-##-##-##:AuthTest Calling-Station-Id=##-##-##-##-##-##
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8844)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=119 length=83
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8845)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=120 length=169,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155 Called-Station-Id=##-##-##-##-##-##:AuthTest Calling-Station-Id=##-##-##-##-##-##
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8846)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=120 length=83
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8847)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=121 length=291,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155 Called-Station-Id=##-##-##-##-##-##:AuthTest Calling-Station-Id=##-##-##-##-##-##
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8848)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=121 length=820
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8849)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=122 length=501,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155 Called-Station-Id=##-##-##-##-##-##:AuthTest Calling-Station-Id=##-##-##-##-##-##
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8850)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=122 length=123
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8851)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=123 length=169,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155 Called-Station-Id=##-##-##-##-##-##:AuthTest Calling-Station-Id=##-##-##-##-##-##
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8852)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=123 length=101
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8853)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=124 length=222,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155 Called-Station-Id=##-##-##-##-##-##:AuthTest Calling-Station-Id=##-##-##-##-##-##
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8854)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=124 length=101
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8855)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=125 length=206,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155 Called-Station-Id=##-##-##-##-##-##:AuthTest Calling-Station-Id=##-##-##-##-##-##
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8856)Authentication is terminated (at if=wifi1.1) because it is rejected by RADIUS server
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8857)Sta(at if=wifi1.1) is de-authenticated because of notification of driver
07/25/2014 11:37:59 AM  #########  #########  AuthTest     DETAIL  (8858)Rx <specific> probe req (rssi 78dB)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8859)Tx probe resp (pwr 13dBm)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     DETAIL  (8860)Rx <specific> probe req (rssi 76dB)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8861)Tx probe resp (pwr 13dBm)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     DETAIL  (8862)Rx <specific> probe req (rssi 63dB)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8863)Tx probe resp (pwr 15dBm)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     DETAIL  (8864)Rx <specific> probe req (rssi 64dB)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8865)Tx probe resp (pwr 15dBm)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8866)Rx auth <open> (frame 1, rssi 0dB)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8867)Tx auth <open> (frame 2, status 0, pwr 15dBm)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8868)Rx assoc req (rssi 62dB)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8869)Tx assoc resp <accept> (status 0, pwr 15dBm)
07/25/2014 11:37:59 AM  #########  #########  AuthTest     INFO    (8870)IEEE802.1X auth is starting (at if=wifi1.1)

Thanks again for the help!
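The Client Monitor trace above is worth reading as a RADIUS conversation rather than as a wall of text: every Access-Request the AP sent was answered by an Access-Challenge with a matching identifier, and the rejection arrived only after the seventh request, so the AP and the server are talking (a wrong shared secret usually shows up as timeouts, not challenges) and the reject is a decision the server took at the end of the EAP exchange, which is where radiusd -X output on the FreeRADIUS side would show the reason. The following Python script is an added example, not code from the thread or from Aerohive: it parses Client Monitor lines in the layout shown, pairs each Access-Request with its reply by RADIUS identifier, and summarises the outcome. The sample trace is an abridged copy of the lines above, MAC addresses masked as posted, with the repeated Called/Calling-Station-Id tails dropped to keep the lines short.

```python
import re

# Client Monitor lines quoted from the trace above, abridged to the RADIUS
# exchange plus the two lines that end it (MAC addresses masked as posted).
SAMPLE_TRACE = """\
07/25/2014 11:37:57 AM  #########  #########  AuthTest     DETAIL  (8843)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=119 length=166,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8844)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=119 length=83
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8845)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=120 length=169,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8846)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=120 length=83
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8847)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=121 length=291,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8848)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=121 length=820
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8849)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=122 length=501,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8850)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=122 length=123
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8851)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=123 length=169,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8852)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=123 length=101
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8853)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=124 length=222,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8854)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=124 length=101
07/25/2014 11:37:58 AM  #########  #########  AuthTest     DETAIL  (8855)Send message to RADIUS Server(10.20.2.133): code=1 (Access-Request) identifier=125 length=206,  User-Name=jerame.hernandez NAS-IP-Address=10.20.16.155
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8856)Authentication is terminated (at if=wifi1.1) because it is rejected by RADIUS server
07/25/2014 11:37:59 AM  #########  #########  AuthTest     BASIC   (8857)Sta(at if=wifi1.1) is de-authenticated because of notification of driver
"""

# Column layout of a Client Monitor line: timestamp, client MAC, BSSID, device, level, (sequence)message.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M)\s+\S+\s+\S+\s+(?P<dev>\S+)\s+"
    r"(?P<level>[A-Z]+)\s+\((?P<seq>\d+)\)(?P<msg>.*)$")
# RADIUS packet header fields as Client Monitor prints them.
RADIUS_RE = re.compile(
    r"code=(?P<code>\d+) \((?P<name>[A-Za-z-]+)\) identifier=(?P<ident>\d+) length=(?P<length>\d+)")
RADIUS_CODES = {2: "accept", 3: "reject", 11: "challenge"}


def parse_trace(trace):
    """Event dicts for every line that matches the layout; header/rule lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in trace.splitlines()) if m]


def summarize(trace):
    """Pair each Access-Request with its reply by identifier and report the outcome."""
    s = {"requests": 0, "challenges": 0, "accepts": 0, "rejects": 0,
         "exchange": [], "id_mismatches": [], "seq_gaps": [],
         "max_challenge_len": 0, "outcome": "incomplete"}
    prev_seq = None
    for ev in parse_trace(trace):
        seq = int(ev["seq"])
        if prev_seq is not None and seq != prev_seq + 1:
            s["seq_gaps"].append((prev_seq, seq))   # a gap means lines were dropped from the trace
        prev_seq = seq
        r = RADIUS_RE.search(ev["msg"])
        if r:
            code, ident, length = int(r["code"]), int(r["ident"]), int(r["length"])
            if code == 1:
                s["requests"] += 1
                s["exchange"].append([ident, length, None])     # reply length filled in below
            else:
                kind = RADIUS_CODES.get(code)
                if kind:
                    s[kind + "s"] += 1
                if s["exchange"] and s["exchange"][-1][0] == ident:
                    s["exchange"][-1][2] = length
                else:
                    s["id_mismatches"].append(ident)           # reply to a request we never saw
                if code == 11:
                    s["max_challenge_len"] = max(s["max_challenge_len"], length)
                elif code == 2:
                    s["outcome"] = "accepted"
                elif code == 3:
                    s["outcome"] = "rejected"
        if "rejected by RADIUS server" in ev["msg"]:   # Client Monitor reports the reject in prose
            s["outcome"] = "rejected"
    s["exchange"] = [tuple(x) for x in s["exchange"]]
    return s


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

For the trace above the summary is seven Access-Requests, six Access-Challenges with no identifier mismatches and no sequence gaps, the largest challenge being the 820-byte one for identifier 121, and an outcome of "rejected"; the exchange list gives the (identifier, request length, reply length) triples so the step at which the server stopped challenging is obvious at a glance.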
Carsten Buchenau, Champ

Hmmm... to be sure: You have configured your SSID with WPA/WPA2 802.1X (Enterprise) and no Captive Web Portal, right? Can you post a screenshot of your relevant SSID and Radius client configuration?
Jerame Hernandez

Sure.

[screenshots of the SSID and RADIUS client configuration were attached here]
Thanks
Carsten Buchenau, Champ

Hmmm... what happens if you un-check "Preauthentication" and push the configuration again?
Jerame Hernandez

Ok. I unchecked preauthentication and updated the access point. This did introduce a State = attribute, but still no MSCHAP.

Thanks for the suggestion.


User-Name = "jerame.hernandez"
 NAS-IP-Address = 10.20.16.155
 NAS-Identifier = "AuthTest"
 NAS-Port = 0
 Calling-Station-Id = "##-##-##-##-##-##"
 Framed-MTU = 1500
 NAS-Port-Type = Wireless-802.11
 EAP-Message = ##############
 State = ##################################
 Service-Type = Framed-User
 Message-Authenticator = ##################################
Carsten Buchenau, Champ

Sorry, I can't help any further here :-/

If nobody else answers here, I'd recommend opening an Aerohive support ticket (or checking with your reseller if you do not have direct support access).
Jerame Hernandez

Ok. I much appreciate you taking the time.

Thanks