Changed subject line to reflect new topic.

I've taken your advice and asked for the project requirements to be modified. We'll just have to deal with incompatible devices (and their users) on an ad-hoc basis - and maybe give some people a reason to upgrade. ;-)

I'm now using a bog standard freeradius install with SQL enabled and talking to a mysql database. It worked perfectly out of the box with the MSM460 set to use WPA2 and AES.

I still need to provide MAC address restriction on a per-user basis. Yes, I know it's fairly easy these days to spoof the MAC address, but that will be a deliberate act by a user. It is not being used as a technical security measure but as an indication of intent that will have consequences.

mysql> select * from radcheck;
+----+----------+--------------------+----+-------------------+
| id | username | attribute          | op | value             |
+----+----------+--------------------+----+-------------------+
|  1 | user01   | Cleartext-Password | := | pass01            |
|  2 | user01   | Calling-Station-Id | == | 98-4B-4A-F5-BF-40 |
+----+----------+--------------------+----+-------------------+

With just a username and password in the table, I can authenticate from my device. I see the crypto handshaking, the sql module returns ok for the user and the password is verified.

When I add the second row in the table, the auth fails. Tracing backwards, peap reports "Peap state send tlv failure", caused by mschap reporting "No Cleartext-Password configured", caused by rlm_sql reporting "User user01 not found".

Replaying the SQL query from the debug manually:

mysql> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'user01' ORDER BY id;
+----+----------+--------------------+-------------------+----+
| id | username | attribute          | value             | op |
+----+----------+--------------------+-------------------+----+
|  1 | user01   | Cleartext-Password | pass01            | := |
|  2 | user01   | Calling-Station-Id | 98-4B-4A-F5-BF-40 | == |
+----+----------+--------------------+-------------------+----+

So, there's something wrong with how I'm doing my check items - they're not matching and the Cleartext-Password attribute is not being set. I've read the SQL_HOWTO and Operators docs on the website and come up with this myself. I copied and pasted the attribute and value from the debug output directly:

Calling-Station-Id = "98-4B-4A-F5-BF-40"

I can simply change the username of row 2 to another string (eg "foo") and my device will authenticate again. Change it back and it won't.

Many thanks, glen.
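To illustrate the check-item behaviour described above, here is an added example (not part of this thread, and a simplified model rather than FreeRADIUS's own rlm_sql code) that applies the radcheck rows from the post to a sample Access-Request: `:=` rows become config items, every `==` row must equal the corresponding request attribute, and any failed comparison makes the lookup report the user as not found, so no Cleartext-Password reaches mschap. The `mac_tolerant` flag and `normalize_mac` are assumptions added to show how a MAC sent in a different separator or case style would fail the exact comparison.

```python
import re

# Constructed radcheck rows, copied from the table in the post above.
RADCHECK = [
    {"id": 1, "username": "user01", "attribute": "Cleartext-Password", "op": ":=", "value": "pass01"},
    {"id": 2, "username": "user01", "attribute": "Calling-Station-Id", "op": "==", "value": "98-4B-4A-F5-BF-40"},
]


def normalize_mac(value):
    """Canonical form for MAC comparison: 12 lowercase hex digits, no separators.
    Returns None when the value is not a MAC, so non-MAC strings compare verbatim."""
    if re.search(r"[^0-9A-Fa-f:.\-]", value):
        return None
    hexonly = re.sub(r"[^0-9A-Fa-f]", "", value)
    return hexonly.lower() if len(hexonly) == 12 else None


def values_match(stored, sent, mac_tolerant):
    # Exact string equality is the default; MAC-tolerant mode is an assumption for illustration.
    if mac_tolerant:
        a, b = normalize_mac(stored), normalize_mac(sent)
        if a is not None and b is not None:
            return a == b
    return stored == sent


def check_items(rows, username, request, mac_tolerant=False):
    """Simplified model (assumption) of rlm_sql's check-item pass.
    ':=' rows become config items handed to later modules (e.g. Cleartext-Password to mschap);
    '==' rows must equal the attribute in the request, otherwise the user is treated as not found.
    Returns (config_items, failed_checks); failed_checks lists (attribute, stored, sent)."""
    config, failed = {}, []
    for row in rows:
        if row["username"] != username:
            continue
        if row["op"] == ":=":
            config[row["attribute"]] = row["value"]
        elif row["op"] == "==":
            sent = request.get(row["attribute"])
            if sent is None or not values_match(row["value"], sent, mac_tolerant):
                failed.append((row["attribute"], row["value"], sent))
    if failed:
        # This is the "User user01 not found" outcome: no config items are returned at all.
        return {}, failed
    return config, []
```

Run it against the request attributes shown in the server's debug output to see which `==` row rejects the user; a `None` in the failure tuple means the attribute was absent from the request altogether.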

On 26/03/12 19:10, Phil Mayers wrote:
On 03/26/2012 10:01 AM, Glen Harris wrote:

Server: Debian 6 (Squeeze) 2.6.32-5-amd64
FreeRadius: 2.1.10 (Debian package)
Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP
MD5 and PAP.

I'm trying to set up a simple MAC-Auth based network using HP 2610
switches and MSM640 wireless APs as radius clients. I've added the AP to

This is a matter of choice, but personally I would advise against using MAC-auth on wireless. It provides illusory security, and 802.1x is pretty easy on modern equipment. Your call however.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html