Seems like you have to? How else are you going to use radius for wifi?

On Sunday, November 18, 2018 at 3:10:27 AM UTC-6, Federico Capoano wrote:
>
> Are you using WPA2 Enterprise on the devices?
>
> Fed
>
> On Sun, 18 Nov 2018, 07:02 A Stanley <[email protected]> wrote:
>
>> Openwrt docs make me think it's a client (not nas) setting. Point being the inner tunnel config shouldn't be necessary. If it's working for you perhaps you can help contribute this scenario to the documentation.
>>
>> https://openwrt.org/docs/guide-user/network/wifi/basic#wpa_enterprise_access_point
>>
>> On Sun, Nov 18, 2018, 12:20 AM Marty Plummer <[email protected]> wrote:
>>
>>> I highly doubt the Meraki documentation is relevant; I'm not running stock firmware (which requires licenses of a pricy, reoccurring sort) but openwrt.
>>>
>>> On Saturday, November 17, 2018 at 10:36:48 PM UTC-6, 2stacks wrote:
>>>>
>>>> Sounds like your AP is configured for eap by default. Would explain the output in the Freeradius debug output. Glad you got it working. Some additional info.
>>>>
>>>> https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise
>>>> https://wiki.freeradius.org/protocol/eap
>>>>
>>>> On Sat, Nov 17, 2018, 11:02 PM Marty Plummer <[email protected]> wrote:
>>>>
>>>>> Haha! I've got it working. I moved most of the stuff you guys wanted in sites-enabled/default into sites-enabled/inner-tunnel and it works. default decrypts/whatever the eap stuff, and passes that into inner tunnel, which does the api stuff to actually auth the user. Still need to work out some kinks (most of which are probably because I'm using postgresql instead of some more mainstream stuff [like no function unix_timestamp and such]).
>>>>>
>>>>> On Saturday, November 17, 2018 at 8:58:07 PM UTC-6, 2stacks wrote:
>>>>>>
>>>>>> Hmm.
>>>>>> Grab a wireshark capture of a request using radtest for comparison. I'll have to do some research on the Meraki MT24's.
>>>>>>
>>>>>> On Sat, Nov 17, 2018, 6:19 PM Marty Plummer <[email protected]> wrote:
>>>>>>
>>>>>>> Nothing in there that I can see that looks like that. Do you mean an md5 hash like say 'echo -n PasswordGoesHere | md5sum' or one of those salted ones?
>>>>>>>
>>>>>>> On Saturday, November 17, 2018 at 5:14:15 PM UTC-6, 2stacks wrote:
>>>>>>>>
>>>>>>>> Yes, sorry I meant NAS. You should see an md5 hash of the password in the access request packet. Use wireshark to decode each packet type. That always helps me.
>>>>>>>>
>>>>>>>> https://wiki.freeradius.org/protocol/Access-Request
>>>>>>>>
>>>>>>>> On Sat, Nov 17, 2018, 5:53 PM Marty Plummer <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Oh wait, do you mean the NAS? Those are all Cisco Meraki MT24's running OpenWRT (hopefully once I get this sorted I'll be able to manage them with openwisp). I've managed to get a capture of one of the packets, I'm not seeing a User-Password attribute at all.
>>>>>>>>>
>>>>>>>>> 22:42:45.609551 IP (tos 0x0, ttl 63, id 12096, offset 0, flags [none], proto UDP (17), length 225)
>>>>>>>>>     10.141.99.51.41461 > 23684b3bc3a7.1812: [udp sum ok] RADIUS, length: 197
>>>>>>>>>     Access-Request (1), id: 0x88, Authenticator: 6841fe060f8f623bdc8c09250ccc73e8
>>>>>>>>>       User-Name Attribute (1), length: 10, Value: aleath56
>>>>>>>>>         0x0000:  616c 6561 7468 3536
>>>>>>>>>       Called-Station-Id Attribute (30), length: 31, Value: 8A-DC-96-07-AF-F5:GoodSamWifi
>>>>>>>>>         0x0000:  3841 2d44 432d 3936 2d30 372d 4146 2d46
>>>>>>>>>         0x0010:  353a 476f 6f64 5361 6d57 6966 69
>>>>>>>>>       NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
>>>>>>>>>         0x0000:  0000 0013
>>>>>>>>>       Service-Type Attribute (6), length: 6, Value: Framed
>>>>>>>>>         0x0000:  0000 0002
>>>>>>>>>       NAS-Port Attribute (5), length: 6, Value: 1
>>>>>>>>>         0x0000:  0000 0001
>>>>>>>>>       Calling-Station-Id Attribute (31), length: 19, Value: C0-EE-FB-5B-6A-1F
>>>>>>>>>         0x0000:  4330 2d45 452d 4642 2d35 422d 3641 2d31
>>>>>>>>>         0x0010:  46
>>>>>>>>>       Connect-Info Attribute (77), length: 24, Value: CONNECT 54Mbps 802.11a
>>>>>>>>>         0x0000:  434f 4e4e 4543 5420 3534 4d62 7073 2038
>>>>>>>>>         0x0010:  3032 2e31 3161
>>>>>>>>>       Acct-Session-Id Attribute (44), length: 18, Value: 3397D5BA38CC6B22
>>>>>>>>>         0x0000:  3333 3937 4435 4241 3338 4343 3642 3232
>>>>>>>>>       Unknown Attribute (186), length: 6, Value:
>>>>>>>>>         0x0000:  000f ac04
>>>>>>>>>       Unknown Attribute (187), length: 6, Value:
>>>>>>>>>         0x0000:  000f ac04
>>>>>>>>>       Unknown Attribute (188), length: 6, Value:
>>>>>>>>>         0x0000:  000f ac01
>>>>>>>>>       Framed-MTU Attribute (12), length: 6, Value: 1400
>>>>>>>>>         0x0000:  0000 0578
>>>>>>>>>       EAP-Message Attribute (79), length: 15, Value: ..
>>>>>>>>>         0x0000:  02e6 000d 0161 6c65 6174 6835 36
>>>>>>>>>       Message-Authenticator Attribute (80), length: 18, Value: .....qV....Q...G
>>>>>>>>>         0x0000:  aab7 b311 a071 5616 16cc ff51 e72e 0847
>>>>>>>>>
>>>>>>>>> On Saturday, November 17, 2018 at 4:20:01 PM UTC-6, Marty Plummer wrote:
>>>>>>>>>>
>>>>>>>>>> Clients are varied, I've tried with android (running lineageos, relatively recent update) and windows 10 (yeah, I kinda expect that to be fucky). I also have some users using various mac hardware. The only thing that tests correctly is radtest and manual curl's.
>>>>>>>>>>
>>>>>>>>>> On Saturday, November 17, 2018 at 3:54:25 PM UTC-6, 2stacks wrote:
>>>>>>>>>>>
>>>>>>>>>>> Apologies if I'm asking things you've already answered but what is the client that should be sending the password? Have you tried capturing the traffic to see if the password is being sent? Did you say if testing with radtest works? Perhaps it's not a freeradius config issue but something wonky with the client.
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Nov 17, 2018, 4:33 PM Marty Plummer <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Even with using exactly and only what you have in the authorize...etc sections of sites-available/default, %{User-Password} still expands to empty. There has been no change to that regardless of what suggested changes I've made.
>>>>>>>>>>>>
>>>>>>>>>>>> On Saturday, November 17, 2018 at 1:42:08 PM UTC-6, Federico Capoano wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> PS:
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Saturday, November 17, 2018 at 8:28:29 PM UTC+1, Marty Plummer wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So is that authorize section the entire thing?
>>>>>>>>>>>>>> as in, comment out/delete the defaults and replace it with that?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> You received this message because you are subscribed to the Google Groups "OpenWISP" group.
>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>>>>>>> For more options, visit https://groups.google.com/d/optout.
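The Access-Request quoted in the thread carries an EAP-Message attribute and no User-Password attribute. The following is an added example, not code from the thread, OpenWISP or FreeRADIUS: it parses a subset of those captured bytes and, for contrast, a constructed PAP request; the function names and the PAP sample are assumptions.

```python
import struct

USER_PASSWORD, CHAP_PASSWORD, EAP_MESSAGE = 2, 3, 79  # RFC 2865 / RFC 3579 attribute types
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# From the thread's tcpdump decode; five attributes kept, so length is recomputed (75, not 197).
CAPTURED = bytes.fromhex(
    "0188004b" "6841fe060f8f623bdc8c09250ccc73e8"  # code 1, id 0x88, length, authenticator
    "010a616c656174683536"                          # User-Name
    "3d0600000013" "060600000002"                   # NAS-Port-Type, Service-Type
    "4f0f02e6000d01616c656174683536"                # EAP-Message
    "5012aab7b311a071561616ccff51e72e0847")         # Message-Authenticator
# Constructed PAP request for contrast; authenticator and User-Password bytes are made up.
PAP_SAMPLE = bytes.fromhex("01010030" + "00" * 16 + "010a616c656174683536" + "0212" + "11" * 16)

def parse_attributes(packet):
    """Walk the type/length/value list that follows the 20-byte RADIUS header."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad or truncated RADIUS header")
    attrs, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def describe_auth(packet):
    """Report which credential-carrying attribute the NAS actually sent."""
    attrs = parse_attributes(packet)
    types = {t for t, _ in attrs}
    info = {"has_user_password": USER_PASSWORD in types, "method": "none"}
    if EAP_MESSAGE in types:
        eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)  # EAP can span attributes
        info["method"] = "EAP"
        if len(eap) >= 5:
            code, _eap_id, eap_len = struct.unpack("!BBH", eap[:4])
            info.update(eap_code=EAP_CODES.get(code, "unknown"), eap_type=eap[4])
            if eap[4] == 1:  # EAP type 1 is Identity: no password travels in this packet
                info["identity"] = eap[5:eap_len].decode("utf-8", "replace")
    elif USER_PASSWORD in types:
        info["method"] = "PAP"
    elif CHAP_PASSWORD in types:
        info["method"] = "CHAP"
    return info

if __name__ == "__main__":
    print(describe_auth(CAPTURED), describe_auth(PAP_SAMPLE), sep="\n")
```

The captured request decodes as an EAP-Response/Identity for `aleath56`, which matches the thread's outcome: the outer `default` server handles the EAP exchange and the user is actually authenticated in `inner-tunnel`.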
