Captive portal, that's where the misunderstanding is coming from so the docs need to be updated to reflect that.
Thanks
Federico

On Sun, Nov 18, 2018 at 11:42 AM Marty Plummer <[email protected]> wrote:

> Seems like you have to? How else are you going to use radius for wifi?
>
> On Sunday, November 18, 2018 at 3:10:27 AM UTC-6, Federico Capoano wrote:
>
>> Are you using WPA2 Enterprise on the devices?
>>
>> Fed
>>
>> On Sun, Nov 18, 2018, 07:02 A Stanley <[email protected]> wrote:
>>
>>> Openwrt docs make me think it's a client (not nas) setting. Point being
>>> the inner tunnel config shouldn't be necessary. If it's working for you
>>> perhaps you can help contribute this scenario to the documentation.
>>>
>>> https://openwrt.org/docs/guide-user/network/wifi/basic#wpa_enterprise_access_point
>>>
>>> On Sun, Nov 18, 2018, 12:20 AM Marty Plummer <[email protected]> wrote:
>>>
>>>> I highly doubt the Meraki documentation is relevant; I'm not running
>>>> stock firmware (which requires licenses of a pricy, reoccurring sort)
>>>> but openwrt.
>>>>
>>>> On Saturday, November 17, 2018 at 10:36:48 PM UTC-6, 2stacks wrote:
>>>>>
>>>>> Sounds like your AP is configured for eap by default. Would explain
>>>>> the output in the Freeradius debug output. Glad you got it working.
>>>>> Some additional info.
>>>>>
>>>>> https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise
>>>>> https://wiki.freeradius.org/protocol/eap
>>>>>
>>>>> On Sat, Nov 17, 2018, 11:02 PM Marty Plummer <[email protected]> wrote:
>>>>>
>>>>>> Haha! I've got it working. I moved most of the stuff you guys wanted
>>>>>> in sites-enabled/default into sites-enabled/inner-tunnel and it works.
>>>>>> default decrypts/whatever the eap stuff, and passes that into inner
>>>>>> tunnel, which does the api stuff to actually auth the user.
>>>>>> Still need to work out some kinks (most of which are probably because
>>>>>> I'm using postgresql instead of some more mainstream stuff [like no
>>>>>> function unix_timestamp and such]).
>>>>>>
>>>>>> On Saturday, November 17, 2018 at 8:58:07 PM UTC-6, 2stacks wrote:
>>>>>>>
>>>>>>> Hmm. Grab a wireshark capture of a request using radtest for
>>>>>>> comparison. I'll have to do some research on the Meraki MT24's.
>>>>>>>
>>>>>>> On Sat, Nov 17, 2018, 6:19 PM Marty Plummer <[email protected]> wrote:
>>>>>>>
>>>>>>>> Nothing in there that I can see that looks like that. Do you mean
>>>>>>>> an md5 hash like say 'echo -n PasswordGoesHere | md5sum' or one of
>>>>>>>> those salted ones?
>>>>>>>>
>>>>>>>> On Saturday, November 17, 2018 at 5:14:15 PM UTC-6, 2stacks wrote:
>>>>>>>>>
>>>>>>>>> Yes, sorry I meant NAS. You should see an md5 hash of the password
>>>>>>>>> in the access request packet. Use wireshark to decode each packet
>>>>>>>>> type. That always helps me.
>>>>>>>>>
>>>>>>>>> https://wiki.freeradius.org/protocol/Access-Request
>>>>>>>>>
>>>>>>>>> On Sat, Nov 17, 2018, 5:53 PM Marty Plummer <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Oh wait, do you mean the NAS? Those are all Cisco Meraki MT24's
>>>>>>>>>> running OpenWRT (hopefully once I get this sorted I'll be able to
>>>>>>>>>> manage them with openwisp). I've managed to get a capture of one
>>>>>>>>>> of the packets, I'm not seeing a User-Password attribute at all.
>>>>>>>>>>
>>>>>>>>>> 22:42:45.609551 IP (tos 0x0, ttl 63, id 12096, offset 0, flags [none], proto UDP (17), length 225)
>>>>>>>>>>     10.141.99.51.41461 > 23684b3bc3a7.1812: [udp sum ok] RADIUS, length: 197
>>>>>>>>>>     Access-Request (1), id: 0x88, Authenticator: 6841fe060f8f623bdc8c09250ccc73e8
>>>>>>>>>>       User-Name Attribute (1), length: 10, Value: aleath56
>>>>>>>>>>         0x0000: 616c 6561 7468 3536
>>>>>>>>>>       Called-Station-Id Attribute (30), length: 31, Value: 8A-DC-96-07-AF-F5:GoodSamWifi
>>>>>>>>>>         0x0000: 3841 2d44 432d 3936 2d30 372d 4146 2d46
>>>>>>>>>>         0x0010: 353a 476f 6f64 5361 6d57 6966 69
>>>>>>>>>>       NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11
>>>>>>>>>>         0x0000: 0000 0013
>>>>>>>>>>       Service-Type Attribute (6), length: 6, Value: Framed
>>>>>>>>>>         0x0000: 0000 0002
>>>>>>>>>>       NAS-Port Attribute (5), length: 6, Value: 1
>>>>>>>>>>         0x0000: 0000 0001
>>>>>>>>>>       Calling-Station-Id Attribute (31), length: 19, Value: C0-EE-FB-5B-6A-1F
>>>>>>>>>>         0x0000: 4330 2d45 452d 4642 2d35 422d 3641 2d31
>>>>>>>>>>         0x0010: 46
>>>>>>>>>>       Connect-Info Attribute (77), length: 24, Value: CONNECT 54Mbps 802.11a
>>>>>>>>>>         0x0000: 434f 4e4e 4543 5420 3534 4d62 7073 2038
>>>>>>>>>>         0x0010: 3032 2e31 3161
>>>>>>>>>>       Acct-Session-Id Attribute (44), length: 18, Value: 3397D5BA38CC6B22
>>>>>>>>>>         0x0000: 3333 3937 4435 4241 3338 4343 3642 3232
>>>>>>>>>>       Unknown Attribute (186), length: 6, Value:
>>>>>>>>>>         0x0000: 000f ac04
>>>>>>>>>>       Unknown Attribute (187), length: 6, Value:
>>>>>>>>>>         0x0000: 000f ac04
>>>>>>>>>>       Unknown Attribute (188), length: 6, Value:
>>>>>>>>>>         0x0000: 000f ac01
>>>>>>>>>>       Framed-MTU Attribute (12), length: 6, Value: 1400
>>>>>>>>>>         0x0000: 0000 0578
>>>>>>>>>>       EAP-Message Attribute (79), length: 15, Value: ..
>>>>>>>>>>         0x0000: 02e6 000d 0161 6c65 6174 6835 36
>>>>>>>>>>       Message-Authenticator Attribute (80), length: 18, Value: .....qV....Q...G
>>>>>>>>>>         0x0000: aab7 b311 a071 5616 16cc ff51 e72e 0847
>>>>>>>>>>
>>>>>>>>>> On Saturday, November 17, 2018 at 4:20:01 PM UTC-6, Marty Plummer wrote:
>>>>>>>>>>>
>>>>>>>>>>> Clients are varied, I've tried with android (running lineageos,
>>>>>>>>>>> relatively recent update) and windows 10 (yeah, I kinda expect
>>>>>>>>>>> that to be fucky). I also have some users using various mac
>>>>>>>>>>> hardware. The only thing that tests correctly is radtest and
>>>>>>>>>>> manual curl's.
>>>>>>>>>>>
>>>>>>>>>>> On Saturday, November 17, 2018 at 3:54:25 PM UTC-6, 2stacks wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Apologies if I'm asking things you've already answered but what
>>>>>>>>>>>> is the client that should be sending the password? Have you
>>>>>>>>>>>> tried capturing the traffic to see if the password is being
>>>>>>>>>>>> sent? Did you say if testing with radtest works? Perhaps it's
>>>>>>>>>>>> not a freeradius config issue but something wonky with the
>>>>>>>>>>>> client.
>>>>>>>>>>>>
>>>>>>>>>>>> On Sat, Nov 17, 2018, 4:33 PM Marty Plummer <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Even with using exactly and only what you have in the
>>>>>>>>>>>>> authorize...etc sections of sites-available/default,
>>>>>>>>>>>>> %{User-Password} still expands to empty. There has been no
>>>>>>>>>>>>> change to that regardless of what suggested changes I've made.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Saturday, November 17, 2018 at 1:42:08 PM UTC-6, Federico Capoano wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> PS:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Saturday, November 17, 2018 at 8:28:29 PM UTC+1, Marty Plummer wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So is that authorize section the entire thing?
>>>>>>>>>>>>>>> as in, comment out/delete the defaults and replace it with that?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> You received this message because you are subscribed to the Google Groups "OpenWISP" group.
>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>>>>>>>> For more options, visit https://groups.google.com/d/optout.

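Why `%{User-Password}` expanded to empty in this thread, as an added example (not part of the original messages, and not OpenWISP or FreeRADIUS code): the sketch below parses an Access-Request and reports whether the NAS sent PAP, CHAP or EAP. The two packets are constructed from the Authenticator, User-Name and EAP-Message bytes shown in the capture, plus a PAP variant with placeholder password bytes; `parse_attrs`, `auth_method`, `attr` and `access_request` are hypothetical names.

```python
import struct

USER_NAME, USER_PASSWORD, CHAP_PASSWORD, EAP_MESSAGE = 1, 2, 3, 79  # RFC 2865 / RFC 3579
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def parse_attrs(packet: bytes) -> list:
    """Return the (type, value) attributes of a RADIUS packet, validating lengths."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header or Length field")
    attrs, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def auth_method(packet: bytes) -> str:
    """Name the credential carried in an Access-Request: EAP, PAP, CHAP or none."""
    attrs = parse_attrs(packet)
    types = {t for t, _ in attrs}
    if EAP_MESSAGE in types:
        # One EAP packet may be split across several EAP-Message attributes.
        eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
        if len(eap) < 5:
            return "EAP (no type field)"
        kind = EAP_TYPES.get(eap[4], "type %d" % eap[4])
        ident = " " + eap[5:].decode("ascii", "replace") if eap[4] == 1 else ""
        return "EAP %s/%s%s" % (EAP_CODES.get(eap[0], "?"), kind, ident)
    if USER_PASSWORD in types:
        return "PAP"
    return "CHAP" if CHAP_PASSWORD in types else "none"

def attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value

def access_request(attrs: bytes) -> bytes:
    # Constructed sample: id and Authenticator copied from the capture in the thread.
    auth = bytes.fromhex("6841fe060f8f623bdc8c09250ccc73e8")
    return struct.pack("!BBH", 1, 0x88, 20 + len(attrs)) + auth + attrs

# Constructed packets: the thread's User-Name and EAP-Message bytes, and a PAP variant.
EAP_REQ = access_request(attr(USER_NAME, b"aleath56")
                         + attr(EAP_MESSAGE, bytes.fromhex("02e6000d01616c656174683536")))
PAP_REQ = access_request(attr(USER_NAME, b"aleath56") + attr(USER_PASSWORD, bytes(16)))

if __name__ == "__main__":
    print(auth_method(EAP_REQ), "|", auth_method(PAP_REQ))
```

An EAP result means the request carries no User-Password attribute for the outer virtual server to expand, which is consistent with the fix reported in the thread of moving the authorization into `sites-enabled/inner-tunnel`.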