
HP Procurve MSM710 using FreeRadius as an AAA server

Last Modified: 2012-05-11
Okay, so I am starting with some background first. What we are looking for is a WiFi network for all 12 of our terminal stations for our drivers to have WiFi access. We want to be able to have it set up pretty much like a WISP, but we want to lock down access to our drivers (who already have logins; over 900 drivers). I purchased an HP Procurve MSM710 controller, with 2 (to start) MSM310-R access points. Since the maximum users allowed on the Controller was only 100 users, we set up FreeRadius (v.2.x) on a server running Ubuntu v 10.04.

So I have the Controller set up to redirect anyone that connects to the AP to the captive portal, where it asks for a username and password. The Test user setup on the Controller (u -test p- test) and it works. I have configured the FreeRadius server according to this guide
In my radius DB in MySql, I have a user setup as sqltest and pass : testpwd. When I run the command: radtest sqltest testpwd 1812 testing123 I get an Access-Accept message.

So where I am getting stuck is configuring the MSM710 to use my FreeRadius server. I have gone through the VSC and authentication setup on the Controller, and pointed it to the FreeRadius server, but it is a no go. I also tested to make sure they could ping each other, which they can. But I cannot authenticate users from the controller to the FreeRadius server. Attached in capture.jpg is part of the system log on the Controller and what it says happened. When the server is running in debug mode, I don't see anything come across. They are both running on the same VLAN as well (not sure if anything with that config would have anything to do with it).

So that's where I'm at. I'm looking for any suggestions, and what I may have missed on configuring the FreeRadius or controller. Any help would be greatly appreciated. Thank you very much for your time.

The radius server must have a client login for the HP710 itself setup and then you put that username/password in the HP710 with the following command

#service controller ap authentication credentials <username> <password>

When the RADIUS authentication source is selected, this option specifies the RADIUS username
and password assigned to the controller.

#no service controller ap authentication credentials

Clears the RADIUS username/password.

Or from the GUI
Configure the Retrieve attributes using RADIUS options as follows:
- RADIUS profile: Select a RADIUS profile. The profile is used to establish the connection to a RADIUS server. RADIUS profiles are defined by selecting Controller >> Authentication > RADIUS profiles.
- RADIUS username: Specify the username of the RADIUS account assigned to the
- RADIUS password / Confirm password: Specify the password of the RADIUS account assigned to the controller.


Okay, so I couldn't find the Username and Password in the Radius profile. This is what I have in the GUI:
Under Controller > Authentication > Radius profiles
I started toying with the System tools (under Tools) in the MSM710 GUI, and found a tool called "Extra AD/Radius debug", and here is what comes up on the system log. Also toward the top you can see what happens when I try to authenticate. I don't see where this is going wrong exactly, but hopefully you can shed some light on it.
It looks like the Procurve and the FreeRadius server are talking to each other though, and I just have something misconfigured.

Thanks so much for your help!

What is the IP address of the MSM710 and what is the IP address of the freeradius?

Also, you have 2 passwords above

The Test user setup on the Controller (u -test p- test)

have a user setup as sqltest and pass : testpwd

In your logs it's using sqltest and failing to authenticate

There is an entry in the log file stating:
Apr 21 14:30:39 debug      radiusd      D:auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

What authentication method are you using? CHAP? PEAP?


The address of the Radius server is, and the address of the controller is

I have the user test test set up on the controller local user accounts, and the local one is working. So if I put sqltest and testpwd into the controller, that one would work as well, but we don't want / can't use the local accounts because it only supports up to 100 users, hence the radius + SQL integration.

If you noticed a second user account I was trying to authenticate, that was another account I had plugged into the Radius DB in MySQL. (DWL account)

And the Authorize and authentication types I have selected in the etc/freeradius/sites-available/default file in sites available are as follows:

Auth-Type PAP {

Just noticed there was no option under Authenticate for SQL. Could that be our problem? And the authentication method I chose for the controller to use to communicate to radius is PAP. I chose the PAP authentication because when I tried the radtest to make sure SQL and FreeRadius were working together, I saw PAP said something along the lines of Authentication Accepted (for sqltest and testpwd). If I should use something else just let me know (I'm a total rookie at this).

Again thanks for your time and help.


Okay, so I just added the account on the controller of sqltest and testpwd, and when I tested the login, it worked of course, but what I noticed in the system log was a message coming from radiusd:

Apr 22 13:48:51 debug radiusd  A:Login OK: [sqltest] (from client localhost port 1 cli 00-1B-77-25-4E-D0)
Apr 22 13:48:50 debug iprulesmgr  Received IPC LOGIN REQ for user (nas-port='1',framed-ip-address ='',calling-station-id='00-1b-77-25-4e-do')

So I guess these radiusd messages aren't coming from my FreeRadius server's radiusd?

No, these messages are coming from the radius service running in the MSM710, right, isn't that what you said above? I believe radiusd refers to the process on the MSM710.
I still think that there is something configured wrong between the radius and the MSM, but I suppose since your actual user database is in the SQL server then I would have to see logs off the FreeRadius.
So, think of it this way
Best to keep authentication method/protocol the same throughout.
I would use mschap or eap as pap is not secure especially since this is wireless.
Set it the same throughout, MSM710, freeRadius and Radius <--> SQL server

So you are going from client to MSM710 to Radius to SQL and back again.
Everyone has to be communicating in the same language.
So in the network adapter settings on the laptop it also has to be set to the same protocol.

Just as a point of reference, in my environment we use 802.1x on a steel belted radius on Procurve switches.
On each procurve I set up a username and secret which I enter in the radius server, which you also have entries for.
I can see in the Radius logs if I mistyped that secret password when I try to authenticate my switch (this happens automatically) as it fails.
I have several logs, failed client requests and failed shared secret requests, the 2nd is obviously my switches.  I have about 100 switches so I like to see this empty.
Clients fail all the time for a variety of reasons. We use AD authentication for company users, MAC authentication for printers, static password for VoIP phones and VLAN assignment for guests. It gets quite ugly sometimes.
So here is an attached screenshot of my network adapter config on a client.  Ensure your clients are set to the right protocol as well.

I hope I've given you enough info to roll on as I'm going home for weekend.
I assume you are referencing chapter 6 of this document


Accepted this as the solution, because this was the whole problem with my setup.