• Status: Solved

HP Procurve MSM710 using FreeRadius as an AAA server

Okay, so I am starting with some background first. What we are looking for is a WiFi network for all 12 of our terminal stations for our drivers to have WiFi access. We want to be able to have it set up pretty much like a WISP, but we want to lock down access to our drivers (who already have logins; over 900 drivers). I purchased an HP Procurve MSM710 controller, with 2 (to start) MSM310-R access points. Since the maximum users allowed on the Controller was only 100 users, we set up FreeRadius (v.2.x) on a server running Ubuntu v 10.04.

So I have the Controller set up to redirect anyone that connects to the AP to the captive portal, where it asks for a username and password. The Test user is set up on the Controller (u -test p- test) and it works. I have configured the FreeRadius server according to this guide:
https://help.ubuntu.com/community/CategoryNetworking/daloRADIUS
In my radius DB in MySQL, I have a user set up as sqltest and pass : testpwd. When I run the command: radtest sqltest testpwd 127.0.0.1 1812 testing123 I get an Access-Accept message.

So where I am getting stuck is configuring the MSM710 to use my FreeRadius server. I have gone through the VSC and authentication setup on the Controller, and pointed it to the FreeRadius server, but it is a no go. I also tested to make sure they could ping each other, which they can. But I cannot authenticate users from the controller to the FreeRadius server. Attached in capture.jpg is part of the system log on the Controller and what it says happened. When the server is running in debug mode, I don't see anything come across. They are both running on the same VLAN as well (not sure if anything with that config would have anything to do with it).

So that's where I'm at. I'm looking for any suggestions, and what I may have missed on configuring the FreeRadius or controller. Any help would be greatly appreciated. Thank you very much for your time.
Asked by: sobrsu
 
atrevido Commented:
The radius server must have a client login for the HP710 itself set up, and then you put that username/password in the HP710 with the following command:

#service controller ap authentication credentials <username> <password>

When the RADIUS authentication source is selected, this option specifies the RADIUS username
and password assigned to the controller.


#no service controller ap authentication credentials

Clears the RADIUS username/password.

Or from the GUI:
Configure the Retrieve attributes using RADIUS options as follows:
• RADIUS profile: Select a RADIUS profile. The profile is used to establish the connection to a RADIUS server. RADIUS profiles are defined by selecting Controller >> Authentication > RADIUS profiles.
• RADIUS username: Specify the username of the RADIUS account assigned to the controller.
• RADIUS password / Confirm password: Specify the password of the RADIUS account assigned to the controller.
 
sobrsu (Author) Commented:
Okay, so I couldn't find the Username and Password in the Radius profile. This is what I have in the GUI:
Under Controller > Authentication > Radius profiles.
I started toying with the System tools (under Tools) in the MSM710 GUI, and found a tool called "Extra AD/Radius debug", and here is what comes up on the system log. Also toward the top you can see what happens when I try to authenticate. I don't see where this is going wrong exactly, but hopefully you can shed some light on it.
It looks like the Procurve and the FreeRadius server are talking to each other though, and I just have something misconfigured.

Thanks so much for your help!
system-unfiltered.log
 
atrevido Commented:
What is the IP address of the MSM710 and what is the IP address of the freeradius?

Also, you have 2 passwords above

The Test user setup on the Controller (u -test p- test)

have a user setup as sqltest and pass : testpwd

In your logs it's using sqltest and failing to authenticate.

There is an entry in the log file stating:
Apr 21 14:30:39 debug      radiusd      D:auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

What authentication method are you using? CHAP? PEAP?
 
sobrsu (Author) Commented:
The address of the Radius server is 10.0.0.28, and the address of the controller is 10.0.0.3.

I have the user test test set up on the controller local user accounts, and the local one is working. So if I put sqltest and testpwd into the controller, that one would work as well, but we don't want / can't use the local accounts because it only supports up to 100 users, hence the radius + SQL integration.

If you noticed a second user account I was trying to authenticate, that was another account I had plugged into the Radius DB in MySQL (DWL account).

And the Authorize and Authenticate types I have selected in the etc/freeradius/sites-available/default file in sites available are as follows:
Authorize:
Preprocess
Chap
mschap
suffix
eap
unix
files
sql
pap

Authenticate:
Auth-Type PAP {
pap
chap
mschap
unix
eap

Just noticed there was no option under Authenticate for SQL... could that be our problem? And the authentication method I chose for the controller to use to communicate to radius is PAP. I chose PAP authentication because when I tried the radtest to make sure SQL and FreeRadius were working together, I saw PAP said something along the lines of Authentication Accepted (for sqltest and testpwd). If I should use something else just let me know (I'm a total rookie at this).

Again thanks for your time and help.

 
sobrsu (Author) Commented:
Okay, so I just added the account on the controller of sqltest and testpwd, and when I tested the login, it worked of course, but what I noticed in the system log was a message coming from radiusd:

Apr 22 13:48:51 debug radiusd  A:Login OK: [sqltest] (from client localhost port 1 cli 00-1B-77-25-4E-D0)
Apr 22 13:48:50 debug iprulesmgr  Received IPC LOGIN REQ for user (nas-port='1',framed-ip-address ='192.168.1.10',calling-station-id='00-1b-77-25-4e-do')

So I guess these radiusd messages aren't coming from my FreeRadius server's radiusd?
 
atrevido Commented:
No, these messages are coming from the radius service running in the MSM710, right, isn't that what you said above? I believe radiusd refers to the process on the MSM710.
I still think that there is something configured wrong between the radius and the MSM, but I suppose since your actual user database is in the SQL server then I would have to see logs off the freeRadius.
So, think of it this way:
Best to keep authentication method/protocol the same throughout.
I would use mschap or eap as pap is not secure, especially since this is wireless.
Set it the same throughout: MSM710, freeRadius and Radius <--> SQL server.

So you are going from client to MSM710 to Radius to SQL and back again.
Everyone has to be communicating in the same language.
So in the network adapter settings on the laptop it also has to be set to the same protocol.

Just as a point of reference, in my environment we use 802.1x on a Steel-Belted Radius on Procurve switches.
On each Procurve I set up a username and secret which I enter in the radius server, which you also have entries for.
I can see in the Radius logs if I mistyped that secret password when I try to authenticate my switch (this happens automatically), as it fails.
I have several logs, failed client requests and failed shared secret requests; the 2nd is obviously my switches. I have about 100 switches so I like to see this empty.
Clients fail all the time for a variety of reasons; we use AD authentication for company users, MAC authentication for printers, static password for VoIP phones and VLAN assignment for guests. It gets quite ugly sometimes.
So here is an attached screenshot of my network adapter config on a client. Ensure your clients are set to the right protocol as well.
my-adapter.docx
 
atrevido Commented:
I hope I've given you enough info to roll on as I'm going home for weekend.
I assume you are referencing chapter 6 of this document
http://cdn.procurve.com/training/Manuals/r531/MSM7xx-MCG-May09-5992-5929.pdf
 
sobrsu (Author) Commented:
Okay, I got it figured out! I have another virtual server running on the same network adapter, and it was pulling the same address as my Ubuntu / FR server. I changed the Windows box's IP address, and then not only did FR get the request, but it was able to authenticate successfully!
Thank you so much for all your input and help, Atrevido!
 
sobrsu (Author) Commented:
Accepted this as the solution, because this was the whole problem with my setup.