HP Procurve MSM710 using FreeRadius as a AAA server

Posted on 2011-04-20
Last Modified: 2012-05-11
Okay, so I am starting with some background first. What we are looking for is a WiFi network for all 12 of our terminal stations for our drivers to have WiFi access. We want to be able to have it set up pretty much like a WISP, but we want to lock down access to our drivers, who already have logins (over 900 drivers). I purchased an HP Procurve MSM710 controller, with 2 (to start) MSM310-R access points. Since the maximum users allowed on the Controller was only 100 users, we set up FreeRadius (v.2.x) on a server running Ubuntu v 10.04.

So I have the Controller set up to redirect anyone that connects to the AP to the captive portal, where it asks for a username and password. The Test user is set up on the Controller (u -test p- test) and it works. I have configured the FreeRadius server according to this guide
In my radius DB in MySQL, I have a user set up as sqltest and pass: testpwd. When I run the command: radtest sqltest testpwd 1812 testing123 I get an Access-Accept message.

So where I am getting stuck is configuring the MSM710 to use my FreeRadius server. I have gone through the VSC and authentication setup on the Controller, and pointed it to the FreeRadius server, but it is a no go. I also tested to make sure they could ping each other, which they can. But I cannot authenticate users from the controller to the FreeRadius server. Attached in capture.jpg is part of the system log on the Controller and what it says happened. When the Server is running in debug mode, I don't see anything come across. They are both running on the same VLAN as well (not sure if anything with that config would have anything to do with it).

So that's where I'm at. I'm looking for any suggestions, and what I may have missed on configuring the FreeRadius or controller. Any help would be greatly appreciated. Thank you very much for your time.
Question by:sobrsu
    LVL 12

    Expert Comment

    The radius server must have a client login for the HP710 itself setup and then you put that username/password in the HP710 with the following command

    #service controller ap authentication credentials <username> <password>

    When the RADIUS authentication source is selected, this option specifies the RADIUS username
    and password assigned to the controller.

    #no service controller ap authentication credentials

    Clears the RADIUS username/password.

    Or from the GUI
    Configure the Retrieve attributes using RADIUS options as follows:
    • RADIUS profile: Select a RADIUS profile. The profile is used to establish the connection
    to a RADIUS server. RADIUS profiles are defined by selecting Controller >>
    Authentication > RADIUS profiles.
    • RADIUS username: Specify the username of the RADIUS account assigned to the
    • RADIUS password / Confirm password: Specify the password of the RADIUS account
    assigned to the controller.

    Author Comment

    Okay, so I couldn't find the Username and Password in the Radius profile. This is what I have in the GUI:
     Under Controller > Authentication > Radius profiles I started toying with the System tools (under Tools) in the MSM710 GUI, and found a tool called "Extra AD/Radius debug" and here is what comes up on the system log. Also toward the top you can see what happens when I try to authenticate. I don't see where this is going wrong exactly but hopefully you can shed some light on it.
    It looks like the Procurve and the FreeRadius server are talking to each other though, and I just have something misconfigured.

    Thanks so much for your help!
    LVL 12

    Expert Comment

    What is the IP address of the MSM710 and what is the IP address of the FreeRadius?

    Also, you have 2 passwords above

    The Test user setup on the Controller (u -test p- test)

    have a user setup as sqltest and pass : testpwd

    In your logs it's using sqltest and failing to authenticate

    There is an entry in the log file stating:
    Apr 21 14:30:39 debug      radiusd      D:auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

    What authentication method are you using? CHAP? PEAP?

    Author Comment

    the Address of the Radius server is, and the address of the controller is

    I have the user test test set up on the controller local user accounts, and the local one is working. So if I put in sqltest and testpwd into the controller that one would work as well, but we don't want / can't use the local accounts because it only supports up to 100 users, hence the radius + SQL integration.

    If you noticed a second user account I was trying to authenticate, that was another account I had plugged into the Radius DB in MySQL. (DWL account)

    And the Authorize and authentication types I have selected in etc/freeradius/sites-available/default file in sites available are as follows:

    Auth-Type PAP {

    Just noticed there was no option under Authenticate for SQL.. could that be our problem? And the authentication method I chose for the controller to use to communicate to radius is PAP. I chose the PAP Authentication because when I tried the radtest to make sure SQL and FreeRadius were working together, I saw PAP said something along the lines of Authentication Accepted (for sqltest and testpwd). If I should use something else just let me know (I'm a total rookie at this)

    Again thanks for your time and help.


    Author Comment

    Okay, so I just added the account on the controller of sqltest and testpwd, and when I tested the login, it worked of course, but what I noticed in the system log was a message coming from radiusd:

    Apr 22 13:48:51 debug radiusd  A:Login OK: [sqltest] (from client localhost port 1 cli 00-1B-77-25-4E-D0)
    Apr 22 13:48:50 debug iprulesmgr  Received IPC LOGIN REQ for user (nas-port='1',framed-ip-address ='',calling-station-id='00-1b-77-25-4e-do')

    So I guess these radiusd messages aren't coming from my FreeRadius server's radiusd ?  
    LVL 12

    Expert Comment

    No, these messages are coming from the radius service running in the MSM710, right? Isn't that what you said above? I believe radiusd refers to the process on the MSM710.
    I still think that there is something configured wrong between the radius and the MSM, but I suppose since your actual user database is in the SQL server then I would have to see logs off the FreeRadius.
    So, think of it this way
    Best to keep authentication method/protocol the same throughout.
    I would use mschap or eap as pap is not secure especially since this is wireless.
    Set it the same throughout, MSM710, freeRadius and Radius <--> SQL server

    So you are going from client to MSM710 to Radius to SQL and back again.
    Everyone has to be communicating in the same language.
    So in the network adapter settings on the laptop it also has to be set to the same protocol.

    Just as a point of reference, in my environment we use 802.1x on a steel belted radius on Procurve switches.
    On each procurve I set up a username and secret which I enter in the radius server, which you also have entries for.
    I can see in the Radius logs if I mistyped that secret password when I try to authenticate my switch (this happens automatically) as it fails.
    I have several logs, failed client requests and failed shared secret requests, the 2nd is obviously my switches.  I have about 100 switches so I like to see this empty.
    Clients fail all the time for a variety of reasons; we use AD authentication for company users, MAC authentication for printers, static password for VoIP phones and VLAN assignment for guests.  It gets quite ugly sometimes.
    So here is an attached screenshot of my network adapter config on a client.  Ensure your clients are set to the right protocol as well.
    LVL 12

    Expert Comment

    I hope I've given you enough info to roll on as I'm going home for weekend.
    I assume you are referencing chapter 6 of this document

    Accepted Solution

    Okay, I got it figured out! I have another Virtual server running on the same network adapter, and it was pulling the same address as my Ubuntu / FR server. I changed the Windows box's IP address, and then not only did FR get the request, but it was able to authenticate successfully!
    Thank you so much for all your input and help Atrevido!

    Author Closing Comment

    Accepted this as the solution, because this was the whole problem with my setup.
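
The accepted solution came down to two hosts answering for the same IP address, which is why FreeRADIUS in debug mode never saw the controller's requests. As an added example (not part of the original thread), this Python script flags that condition from ARP replies; the sample lines are constructed in the style of `tcpdump -n arp` output, and 192.0.2.10 is a placeholder for the RADIUS server's address.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n arp` output (not from the thread).
# 192.0.2.10 stands in for the FreeRADIUS server address; all MACs are made up.
SAMPLE_CAPTURE = """\
14:30:01.100000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28
14:30:01.100510 ARP, Reply 192.0.2.10 is-at 02:00:00:aa:00:01, length 28
14:30:01.100930 ARP, Reply 192.0.2.10 is-at 02:00:00:bb:00:02, length 28
14:30:05.200000 ARP, Request who-has 192.0.2.20 tell 192.0.2.1, length 28
14:30:05.200480 ARP, Reply 192.0.2.20 is-at 02:00:00:cc:00:03, length 28
14:30:09.300000 ARP, Reply 192.0.2.10 is-at 02:00:00:AA:00:01, length 46
malformed line that should be ignored
"""

# Matches only ARP replies: "Reply <ipv4> is-at <mac>"
ARP_REPLY = re.compile(
    r"Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def claims_by_ip(capture_text):
    """Map each IP to the set of MAC addresses that answered ARP for it."""
    claims = defaultdict(set)
    for line in capture_text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            # Normalise case so one NIC is not counted twice.
            claims[m.group("ip")].add(m.group("mac").lower())
    return claims

def find_conflicts(capture_text, watch=None):
    """Return {ip: sorted MACs} for IPs claimed by more than one MAC.

    If watch is given, only IPs in that collection are reported.
    """
    conflicts = {}
    for ip, macs in claims_by_ip(capture_text).items():
        if len(macs) > 1 and (watch is None or ip in watch):
            conflicts[ip] = sorted(macs)
    return conflicts

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_CAPTURE).items():
        print(f"{ip} is claimed by {len(macs)} hosts: {', '.join(macs)}")
```

An address that legitimately moves between MACs (a failover pair, for example) is reported the same way, so compare the reported MACs against the hosts you expect on that address.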
