Solved

HP Procurve MSM710 using FreeRadius as a AAA server

Posted on 2011-04-20
Last Modified: 2012-05-11
Okay, so I am starting with some background first. What we are looking for is a WiFi network for all 12 of our terminal stations for our drivers to have WiFi access. We want to be able to have it set up pretty much like a WISP, but we want to lock down access to our drivers, who already have logins (over 900 drivers). I purchased an HP Procurve MSM710 controller, with 2 (to start) MSM310-R access points. Since the maximum number of users allowed on the Controller was only 100, we set up FreeRadius (v.2.x) on a server running Ubuntu v 10.04.

So I have the Controller set up to redirect anyone that connects to the AP to the captive portal, where it asks for a username and password. The Test user is set up on the Controller (u -test p- test) and it works. I have configured the FreeRadius server according to this guide:
https://help.ubuntu.com/community/CategoryNetworking/daloRADIUS 
In my radius DB in MySQL, I have a user set up as sqltest and pass : testpwd. When I run the command: radtest sqltest testpwd 127.0.0.1 1812 testing123 I get an Access-Accept message.

So where I am getting stuck is configuring the MSM710 to use my FreeRadius server. I have gone through the VSC and authentication setup on the Controller, and pointed it to the FreeRadius server, but it is a no go. I also tested to make sure they could ping each other, which they can. But I cannot authenticate users from the controller to the FreeRadius server. Attached in capture.jpg is part of the system log on the Controller and what it says happened. When the server is running in debug mode, I don't see anything come across. They are both running on the same VLAN as well (not sure if anything with that config would have anything to do with it).

So that's where I'm at. I'm looking for any suggestions, and what I may have missed on configuring the FreeRadius or controller. Any help would be greatly appreciated. Thank you very much for your time.
Question by:sobrsu
9 Comments
 
LVL 12

Expert Comment

by:atrevido
ID: 35442844
The RADIUS server must have a client login set up for the HP710 itself, and then you put that username/password in the HP710 with the following command:

#service controller ap authentication credentials <username> <password>

When the RADIUS authentication source is selected, this option specifies the RADIUS username
and password assigned to the controller.


#no service controller ap authentication credentials

Clears the RADIUS username/password.

Or from the GUI
Configure the "Retrieve attributes using RADIUS" options as follows:
  • RADIUS profile: Select a RADIUS profile. The profile is used to establish the connection to a RADIUS server. RADIUS profiles are defined by selecting Controller >> Authentication > RADIUS profiles.
  • RADIUS username: Specify the username of the RADIUS account assigned to the controller.
  • RADIUS password / Confirm password: Specify the password of the RADIUS account assigned to the controller.
0
 

Author Comment

by:sobrsu
ID: 35444878
Okay, so I couldn't find the Username and Password in the Radius profile. This is what I have in the GUI:
Under Controller > Authentication > Radius profiles. I started toying with the System tools (under Tools) in the MSM710 GUI, and found a tool called "Extra AD/Radius debug", and here is what comes up on the system log. Also toward the top you can see what happens when I try to authenticate. I don't see where this is going wrong exactly, but hopefully you can shed some light on it.
It looks like the Procurve and the FreeRadius server are talking to each other though, and I just have something misconfigured.

Thanks so much for your help!
system-unfiltered.log
0
 
LVL 12

Expert Comment

by:atrevido
ID: 35447872
What is the IP address of the MSM710, and what is the IP address of the FreeRadius?

Also, you have 2 passwords above

The Test user setup on the Controller (u -test p- test)

have a user setup as sqltest and pass : testpwd

In your logs it's using sqltest and failing to authenticate.

There is an entry in the log file stating:
Apr 21 14:30:39 debug      radiusd      D:auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

What authentication method are you using? CHAP? PEAP?
0
 

Author Comment

by:sobrsu
ID: 35449964
The address of the Radius server is 10.0.0.28, and the address of the controller is 10.0.0.3.

I have the user test test set up in the controller's local user accounts, and the local one is working. So if I put sqltest and testpwd into the controller, that one would work as well, but we don't want / can't use the local accounts because it only supports up to 100 users, hence the radius + SQL integration.

If you noticed a second user account I was trying to authenticate, that was another account I had plugged into the Radius DB in MySQL (DWL account).

And the Authorize and Authenticate types I have selected in the etc/freeradius/sites-available/default file in sites available are as follows:
Authorize:
Preprocess
Chap
mschap
suffix
eap
unix
files
sql
pap

Authenticate:
Auth-Type PAP {
pap
chap
mschap
unix
eap

Just noticed there was no option under Authenticate for SQL... could that be our problem? And the authentication method I chose for the controller to use to communicate to radius is PAP. I chose PAP authentication because when I tried the radtest to make sure SQL and FreeRadius were working together, I saw PAP said something along the lines of Authentication Accepted (for sqltest and testpwd). If I should use something else just let me know (I'm a total rookie at this).

Again thanks for your time and help.

0
 

Author Comment

by:sobrsu
ID: 35450587
Okay, so I just added the account on the controller of sqltest and testpwd, and when I tested the login, it worked of course, but what I noticed in the system log was a message coming from radiusd:

Apr 22 13:48:51 debug radiusd  A:Login OK: [sqltest] (from client localhost port 1 cli 00-1B-77-25-4E-D0)
Apr 22 13:48:50 debug iprulesmgr  Received IPC LOGIN REQ for user (nas-port='1',framed-ip-address ='192.168.1.10',calling-station-id='00-1b-77-25-4e-do')

So I guess these radiusd messages aren't coming from my FreeRadius server's radiusd?
0
 
LVL 12

Expert Comment

by:atrevido
ID: 35450720
No, these messages are coming from the RADIUS service running in the MSM710, right? Isn't that what you said above? I believe radiusd refers to the process on the MSM710.
I still think that there is something configured wrong between the RADIUS and the MSM, but I suppose since your actual user database is in the SQL server, I would have to see logs off the FreeRadius.
So, think of it this way:
Best to keep the authentication method/protocol the same throughout.
I would use mschap or eap, as pap is not secure, especially since this is wireless.
Set it the same throughout: MSM710, FreeRadius and Radius <--> SQL server.

So you are going from client to MSM710 to Radius to SQL and back again.
Everyone has to be communicating in the same language.
So in the network adapter settings on the laptop it also has to be set to the same protocol.

Just as a point of reference, in my environment we use 802.1x on a Steel-Belted Radius on Procurve switches.
On each Procurve I set up a username and secret which I enter in the RADIUS server, which you also have entries for.
I can see in the RADIUS logs if I mistyped that secret password when I try to authenticate my switch (this happens automatically), as it fails.
I have several logs, failed client requests and failed shared secret requests; the 2nd is obviously my switches. I have about 100 switches so I like to see this empty.
Clients fail all the time for a variety of reasons. We use AD authentication for company users, MAC authentication for printers, static password for VoIP phones and VLAN assignment for guests. It gets quite ugly sometimes.
So here is an attached screenshot of my network adapter config on a client. Ensure your clients are set to the right protocol as well.
my-adapter.docx
0
 
LVL 12

Expert Comment

by:atrevido
ID: 35450723
I hope I've given you enough info to roll on as I'm going home for weekend.
I assume you are referencing chapter 6 of this document
http://cdn.procurve.com/training/Manuals/r531/MSM7xx-MCG-May09-5992-5929.pdf
0
 

Accepted Solution

by:
sobrsu earned 0 total points
ID: 35468793
Okay, I got it figured out! I have another virtual server running on the same network adapter, and it was pulling the same address as my Ubuntu / FR server. I changed the Windows box's IP address, and then not only did FR get the request, but it was able to authenticate successfully!
Thank you so much for all your input and help Atrevido!
0
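A check for the root cause found above (two hosts answering for the RADIUS server's address), as an added example that is not part of the original thread: it parses iputils arping replies or "ip neigh" lines and reports any IP claimed by more than one MAC. The sample output and MAC addresses are constructed; 10.0.0.28 and 10.0.0.3 are the addresses from the question.

```python
import re
from collections import defaultdict

# iputils arping: "Unicast reply from 10.0.0.28 [00:0C:29:AA:BB:01]  0.712ms"
ARPING_RE = re.compile(r"reply from (\d+(?:\.\d+){3}) \[([0-9A-Fa-f:]{17})\]")
# ip neigh:       "10.0.0.3 dev eth0 lladdr 00:1f:29:11:22:33 REACHABLE"
NEIGH_RE = re.compile(r"^(\d+(?:\.\d+){3}) dev \S+ lladdr ([0-9A-Fa-f:]{17})")


def macs_by_ip(lines):
    """Collect every MAC address seen answering for each IP."""
    seen = defaultdict(set)
    for line in lines:
        match = ARPING_RE.search(line) or NEIGH_RE.search(line.strip())
        if match:
            ip, mac = match.groups()
            seen[ip].add(mac.lower())  # normalise case so one NIC counts once
    return seen


def find_conflicts(lines):
    """Return {ip: [macs]} for IPs answered by more than one MAC."""
    return {ip: sorted(macs)
            for ip, macs in macs_by_ip(lines).items() if len(macs) > 1}


# Constructed sample: arping of the RADIUS address plus neighbour-table lines.
SAMPLE = """\
ARPING 10.0.0.28 from 10.0.0.50 eth0
Unicast reply from 10.0.0.28 [00:0C:29:AA:BB:01]  0.712ms
Unicast reply from 10.0.0.28 [00:15:5D:CC:DD:02]  0.954ms
Unicast reply from 10.0.0.28 [00:0c:29:aa:bb:01]  0.698ms
Sent 2 probes (1 broadcast(s))
Received 3 response(s)
10.0.0.3 dev eth0 lladdr 00:1f:29:11:22:33 REACHABLE
10.0.0.3 dev eth0 lladdr 00:1F:29:11:22:33 STALE
""".splitlines()

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE).items():
        print(f"duplicate address {ip}: answered by {', '.join(macs)}")
```

A conflict on the server's address explains why FreeRADIUS in debug mode showed nothing: the controller's requests were delivered to the other host.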
 

Author Closing Comment

by:sobrsu
ID: 35711370
Accepted this as the solution, because this was the whole problem with my setup.
0
