PMP 450 & Radiator?

Hello,

I am working on setting up a PMP 450 using 100 series radios to use a radiator aaa server. (https://www.open.com.au/) I noticed that this was not on the supported radiator server. Has anyone been able to successfully configure radiator to function with the PMP 450? It does appear to support the protocols needed to function. (http://www.open.com.au/radiator/technical.html)

Thanks for any insight!

Mike

I confess I have never heard of Radiator before... looks interesting.

It also appears to be a paid service, and their technical support should be able to help you get started using our equipment.  

I am a little confused by your first statement:

@mtipton wrote:

> setting up a PMP 450 using 100 series radios to use a radiator aaa server.

Are you using both 450 and 100 equipment in the same network? Can you elaborate on the deployment scheme?

No worries, I figured that was the case, as I was able to locate little to no information on the boards or via Google on it.

It is a paid product that we bought licenses for a long time ago with no support time left. I can engage their mailing list, but I figured I would stop by here and see if anyone else might be using it or have in the past.

Sorry for the confusion. The 450, 100s, and RADIUS server are all in the same network. I see Access-Requests coming in. I am just having a tough time getting our Radiator server to use the Calling-Station-Id as the username and work out any EAP-related items.

Unfortunately I do not have access to the 450 to view its configuration, but I am working on getting that from the people who do have access to it.

My Access-Requests come through with the following attributes looking like this:

Attributes:

Code:       Access-Request

Identifier: 0

Authentic:  <9><163>N<149>><252>8h<225><181><158><233><220><189><232><246>


Calling-Station-Id = "0A-00-3E-00-00-00"
User-Name = "anonymous"
NAS-IP-Address = 192.168.123.100
NAS-Port = 5
NAS-Port-Type = Wireless-Other
Framed-MTU = 1020
EAP-Message = <2><1><0><15><1>anonymous<0>
Message-Authenticator = <255><12><153><138><235><216><154><149>c<239>S<167><148>~<241><178>

My Radiator server responds with the following, with no attributes being sent back; I believe this may be part of the problem. Unfortunately I am rather green in this area, as this was tossed into my lap recently to figure out.

Code:       Access-Accept

Identifier: 0

Authentic:  <213><215><153><166><170>n<204>Ox<164><180><178><160><230>_Z

Attributes:

 

This should not be sending back Accepts, as the database does not contain an anonymous user, so I am left scratching my head.

This sounds like a RADIUS-type server. On my network, the FreeRADIUS server I am using sees the username of the PMP450 radios as the dash-delimited MAC address of the radios, and the default password is "password". The "anonymous" username is actually the phase 2 identity, and it can be changed (I wrote a Perl script which uses SNMP to reprogram it to the MAC without dashes for the radacct table).

If your RADIUS database contains the proper values (normally stored in the radcheck table) for username and password, you'll get an Access-Accept response, but you'd need to have the appropriate responses for that username (typically stored in the radusergroup table, which references the plans defined in the radgroupreply table).

Do you have this working properly for the PMP100 radios? If so, it should be pretty simple to add new plans for the PMP450 models and define which radios get which plans.


I apologize for the delayed response, but I appreciate any help. I haven't gotten this working on any of these devices.

I have my users file with MACs with dashes in it and the default password of "password".

The problem I am having is it appears they are set to use EAP-MD5, but the inner is tunneled via TTLS, would this understanding be correct?

Reading over the forums, it appears that I would need to have the certs from the client device as well? Sorry for being so new to this. I am used to DSL/PPP connections and configuring those.

But in the client settings, AAA auth enforcement is not enabled. What am I missing here? I've attached screenshots of the current configuration in the Cambium equipment.

I have EAP-MD5 working when using eapol_test, but I can't get it to work with the PMP 450s.

Note: In the screenshots I removed the device mac and nas IP.

Thanks for any help!

> This should not be sending back Accepts as the database does not contain an anonymous user, so I am left scratching my head.

This is one important difference between TTLS and PEAP: TTLS doesn't expose the username in the outer tunnel while PEAP does. https://tools.ietf.org/html/rfc5281#page-38

> But in the client settings for aaa auth enforcement is not enabled. What am I missing here? I've attached screenshots of current configuration in the cambium equipment.

That is not required; that configuration means you want your SM to always do AAA auth irrespective of what the AP wants. Leave that disabled unless you absolutely want the SM not to talk without authentication. Typically the AP decides whether SM authentication is required or not.

Web User Authentication uses EAP-MD5^ while the SM can use TTLS/PEAP + MSCHAPv2. To make SM auth work you should have installed the same certificate in the RADIUS server as in the SM, because the SM verifies the certificate the RADIUS server sends; if there is a mismatch it rejects auth.
EAP-MD5 doesn't need any certificate, it is challenge handshake protocol, so this should easily have worked.
Please check this guide
http://community.cambiumnetworks.com/t5/PMP-Configuration-Examples/Using-RADIUS-Server-with-PMP-450/m-p/52305
Try these troubleshooting steps to figure out your problem.
  1. Make sure the AP IP address is listed as a trusted client, otherwise all Access-Requests will be rejected.
  2. For SM authentication, the RADIUS server and SM must have the same certificate installed. The SM validates the certificate the RADIUS server presents against the one the SM is configured with. A demo certificate can be downloaded from this page.
  3. Use PEAP instead of TTLS in the SM configuration.
  4. When doing User Authentication, make sure the Canopy-Cambium-UserLevel VSA is configured for the user, otherwise the login process will fail.

^: Our latest software 15.1 Open Beta for PMP 450 does support PEAP-MSCHAPv2 even for user authentication, so you can configure your server for PEAP-MSCHAPv2 and then both SM and user auth work.
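As an added illustration (not code from the thread, from Cambium or from Radiator), a small Python decoder for an Access-Request like the one dumped earlier in the thread: it verifies the Message-Authenticator (RFC 2869) against a constructed shared secret and separates the outer User-Name from the EAP Identity, which is the distinction the TTLS-versus-PEAP reply turns on. The shared secret and the packet are constructed here; the attribute values mirror the thread's dump.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
# RFC 2865/2869 type numbers for the attributes seen in the thread's dump.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 12: "Framed-MTU",
              31: "Calling-Station-Id", 61: "NAS-Port-Type", 79: "EAP-Message",
              80: "Message-Authenticator"}

def build_access_request(secret, ident, attrs):
    """Encode an Access-Request; Message-Authenticator is HMAC-MD5(secret, packet with
    that attribute's value zeroed), per RFC 2869 section 5.14."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    body += struct.pack("!BB", 80, 18) + bytes(16)                      # placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16)
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def parse_attributes(packet):
    """Split the attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs

def verify_message_authenticator(packet, secret):
    """True only if the packet carries a Message-Authenticator valid for this secret."""
    pos = 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == 80 and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False                       # absent: a server should treat this as unverified

def eap_identity(attrs):
    """EAP header is Code(1) Id(1) Length(2) Type(1); Code 2 = Response, Type 1 = Identity.
    The SM in the thread appends a trailing NUL to the identity, so it is stripped."""
    eap = b"".join(v for t, v in attrs if t == 79)   # fragments are concatenated
    if len(eap) < 5 or eap[0] != 2 or eap[4] != 1:
        return None
    return eap[5:struct.unpack("!H", eap[2:4])[0]].rstrip(b"\0").decode()

def summarize(packet, secret):
    """The fields an admin needs: is it authentic, and outer vs inner (EAP) identity."""
    attrs = parse_attributes(packet)
    named = {ATTR_NAMES.get(t, str(t)): v for t, v in attrs}
    return {"authentic": verify_message_authenticator(packet, secret),
            "outer_user_name": named.get("User-Name", b"").decode(),
            "calling_station_id": named.get("Calling-Station-Id", b"").decode(),
            "eap_identity": eap_identity(attrs)}

# Constructed sample mirroring the thread's dump; the secret is made up.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST = build_access_request(SAMPLE_SECRET, 0, [
    (31, b"0A-00-3E-00-00-00"), (1, b"anonymous"), (4, bytes([192, 168, 123, 100])),
    (5, struct.pack("!I", 5)), (61, struct.pack("!I", 18)),          # 18 = Wireless-Other
    (12, struct.pack("!I", 1020)), (79, b"\x02\x01\x00\x0f\x01anonymous\x00")])
```

Because the outer User-Name and the EAP Identity are both "anonymous" here, a server that authorizes on either alone will answer Access-Accept for any SM; the Calling-Station-Id and the inner (tunneled) credentials are what the lookup has to key on.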