FreeRadius 320AP

Does anyone have freeRadius deployed on their network being used to authenticate 320 CPEs to the APs? Could you share what the reply attributes look like or help with what mine should look like? I have the following, but it is not working.

DAN-CPE-MAC-ADDRESS=$O:MAC
DAN-SF1-SFID=1
DAN-SF1-DIRECTION=0
DAN-SF1-QOS-PROF=3
DAN-SF1-CLS-PROF=0
DAN-SF1-SFID=2
DAN-SF1-DIRECTION=1
DAN-SF1-QOS-PROF=4
DAN-SF1-CLS-PROF=0

Thank you.

I should also mention that using a packet sniffer, I can see the access-request packet get sent and an access-accept packet sent to the AP with the attributes, but nothing further. I get a generic SNMP trap back (danGeneric) and quite a few messages to syslog that don’t make a whole lot of sense. I can copy and paste those in later if they would help.

Have you tried running "freeradius -X"? This puts it into debug mode and you can see what it’s doing, all the way down to the SQL queries and EAP/TTLS business.

Here’s the “guts” of a CPE coming online. The AP is 64:ed:57:20:18:32 and SM is 64ED57201832. I’ve eaten the EAP and CHAP business.

Initial request

    User-Name = "@wimax.com"
    NAS-IP-Address = 172.20.20.33
    NAS-Identifier = "DAN"
    Calling-Station-Id = "64:ed:57:20:18:32"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.16
    Connect-Info = "WiMAX authentication"
    EAP-Message = (edit)
    State = (edit)
    Message-Authenticator = (edit)

Tunnelled request

    User-Name = "64ED57305876"
    MS-CHAP-Challenge = (edit)
    MS-CHAP2-Response = (edit)
    FreeRADIUS-Proxied-To = 127.0.0.1

Inner-tunnel request

    User-Name = "64ED57305876"
    MS-CHAP-Challenge = (edit)
    MS-CHAP2-Response = (edit)
    FreeRADIUS-Proxied-To = 127.0.0.1
    NAS-IP-Address = 172.20.20.33
    NAS-Identifier = "DAN"
    Calling-Station-Id = "64ED57201832"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.16
    Connect-Info = "WiMAX authentication"

Inner-tunnel response

    DAN-SF1-SFID = 1
    DAN-SF1-DIRECTION = 0
    DAN-SF1-QOS-PROF = 3
    DAN-SF1-CLS-PROF = 0
    DAN-SF2-SFID = 2
    DAN-SF2-DIRECTION = 1
    DAN-SF2-QOS-PROF = 4
    DAN-SF2-CLS-PROF = 0
    MS-CHAP2-Success = (edit)
    MS-MPPE-Recv-Key = (edit)
    MS-MPPE-Send-Key = (edit)
    MS-MPPE-Encryption-Policy = (edit)
    MS-MPPE-Encryption-Types = (edit)

Tunnelled response

    DAN-SF1-SFID = 1
    DAN-SF1-DIRECTION = 0
    DAN-SF1-QOS-PROF = 3
    DAN-SF1-CLS-PROF = 0
    DAN-SF2-SFID = 2
    DAN-SF2-DIRECTION = 1
    DAN-SF2-QOS-PROF = 4
    DAN-SF2-CLS-PROF = 0

Final response

    DAN-SF1-SFID = 1
    DAN-SF1-DIRECTION = 0
    DAN-SF1-QOS-PROF = 3
    DAN-SF1-CLS-PROF = 0
    DAN-SF2-SFID = 2
    DAN-SF2-DIRECTION = 1
    DAN-SF2-QOS-PROF = 4
    DAN-SF2-CLS-PROF = 0
    MS-MPPE-Recv-Key = (edit)
    MS-MPPE-Send-Key = (edit)
    EAP-Message = 0x03050004
    Message-Authenticator = (edit)
    User-Name = "@wimax.com"

The CPE the attributes should be applied to is tracked by the AP via the message authenticator and EAP business. I’m not familiar with “DAN-CPE-MAC-ADDRESS”, and never see it come from the AP.
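A small checker for the service-flow reply attributes, added here as an example and not part of the thread or of FreeRADIUS. It applies the pattern visible in the working reply above (one DAN-SF<n>-* group per flow, each with SFID, DIRECTION, QOS-PROF and CLS-PROF, groups numbered from 1) to a pasted attribute listing; the rule that group numbers run 1..n without gaps is an assumption drawn from that reply, not a documented requirement. The two inputs are constructed copies of the original poster's attributes and of the working inner-tunnel response.

```python
"""Sanity-check DAN-SF* service-flow reply attributes from a FreeRADIUS
debug (-X) listing.  Added example for this thread, not FreeRADIUS code."""
import re
from collections import defaultdict

# Fields every DAN-SF<n> group carries in the working reply shown above.
REQUIRED = ("SFID", "DIRECTION", "QOS-PROF", "CLS-PROF")
SF_RE = re.compile(r"^DAN-SF(\d+)-([A-Z-]+)$")


def parse_attrs(text):
    """Turn 'Name = value' lines into (name, value) pairs, keeping
    duplicates so repeated attributes can be reported."""
    pairs = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        pairs.append((name, value.strip('"')))
    return pairs


def check_service_flows(text):
    """Return a list of problems; [] means the DAN-SF groups are consistent."""
    problems = []
    groups = defaultdict(dict)
    for name, value in parse_attrs(text):
        m = SF_RE.match(name)
        if not m:
            continue
        idx, field = int(m.group(1)), m.group(2)
        if field in groups[idx]:
            problems.append(
                f"DAN-SF{idx}-{field} given twice ({groups[idx][field]} then "
                f"{value}); a second flow needs its own DAN-SF{idx + 1}-* group")
        groups[idx][field] = value
    if not groups:
        return ["no DAN-SF* attributes present"]
    # Assumption: groups are numbered 1..n without gaps, as in the working reply.
    if sorted(groups) != list(range(1, len(groups) + 1)):
        problems.append(f"DAN-SF groups numbered {sorted(groups)}, expected 1..{len(groups)}")
    seen_sfid = {}
    for idx, g in sorted(groups.items()):
        for field in REQUIRED:
            if field not in g:
                problems.append(f"DAN-SF{idx} is missing {field}")
        sfid = g.get("SFID")
        if sfid in seen_sfid:
            problems.append(f"SFID {sfid} used by both DAN-SF{seen_sfid[sfid]} and DAN-SF{idx}")
        elif sfid is not None:
            seen_sfid[sfid] = idx
    return problems


def other_dan_attrs(text):
    """DAN-* attributes that are not service-flow fields, e.g. the
    DAN-CPE-MAC-ADDRESS the OP sends but the working exchange never shows."""
    return sorted({n for n, _ in parse_attrs(text)
                   if n.startswith("DAN-") and not SF_RE.match(n)})


# Constructed inputs: the OP's attributes and the working inner-tunnel reply.
OP_REPLY = """\
DAN-CPE-MAC-ADDRESS=$O:MAC
DAN-SF1-SFID=1
DAN-SF1-DIRECTION=0
DAN-SF1-QOS-PROF=3
DAN-SF1-CLS-PROF=0
DAN-SF1-SFID=2
DAN-SF1-DIRECTION=1
DAN-SF1-QOS-PROF=4
DAN-SF1-CLS-PROF=0
"""

WORKING_REPLY = """\
DAN-SF1-SFID = 1
DAN-SF1-DIRECTION = 0
DAN-SF1-QOS-PROF = 3
DAN-SF1-CLS-PROF = 0
DAN-SF2-SFID = 2
DAN-SF2-DIRECTION = 1
DAN-SF2-QOS-PROF = 4
DAN-SF2-CLS-PROF = 0
MS-CHAP2-Success = (edit)
MS-MPPE-Recv-Key = (edit)
"""

if __name__ == "__main__":
    for label, reply in (("OP", OP_REPLY), ("working", WORKING_REPLY)):
        print(label, check_service_flows(reply) or "OK", other_dan_attrs(reply))
```

Run against the OP's set it reports the four DAN-SF1-* fields given twice (the second flow reuses the SF1 prefix instead of SF2) and lists DAN-CPE-MAC-ADDRESS as an attribute the working exchange never uses; the working reply passes cleanly.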

Thanks for the reply. I was wondering if anyone hung out here any more. Haven’t seen a lot of activity.

I have adjusted the attributes to match, but am still not getting things to function. I can confirm that I am seeing basically the same process as you outline in your response. Although, it looks like I might be missing something in the inner tunnel. I’ll take a look at that again and see what comes.

Thanks again for the info.

I am by no means a freeradius expert, I just hacked at the config files until I found something that worked with my SQL deployment.

Here’s /etc/freeradius/sites-enabled/default with all the comments removed

authorize {
    preprocess
    rewrite_calling_station_id
    chap
    mschap
    digest
    suffix

    eap {
        ok = return
    }

    expiration
    logintime

    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }

    Auth-Type CHAP {
        chap
    }

    Auth-Type MS-CHAP {
        mschap
    }

    digest
    eap
}

preacct {
    preprocess
    acct_unique
    suffix
    files
}

accounting {
    detail
    unix
    radutmp
    sql
    exec
    attr_filter.accounting_response
}

session {
    radutmp
}

post-auth {
    exec

    Post-Auth-Type REJECT {
        sql
        attr_filter.access_reject
    }
}

pre-proxy {
}

post-proxy {
    eap
}

And here’s /etc/freeradius/sites-enabled/inner-tunnel with all the comments removed

server inner-tunnel {

    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }

    authorize {
        rewrite_calling_station_id
        chap
        mschap
        suffix

        update control {
            Proxy-To-Realm := LOCAL
        }

        eap {
            ok = return
        }

        sql
        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }

        Auth-Type CHAP {
            chap
        }

        Auth-Type MS-CHAP {
            mschap
        }

        eap
    }

    session {
        radutmp
        sql
    }

    post-auth {
        sql
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

    pre-proxy {
    }

    post-proxy {
        eap
    }
}

And here’s /etc/freeradius/eap.conf with all the comments removed

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096

    md5 {
    }

    leap {
    }

    gtc {
        auth_type = PAP
    }

    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs

        private_key_password = PMP320DemoCertificate
        private_key_file = ${certdir}/pmp320server_key.pem

        certificate_file = ${certdir}/pmp320server_cert.pem

        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        CA_path = ${cadir}
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"

        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }

        verify {
        }
    }

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}

There’s a lot more if you’d like me to send via PM
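The posted configs show the two eap.conf settings that make the inner-tunnel reply attributes reach the AP: copy_request_to_tunnel = yes (so the inner request sees NAS-IP-Address and Calling-Station-Id, as in the debug output earlier in the thread) and use_tunneled_reply = yes (so the DAN-SF* attributes returned inside the tunnel are copied into the final Access-Accept), plus sql in the inner-tunnel authorize section so the reply attributes are fetched at all. The script below, added as an example and not part of FreeRADIUS or of this thread, parses FreeRADIUS-style brace config with a small hand-written parser and checks those three points; the configs embedded in it are abbreviated, constructed copies of the ones posted above, with use_tunneled_reply switched off in a second copy to show the check firing.

```python
"""Check that an EAP-TTLS FreeRADIUS setup will deliver reply attributes
set in the inner tunnel.  Added example for this thread, not FreeRADIUS
code; it assumes the 2.x-era option names used in the posted configs."""
import re

# 'key = value' or 'key := value'; the key stops at whitespace, '=' or ':'.
ASSIGN_RE = re.compile(r"^([^\s=:]+)\s*(?::=|=)\s*(.*)$")


def parse_conf(text):
    """Parse brace-structured FreeRADIUS config into nested dicts.

    A header such as 'server inner-tunnel {' becomes a key holding that
    section's dict, assignments become string values (quotes stripped),
    and bare module calls such as 'sql' are collected in '_modules'."""
    root = {"_modules": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.endswith("{"):
            section = {"_modules": []}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in config")
            stack.pop()
        else:
            m = ASSIGN_RE.match(line)
            if m:
                stack[-1][m.group(1)] = m.group(2).strip().strip('"')
            else:
                stack[-1]["_modules"].append(line)
    if len(stack) != 1:
        raise ValueError("unclosed '{' in config")
    return root


def check_tunnel_config(eap_conf, inner_conf):
    """Return problems that would keep inner-tunnel reply attributes from
    reaching the Access-Accept sent to the AP; [] means it looks right."""
    problems = []
    ttls = parse_conf(eap_conf).get("eap", {}).get("ttls", {})
    if ttls.get("use_tunneled_reply") != "yes":
        problems.append("ttls.use_tunneled_reply must be 'yes' so inner reply "
                        "attributes are copied into the outer Access-Accept")
    if ttls.get("copy_request_to_tunnel") != "yes":
        problems.append("ttls.copy_request_to_tunnel is not 'yes'; the inner "
                        "tunnel will not see NAS-IP-Address/Calling-Station-Id")
    vs = ttls.get("virtual_server")
    server = parse_conf(inner_conf).get(f"server {vs}")
    if server is None:
        problems.append(f"ttls.virtual_server = {vs!r} but no 'server {vs}' block exists")
        return problems
    authorize = server.get("authorize", {"_modules": []})
    if "sql" not in authorize["_modules"]:
        problems.append(f"server {vs}: 'sql' is not called in authorize, so "
                        "reply attributes stored in SQL are never fetched")
    return problems


# Abbreviated, constructed copies of the eap.conf and inner-tunnel posted above.
EAP_CONF = """\
eap {
    default_eap_type = ttls
    tls {
        private_key_file = ${certdir}/pmp320server_key.pem
        cache {
            enable = no
            lifetime = 24 # hours
        }
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
"""

INNER_TUNNEL = """\
server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
    authorize {
        mschap
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        sql
        pap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
"""

# Same eap.conf with use_tunneled_reply switched off, to show the check firing.
BROKEN_EAP_CONF = EAP_CONF.replace("use_tunneled_reply = yes", "use_tunneled_reply = no")

if __name__ == "__main__":
    print(check_tunnel_config(EAP_CONF, INNER_TUNNEL))
    print(check_tunnel_config(BROKEN_EAP_CONF, INNER_TUNNEL))
```

The parser deliberately does not expand ${confdir}-style references or handle unlang conditionals; it only needs enough structure to locate the ttls block and the inner server's authorize list, which is all these three checks require.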