New to Cambium, PMP450 AP/SM and RADIUS auth

We just started using Cambium as our 5 GHz PtMP solution. I have a lab set up with a single PMP450 AP and an SM. I currently have them all on the same subnet, but eventually will be using customer data VLANs to separate customers from management. I have a FreeRADIUS w/ daloradius frontend to use as our authentication. Would like to authenticate and then set traffic rates, etc. on the SMs, but one step at a time, right? Working on authentication now and am unable to get this to work. I've been reading all the documentation since the beginning of summer and have been trying to sort it out but have not been having much luck.

I know the AP and RADIUS server are able to see each other, the RADIUS server can ping the AP. I have configured the AP and SM for AAA auth and have added the AP as a NAS in RADIUS.

Do any of you have a best practices process that you apply to our Cambium deployment for authentication and management? Where could I be going wrong? Maybe I'm overthinking?

Edit: Thought I'd add that I have read the parts about configuring this in the Config and User Guide, and I also installed WISPToolbox from cambiumtools so that I could see an example of how the config should be.

Hi,

Welcome to the forum!

First check if the SM authentication request is reaching the radius server or not; to do that, run the radius server in debug mode (radiusd -X) or check the radius logs.

If you don't see any radius request from the AP, this means the AP and SM radio configurations are different and the SM is not finding an AP based on its radio configuration.

Check these couple of things and we will assist you further based on the outcome.

Thanks

I'm using the daloradius appliance in my lab, as we use FreeRADIUS / Daloradius in our production environment. Our production is 2.1.9, the Dalo appliance is 2.1.10. So radiusd -X doesn't work but freeradius -X does work. Same results (our production responds to radiusd -X).

I do not see my AP at 10.10.10.50 added as a NAS in the debug output initially. I do get the end line saying "Ready to process requests". I rebooted my SM and got a whole bunch of information that I can post. What I basically saw was that my AP @ 10.10.10.50 made an attempt to authenticate with username anonymous and that the last couple of lines say:

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x7eae4d757caa582c did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 

I have configured as no realm and I am using the MAC address in the same format as the radios have in them, like this: 00-00-00-00-00-00. 

 

Here is the whole result after an SM reboot:

User-Name = "anonymous"
State = 0xbb83067fba8013f77f980021d3764fa3
NAS-IP-Address = 10.10.10.50
NAS-Port = 5
NAS-Port-Type = Wireless-Other
Framed-MTU = 1020
EAP-Message = 0x0203004415800000003a1603010035010000310301046b33c4b68a42067623fcd719efae068f252c6f3671bc5d7229c59af8f0943600000a0035002f00040005000a0100
Message-Authenticator = 0xd299c2400830830c12668aabb95bc270
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
sql_xlat
expand: %{User-Name} -> anonymous
sql_set_user escaped user --> 'anonymous'
expand: select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}" -> select groupname from radhuntgroup where nasipaddress="10.10.10.50"
rlm_sql (sql): Reserving sql socket id: 4
SQL query did not return any results
rlm_sql (sql): Released sql socket id: 4
expand: %{sql:select groupname from radhuntgroup where nasipaddress="%{NAS-IP-Address}"} ->
++[request] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 68
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 58
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0035], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 01ad], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.50 port 1234
EAP-Message = 0x010401f41580000001ea160301002a0200002603015636e17e4f2df0485934b9c20451f6e38e809b3fddaa558ed4103581c385be2f0000350016030101ad0b0001a90001a60001a33082019f30820108020900ce7733fd85110fbd300d06092a864886f70d0101050500301431123010060355040313096261636b7374616765301e170d3130313231393136353232375a170d3230313231363136353232375a301431123010060355040313096261636b737461676530819f300d06092a864886f70d010101050003818d0030818902818100b9c54033610743e5af338d1ac0ef27de34c5bf0f758d37f5cbe530a83db9cf70d46deb907474f1ff3a18
EAP-Message = 0xb49d8d5788f2bdbc77996c935c3e4c7d9f6839c81464ab0da32c92ac5425826d578884c443154cbee0da6797160221bdbf245745415f141b4e1415deb56bec9089644597a6b86fda7ce75fca34868113e574ebe668150203010001300d06092a864886f70d01010505000381810013df3f751002c434fc3713991e3944c76b5a4fbb44ccb3d7da8d30668b6cce6a6738954582bc017072b6d2c0f8bc288e4d4ca83c1643bd8f8ee1e16db170c7aa7851e55bfae266e16d41ec648108a7632ce17a99b2bb8c0591fdac7943da82effbb17486a7fdae44f55706b79917371d20fbc30ca97d953aa42bef26d218ea1716030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbb83067fb98713f77f980021d3764fa3
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 11 ID 0 with timestamp +662
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xbb83067fb98713f7 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
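The EAP-Message values in the trace above can be decoded by hand to confirm what the [eap] and [ttls] lines report. The following Python script is an added example written for this thread, not code from Cambium, FreeRADIUS or any poster. It takes the three EAP-Message hex strings exactly as printed in the trace, reassembles the two fragments of the Access-Challenge, and parses the EAP header, the EAP-TTLS flags, the TLS records, the SM's ClientHello and the certificate the server sent. Cipher-suite and handshake-type names come from the IANA TLS registries; the DER walk is a minimal one that assumes a certificate shaped like the one in the trace (issuer, validity and subject are read by position, and no signature is verified).

```python
import hashlib
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}
CIPHER_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

# EAP-Message values copied from the trace above: the SM's ClientHello, then both server fragments.
SM_CLIENT_HELLO = "0x0203004415800000003a1603010035010000310301046b33c4b68a42067623fcd719efae068f252c6f3671bc5d7229c59af8f0943600000a0035002f00040005000a0100"
SERVER_FRAGMENT_1 = "0x010401f41580000001ea160301002a0200002603015636e17e4f2df0485934b9c20451f6e38e809b3fddaa558ed4103581c385be2f0000350016030101ad0b0001a90001a60001a33082019f30820108020900ce7733fd85110fbd300d06092a864886f70d0101050500301431123010060355040313096261636b7374616765301e170d3130313231393136353232375a170d3230313231363136353232375a301431123010060355040313096261636b737461676530819f300d06092a864886f70d010101050003818d0030818902818100b9c54033610743e5af338d1ac0ef27de34c5bf0f758d37f5cbe530a83db9cf70d46deb907474f1ff3a18"
SERVER_FRAGMENT_2 = "0xb49d8d5788f2bdbc77996c935c3e4c7d9f6839c81464ab0da32c92ac5425826d578884c443154cbee0da6797160221bdbf245745415f141b4e1415deb56bec9089644597a6b86fda7ce75fca34868113e574ebe668150203010001300d06092a864886f70d01010505000381810013df3f751002c434fc3713991e3944c76b5a4fbb44ccb3d7da8d30668b6cce6a6738954582bc017072b6d2c0f8bc288e4d4ca83c1643bd8f8ee1e16db170c7aa7851e55bfae266e16d41ec648108a7632ce17a99b2bb8c0591fdac7943da82effbb17486a7fdae44f55706b79917371d20fbc30ca97d953aa42bef26d218ea1716030100040e000000"

def join_eap_fragments(*hex_attrs):
    """RADIUS caps one attribute at 253 bytes, so a long EAP packet spans several EAP-Message attributes."""
    return b"".join(bytes.fromhex(h[2:] if h.startswith("0x") else h) for h in hex_attrs)

def der_children(buf):
    """Split a DER buffer into its (tag, value) TLVs, handling long-form lengths."""
    out, off = [], 0
    while off < len(buf):
        tag, ln, hdr = buf[off], buf[off + 1], 2
        if ln & 0x80:  # long form: the low 7 bits give the size of the length field
            n = ln & 0x7F
            ln, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
        out.append((tag, buf[off + hdr:off + hdr + ln]))
        off += hdr + ln
    return out

def der_name(name):
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) as CN=...,O=..."""
    parts = []
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)[:2]
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def x509_summary(der):
    """Issuer, subject, validity and fingerprint of one DER certificate (no signature check)."""
    cert = der_children(der)[0][1]  # Certificate ::= SEQUENCE {tbsCertificate, sigAlg, signature}
    tbs = [f for f in der_children(der_children(cert)[0][1]) if f[0] != 0xA0]  # drop explicit [0] version
    return {"issuer": der_name(tbs[2][1]), "subject": der_name(tbs[4][1]),
            "validity": [v.decode("ascii") for _, v in der_children(tbs[3][1])],
            "sha256": hashlib.sha256(der).hexdigest()}

def parse_client_hello(hs):
    """ClientHello body: version, 32-byte random, session id, then the offered cipher suites."""
    off = 35 + hs[34]  # skip version (2), random (32), session-id length (1) and the session id
    cs_len = struct.unpack("!H", hs[off:off + 2])[0]
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(off + 2, off + 2 + cs_len, 2)]
    return {"version": TLS_VERSIONS.get((hs[0], hs[1])), "random": hs[2:34].hex(),
            "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites]}

def parse_certificate_msg(hs):
    """Certificate body: 3-byte list length, then 3-byte-length-prefixed DER certificates."""
    off, certs = 3, []
    while off < len(hs):
        n = int.from_bytes(hs[off:off + 3], "big")
        certs.append(x509_summary(hs[off + 3:off + 3 + n]))
        off += 3 + n
    return certs

def decode_eap_ttls(data):
    """Parse the EAP header, the EAP-TTLS flags and every TLS record carried in the packet."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "complete": len(data) >= length, "records": []}
    if code not in (1, 2):  # Success/Failure carry no method type byte
        return info
    info["type"] = "EAP-TTLS" if data[4] == 21 else data[4]  # 21 = EAP-TTLS method number (RFC 5281)
    flags = data[5]  # L: 4-byte total TLS length follows; M: more fragments follow; S: TTLS start
    info["length_included"], info["more_fragments"], info["start"] = (
        bool(flags & 0x80), bool(flags & 0x40), bool(flags & 0x20))
    body, off = data[6:length], 0
    if info["length_included"]:
        info["tls_length"], body = struct.unpack("!I", body[:4])[0], body[4:]
    while off + 5 <= len(body):
        ctype, major, minor, rlen = struct.unpack("!BBBH", body[off:off + 5])
        payload = body[off + 5:off + 5 + rlen]
        rec = {"content": CONTENT_TYPES.get(ctype, ctype), "length": rlen,
               "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
               "truncated": len(payload) < rlen}  # set when a later fragment was not supplied
        if ctype == 22 and payload:
            rec["handshake"] = HANDSHAKE_TYPES.get(payload[0], payload[0])
            if payload[0] == 1 and not rec["truncated"]:
                rec["client_hello"] = parse_client_hello(payload[4:])
            if payload[0] == 11 and not rec["truncated"]:
                rec["certificates"] = parse_certificate_msg(payload[4:])
        info["records"].append(rec)
        off += 5 + rlen
    return info

if __name__ == "__main__":
    print(decode_eap_ttls(join_eap_fragments(SM_CLIENT_HELLO)), decode_eap_ttls(join_eap_fragments(SERVER_FRAGMENT_1, SERVER_FRAGMENT_2)), sep="\n")
```

Running it shows that the 68-byte Response with id 3 carries a 58-byte TLS message holding a 53-byte ClientHello (the 0x44, 0x3a and 0x35 lengths the log prints), that the SM offers TLS 1.0 with RSA key exchange only, including RC4 and 3DES suites, and that the 500-byte Access-Challenge reassembled from the two attributes carries ServerHello, one self-signed certificate with CN=backstage valid from 2010-12-19 to 2020-12-16, and ServerHelloDone. That certificate is what the SM has to accept in the next round, and the later reply in this thread explains that the radio only trusts what is loaded on its Security Configuration page. The truncated flag is set when only the first fragment of a split packet is pasted, a common slip when copying a trace into a post.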

Hi,

So indeed an authentication request comes from the AP (that rules out the radio config mismatch thing).

Next, it appears the outer tunnel gets created successfully.

The error you are getting is a standard freeradius thing; check the wiki page for the solution, it says to decrease the MTU size.

Are you using the default certificate provided by Cambium?

Try restarting the server; you can also try peap-mschapv2 instead of ttls and see if you get a different result.

Check out this thread, it also has a similar issue using a Cambium AP-SM:

http://freeradius.1045715.n5.nabble.com/Certificate-Compatibility-td4268420.html

I am using the default certificate as I figured that would be ok for testing, but thinking about it now I can see how that could be a possible issue due to the server not having those certs and the cambium radios trying to use them as part of the authentication right? I just need to generate a certificate on the RADIUS server, correct? I think I remember reading the required certificate info in one of these documents...

I will take a look at the link and also check out the freeradius wiki and post again. Thanks!

Hi, have you copied the Cambium certificates to the free-radius directory and changed eap.conf to point to them? Ideally you should get some different error, i.e. the AP/SM rejects the certificate provided by free-radius because it trusts only those which are configured on the SM Security Configuration page. Please try that option. You may also check a wireshark packet capture for the SSL messages, it must be showing the error. Also check SM/AP Logs -> eap radius log section to get more logs related to radius auth.

Right, I did not copy the certificates to the radius server, and I can see that definitely causing a problem. I'll try copying the cert from the SM first, and go from there.

I downloaded the certificate files for the version I'm testing with (13.2.1) from the support site and have them on my freeradius server in /etc/freeradius/certs. Now I need to edit eap.conf to look for those certificates, correct? In the TLS section, specifically these lines?

private_key_password = whatever          (password from the txt file)
private_key_file = ${certdir}/server.key (aaasvr_key.pem)
certificate_file = ${certdir}/server.pem (aaasvr_cert.pem)
CA_file = ${cadir}/ca.pem                (cacert_aaasvr.pem)

Am I missing any that need to be edited to reference the Cambium certs (aaasvr_cert.pem)?

Also, I saw the fragment size in eap.conf, but I should wait until I have the correct certs before changing that I believe.

Also, our production freeradius is also used for another company's product. I should be able to support multiple products in freeradius right? If not, and I need a standalone RADIUS server for Cambium, I might as well just use WISPToolBox?

As I was getting the certificates, I also ran a test with the SM set to MSCHAP, and I get an auth reject "no known good password". I'm positive the password in the radius user account matches the SM's password, as it's just the word password (since this is just testing). Any idea why the reject?
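To check the four eap.conf lines above before restarting FreeRADIUS, here is an added Python pre-flight script; it is not Cambium's, FreeRADIUS's or any poster's code. It pulls the tls { } stanza out of an eap.conf, expands ${certdir}, ${cadir} and ${confdir} the way the 2.x config layout defines them (certdir and cadir are set inside the stanza relative to confdir), and checks that each referenced file can be read, contains the expected PEM block type, and that an encrypted private key has a private_key_password set. The embedded eap.conf and the PEM files are constructed stand-ins whose file names follow the Cambium names quoted in the post; the '#' comment stripping is a simplification that ignores quoted '#' characters.

```python
"""Pre-flight check of the tls { } certificate settings in a FreeRADIUS 2.x eap.conf."""
import re

# eap.conf keys edited in the thread, and the PEM block type each file must contain.
EXPECTED_PEM = {"private_key_file": "PRIVATE KEY",
                "certificate_file": "CERTIFICATE",
                "CA_file": "CERTIFICATE"}
PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]+?)-----")
VAR_REF = re.compile(r"\$\{(\w+)\}")

# Constructed eap.conf fragment modelled on the 2.x layout, pointing at the Cambium file names.
SAMPLE_EAP_CONF = """\
eap {
    default_eap_type = ttls
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/aaasvr_key.pem
        certificate_file = ${certdir}/aaasvr_cert.pem
        CA_file = ${cadir}/cacert_aaasvr.pem
        fragment_size = 1024
        cache {
            enable = no
        }
    }
}
"""

# Constructed stand-ins for the files on disk (placeholder bodies, not real key material).
FAKE_FILES = {
    "/etc/freeradius/certs/aaasvr_key.pem": b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-ED3-CBC,0123456789ABCDEF\n\n"
    b"PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    "/etc/freeradius/certs/aaasvr_cert.pem": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "/etc/freeradius/certs/cacert_aaasvr.pem": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
}


def read_fake(path):
    """Reader over the constructed stand-ins; pass lambda p: open(p, 'rb').read() for real files."""
    if path not in FAKE_FILES:
        raise FileNotFoundError(path)
    return FAKE_FILES[path]


def tls_stanza(text):
    """Return the body of the first tls { ... } block, honouring nested braces such as cache { }."""
    m = re.search(r"^\s*tls\s*\{", text, re.M)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return text[start:]


def parse_settings(body):
    """Collect `key = value` lines; '#' comments are stripped (a quoted '#' is not handled)."""
    settings = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value.strip('"')
    return settings


def expand(value, variables):
    """Expand ${name} references, including nested ones such as ${certdir} -> ${confdir}/certs."""
    for _ in range(8):
        new = VAR_REF.sub(lambda m: variables.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def is_encrypted_key(data):
    """Legacy PEM keys flag encryption with a Proc-Type header; PKCS#8 uses its own block name."""
    return b"Proc-Type: 4,ENCRYPTED" in data or b"ENCRYPTED PRIVATE KEY" in data


def check_tls_files(eap_conf, variables, read_file=read_fake):
    """Map each certificate setting to (resolved path, verdict)."""
    settings = parse_settings(tls_stanza(eap_conf))
    env = dict(settings)
    env.update(variables)  # confdir comes from the caller; certdir/cadir from the stanza itself
    report = {}
    for key, wanted in EXPECTED_PEM.items():
        if key not in settings:
            report[key] = (None, "setting missing from tls { }")
            continue
        path = expand(settings[key], env)
        try:
            data = read_file(path)
        except OSError as exc:
            report[key] = (path, f"unreadable: {exc}")
            continue
        types = [t.decode() for t in PEM_HEADER.findall(data)]
        if not any(wanted in t for t in types):
            report[key] = (path, f"no {wanted} block found, has {types or 'no PEM block'}")
        elif key == "private_key_file" and is_encrypted_key(data) and not settings.get("private_key_password"):
            report[key] = (path, "key is encrypted but private_key_password is empty")
        else:
            report[key] = (path, "ok")
    return report


if __name__ == "__main__":
    for key, (path, verdict) in check_tls_files(SAMPLE_EAP_CONF, {"confdir": "/etc/freeradius"}).items():
        print(f"{key:20} {path}: {verdict}")
```

Against a live server, call check_tls_files with the real eap.conf text, {"confdir": "/etc/freeradius"} and a reader that opens files from disk; a stanza that still names server.pem, or a key file that was swapped with the certificate file, shows up as a verdict other than "ok" before the daemon is restarted.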

Yes, you can support multiple products with the same server.
So now the configuration looks OK and you don't see the earlier error, right?
Post the radius logs again; what auth type is set? It should be PEAP MSCHAPv2 or ttls MSCHAPv2.

My understanding was that it can support multiple products but something I read while learning the eap.conf file made me question if it could for a moment.

My SM is set for:

PHASE 1  eapttls
PHASE 2  MSCHAPV2

Realm is disabled, and I am using the default format of 00-00-00-00-00-00 MAC for the username in the SM and in FreeRADIUS. I have attached the response as a text file because it is long.

text files not a supported upload format?

Zip and attach

Where can I find the supported uploads?

I have zipped and attached.

Check this: http://lists.freeradius.org/pipermail/freeradius-users/2012-May/061043.html. Basically you have to define User-Password in users.conf for that user name.

I have to define a password for the MAC address username within that user file? I'd have to do that for each SM we would add? Wouldn't the daloradius frontend do that, or is that just entering the username / password into the database (which I read the users file has nothing to do with)?

Cross check that: when you make changes in the frontend, does it actually get reflected in users.conf or not?

From what I've figured out reading that information, if I change to PAP instead of CHAP then I don't need users/passwords defined in the /etc/freeradius/users file. So I changed the SM to PAP as the Phase 2 and I now see username of the MAC and the password being sent from the SM to FreeRADIUS, but there are errors concerning the realm. I have realm disabled on the SM but it seems RADIUS is still looking for the realm?

I have attached another log after changing to PAP.

Why isn't there a Cambium document that shows how to set up FreeRADIUS or Aradial for use with the Cambium equipment?

I should also note that I copied the MAC address into the realm Identity instead of the default anonymous as I was seeing anonymous in the logs. Now I see just the MAC username and no anonymous.

Also, I wouldn't be against using the realm, I was just trying to find the shortest and easiest way to add a new user to RADIUS during installations. I also do not know how to add the realm into the RADIUS config. I do understand that the username would then need to be entered with @canopy.net (or whatever we changed it to in the radios) instead of just the 00-00-00-00-00-00.

EDIT: Also, I checked our production FreeRADIUS, currently being used for WiMax deployment. It does have a realm, and we have to use the MAC@REALM format for usernames along with a password for users, but only in the database entries, which daloradius does. There is ZERO information in the users file on the production server.
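What the [suffix] lines in the log mean can be seen by modelling the module, as in this added Python example (written for this thread, not FreeRADIUS's or any poster's code). canopy_user_name builds the User-Name the way the thread describes it: the MAC in 00-00-00-00-00-00 form, with @realm appended only when the SM's realm setting is enabled (lower-case output is an assumption; the case has to match what the trace shows the radio sending). suffix_module reproduces the realm lookup of the suffix instance of rlm_realm: with no '@' it looks up the NULL realm, and when that realm is not defined it returns noop and changes nothing, which is why those two [suffix] lines are not the cause of a reject. The two debug lines seen in the trace are quoted verbatim; the other log strings, the "updated" return code for a matching realm, and the canopy.net realm name used in the demo are paraphrases and constructed values, not copied from FreeRADIUS.

```python
import re


def canopy_user_name(mac, realm=None):
    """User-Name as the thread describes the SM sending it: the MAC as 00-00-00-00-00-00,
    with @realm appended only when the SM's realm setting is enabled. Lower-case output
    is an assumption; the case has to match what the radio actually sends."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    name = "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()
    return f"{name}@{realm}" if realm else name


def suffix_module(user_name, realms, delimiter="@"):
    """Model of the `suffix` instance of rlm_realm in the authorize section.

    `realms` holds the realm names defined in proxy.conf. Returns
    (rcode, attributes_added, debug_lines). The two debug lines that appear in the
    trace above are reproduced verbatim; the other strings paraphrase the module."""
    if delimiter in user_name:
        stripped, realm = user_name.rsplit(delimiter, 1)
        log = [f'[suffix] Looking up realm "{realm}" for User-Name = "{user_name}"']
    else:
        stripped, realm = None, "NULL"
        log = [f"[suffix] No '{delimiter}' in User-Name = \"{user_name}\", looking up realm NULL"]
    if realm not in realms:
        log.append(f'[suffix] No such realm "{realm}"')
        return "noop", {}, log  # nothing was changed; the request simply moves on to the next module
    added = {"Realm": realm}
    if stripped is not None:
        added["Stripped-User-Name"] = stripped  # what a lookup keyed on Stripped-User-Name would see
    log.append(f'[suffix] Found realm "{realm}", adding {added}')
    return "updated", added, log


if __name__ == "__main__":
    defined_realms = {"canopy.net"}  # constructed: the realm name quoted in the thread
    for name in (canopy_user_name("0A:0B:0C:0D:0E:0F"), canopy_user_name("0a0b0c0d0e0f", "canopy.net")):
        rcode, added, log = suffix_module(name, defined_realms)
        print(name, rcode, added, *log, sep="\n  ")
```

Run stand-alone it prints both cases: the bare MAC produces exactly the two lines from the trace and a noop, while MAC@canopy.net with that realm defined yields a Stripped-User-Name, which is the form a database entry has to be keyed on if the SQL query uses the stripped name rather than the full User-Name.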

Are you still working on this? If you like I can give you a copy of the configs I'm using with freeradius.

Using the default certificates w/ MSCHAPv2 etc and MySQL backend.

Hello Salad, can you help me with a copy of the config files that are working on your server, please?

Hi Raul, did you figure out the radius setup? I can help out depending on how you want to configure it. Our setup uses freeradius with a postgresql database on linux servers. On the Cambium device, we use eapttls and mschapv2. Admin users are defined in the users file for all device access.