Radius EAP-TTLS setup

Hello,

we are trying to configure a Radius setup. First question: is there any operator running Radius with ePMP 1000?

Second: we are trying to do the first authentication without success. Something is wrong with the tunnels. We are using freeradius-2.2.0.

Here is Radius log:

Sun Jan  4 16:48:27 2015
        Packet-Type = Access-Request
        User-Name = "test01"
        NAS-Identifier = "BS6c7cd3:000000"
        NAS-Port = 0
        Called-Station-Id = "00-04-56-C4-51-C4:CWME"
        Calling-Station-Id = "00-04-56-C1-CB-95"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11b"
        EAP-Message = 0x02e0000d150015030100020230
        State = 0x2b7ac44f289ad124bb62d008294d7876
        Message-Authenticator = 0xaaf098e5e9ce9088fab2e0c829706f3c
        NAS-IP-Address = 172.31.0.5

Sun Jan 4 16:48:27 2015
        Packet-Type = Access-Reject
        EAP-Message = 0x04e00004
        Message-Authenticator = 0x00000000000000000000000000000000

Attached is the Wireshark trace file.

Hi Roman,

The authentication is failing because you were using certificates which are invalid.

The certificates expired on 7th Nov, 2013.

Please refer to the screenshot attached.

Please use valid certificates and let us know if you have any issues.

Best Regards,

Balaji

Hello Balaji,

we've changed the certificate. Currently it has:

notAfter: utcTime: 16-01-12 16:07:36 (UTC)

But the situation is the same. In the CPE log there is a message:

STA cannot be associated on AP... Reason 21.  (CERTIFICATE FALIED)

There are questions not covered by the documentation.

1. Should we create a separate certificate for the SM?

2. Should we upload a certificate to the SM?

Hi Roman,

I assume you have generated a new self-signed certificate for the Radius server.
If that is the case:

1. You don't have to generate a separate certificate for the SM.

2. You have to upload the root CA certificate to the SM.

    It should be the same root CA Certificate you have used to sign the new server certificate.

Balaji,

we uploaded the root certificate from the Radius (ca.pem) file into the SM. It looks like TTLS is processing and Radius is sending an Access-Accept message.

Now the SM has another error: Reason 49. INVALID SECURITY KEY

The BS shows the error:

Jan 16 11:03:31 BS6c7cd3:020000 hostapd: ath0: STA 00:04:56:c1:cb:95 WPA: INITPMK - keyAvailable = false
Jan 16 11:03:31 BS6c7cd3:020000 kernel: STA[00:04:56:c1:cb:95] aid=1 disassociated. Reason: INVALID SECURITY KEY
Jan 16 11:03:31 BS6c7cd3:020000 hostapd: ath0: STA 00:04:56:c1:cb:95 IEEE 802.11: deauthenticated due to local deauth request

Hi Roman,

Could you send me the config files of both the AP and the SM and the Wireshark trace?

If you prefer, you can e-mail it to me at balaji.grandhi@cambiumnetworks.com.

Best Regards,

Balaji

Hi Balaji

I sent the files to you. We are using Radius with the WiMAX module to support EAP-TTLS for WiMAX equipment.

Just for the knowledge base.

If you are using EAP-TTLS and FreeRADIUS with the WiMAX module compiled in, there is a configuration option:

 delete_mppe_keys = yes

If you set it to "yes", Radius will remove these keys from the Access-Accept message and put in a WiMAX-MSK attribute which contains the encoded keys.

Some WiMAX devices require this option to be set to yes. Other devices can operate both ways.

Here is the reply with the "yes" option:

        Packet-Type = Access-Accept
        EAP-MSK = 0x3c53e3b6bb79329a4f36577990cb181211738b9aeded8279b05775cdefeb0253b79deedd596839d84afd04020905f5067e634ddfeabbcfbba7bfe1b4cf58730a
        EAP-EMSK = 0xcfeb6d7567b1a672f00b5e00bc1f0b3ede22c219a806e91681df823764e38ab9be2d6d3435f528f5c10d9c8ef0b5b870f20f6c8797a0e6ebcf041926c7d56cc7
        EAP-Message = 0x03570004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "test02"
        WiMAX-MSK = 0x3c53e3b6bb79329a4f36577990cb181211738b9aeded8279b05775cdefeb0253b79deedd596839d84afd04020905f5067e634ddfeabbcfbba7bfe1b4cf58730a

Here is the reply with the "no" option, which is the standard behaviour of Radius:

        Packet-Type = Access-Accept
        MS-MPPE-Recv-Key = 0xf0d1c1e0be1c23c000cae76bb2643a98ac22e0731f49780b561b62b1d13e8f96
        MS-MPPE-Send-Key = 0xa207a797fd4526321968ed1b0d778702f6d2df40bbd772e73ed9d04240e87a45
        EAP-MSK = 0xf0d1c1e0be1c23c000cae76bb2643a98ac22e0731f49780b561b62b1d13e8f96a207a797fd4526321968ed1b0d778702f6d2df40bbd772e73ed9d04240e87a45
        EAP-EMSK = 0xe04ccfff3cb0fae8da986627be212c8e8a8a9393defc1586efe5b8a542694f4fd2293ebc4d2490aa86d8dec6642ffcbf13807debfd6a52c65df979a56cdd56c5
        EAP-Message = 0x03fd0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "test02"

Cambium prints the debug message INVALID SECURITY KEY if there are no MS-MPPE-* attributes in the message.
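The two Access-Accept dumps above show the relationship the last post describes: with delete_mppe_keys = no, MS-MPPE-Recv-Key is the first 32 octets of the 64-octet EAP-MSK and MS-MPPE-Send-Key is the second 32 octets (the EAP-TTLS key distribution of RFC 5281), and with delete_mppe_keys = yes those two attributes are gone and WiMAX-MSK carries the same bytes as EAP-MSK. The following is an added example, not code from this thread, from Cambium or from FreeRADIUS: it parses a FreeRADIUS attribute dump (re-joining hex values that were wrapped across lines), derives the expected MS-MPPE keys from EAP-MSK, and reports whether an ePMP AP would have the keys it needs or would log INVALID SECURITY KEY. The function and variable names are the example's own; the attribute values are the ones printed in the two replies above.

```python
"""Added example (not from the thread, Cambium or FreeRADIUS): check a FreeRADIUS
Access-Accept dump for the MS-MPPE keys an ePMP AP needs and verify that they
are the two halves of EAP-MSK."""
import re
from typing import Dict, List, Optional, Tuple

# Attribute dumps from the two Access-Accept replies shown in the thread,
# embedded here with the long hex values wrapped across lines (as forum
# software tends to do); the parser re-joins such continuation lines.
REPLY_DELETE_MPPE_YES = """\
Packet-Type = Access-Accept
        EAP-MSK = 0x3c53e3b6bb79329a4f36577990cb181211738b9aeded8279b05775cdefeb0253b79deedd596839d84afd04020905f5
067e634ddfeabbcfbba7bfe1b4cf58730a
        EAP-Message = 0x03570004
        User-Name = "test02"
        WiMAX-MSK = 0x3c53e3b6bb79329a4f36577990cb181211738b9aeded8279b05775cdefeb0253b79deedd596839d84afd04020905
f5067e634ddfeabbcfbba7bfe1b4cf58730a
"""

REPLY_DELETE_MPPE_NO = """\
Packet-Type = Access-Accept
        MS-MPPE-Recv-Key = 0xf0d1c1e0be1c23c000cae76bb2643a98ac22e0731f49780b561b62b1d13e8f96
        MS-MPPE-Send-Key = 0xa207a797fd4526321968ed1b0d778702f6d2df40bbd772e73ed9d04240e87a45
        EAP-MSK = 0xf0d1c1e0be1c23c000cae76bb2643a98ac22e0731f49780b561b62b1d13e8f96a207a797fd4526321968ed1b0d7787
02f6d2df40bbd772e73ed9d04240e87a45
        EAP-Message = 0x03fd0004
        User-Name = "test02"
"""

# A dump line looks like "Attribute-Name = value"; anything else is a wrapped
# continuation of the previous value.
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$")


def parse_attrs(dump: str) -> List[Tuple[str, str]]:
    """Turn a FreeRADIUS 'Name = value' dump into (name, value) pairs."""
    attrs: List[Tuple[str, str]] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ATTR_LINE.match(line)
        if m:
            attrs.append((m.group(1), m.group(2).strip()))
        elif attrs:  # continuation of a wrapped value: glue it on
            name, value = attrs[-1]
            attrs[-1] = (name, value + line)
    return attrs


def first(attrs: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Return the first value of the named attribute, or None if absent."""
    for n, v in attrs:
        if n == name:
            return v
    return None


def hex_value(value: str) -> bytes:
    """Decode a FreeRADIUS 0x... octet-string value."""
    if not value.startswith("0x"):
        raise ValueError(f"not an octet-string value: {value!r}")
    return bytes.fromhex(value[2:])


def mppe_keys_from_msk(msk: bytes) -> Tuple[bytes, bytes]:
    """RFC 5281 key distribution: MS-MPPE-Recv-Key is the first 32 octets of
    the 64-octet MSK, MS-MPPE-Send-Key the second 32 octets."""
    if len(msk) != 64:
        raise ValueError(f"EAP-MSK must be 64 octets, got {len(msk)}")
    return msk[:32], msk[32:]


def check_access_accept(dump: str) -> Dict[str, object]:
    """Summarise what an ePMP AP would make of this Access-Accept."""
    attrs = parse_attrs(dump)
    recv = first(attrs, "MS-MPPE-Recv-Key")
    send = first(attrs, "MS-MPPE-Send-Key")
    msk = first(attrs, "EAP-MSK")
    wimax = first(attrs, "WiMAX-MSK")
    report: Dict[str, object] = {
        "packet": first(attrs, "Packet-Type"),
        "mppe_present": recv is not None and send is not None,
        "mppe_consistent": None,   # only known when EAP-MSK is in the dump
        "wimax_msk_matches": None,  # only known when WiMAX-MSK is in the dump
    }
    if msk is not None:
        exp_recv, exp_send = mppe_keys_from_msk(hex_value(msk))
        if recv is not None and send is not None:
            report["mppe_consistent"] = (hex_value(recv), hex_value(send)) == (exp_recv, exp_send)
        if wimax is not None:
            report["wimax_msk_matches"] = hex_value(wimax) == hex_value(msk)
    if report["mppe_present"]:
        report["verdict"] = "ok: MS-MPPE-Recv-Key and MS-MPPE-Send-Key present"
    else:
        report["verdict"] = ("AP will log INVALID SECURITY KEY: MS-MPPE-* attributes "
                             "missing (delete_mppe_keys = yes on the server?)")
    return report


if __name__ == "__main__":
    for label, dump in (("delete_mppe_keys = yes", REPLY_DELETE_MPPE_YES),
                        ("delete_mppe_keys = no", REPLY_DELETE_MPPE_NO)):
        print(label, check_access_accept(dump))
```

Run it against a server's own debug output (radiusd -X) to tell the two failure modes apart: an Access-Reject means the TTLS tunnel or the inner credentials failed, while an Access-Accept without MS-MPPE-* attributes is exactly the case the last post describes and the AP will refuse the key.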