====== Using Aruba MPSK with FreeRADIUS ======

A few months ago Aruba introduced the MPSK authentication feature for their WiFi systems. With MPSK it is possible to have a PSK-protected SSID with a separate password per device/MAC address. Unfortunately, it is only officially supported together with Aruba's ClearPass Policy Manager. However, we figured out how to use it with the FreeRADIUS server.

==== Configure the SSID ====

From the WebUI, create a new SSID with MPSK authentication. It is not possible to select an existing RADIUS server, so just create a new dummy server. Then edit the SSID profile and change the dummy server to your (previously configured) FreeRADIUS server.

==== Configure the FreeRADIUS Server ====

When a client connects, the controller sends a RADIUS request to the server. The response has to include the vendor-specific attribute ''Aruba-MPSK-Passphrase''. [[https://github.com/FreeRADIUS/freeRADIUS-server/blob/efba32e839caf5c276cef131b5f7d2ec3048f66a/share/dictionary/RADIUS/dictionary.aruba#L57|FreeRADIUS already includes this]] with correct encoding and encryption. Check whether your version already includes this VSA; otherwise place the linked file at ''/usr/share/freeradius/dictionary.aruba'' (this applies to Debian).

Here is a configuration example. Please note that "ClearTextPassphrase" is the clear-text password for the requesting device: ''Aruba-MPSK-Passphrase := "ClearTextPassphrase"''.

If you operate a proxying RADIUS server, like we do, your config could look like this:

<code>
post-proxy {
    update proxy-reply {
        Aruba-MPSK-Passphrase := "%{proxy-reply:Tunnel-Password}"
    }
}
</code>

==== Some Notes ====

  * Using MPSK without ClearPass is not officially supported, and TAC probably won't help if any problem occurs.
  * The controller will cache the password for a period of time (seems to be a couple of hours).

Most of the work explained here was done by [[https://fem.social/@netali|Jennifer Graul]] at [[https://fem.tu-ilmenau.de|FeM]], thanks!
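
For a non-proxying setup, the per-device ''Aruba-MPSK-Passphrase'' replies have to come from a local source. The following is an added example, not part of the original article or of FreeRADIUS: it validates a MAC-to-passphrase list and renders it in users-file syntax. It assumes the controller sends the client MAC as User-Name in the form of 12 lower-case hex digits, and it leaves the decision of how the request is authenticated to your existing policy; all function names are hypothetical.

```python
import re
import secrets
import string

# Assumption: the controller sends the client MAC as User-Name, formatted as
# 12 lower-case hex digits without separators. Adjust normalise_mac() if not.
_HEX12 = re.compile(r"[0-9a-f]{12}")
# Conservative choice for this example: reject characters that have special
# meaning inside FreeRADIUS quoted strings instead of trying to escape them.
_FORBIDDEN = set('"\'\\%')
_ALPHABET = string.ascii_letters + string.digits

def normalise_mac(mac: str) -> str:
    """Reduce AA:BB:.., aa-bb-.., aabb.ccdd.eeff to 12 lower-case hex digits."""
    key = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not _HEX12.fullmatch(key):
        raise ValueError(f"not a MAC address: {mac!r}")
    return key

def check_passphrase(psk: str) -> str:
    """WPA2 passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(psk) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 0x20 <= ord(c) <= 0x7E for c in psk):
        raise ValueError("passphrase must be printable ASCII")
    if _FORBIDDEN & set(psk):
        raise ValueError("passphrase contains a quote, backslash or percent sign")
    return psk

def new_passphrase(length: int = 24) -> str:
    """Random per-device passphrase from a CSPRNG."""
    return check_passphrase("".join(secrets.choice(_ALPHABET) for _ in range(length)))

def users_entries(devices: dict) -> str:
    """Render {mac: passphrase} as FreeRADIUS users-file entries."""
    seen, out = set(), []
    for mac, psk in devices.items():
        key = normalise_mac(mac)
        if key in seen:  # same device written in two notations
            raise ValueError(f"duplicate device: {mac!r}")
        seen.add(key)
        out.append(f'{key}\n\tAruba-MPSK-Passphrase := "{check_passphrase(psk)}"\n')
    return "\n".join(out)

if __name__ == "__main__":
    # Constructed sample devices, not real ones.
    print(users_entries({"AA:BB:CC:00:11:22": new_passphrase(),
                         "aabb.cc00.1133": "ClearTextPassphrase"}))
```

The generated file contains every device passphrase in clear text, so keep it readable only by the account the RADIUS server runs as.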
----

If you have any feedback on this article, [[mailto:mail@v0tti.com | please let me know!]]