blog:aruba-mpsk-freeradius

Differences

This shows you the differences between two versions of the page.

blog:aruba-mpsk-freeradius [2020/03/01 11:59]
v0tti
blog:aruba-mpsk-freeradius [2024/02/08 10:31] (current)
v0tti
Line 1: Line 1:
 ====== Using Aruba MPSK with FreeRADIUS ====== ====== Using Aruba MPSK with FreeRADIUS ======
  
-A few months ago Aruba introduced the MPSK authentication feature for their WiFi systems. With MPSK it is possible to have a PSK protected SSID but with a per device/MAC password. Unfortunately it is only officially supported to work with the Clearpass Policy Manager from Aruba. However, we could figure out how to use it with the FreeRADIUS RADIUS Server.+A few months ago Aruba introduced the MPSK authentication feature for their WiFi systems. With MPSK it is possible to have a PSK protected SSID but with a per device/MAC password. Unfortunately it is only officially supported to work with the Clearpass Policy Manager from Aruba. However, we figured out how to use it with the FreeRADIUS RADIUS Server.
  
 ==== Configure the SSID ==== ==== Configure the SSID ====
  
-From the WebUI, create a new SSID with MPSK authentication. It is not possible to select an existing RADIUS server, just create a new dummy server. Now, edit the SSID profile and now change the dummy server to your (previously configured) FreeRADIUS server+From the WebUI, create a new SSID with MPSK authentication. It is not possible to select an existing RADIUS server, just create a new dummy server. Now, edit the SSID profile and now change the dummy server to your (previously configured) FreeRADIUS server.
  
 ==== Configure the FreeRADIUS Server ==== ==== Configure the FreeRADIUS Server ====
  
-When a client connects the controller will send a RADIUS request to the server. In the response you have to include the VSA "Aruba-MPSK-Passphrase". [[https://github.com/FreeRADIUS/freeRADIUS-server/blob/efba32e839caf5c276cef131b5f7d2ec3048f66a/share/dictionary/RADIUS/dictionary.aruba#L57|FreeRADIUS already includes the VSA]] with correct encoding and encryption (check if your version already includes this VSA, otherwise place the linked file at ''/usr/share/freeRADIUS/dictionary.aruba'' (this applies to Debian)). Here is an example, please note that "Tunnel-Password" is the clear text password for the requesting MAC.+When a client connects the controller will send a RADIUS request to the server. In the response you have to include the vendor-specific attribute ''Aruba-MPSK-Passphrase''. [[https://github.com/FreeRADIUS/freeRADIUS-server/blob/efba32e839caf5c276cef131b5f7d2ec3048f66a/share/dictionary/RADIUS/dictionary.aruba#L57|FreeRADIUS already includes this]] with correct encoding and encryption (check if your version already includes this VSA, otherwise place the linked file at ''/usr/share/freeRADIUS/dictionary.aruba'' (this applies to Debian)). Here is an configuration example, please note that "ClearTextPassphrase" is the clear text password for the requesting device: ''Aruba-MPSK-Passphrase := "ClearTextPassphrase"''. 
 + 
 +If you operate a proxying RADIUS, like we do, your config could look like this: 
 +<code> 
 +post-proxy { 
 +     update proxy-reply { 
 +          Aruba-MPSK-Passphrase := "%{proxy-reply:Tunnel-Password}" 
 +     } 
 +
 +</code>
  
-''Aruba-MPSK-Passphrase := "%{proxy-reply:Tunnel-Password}"'' 
  
 ==== Some Notes ==== ==== Some Notes ====
 +Using MPSK without Clearpass is not officially supported and TAC probably won't help if any problem occurs. The controller will cache the password for a period of time (seems to be a couple of hours).
 +
 +Most of the work explained here was done by [[https://fem.social/@netali|Jennifer Graul]] at [[https://fem.tu-ilmenau.de|FeM]], thanks!
  
-  * The controller seems to cache the password for an unknown period of time (seems to be a couple of hours)+----
  
 If you have any feedback to this article, [[mailto:mail@v0tti.com | please let me know!]] If you have any feedback to this article, [[mailto:mail@v0tti.com | please let me know!]]
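
Review bot: In the rewritten "Configure the FreeRADIUS Server" paragraph and the new post-proxy block, the text no longer says where the passphrase comes from. The old revision explained that "Tunnel-Password" is the clear text password for the requesting MAC, while the new one uses ''%{proxy-reply:Tunnel-Password}'' without stating that the home server has to return that attribute per device. Suggest adding one sentence on that, and saying where the static line ''Aruba-MPSK-Passphrase := "ClearTextPassphrase"'' belongs and how it is tied to the requesting MAC. The block also leaves Tunnel-Password in the proxy-reply next to the copied value; if the controller does not need it, consider removing it there so the clear text passphrase is not carried in two attributes. Smaller points: "Here is an configuration example" should read "a configuration example"; the path ''/usr/share/freeRADIUS/dictionary.aruba'' is written in mixed case although paths on Debian are case-sensitive and the package directory is lowercase; and the cache sentence under "Some Notes" could state the consequence, namely that a changed or revoked passphrase may keep working on the controller for that period.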
  
  • blog/aruba-mpsk-freeradius.1583060393.txt.gz
  • Last modified: 2020/03/01 11:59
  • by v0tti