Differences

This shows you the differences between two versions of the page.

--- blog:aruba-mpsk-freeradius [2020/03/01 12:21]
v0tti [Some Notes]
+++ blog:aruba-mpsk-freeradius [2024/02/08 10:31] (current)
v0tti
@@ Line 1: / Line 1: @@
 ====== Using Aruba MPSK with FreeRADIUS ======
-A few months ago Aruba introduced the MPSK authentication feature for their WiFi systems. With MPSK it is possible to have a PSK protected SSID but with a per device/MAC password. Unfortunately it is only officially supported to work with the Clearpass Policy Manager from Aruba. However, we could figure out how to use it with the FreeRADIUS RADIUS Server.
+A few months ago Aruba introduced the MPSK authentication feature for their WiFi systems. With MPSK it is possible to have a PSK protected SSID but with a per device/MAC password. Unfortunately it is only officially supported to work with the Clearpass Policy Manager from Aruba. However, we figured out how to use it with the FreeRADIUS RADIUS Server.
 ==== Configure the SSID ====
-From the WebUI, create a new SSID with MPSK authentication. It is not possible to select an existing RADIUS server, just create a new dummy server. Now, edit the SSID profile and now change the dummy server to your (previously configured) FreeRADIUS server
+From the WebUI, create a new SSID with MPSK authentication. It is not possible to select an existing RADIUS server, just create a new dummy server. Now, edit the SSID profile and now change the dummy server to your (previously configured) FreeRADIUS server.
 ==== Configure the FreeRADIUS Server ====
-When a client connects the controller will send a RADIUS request to the server. In the response you have to include the vendor-specific attribute ''Aruba-MPSK-Passphrase''. [[https://github.com/FreeRADIUS/freeRADIUS-server/blob/efba32e839caf5c276cef131b5f7d2ec3048f66a/share/dictionary/RADIUS/dictionary.aruba#L57|FreeRADIUS already includes the this]] with correct encoding and encryption (check if your version already includes this VSA, otherwise place the linked file at ''/usr/share/freeRADIUS/dictionary.aruba'' (this applies to Debian)). Here is an configuration example, please note that "ClearTextPassphrase" is the clear text password for the requesting device: ''Aruba-MPSK-Passphrase := "ClearTextPassphrase"''.
+When a client connects the controller will send a RADIUS request to the server. In the response you have to include the vendor-specific attribute ''Aruba-MPSK-Passphrase''. [[https://github.com/FreeRADIUS/freeRADIUS-server/blob/efba32e839caf5c276cef131b5f7d2ec3048f66a/share/dictionary/RADIUS/dictionary.aruba#L57|FreeRADIUS already includes this]] with correct encoding and encryption (check if your version already includes this VSA, otherwise place the linked file at ''/usr/share/freeRADIUS/dictionary.aruba'' (this applies to Debian)). Here is an configuration example, please note that "ClearTextPassphrase" is the clear text password for the requesting device: ''Aruba-MPSK-Passphrase := "ClearTextPassphrase"''.
 If you operate a proxying RADIUS, like we do, your config could look like this:
@@ Line 23: / Line 23: @@
 ==== Some Notes ====
 Using MPSK without Clearpass is not officially supported and TAC probably won't help if any problem occurs. The controller will cache the password for a period of time (seems to be a couple of hours).
+Most of the work explained here was done by [[https://fem.social/@netali|Jennifer Graul]] at [[https://fem.tu-ilmenau.de|FeM]], thanks!
 ----