start

v0ttis wiki

This is my private wiki. It is also the home of my small “blog”.

For information about how to contact me please refer to my website.

A few months ago Aruba introduced the MPSK authentication feature for their WiFi systems. With MPSK it is possible to have a PSK protected SSID but with a per device/MAC password. Unfortunately it is only officially supported to work with the Clearpass Policy Manager from Aruba. However, we figured out how to use it with the FreeRADIUS RADIUS Server.

Configure the SSID

From the WebUI, create a new SSID with MPSK authentication. It is not possible to select an existing RADIUS server, just create a new dummy server. Now, edit the SSID profile and now change the dummy server to your (previously configured) FreeRADIUS server.

Configure the FreeRADIUS Server

When a client connects the controller will send a RADIUS request to the server. In the response you have to include the vendor-specific attribute Aruba-MPSK-Passphrase. FreeRADIUS already includes the this with correct encoding and encryption (check if your version already includes this VSA, otherwise place the linked file at /usr/share/freeRADIUS/dictionary.aruba (this applies to Debian)). Here is an configuration example, please note that “ClearTextPassphrase” is the clear text password for the requesting device: Aruba-MPSK-Passphrase := “ClearTextPassphrase”.

If you operate a proxying RADIUS, like we do, your config could look like this:

post-proxy {
     update proxy-reply {
          Aruba-MPSK-Passphrase := "%{proxy-reply:Tunnel-Password}"
     }
}
Some Notes

Using MPSK without Clearpass is not officially supported and TAC probably won't help if any problem occurs. The controller will cache the password for a period of time (seems to be a couple of hours).

Most of the work explained here was done by Maximilian Graul at FeM, thanks!


If you have any feedback to this article, please let me know!

2020/02/29 15:36 · v0tti
  • start.txt
  • Last modified: 2020/02/29 14:40
  • by v0tti