Controllerless Networks

Reply
Occasional Contributor I
Posts: 8
Registered: ‎10-30-2012

IAP -- WPA-Enterprise with Freeradius

Hi, 

I am a Radius newbie - so please excuse stupid questions / just skip this thread. 

I quickly read through O'Reilly's Freeradius book - it helped already but I still have problems to understand some links.

 

(1) In my FreeRadius I would like to define a "client" section for one exact IP - which should be the origin of the Radius requests.

But the requests seem to originate from each AP with the respective IP.

What I tried: In the definition of the external Radius I filled out the NAS-IP-Address. I also gave the VC a fixed IP.

I did not: change the "termination" setting nor define any radius proxy settings.

(I did not fully understand the difference between proxy and non-proxy: I though the virtual controller acts like a single NAS already? In a proxy based setup does the virtual controller act as a proxy for each of his IAPs - what is the difference?)

 

(2) In the VC dashboard I would like to display cleartext names sent back be Radius answer. (The login name is a member-ID and I would prefer to see the associated cleartext name from my database). Ist that possible?

 

(X) are there any example setups (showing both sides - the Instant settings and the fitting Freeradius configs?

 

Thanks in advance

Thomas

 

 

 

Moderator
Posts: 681
Registered: ‎04-16-2009

Re: IAP -- WPA-Enterprise with Freeradius

[ Edited ]

The Client IP is just that -- the client making the Auth request.   The problem is that you would need to enter an address for every client on Radius.   To avoid that you can create an entry for the VC IP address then enable Radius Proxy -- you will need to make sure you have statically assigned the VC IP address.  With that enabled all Auth requests will be sourced from the VC IP.   Enabling termination is not required but can offload your Radius server if it is a low-performing box or is seeing a very high number of requests in a short period and is getting overwhelmed.  Leave it off for now as it does require additional configuration and loading a Certificate on your VC.

 

Once authentication is configured, working, and your clients have logged-in you will see the client information with: Name, IP, MAC.

Occasional Contributor I
Posts: 8
Registered: ‎10-30-2012

Re: IAP -- WPA-Enterprise with Freeradius

Thanks, Marcus!

(my setup works "somewhat" but I feel unsure because I don't understand why it works ;)  - below you find an excerpt from the debug output of the Radius)

 

> "you can create an entry for the VC IP address"

You mean in the general section? I did assign .209 here and I already use it for GUI management.

Or do you mean in the Radius definition? I did set a NAS IP address (.208) and this is part of the Rad request, but as you said this does not influence the IP origin (.65 = an IAP). What are these optional two fields for?

 

> "then enable Radius Proxy"

Where? Do you mean in the Radius definition (4 fields DRP-IP, -mask, -VLAN, - GW)?  What should I put in there? Or am I in the wrong section?

 

New question: the below request comes again and again (with the ID increased by 1). Is this normal?

 

Thanks

Thomas

 

Just FYI:

rad_recv: Access-Request packet from host 192.168.100.65 port 49161, id=105, length=213
User-Name = "John Doe"
NAS-IP-Address = 192.168.100.208
NAS-Port = 0
NAS-Identifier = "100"
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "68:96:7B:2F:8D:FC"
Called-Station-Id = "18:64:72:C0:64:66"
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x020500061900
State = 0xb99bddaaba9ec435029562d4233ec38b
Aruba-Essid-Name = "Mitglied"
Aruba-Location-Id = "65-Revisionsklappe"
Aruba-AP-Group = "Instant-C0:64:D2"
Message-Authenticator = 0x1f23c9d07eb78e966a69bf25c2b7b860

 

Moderator
Posts: 681
Registered: ‎04-16-2009

Re: IAP -- WPA-Enterprise with Freeradius

Dynamic Radius Proxy is a feature on the InstantAP found under System -> General ->Dynamic Radius Proxy

 

Create an entry in FreeRadius for the InstantAP VC IP address (.209).

 

Not sure on your client but it may be failing auth and retrying.

Occasional Contributor I
Posts: 8
Registered: ‎10-30-2012

Re: IAP -- WPA-Enterprise with Freeradius

Thanks, no it looks much cleaner.

 

A nice-to-have thing:

I would like that the dashobard in the VC does not display the login-name as name but another string which is returned by the Radius.

Example: the login name is an ID, like "123456789", but the dashobard should display "Jon Doe".

I tried to set the attribute "User-Name = ...." in the response section but then the Authentication fails.

 

Thanks

Thomas

Search Airheads
Showing results for 
Search instead for 
Did you mean: