net.fail

A blog about building and running a larger network, with an IPv6-first mentality. And unrelated video/audio/tech-stuff.


Aruba mPSK with Freeradius

2020-05-06

Many wifi-enabled devices intended for home users do not support 802.1X authentication. Some of those are increasingly used in enterprise wifi environments, be it universities, dormitories, or regular businesses with some nice shiny piece of IoT capable of WPA2-PSK only. Some vendors solved this problem by implementing a proprietary authentication method that gives each device a unique WPA2 pre-shared key based on the MAC address of the device, even allowing the use of a RADIUS server to store these identities. Contrary to 802.1X (EAPOL) authentication, both the client and the AP need to be in possession of the correct PSK to associate and complete a 4-way handshake. Therefore, the AP needs to know the exact PSK the client will use to connect. Some vendors store this information in the controllers or APs themselves, others consult a RADIUS server using the MAC address of the client to retrieve the key. Another drawback of any private/multiple-PSK solution is that the PSK cannot be stored in a one-way hashed form, but needs to be available in plaintext.

Aruba recently caught up to other wifi vendors by offering a form of "private PSK" called mPSK (multiple PSK). It is advertised as only usable with the ClearPass Policy Manager; however, it is implemented using the vendor-specific RADIUS attribute "Aruba-MPSK-Passphrase", and also works with FreeRADIUS (provided it is new enough). For details on this, see the entry on v0tti's wiki: Using Aruba MPSK with FreeRadius

Trying to implement it on ArubaOS 8.6, it did not work initially after adding an mPSK SSID in the browser and specifying the IP/secret of the FreeRADIUS server. As this wizard does not allow adding a pre-existing RADIUS server, I just entered any IP (it only accepted a legacy IP address) and changed it to the correct IPv6 address using the CLI. The first test was not successful, though. Following a deep dive into the configuration, I finally figured out the missing piece to get it working. This is an extract of the CLI configuration for mPSK on Aruba, using the SSID "internetofshit".

AAA profiles

aaa authentication mac "internetofshit_mac"
!
aaa authentication dot1x "internetofshit_dot1x"
!
aaa authentication-server radius "iot_radius_1"
    enable-ipv6
    host "{radius_ipv6}"
    key {radius_secret}
    mac-lowercase
    mac-delimiter colon
!
aaa server-group "iot_radius_group"
    auth-server iot_radius_1 position 1
!

mac-lowercase and mac-delimiter are optional, but handy depending on the RADIUS backend storage. The following AAA profile is for deployments with a PEFNG license:

aaa profile "internetofshit_aaa"
    authentication-mac "internetofshit_mac"
    mac-default-role "authenticated"
    mac-server-group "iot_radius_group"
    authentication-dot1x "internetofshit_dot1x"
    dot1x-default-role "authenticated"
    dot1x-server-group "iot_radius_group"
!

If you do not have a PEFNG license, use this AAA profile instead. It basically replaces the role 'authenticated' with 'logon':

aaa profile "internetofshit_aaa"
    authentication-mac "internetofshit_mac"
    mac-default-role "logon"
    mac-server-group "iot_radius_group"
    authentication-dot1x "internetofshit_dot1x"
    dot1x-default-role "logon"
    dot1x-server-group "iot_radius_group"
!

In my first attempt, the mac-server-group was set to default, which was, of course, not configured with any RADIUS server. It is a good idea to leave the default profiles as-is and create copies of them for modification.

VAP and SSID Profiles

wlan ssid-profile "internetofshit_ssid"
    essid "internetofshit"
    opmode mpsk-aes
!
wlan virtual-ap "internetofshit_vap"
    aaa-profile "internetofshit_aaa"
    vlan {default_vlan}
    ssid-profile "internetofshit_ssid"
!

Some useful commands for debugging (to be run on the controller):

show log user-debug 20
show ap client trail-info {mac}
aaa test-server pap iot_radius_1 {mac} {psk} verbose {mac}

I do like the method chosen by Aruba: PSKs retrieved via RADIUS for a specific MAC. Some other manufacturers need to store all MAC/PSK pairs in the AP, or have a single MAC. I have heard the controller caches entries for an amount of time.

Freeradius Config with Postgres-backend

Here are some excerpts from the FreeRADIUS config.

policy.d/mpsk-vlan

mpsk-vlan {
    if ("%{sql:SELECT COUNT(*) FROM macauth WHERE mac='%{User-Name}'}" > 0) {
        update reply {
            Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM macauth WHERE mac='%{User-Name}'}"
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            # https://github.com/FreeRADIUS/freeradius-server/blob/master/share/dictionary/radius/dictionary.aruba
            # https://wiki.v0tti.com/doku.php?id=blog:aruba-mpsk-freeradius
            Aruba-MPSK-Passphrase := "%{sql:SELECT psk FROM macauth WHERE mac='%{User-Name}'}"
        }
        update {
            control:Auth-Type := Accept
        }
    }
    else {
        update request {
            Tmp-String-2 := "M2V|Mac Address not in Database"
        }
        reject
    }
}

sites-enabled/mpsk

Add mpsk-vlan to the authorize section:

    authorize {
        mpsk-vlan
    }

The SQL connection details are in mods-enabled/sql.
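To make the policy above concrete, here is an added example (not code from this post or from the ansible-freeradius role) that emulates the backend the unlang policy queries. It assumes a macauth table with the three columns the policy uses (mac, vlan_id, psk), uses sqlite3 in place of Postgres so it runs offline, normalises MACs into the form the controller sends with mac-lowercase and mac-delimiter colon, generates per-device passphrases within the 8-63 printable ASCII range WPA2 allows, and returns the same reply attributes or the same reject string as mpsk-vlan. The sample MAC addresses are constructed.

```python
import re
import secrets
import sqlite3
import string

# Assumed table layout matching the columns the mpsk-vlan policy selects.
# sqlite3 stands in for the Postgres backend so the example runs offline.
SCHEMA = """
CREATE TABLE macauth (
    mac     TEXT PRIMARY KEY,   -- lowercase, colon-delimited, as the controller sends it
    vlan_id INTEGER NOT NULL,
    psk     TEXT NOT NULL       -- stays plaintext: the AP needs it for the 4-way handshake
);
"""

PSK_ALPHABET = string.ascii_letters + string.digits


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC into the form produced by 'mac-lowercase' + 'mac-delimiter colon'.

    Accepts e.g. 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff', 'AABBCCDDEEFF' or 'aa:bb:cc:dd:ee:ff'.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def valid_psk(psk: str) -> bool:
    """WPA2 passphrase rule: 8 to 63 printable ASCII characters."""
    return 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk)


def generate_psk(length: int = 20) -> str:
    """Per-device passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def open_backend() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def enrol_device(conn, raw_mac, vlan_id, psk=None):
    """Store one device; returns the canonical MAC and the PSK to hand to the device owner."""
    mac = normalize_mac(raw_mac)
    psk = psk or generate_psk()
    if not valid_psk(psk):
        raise ValueError("PSK must be 8-63 printable ASCII characters")
    conn.execute(
        "INSERT INTO macauth (mac, vlan_id, psk) VALUES (?, ?, ?)",
        (mac, vlan_id, psk),
    )
    conn.commit()
    return mac, psk


def authorize(conn, user_name: str) -> dict:
    """Mirror of mpsk-vlan: User-Name is the client MAC as the controller sends it."""
    row = conn.execute(
        "SELECT vlan_id, psk FROM macauth WHERE mac = ?", (user_name,)
    ).fetchone()
    if row is None:
        # Same marker string the policy writes into Tmp-String-2 before rejecting.
        return {"Auth-Type": "Reject", "Tmp-String-2": "M2V|Mac Address not in Database"}
    vlan_id, psk = row
    return {
        "Auth-Type": "Accept",
        "Tunnel-Private-Group-Id": str(vlan_id),
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Aruba-MPSK-Passphrase": psk,
    }


if __name__ == "__main__":
    db = open_backend()
    mac, psk = enrol_device(db, "AA-BB-CC-DD-EE-FF", vlan_id=42)  # constructed sample MAC
    print("enrolled", mac, "on VLAN 42")
    print(authorize(db, mac))                    # Accept with VLAN and passphrase
    print(authorize(db, "00:11:22:33:44:55"))    # constructed unknown MAC: Reject
```

The lookup is keyed on the canonical MAC only, so an inconsistent delimiter or case in the backend is the first thing to check when the controller's "aaa test-server" call is rejected while the device is supposedly enrolled.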

These are excerpts from the Ansible-generated config produced by this role by Klara Mall: ansible-freeradius

If you do not want to deploy it using Ansible, or just want to run a quick'n'dirty PoC, you can download a tar of the FreeRADIUS config dir generated by the Ansible role. This was only tested in an IPv6-only environment.

Last updated 2020-05-25