freeradius with UNIFI APs


freeradius with UNIFI APs

Nawar Al Tarazi
I have a problem. My FreeRADIUS server works with radtest and with a normal
home router, but not with UniFi APs. Here is the debug.
The server sends the Access-Accept, but the AP seems not to accept the
connection from the server.

My hardware is UniFi.

Please help.

(0) Received Access-Request Id 4 from 192.168.1.6:44463 to
192.168.1.10:1812 length
245
(0)   User-Name = "[hidden email]"
(0)   NAS-IP-Address = 192.168.1.6
(0)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(0)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   Acct-Session-Id = "9CDA00101279DBED"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027074
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message =
0x0216001e016f6b746172616469757340636f6e74656e7466756c2e636f6d
(0)   Message-Authenticator = 0xeec65192e2ddf53d4d33db8190adf232
(0) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0)   authorize {
(0)     update control {
(0)       Proxy-To-Realm := LOCAL
(0)     } # update control = noop
(0) eap: Peer sent EAP Response (code 2) ID 22 length 30
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new EAP-TLS session
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 23 length 6
(0) eap: EAP session adding &reply:State = 0xfaa47198fab36411
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(0) Sent Access-Challenge Id 4 from 192.168.1.10:1812 to
192.168.1.6:44463 length
0
(0)   EAP-Message = 0x011700061520
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xfaa47198fab36411baefeb91c43d0602
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 5 from 192.168.1.6:44463 to
192.168.1.10:1812 length
394
(1)   User-Name = "[hidden email]"
(1)   NAS-IP-Address = 192.168.1.6
(1)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(1)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   Acct-Session-Id = "9CDA00101279DBED"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027074
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message =
0x021700a115800000009716030100920100008e03035d5188828d15cd4d7a82bf0731e77373065ecf57a0bf3f4d4082633bee46876100002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00
(1)   State = 0xfaa47198fab36411baefeb91c43d0602
(1)   Message-Authenticator = 0xbe4a540bc251f8055feaedc56f6d5fff
(1) session-state: No cached attributes
(1) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(1)   authorize {
(1)     update control {
(1)       Proxy-To-Realm := LOCAL
(1)     } # update control = noop
(1) eap: Peer sent EAP Response (code 2) ID 23 length 161
(1) eap: Continuing tunnel setup
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xfaa47198fab36411
(1) eap: Finished EAP session with state 0xfaa47198fab36411
(1) eap: Previous EAP request found for state 0xfaa47198fab36411, released
from the list
(1) eap: Peer sent packet with method EAP TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Authenticate
(1) eap_ttls: Continuing EAP-TLS
(1) eap_ttls: Peer indicated complete TLS record size will be 151 bytes
(1) eap_ttls: Got complete TLS record (151 bytes)
(1) eap_ttls: [eaptls verify] = length included
(1) eap_ttls: (other): before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: TLS_accept: before SSL initialization
(1) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 0092]
(1) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(1) eap_ttls: >>> send TLS 1.2  [length 003d]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(1) eap_ttls: >>> send TLS 1.2  [length 03e8]
(1) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(1) eap_ttls: >>> send TLS 1.2  [length 014d]
(1) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
(1) eap_ttls: >>> send TLS 1.2  [length 0004]
(1) eap_ttls: TLS_accept: SSLv3/TLS write server done
(1) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server
done
(1) eap_ttls: In SSL Handshake Phase
(1) eap_ttls: In SSL Accept mode
(1) eap_ttls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 24 length 1004
(1) eap: EAP session adding &reply:State = 0xfaa47198fbbc6411
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(1) Sent Access-Challenge Id 5 from 192.168.1.10:1812 to
192.168.1.6:44463 length
0
(1)   EAP-Message =
0x011803ec15c00000058a160303003d02000039030349e81822793d24a35e670383027a3eada3f2f3378a72d3789a4e393459bb0f3600c030000011ff01000100000b0004030001020017000016030303e80b0003e40003e10003de308203da308202c2a003020102020101300d06092a864886f70d0101
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xfaa47198fbbc6411baefeb91c43d0602
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 6 from 192.168.1.6:44463 to
192.168.1.10:1812 length
239
(2)   User-Name = "[hidden email]"
(2)   NAS-IP-Address = 192.168.1.6
(2)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(2)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(2)   NAS-Port-Type = Wireless-802.11
(2)   Service-Type = Framed-User
(2)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(2)   Connect-Info = "CONNECT 0Mbps 802.11b"
(2)   Acct-Session-Id = "9CDA00101279DBED"
(2)   WLAN-Pairwise-Cipher = 1027076
(2)   WLAN-Group-Cipher = 1027074
(2)   WLAN-AKM-Suite = 1027073
(2)   Framed-MTU = 1400
(2)   EAP-Message = 0x021800061500
(2)   State = 0xfaa47198fbbc6411baefeb91c43d0602
(2)   Message-Authenticator = 0xd673ec1af4da37f49eee91a44fff135f
(2) session-state: No cached attributes
(2) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(2)   authorize {
(2)     update control {
(2)       Proxy-To-Realm := LOCAL
(2)     } # update control = noop
(2) eap: Peer sent EAP Response (code 2) ID 24 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xfaa47198fbbc6411
(2) eap: Finished EAP session with state 0xfaa47198fbbc6411
(2) eap: Previous EAP request found for state 0xfaa47198fbbc6411, released
from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 25 length 434
(2) eap: EAP session adding &reply:State = 0xfaa47198f8bd6411
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) Post-Auth-Type sub-section not found.  Ignoring.
(2) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(2) Sent Access-Challenge Id 6 from 192.168.1.10:1812 to
192.168.1.6:44463 length
0
(2)   EAP-Message =
0x011901b215800000058a1243396539a2f1ad1b6a17603569def5a0794b3af441b40273fd27a0361b18742b5e898d798d94b85c2aaa4ede14cfe7c5f7406c7d5eb178bc1e609fbfefb1920ce1f720d4bbd7ea7e4c91a2b0160303014d0c0001490300174104c4784b7e2fc3e8cf21033a4766054d0266e0
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xfaa47198f8bd6411baefeb91c43d0602
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 7 from 192.168.1.6:44463 to
192.168.1.10:1812 length
369
(3)   User-Name = "[hidden email]"
(3)   NAS-IP-Address = 192.168.1.6
(3)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(3)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(3)   NAS-Port-Type = Wireless-802.11
(3)   Service-Type = Framed-User
(3)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(3)   Connect-Info = "CONNECT 0Mbps 802.11b"
(3)   Acct-Session-Id = "9CDA00101279DBED"
(3)   WLAN-Pairwise-Cipher = 1027076
(3)   WLAN-Group-Cipher = 1027074
(3)   WLAN-AKM-Suite = 1027073
(3)   Framed-MTU = 1400
(3)   EAP-Message =
0x0219008815800000007e1603030046100000424104c9371a045101d7c7d9563212df6bc5a5b2417a499869eeaa50453d1f81bc96938addc1a9bf0512021dfdf2091938b4da9646febec921b00a57a717e72e7155861403030001011603030028860b3611b6543395b1c6bbaaf83beea322054daf0beb35
(3)   State = 0xfaa47198f8bd6411baefeb91c43d0602
(3)   Message-Authenticator = 0xd8e7b2d6e17e721eda1f459d4d421864
(3) session-state: No cached attributes
(3) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(3)   authorize {
(3)     update control {
(3)       Proxy-To-Realm := LOCAL
(3)     } # update control = noop
(3) eap: Peer sent EAP Response (code 2) ID 25 length 136
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xfaa47198f8bd6411
(3) eap: Finished EAP session with state 0xfaa47198f8bd6411
(3) eap: Previous EAP request found for state 0xfaa47198f8bd6411, released
from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer indicated complete TLS record size will be 126 bytes
(3) eap_ttls: Got complete TLS record (126 bytes)
(3) eap_ttls: [eaptls verify] = length included
(3) eap_ttls: TLS_accept: SSLv3/TLS write server done
(3) eap_ttls: <<< recv TLS 1.2  [length 0046]
(3) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(3) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(3) eap_ttls: <<< recv TLS 1.2  [length 0010]
(3) eap_ttls: TLS_accept: SSLv3/TLS read finished
(3) eap_ttls: >>> send TLS 1.2  [length 0001]
(3) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(3) eap_ttls: >>> send TLS 1.2  [length 0010]
(3) eap_ttls: TLS_accept: SSLv3/TLS write finished
(3) eap_ttls: (other): SSL negotiation finished successfully
(3) eap_ttls: SSL Connection Established
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 26 length 61
(3) eap: EAP session adding &reply:State = 0xfaa47198f9be6411
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) Post-Auth-Type sub-section not found.  Ignoring.
(3) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(3) Sent Access-Challenge Id 7 from 192.168.1.10:1812 to
192.168.1.6:44463 length
0
(3)   EAP-Message =
0x011a003d15800000003314030300010116030300286d3279646040945eb6f8d448620c0719de823b9e656e0260d632d35eacaa5fa8a16d89afdfad464c
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xfaa47198f9be6411baefeb91c43d0602
(3) Finished request
Waking up in 4.8 seconds.
(4) Received Access-Request Id 8 from 192.168.1.6:44463 to
192.168.1.10:1812 length
332
(4)   User-Name = "[hidden email]"
(4)   NAS-IP-Address = 192.168.1.6
(4)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(4)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   Acct-Session-Id = "9CDA00101279DBED"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027074
(4)   WLAN-AKM-Suite = 1027073
(4)   Framed-MTU = 1400
(4)   EAP-Message =
0x021a00631580000000591703030054860b3611b65433960489141a64f3a8cb7c13b947583a4921f0806cd7acc46445465f35fb81bd6104f94599eefeb0d061f172f627a632af17613fac442a331cd9cb5030708bebf6dcf788682be55ac8c3f52b02ae
(4)   State = 0xfaa47198f9be6411baefeb91c43d0602
(4)   Message-Authenticator = 0xdfcd2b5cc81d4042154a25f616974409
(4) session-state: No cached attributes
(4) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4)   authorize {
(4)     update control {
(4)       Proxy-To-Realm := LOCAL
(4)     } # update control = noop
(4) eap: Peer sent EAP Response (code 2) ID 26 length 99
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xfaa47198f9be6411
(4) eap: Finished EAP session with state 0xfaa47198f9be6411
(4) eap: Previous EAP request found for state 0xfaa47198f9be6411, released
from the list
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer indicated complete TLS record size will be 89 bytes
(4) eap_ttls: Got complete TLS record (89 bytes)
(4) eap_ttls: [eaptls verify] = length included
(4) eap_ttls: [eaptls process] = ok
(4) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(4) eap_ttls: Got tunneled request
(4) eap_ttls:   User-Name = "[hidden email]"
(4) eap_ttls:   User-Password = "BetAThetA135"
(4) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(4) eap_ttls: Sending tunneled request
(4) Virtual server inner-tunnel received request
(4)   User-Name = "[hidden email]"
(4)   User-Password = "BetAThetA135"
(4)   FreeRADIUS-Proxied-To = 127.0.0.1
(4)   NAS-IP-Address = 192.168.1.6
(4)   NAS-Identifier = "F09FC2307B82D74DA8A1"
(4)   Called-Station-Id = "F0-9F-C2-32-7B-82:Seko"
(4)   NAS-Port-Type = Wireless-802.11
(4)   Service-Type = Framed-User
(4)   Calling-Station-Id = "8C-85-90-C9-C4-A5"
(4)   Connect-Info = "CONNECT 0Mbps 802.11b"
(4)   Acct-Session-Id = "9CDA00101279DBED"
(4)   WLAN-Pairwise-Cipher = 1027076
(4)   WLAN-Group-Cipher = 1027074
(4)   WLAN-AKM-Suite = 1027073
(4)   Framed-MTU = 1400
(4) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(4) server inner-tunnel {
(4)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4)     authorize {
(4)       update control {
(4)         Proxy-To-Realm := LOCAL
(4)       } # update control = noop
(4) eap: No EAP-Message, not doing EAP
(4)       [eap] = noop
(4)       [pap] = noop
(4)       if (User-Password) {
(4)       if (User-Password)  -> TRUE
(4)       if (User-Password)  {
(4)         update control {
(4)           Auth-Type := ldap
(4)         } # update control = noop
(4)       } # if (User-Password)  = noop
(4)     } # authorize = noop
(4)   Found Auth-Type = ldap
(4)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4)     authenticate {
rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 153
seconds
rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 152
seconds
rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 151
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 150
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 149
seconds
rlm_ldap (ldap): You probably need to lower "min"
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase
"spare"
rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots
used
rlm_ldap (ldap): Connecting to ldap://contentful.ldap.oktapreview.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (5)
(4) ldap: Login attempt by "[hidden email]"
(4) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(4) ldap:    --> (uid=[hidden email])
(4) ldap: Performing search in "ou=users,dc=contentful, dc=oktapreview,
dc=com" with filter "(uid=[hidden email])", scope "sub"
(4) ldap: Waiting for search result...
(4) ldap: User object found at DN "uid=[hidden email]
,ou=users,dc=contentful,dc=oktapreview,dc=com"
(4) ldap: Waiting for bind result...
(4) ldap: Bind successful
(4) ldap: Bind as user
"uid=[hidden email],ou=users,dc=contentful,dc=oktapreview,dc=com"
was successful
rlm_ldap (ldap): Released connection (5)
Need 2 more connections to reach min connections (3)
rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots
used
rlm_ldap (ldap): Connecting to ldap://contentful.ldap.oktapreview.com:636
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(4)       [ldap] = ok
(4)     } # authenticate = ok
(4)   # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4) } # server inner-tunnel
(4) Virtual server sending reply
(4) eap_ttls: Got tunneled Access-Accept
(4) eap: Sending EAP Success (code 3) ID 26 length 4
(4) eap: Freeing handler
(4)     [eap] = ok
(4)   } # authenticate = ok
(4) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(4) Sent Access-Accept Id 8 from 192.168.1.10:1812 to 192.168.1.6:44463 length
0
(4)   MS-MPPE-Recv-Key =
0x8c05d9a6191d353cf4101fe02b866e7a91dc69e4192eacd39647f6167f7cfd41
(4)   MS-MPPE-Send-Key =
0x6e524da319bdd251d5f4b702316813dfed52e1ee2eb530ff93e742b8d1be8df4
(4)   EAP-Message = 0x031a0004
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   User-Name = "[hidden email]"
(4) Finished request
Waking up in 2.1 seconds.
Waking up in 2.1 seconds.
(0) Cleaning up request packet ID 4 with timestamp +149
(1) Cleaning up request packet ID 5 with timestamp +149
(2) Cleaning up request packet ID 6 with timestamp +149
(3) Cleaning up request packet ID 7 with timestamp +149
Waking up in 7.7 seconds.
(4) Cleaning up request packet ID 8 with timestamp +149
Ready to process requests

--
Nawar Al Tarazi
IT Working Student

[hidden email]
+4915787991702

www.contentful.com
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
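The debug transcript above is the kind of output a practitioner has to read by hand. The following Python script, added here and not part of the original post or of FreeRADIUS, parses the per-request lines of a freeradius -X run (the Received/Sent headers, the three-space-indented attribute lists and the WARNING lines), keeps inner-tunnel attributes out of the outer request, tolerates the mail-client wrapping seen above, and reports what the Access-Accept does and does not carry. The embedded log is constructed to resemble the post's transcript (TEST-NET addresses, dummy password and keys); on a real run, pass the transcript text to parse_debug.

```python
"""Summarise a FreeRADIUS 3.x debug (freeradius -X) transcript per request.

Added example for reading the kind of log posted in this thread; it is not
FreeRADIUS code and only recognises the line shapes a debug run prints:
"(N) Received Access-Request Id ...", "(N) Sent Access-Accept Id ...",
"(N)   Attribute = value" and "(N) WARNING: ...".
"""
import re

RECEIVED = re.compile(r"^\((\d+)\) Received Access-Request Id (\d+) from (\S+)")
SENT = re.compile(r"^\((\d+)\) Sent (Access-(?:Accept|Reject|Challenge)) Id (\d+)")
WARNING = re.compile(r"^\((\d+)\) WARNING: (.*)$")
# Exactly three spaces after "(N)": the attribute list of a received or sent
# packet.  Deeper indentation belongs to unlang output ("    [eap] = ok").
ATTR = re.compile(r"^\((\d+)\)   ([A-Za-z][\w-]*) = (.*)$")
# Any other "(N) message" line ends the attribute list that preceded it.
MESSAGE = re.compile(r"^\(\d+\) \S")


def _new_entry(packet_id, nas):
    return {"id": packet_id, "nas": nas, "request": {}, "reply": None,
            "reply_attrs": {}, "warnings": []}


def parse_debug(text):
    """Return {request_number: entry} in the order the requests appeared."""
    requests = {}
    mode = None  # "request" or "reply": which attribute list is being read
    for raw in text.splitlines():
        line = raw.rstrip()
        m = RECEIVED.match(line)
        if m:
            n = int(m.group(1))
            requests[n] = _new_entry(int(m.group(2)), m.group(3))
            mode = "request"
            continue
        m = SENT.match(line)
        if m:
            n = int(m.group(1))
            entry = requests.setdefault(n, _new_entry(int(m.group(3)), "?"))
            entry["reply"] = m.group(2)
            mode = "reply"
            continue
        m = WARNING.match(line)
        if m:
            n = int(m.group(1))
            if n in requests:
                requests[n]["warnings"].append(m.group(2))
            mode = None
            continue
        if line.strip().isdigit():
            continue  # mail clients wrap "length 245" so the number lands alone
        m = ATTR.match(line)
        if m:
            n = int(m.group(1))
            if mode and n in requests:
                key = "request" if mode == "request" else "reply_attrs"
                requests[n][key][m.group(2)] = m.group(3).strip()
            continue
        if MESSAGE.match(line):
            mode = None  # e.g. "(4) Virtual server inner-tunnel received request"
    return requests


def diagnose(requests):
    """Findings a wireless admin would check before blaming the AP."""
    findings = []
    for n, r in requests.items():
        if r["reply"] is None:
            findings.append(f"({n}) no reply was sent for Id {r['id']}")
        elif r["reply"] == "Access-Accept":
            if not any(a.startswith("MS-MPPE-") for a in r["reply_attrs"]):
                findings.append(f"({n}) Access-Accept has no MS-MPPE keys; "
                                "the AP cannot derive the PMK for WPA-Enterprise")
            if "Tunnel-Private-Group-Id" not in r["reply_attrs"]:
                findings.append(f"({n}) Access-Accept carries no "
                                "Tunnel-Private-Group-Id, so no dynamic VLAN is assigned")
        for w in r["warnings"]:
            findings.append(f"({n}) WARNING: {w}")
    return findings


# Constructed sample shaped like the transcript in the thread (not real data).
SAMPLE_LOG = """\
(0) Received Access-Request Id 4 from 192.0.2.6:44463 to 192.0.2.10:1812 length 245
(0)   User-Name = "user@example.com"
(0)   NAS-IP-Address = 192.0.2.6
(0)   NAS-Port-Type = Wireless-802.11
(0)   EAP-Message = 0x0216001e01
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)     [eap] = handled
(0) Sent Access-Challenge Id 4 from 192.0.2.10:1812 to 192.0.2.6:44463 length 0
(0)   EAP-Message = 0x011700061520
(0)   State = 0xfaa47198fab36411
(0) Finished request
(1) Received Access-Request Id 8 from 192.0.2.6:44463 to 192.0.2.10:1812 length 332
(1)   User-Name = "user@example.com"
(1)   NAS-IP-Address = 192.0.2.6
(1)   State = 0xfaa47198fab36411
(1) Virtual server inner-tunnel received request
(1)   User-Name = "user@example.com"
(1)   User-Password = "not-a-real-password"
(1) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(1)     [ldap] = ok
(1) Sent Access-Accept Id 8 from 192.0.2.10:1812 to 192.0.2.6:44463 length
0
(1)   MS-MPPE-Recv-Key = 0x00
(1)   MS-MPPE-Send-Key = 0x00
(1)   EAP-Message = 0x031a0004
(1)   User-Name = "user@example.com"
(1) Finished request
"""

if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_LOG)
    for n, r in parsed.items():
        print(f"({n}) Id {r['id']} from {r['nas']}: {r['reply']} "
              f"with {sorted(r['reply_attrs'])}")
    for finding in diagnose(parsed):
        print(finding)
```

Run against the transcript in the thread, the script reports an Access-Accept that carries MS-MPPE keys and EAP Success but no Tunnel-* attributes, plus the identity-privacy warning; that is the information the later replies about dynamic VLAN assignment turn on.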
| Threaded
Open this post in threaded view
|

Re: freeradius with UNIFI APs

Alan DeKok-2
On Aug 12, 2019, at 11:47 AM, Nawar Al Tarazi <[hidden email]> wrote:
>
> I have a problem. My FreeRADIUS server works with radtest and with a normal
> home router, but not with UniFi APs. Here is the debug.
> The server sends the Access-Accept, but the AP seems not to accept the
> connection from the server.

  If the AP is ignoring the Access-Accept, then you have to fix the AP.

  Alan DeKok.



Re: freeradius with UNIFI APs

Koenraad Lelong
In reply to this post by Nawar Al Tarazi
On 12/08/19 at 17:47 Nawar Al Tarazi wrote:
> I have a problem. My FreeRADIUS server works with radtest and with a normal
> home router, but not with UniFi APs. Here is the debug.
> The server sends the Access-Accept, but the AP seems not to accept the
> connection from the server.
>
> My hardware is UniFi.
>
> Please help.
>
FWIW, I use a Ubiquiti AP, a UniFi AP-AC-LR, with a UniFi server. It
works fine.
I set up a RADIUS profile, simply giving the correct IP address and port
of FreeRADIUS, and fill in the shared secret.
I don't have VLANs yet.

Koenraad.



Re: freeradius with UNIFI APs

Gregory Sloop
+1
Unifi works fine with FR.

The config on Win10 is a bit confusing - but EAP-TLS does work. [The WPA-Radius setup that seemed most obvious (to me anyway) in W10 does not work for FR-EAP-TLS. I don't seem to have the exact correct config selection handy, but I know I got it working. Plus the new W10 wireless control panel doesn't do you any favors for tweaking configurations till you get them working.]


KL> On 12/08/19 at 17:47 Nawar Al Tarazi wrote:
>> I have a problem. My FreeRADIUS server works with radtest and with a normal
>> home router, but not with UniFi APs. Here is the debug.
>> The server sends the Access-Accept, but the AP seems not to accept the
>> connection from the server.

>> My hardware is UniFi.

>> Please help.

KL> FWIW, I use a Ubiquiti AP, a UniFi AP-AC-LR, with a UniFi server. It
KL> works fine.

+1

Re: freeradius with UNIFI APs

Nawar Al Tarazi
I use EAP-TTLS/PAP. Is there anything different in the settings, a
certificate-related thing?
Because, as I said, the server sends Access-Accept but it seems the AP just
ignores it.

On Tue, Aug 13, 2019 at 7:57 PM Gregory Sloop <[hidden email]> wrote:

> +1
> Unifi works fine with FR.
>
> The config on Win10 is a bit confusing - but EAP-TLS does work. [The
> WPA-Radius setup that seemed most obvious (to me anyway) in W10 does not
> work for FR-EAP-TLS. I don't seem to have the exact correct config
> selection handy, but I know I got it working. Plus the new W10 wireless
> control panel doesn't do you any favors for tweaking configurations till
> you get them working.]
>
>
> KL> On 12/08/19 at 17:47 Nawar Al Tarazi wrote:
> >> I have a problem. My FreeRADIUS server works with radtest and with a
> normal
> >> home router, but not with UniFi APs. Here is the debug.
> >> The server sends the Access-Accept, but the AP seems not to accept the
> >> connection from the server.
>
> >> My hardware is UniFi.
>
> >> Please help.
>
> KL> FWIW, I use a Ubiquiti AP, a UniFi AP-AC-LR, with a UniFi server. It
> KL> works fine.
>
> +1
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



--
Nawar Al Tarazi
IT Working Student

[hidden email]
+4915787991702

www.contentful.com

Re: freeradius with UNIFI APs

arr2036


> On 14 Aug 2019, at 06:06, Nawar Al Tarazi <[hidden email]> wrote:
>
> I use EAP-TTLS/PAP. Is there anything different in the settings, a
> certificate-related thing?
> Because, as I said, the server sends Access-Accept but it seems the AP just
> ignores it.

Though I found in our setup we had to define the VLANs as networks on the UniFi controller before it'd let us assign them, and the kit exhibited that behaviour for undefined VLANs.

Maybe that's the issue here? Or some variant of it?

-Arran


Arran Cudbard-Bell <[hidden email]>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2



Re: freeradius with UNIFI APs

Elias Pereira
Arran, you can configure the VLANs directly in FreeRADIUS and then, in the
UniFi controller, check "Enable RADIUS assigned VLAN for wireless network". We
have it here and it works perfectly.

/etc/freeradius/sites-available/default

# Call the ldap module first so that Ldap-Group is populated for the
# comparisons below (the enclosing section is not shown in this post).
ldap
if (Ldap-Group == "CN=ADM,OU=GRUPOS,DC=campus,DC=mycompany,DC=com") {
        # RFC 2868 tunnel attributes: the AP puts this client on VLAN 51
        update reply {
                &Tunnel-Type = VLAN
                &Tunnel-Medium-Type = IEEE-802
                &Tunnel-Private-Group-Id = "51"
        }
}
elsif (Ldap-Group == "CN=ALUNOS,OU=GRUPOS,DC=campus,DC=mycompany,DC=com") {
        # Same triplet, VLAN 40 for this group
        update reply {
                &Tunnel-Type = VLAN
                &Tunnel-Medium-Type = IEEE-802
                &Tunnel-Private-Group-Id = "40"
        }
}
else {
        # Users in neither group are refused outright
        update reply {
                Reply-Message := "Sem acesso!"
        }
        reject
}

On Thu, Aug 15, 2019 at 2:54 PM Arran Cudbard-Bell <
[hidden email]> wrote:

>
>
> > On 14 Aug 2019, at 06:06, Nawar Al Tarazi <[hidden email]>
> wrote:
> >
> > I use EAP-TTLS/PAP , is there anything different in the settings,
> > Certificate related thing ?
> > because as i said , the Server sends Access-Accept but it seems the AP
> just
> > ignore it
>
> Though I found in our setup we had to define the VLANs as networks on the
> UniFi controller before it'd let us assign them, and the kit exhibited that
> behaviour for undefined VLANs.
>
> Maybe that's the issue here? Or some variant of it?
>
> -Arran
>
>
> Arran Cudbard-Bell <[hidden email]>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



--
Elias Pereira
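The update reply block in the post above produces three RFC 2868 tagged attributes on the wire. The following Python code is added here and is not code from FreeRADIUS or from the configuration above: it encodes that triplet the way a RADIUS server sends it (tag 0 is assumed, which is what an untagged &Tunnel-* assignment is taken to yield) and decodes it the way a NAS has to before applying the VLAN: all three attributes present under the same tag, Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6), and a Tunnel-Private-Group-Id that is a numeric 802.1Q id in 1..4094. The attribute numbers and enumerated values come from RFC 2868 and the FreeRADIUS dictionary; the sample buffers are constructed.

```python
"""Encode and decode the RFC 2868 tunnel attributes behind an
"update reply { &Tunnel-Type = VLAN ... }" block.

Added example, not FreeRADIUS code.  Tag 0 (untagged) is assumed as the
default a server sends when the configuration gives no tag.
"""
import struct

TUNNEL_TYPE = 64               # RFC 2868 section 3.1
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 section 3.2
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 section 3.6
TUNNEL_TYPE_VLAN = 13          # "VLAN" in the FreeRADIUS dictionary
TUNNEL_MEDIUM_IEEE_802 = 6     # "IEEE-802"
MAX_TAG = 0x1F                 # a larger first octet is data, not a tag


def _tagged_int(attr_type, tag, value):
    """Type | Length=6 | Tag | 3-byte big-endian value."""
    if not 0 <= tag <= MAX_TAG or not 0 <= value < (1 << 24):
        raise ValueError("tag or value out of range")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, tag, text):
    """Type | Length | Tag | string (no terminator)."""
    data = text.encode("ascii")
    if not 0 <= tag <= MAX_TAG or len(data) + 3 > 255:
        raise ValueError("tag or string out of range")
    return struct.pack("!BBB", attr_type, len(data) + 3, tag) + data


def vlan_assignment(vlan_id, tag=0):
    """The three attributes a NAS needs to put a client on vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("802.1Q VLAN ids run from 1 to 4094")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(buf):
    """Walk the TLVs; return [(type, tag, value)], tag None for untagged types."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        body = buf[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 octets")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet above 0x1F is part of the string, not a tag.
            if body and body[0] <= MAX_TAG:
                out.append((attr_type, body[0], body[1:].decode("ascii")))
            else:
                out.append((attr_type, 0, body.decode("ascii")))
        else:
            out.append((attr_type, None, body))
        i += length
    return out


def assigned_vlan(buf):
    """VLAN id the NAS should apply, or None if the triplet is absent/inconsistent."""
    groups = {}
    for attr_type, tag, value in parse_attributes(buf):
        if tag is not None:
            groups.setdefault(tag, {})[attr_type] = value
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            gid = group.get(TUNNEL_PRIVATE_GROUP_ID, "")
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None


if __name__ == "__main__":
    # Constructed: the reply the ADM branch above would produce.
    accept = vlan_assignment(51)
    print(accept.hex(), "->", assigned_vlan(accept))
    # Constructed: the same reply with Tunnel-Medium-Type dropped is not applied.
    print(assigned_vlan(accept[:6] + accept[12:]))
```

Decoding with the tag rule matters in practice: a server that sends the three attributes with different tags, or leaves one of them out, produces a reply that a conformant NAS silently ignores, which looks exactly like "the AP just ignores the Access-Accept".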

Re: freeradius with UNIFI APs

arr2036


> On 15 Aug 2019, at 14:22, Elias Pereira <[hidden email]> wrote:
>
> Arran, you can configure the VLANs directly in FreeRADIUS and then, in the
> UniFi controller, check "Enable RADIUS assigned VLAN for wireless network". We
> have it here and it works perfectly.

This was for the FreeRADIUS/Network RADIUS office where all the octopuses live, we know how to do dynamic VLAN assignment ;)

"Enable RADIUS assigned VLAN for wireless network" was enabled for the SSID in question, but again, dynamic VLAN assignments only started working correctly after we'd added the VLANs as networks in the Unifi controller.

Maybe this was just a coincidence, and the APs just had to warm up to the fact they were going to be assigning VLANs dynamically, I've certainly had issues with them not passing traffic correctly when VLANs are assigned for the first time. It's probably something about how the VLAN interfaces are dynamically instantiated on the APs.  I've never looked into how hostapd actually does it... Maybe it doesn't and it's all proprietary Ubiquiti code.  I know for a long time they didn't even support dynamic VLAN assignment, which suggests it wasn't just a configuration option in hostapd.conf.

I'm glad they finally added it though, along with some of the accounting fixes I suggested.

-Arran

Arran Cudbard-Bell <[hidden email]>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2



Re: freeradius with UNIFI APs

Matthew Newton-3
On Thu, 2019-08-15 at 15:15 -0400, Arran Cudbard-Bell wrote:
> > On 15 Aug 2019, at 14:22, Elias Pereira <[hidden email]> wrote:
> >
> > Arran, you can configure the VLANs directly in FreeRADIUS and then,
> > in the UniFi controller, check "Enable RADIUS assigned VLAN for wireless
> > network". We have it here and it works perfectly.
>
> This was for the FreeRADIUS/Network RADIUS office where all the
> octopuses live, we know how to do dynamic VLAN assignment ;)

Not _all_ the octopuses. I look after some here...

> Maybe this was just a coincidence, and the APs just had to warm up to
> the fact they were going to be assigning VLANs dynamically

Unifi seems a bit odd, and I can't explain its behaviour.

I've got four VLANs to the AP, let's say 7, 8, 9 and 10.

VLAN 7 is default, is defined in Unifi by network address range only
(the VLAN number isn't in the Unifi config), and dynamic assignment on
SSID1 works fine.

VLAN 8 is the static VLAN on SSID2 (no dynamic assignment). There is no
network covering it in the Unifi config. SSID2 works fine, but
dynamically assigning VLAN 8 on SSID1 doesn't.

VLAN 9 is not defined in Unifi anywhere. Dynamic assignment works fine.

VLAN 10 is defined in Unifi as a Network. Dynamic assignment doesn't
work.

AP has trunk - VLAN 7,8,9 are tagged, VLAN 10 is untagged (the AP
management is on 10).

(There's actually also another VLAN which is at another site on another
AP, and that's not defined anywhere either, but works fine dynamically
assigned.)

So that looks like the network must *not* be known to Unifi for it to
work. Except in my case for VLAN 8. But I have a feeling I read
somewhere that statically assigned VLANs for an SSID can't be
dynamically assigned for another SSID (grrr) which might explain that
one.

(I just added network 8 to the Unifi config and it still doesn't work
when dynamically assigned to a user. I also added network 9, and that
still *does* work. <sigh>)

I don't have a Unifi "security gateway", this is all normal switches
and routers.

My *guess* is that the "networks" list is irrelevant for dynamic
assignment: the untagged VLAN doesn't work, any static VLAN for another
SSID doesn't work, but all other VLANs do.

All rather weird. One thing is certain, though: FreeRADIUS is working
perfectly ;-)

--
Matthew



Re: freeradius with UNIFI APs

arr2036


> On 15 Aug 2019, at 17:09, Matthew Newton <[hidden email]> wrote:
>
> On Thu, 2019-08-15 at 15:15 -0400, Arran Cudbard-Bell wrote:
>>> On 15 Aug 2019, at 14:22, Elias Pereira <[hidden email]> wrote:
>>>
>>> Arran, you can configure the VLANs directly in FreeRADIUS and then,
>>> in the UniFi controller, check "Enable RADIUS assigned VLAN for wireless
>>> network". We have it here and it works perfectly.
>>
>> This was for the FreeRADIUS/Network RADIUS office where all the
>> octopuses live, we know how to do dynamic VLAN assignment ;)
>
> Not _all_ the octopuses. I look after some here...

True :)

>
>> Maybe this was just a coincidence, and the APs just had to warm up to
>> the fact they were going to be assigning VLANs dynamically
>
> Unifi seems a bit odd, and I can't explain its behaviour.

"At the time of writing, one known limitation with RADIUS controlled VLANs is that you can't share a VLAN ID between RADIUS users and a static VLAN assignment on another SSID on that AP. So, if SSID1 has a static VLAN assignment of 10, and SSID2 is configured for RADIUS controlled VLANs, the users on SSID2 cannot use the VLAN ID of 10, but they can use any other VLAN ID. If you had a 3rd SSID, that also used RADIUS controlled VLANs, you can use the same VLAN IDs as you would for the users on SSID 2 (except for 10). This applies on a per-AP basis. Disabling the wireless network on the controller is sufficient means to avoid the static VLAN overlap while transitioning to dynamic VLAN."

https://help.ubnt.com/hc/en-us/articles/219654087-UniFi-Using-VLANs-with-UniFi-Wireless-Routing-Switching-Hardware

That's what got us.  We had a "legacy" SSID for devices which couldn't do 802.1X, which had one of the VLANs we were assigning dynamically configured.

Setting the legacy network to mac-auth and removing the static VLAN assignment fixed it.

> My *guess* is that the "networks" list is irrelevant for dynamic
> assignment:

Yeah I agree, it was definitely this other issue.

> the untagged VLAN doesn't work, any static VLAN for another
> SSID doesn't work, but all other VLANs do.
> All rather weird. One thing is certain, though: FreeRADIUS is working
> perfectly ;-)

Indeed :)

-Arran


Arran Cudbard-Bell <[hidden email]>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

