Auth WPA2/PSK against radius server

Today I use ‘Access List’ to specify different WPA2/PSK keys for my customers; it’s so hard. Is there a way to use radius to store the keys?

Not with PSK, but if you use EAP the keys will be generated and supplied automatically…

So you should use WPA2/EAP to solve this.


–Tom

It’s a good idea, but my wireless clients (the firmware) do not support the EAP method.

I ask again,

why can’t I auth PSK against radius? Are there technical problems that make it impossible?

PSK is designed for the end user to enter the key, whilst with the EAP method (mostly) it’s designed to be pushed out from a RADIUS server.

There is something called EAP-PSK which uses a combination but I’m not well read on this.

Sorry.

Hello,
this function is very important for us. We have almost 50 routers running StarOs and plan to migrate to Mikrotik or Madwifi. So I would like to know if Mikrotik developers will implement different WPA2 keys for various users over the radius protocol. If not we will choose Madwifi because it has open source code and we can add it. We have a users information system and it controls access to the network via radius, so adding WPA2 keys to the access list is too much additional work.

What would be the advantage of your implementation compared to EAP with certificates, which is a standards-based technology that already works on RouterOS today?

–Tom

Use this attribute:
Mikrotik-Wireless-Psk

Will it be available in the next release/beta version?

It is available from the beginning of version 3.

Do I need to update my MkT Radius Dictionary to use this? I’m trying here but radius says:

Failed to create the pair: Unknown attribute "Mikrotik-Wireless-Psk"

Please update your Radius dictionary with the new attribute

ATTRIBUTE       Mikrotik-Wireless-PSK               16       string

uldis,

Great! It works now!

I updated my Radius dictionary with this new attribute and added a new row in my radreply table.


Thanks

Users are connecting and then the connection is closed.

NAS-Port-Id = "wlan1 - mar_teste1"
User-Name = "00:16:44: AD: 92:18"
Acct-Session-Id = "8,230,003th"
Acct-Authentic = RADIUS
Acct-Status-Type = Stop
Acct-Terminate-Cause = Port-Error


0 ) Dictionary

/usr/local/share/freeradius/dictionary.mikrotik

ATTRIBUTE Mikrotik-Wireless-PSK 16 string

1 ) Records in Radius

INSERT INTO radcheck VALUES(1, 'machado', 'Password', '==', 'machado', '', '');
INSERT INTO radcheck VALUES(2, '00:16:44:ad:92:18', 'Password', '==', '00:16:44:ad:92:18', '', '');

INSERT INTO radgroupcheck VALUES(1, '128', 'Simultaneous-Use', ':=', '1');
INSERT INTO radgroupcheck VALUES(2, 'wireless', 'Auth-Type', ':=', 'Local');

INSERT INTO radgroupreply VALUES(1, '128', 'Mikrotik-Rate-Limit', ':=', '128k/128k', 0);
INSERT INTO radgroupreply VALUES(2, '128', 'Framed-Pool', ':=', 'liberado', 0);

INSERT INTO radreply VALUES(1, '00:16:44:ad:92:18', 'Mikrotik-Wireless-PSK', '=', '12121212');

INSERT INTO usergroup VALUES(1, 'machado', '128');
INSERT INTO usergroup VALUES(2, '00:16:44:AD:92:18', 'wireless');

2 ) Authentication

2.1 )

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

2.2 )

rad_recv: Access-Request packet from host 189.xxx.xxx.xxx:43263, id=130, length=173
Service-Type = 2
NAS-Port-Id = "wlan1 - mar_teste1"
User-Name = "00:16:44:AD:92:18"
Acct-Session-Id = "8230003a"
Calling-Station-Id = "00-16-44-AD-92-18"
Called-Station-Id = "00-02-6F-53-53-C7:mar_teste"
Password = "00:16:44:AD:92:18"
NAS-Identifier = "MikroTik"
NAS-IP-Address = 10.0.0.3

2.3 )

rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [00:16:44:ad:92:18/00:16:44:ad:92:18] (from client mar port 0 cli 00-16-44-AD-92-18)
Processing the post-auth section of radiusd.conf

2.4 )

modcall[post-auth]: module "sql" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 130 to 189.xxx.xxx.xxx port 43263
Mikrotik-Wireless-PSK = "12121212"
Finished request 0

2.5 )

Service-Type = 2
NAS-Port-Id = "wlan1 - mar_teste1"
User-Name = "00:16:44:AD:92:18"
Acct-Session-Id = "8230003a"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Identifier = "MikroTik"
NAS-IP-Address = 10.0.0.3
Acct-Delay-Time = 0

Service-Type = 2
NAS-Port-Id = "wlan1 - mar_teste1"
User-Name = "00:16:44:AD:92:18"
Acct-Session-Id = "8230003a"
Acct-Authentic = RADIUS
Acct-Status-Type = Stop
Acct-Terminate-Cause = Port-Error
Acct-Session-Time = 5
Acct-Input-Octets = 0
Acct-Input-Gigawords = 0
Acct-Input-Packets = 0
Acct-Output-Octets = 645
Acct-Output-Gigawords = 0
Acct-Output-Packets = 5
NAS-Identifier = "MikroTik"
NAS-IP-Address = 10.0.0.3
Acct-Delay-Time = 0
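The reply attribute this thread converges on, Mikrotik-Wireless-PSK (vendor attribute 16, type string), travels inside a RADIUS Vendor-Specific attribute. The Python below is an added example, not code from the thread, MikroTik or FreeRADIUS: it encodes that attribute the way an Access-Accept like the one in step 2.4 carries it, and walks a received attribute list to pull the PSK back out with bounds checks on the wire-supplied lengths. It assumes MikroTik's vendor ID 14988, which the thread does not state, and constructs its own sample Access-Accept.

```python
import re
import struct
from typing import Optional

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type 26, Vendor-Specific
MIKROTIK_VENDOR_ID = 14988    # assumption: MikroTik's IANA enterprise number (not stated in the thread)
MIKROTIK_WIRELESS_PSK = 16    # vendor attribute number from the dictionary line in the thread
_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")

def check_psk(psk: str) -> str:
    """Reject values a WPA2 station cannot use: 8..63 printable ASCII chars, or 64 hex digits."""
    if _HEX64.match(psk):
        return psk
    if not 8 <= len(psk) <= 63 or not all(32 <= ord(c) <= 126 for c in psk):
        raise ValueError("PSK must be 8-63 printable ASCII chars or 64 hex digits")
    return psk

def encode_mikrotik_psk(psk: str) -> bytes:
    """Vendor-Specific attribute: type, length, 4-byte vendor id, then (vendor-type, vendor-length, value)."""
    value = check_psk(psk).encode("ascii")
    sub = struct.pack("!BB", MIKROTIK_WIRELESS_PSK, 2 + len(value)) + value
    body = struct.pack("!I", MIKROTIK_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def find_mikrotik_psk(attrs: bytes) -> Optional[str]:
    """Walk the attribute list of a RADIUS packet (everything after the 20-byte header)
    and return the Mikrotik-Wireless-PSK value if present; length bytes are untrusted."""
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 8:   # 2 header + 4 vendor id + 2 sub-header
            vendor_id = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            sub = attrs[pos + 6:pos + alen]
            spos = 0
            while vendor_id == MIKROTIK_VENDOR_ID and spos + 2 <= len(sub):
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2 or spos + slen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                if stype == MIKROTIK_WIRELESS_PSK:
                    return sub[spos + 2:spos + slen].decode("ascii", "replace")
                spos += slen
        pos += alen
    return None

# Constructed sample: the Access-Accept in step 2.4 carried only this attribute.
SAMPLE_ACCEPT_ATTRS = encode_mikrotik_psk("12121212")
```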

Can this be used to set up dynamic VLAN assignments based on the Private-PSK used?

If I read the following links correctly, then …

It’s not yet the Ruckus DPSK (https://data.kommago.nl/files/pdf/byod-ruckus.pdf).
The user identification is still by the MAC address and not the (D)PSK (see pages 38 to 46 in: https://mdbrasil.com.br/academy/wp-content/uploads/2019/02/MUM_Czech_2009_Maia.pdf ).

So the VLAN id for the user is linked to the MAC address, not just to the PSK used when connecting with the same or any other MAC address.
But the “access-list” with “MAC address, PSK, VLANid” is moved from the APs or CAPsMAN to the RADIUS server.