Hi there! First of all, I know there are other posts about this problem but they didn't solve my issue, so I'm posting here to see if we can make my config work.
Right now I have a FreeRadius daemon running on a CentOS distribution in a virtual machine on a XenServer. I have DaloRadius configured on the same VM also. I have a RouterOS working as a hotspot server on an interface connected to a RB532. This server is also a PPPoE concentrator using UserManager, which I will try to migrate to FreeRadius also. Well, my problem is this:
My FreeRadius gets the call from the RB when a client tries to connect, I use Mikrotik-Wireless-PSK = "PSK" as a reply attribute using the := op and I see in the logs that the RADIUS sends the info to my RB, but for some reason my RB shows “last failure, received deauth”. I think maybe I misplaced some info in the DaloRadius database, but I want the opinion of you guys so I can get WPA2 PSK to authenticate using Radius for the key!
X86      |Wired|   X86                        |Wired|   RB532                |Wireless|
RADIUS ----------> PPPoE and HotSpot Server ----------> WPA2 + RADIUS auth ------------> Clients
Anyway, I wanna know what exactly I can do to make WPA2 PSK on RouterOS authenticate using a FreeRadius with MySQL (which is already configured). I hope I made myself clear about the problem, any info needed just ask!
I hope that you are not using PSK as preshared-key for WPA configuration, it should be at least 8 symbols long.
Configuration required on MikroTik router for the PSK authentication/authorization over RADIUS.
/radius add address=server_IP service=wireless secret
/interface wireless security-profile configuration for WPA2-PSK.
Hi there, actually I'm using for WPA and WPA2 but all my PSK are longer than 8 digits. The config you suggest is already done in my RouterOS, the problem isn't that… As I see, the RB refuses to authenticate when the reply comes from the RADIUS server. I run FreeRadius in debug mode and can see the requests and the Access-Accept reply, but in the RB logs it only shows “got from RADIUS” when it's an Access-Reject. And when it's Access-Accept, the MAC doesn't auth, returning the message I told earlier. It's really strange why that is happening! Still looking for a solution, any feedback would be nice, if I get any solutions I will post here as well.
Hi again, so.. any ideas? I don't think it's a complicated thing to do because a lot of people already use this method, I just wanna know why my system isn't working right. When it goes to the RADIUS server it doesn't auth. Correct me if I'm wrong. First, if I have a wlan interface without WPA2 active, I don't have to put the MAC on the address-list if I want the system to search in the RADIUS database, right? And in a WPA2 scheme I just have to register the MAC and the Mikrotik-Wireless-Psk info in the RADIUS database to auth, right? Is the Mikrotik-Wireless-Psk a check or a reply attribute? Do I use :=, = or == to set the attribute on the RADIUS server? Any advice will be welcomed.. thx guys!
Enable ‘radius,debug’ logs at /system logging and post here the output, when wireless client is trying to connect to the router.
As requested, I'm sending the file with the logs. Just for the record, it's telling that it got a timeout but I checked the server and it is running radiusd and also receiving the packets from my RouterOS! Any help would be great.
log.1.txt (78.4 KB)
What configuration do you have at /radius print at the router?
[xxxx@BrNet - POP Principal] /radius> print
Flags: X - disabled
    SERVICE   CALLED-ID   DOMAIN   ADDRESS       SECRET
0   wireless                       192.168.1.2   idp4206
[xxxx@BrNet - POP Principal] /radius>
That's it, the IP is from an address I have on an interface connected directly with my radius server. This config above is from a RB532 which is connected to a X86 PC with RouterOS, the X86 PC has the direct connection with the radius server.
Ok, /radius export is needed.
/radius
add accounting-backup=no accounting-port=1813 address=192.168.1.2 \
    authentication-port=1812 called-id="" comment="" disabled=no domain="" \
    realm="" secret=xxxxxx service=wireless timeout=300ms
/radius incoming
set accept=yes port=1700
Sorry for the delay in answering!
Hi there, I'm still trying here but without success… any ideas so far?
Hi, so any ideas? I'm still stuck!
/radius configuration is correct.
Just one thought, do you have any masquerade rules?
You should look at what is wrong on the RADIUS.