Meraki Access Points Login incorrect for SHA-Password

danodemano danodemano at gmail.com
Sat Dec 4 15:33:16 CET 2010


Alright, I'm going to try my best to explain what's going on here.  I have a
Meraki wireless access point I am trying to get configured to work with
RADIUS.  I have my freeradius server up and running with two other access
points just fine.  However, I cannot get it to work right with the Meraki
one.  It's set up to use MySQL for all the authentication and such and as I
mentioned it works fine with the other two access points.  However, when the
Meraki access point tries to authenticate using SHA-Password credentials in
the MySQL database I get a Login incorrect.  Here is a bit from the radius
log file:

Sat Dec  4 09:21:54 2010 : Auth: Login OK: [testing] (from client Meraki
port 0 via TLS tunnel)
Sat Dec  4 09:21:54 2010 : Auth: Login OK: [testing] (from client Meraki
port 0 cli 00-00-00-00-00-02)
Sat Dec  4 09:22:24 2010 : Auth: Login incorrect: [test2] (from client
Meraki port 0 via TLS tunnel)
Sat Dec  4 09:22:24 2010 : Auth: Login incorrect: [test2] (from client
Meraki port 0 cli 00-00-00-00-00-02)

Both users are in the MySQL database, the only difference is the 'testing'
has a 'Cleartext-Password' while the 'test2' user has an 'SHA-Password'.  If
I try to use the 'test2' user from command line with a radtest it works
fine:

Sat Dec  4 09:23:28 2010 : Auth: Login OK: [test2] (from client localhost
port 10)

It also works correctly with my Untangle box:

Sat Dec  4 09:29:23 2010 : Auth: Login OK: [test2] (from client Untangle
port 0)

I contacted Meraki about it and among other things they said: "It may be
failing because your RADIUS server policy is configured to use the EAP-TLS
authentication method and our test simulates a supplicant using
PEAP-MSCHAPv2."

Honestly I know very little about freeradius.  I have set it up using some
how-to guides on the Internet and it seems to be functioning correctly for
the other two access points.  The record in the 'nas' table for the Meraki
access point is identical to the records for the other access points other
than the IP/shortname.  I have made copies of (I think) all the used config
files if that's helpful.  You can find them all here: 
http://dbunyard.homeip.net/stuff/raddb/
Any help in configuring this would
be greatly appreciated!  If you need any additional information or logs let
me know.
Thanks!
--
Dan
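
Added example, not part of the original post and not FreeRADIUS code: why a hashed password can pass a PAP check (what radtest sends by default) and still fail inside a challenge-response method such as the PEAP-MSCHAPv2 test Meraki describes. It assumes that is the cause here, uses RFC 1994 CHAP as a standard-library stand-in for MS-CHAPv2 (which is built on MD4 and DES instead), and the user records and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed user records mirroring the two accounts in the post.
USERS = {
    "testing": {"Cleartext-Password": "s3cret-one"},
    "test2": {"SHA-Password": hashlib.sha1(b"s3cret-two").hexdigest()},
}

def verify_pap(user, password):
    """PAP: the server receives the password itself, so it can hash and compare."""
    rec = USERS.get(user, {})
    if "Cleartext-Password" in rec:
        return hmac.compare_digest(rec["Cleartext-Password"], password)
    if "SHA-Password" in rec:
        digest = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(rec["SHA-Password"], digest)
    return False

def chap_response(ident, password, challenge):
    """RFC 1994 CHAP response: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def verify_challenge_response(user, ident, challenge, response):
    """Challenge-response: the server must recompute the response from the password."""
    rec = USERS.get(user, {})
    if "Cleartext-Password" not in rec:
        return False  # only a SHA-1 digest is stored: nothing to recompute from
    expected = chap_response(ident, rec["Cleartext-Password"], challenge)
    return hmac.compare_digest(expected, response)

def demo():
    """Return {user: (pap_ok, challenge_response_ok)} for correct credentials."""
    challenge = os.urandom(16)
    results = {}
    for user, pw in (("testing", "s3cret-one"), ("test2", "s3cret-two")):
        resp = chap_response(1, pw, challenge)  # what a correct client sends
        results[user] = (verify_pap(user, pw),
                         verify_challenge_response(user, 1, challenge, resp))
    return results

if __name__ == "__main__":
    for user, (pap, cr) in demo().items():
        print(f"{user}: PAP={'OK' if pap else 'incorrect'} "
              f"challenge-response={'OK' if cr else 'incorrect'}")
```

For MS-CHAPv2 itself, FreeRADIUS needs either a Cleartext-Password or an NT-Password for the user; a SHA-Password entry cannot be converted to either.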