Ability to use equipment AirMax, Radius authentication


ncoronelacosta
12-18-2009, 04:09 AM
Greetings to all who are part of this forum.
I have a question about the authentication methods available to the RocketM5, and I am going to see if you can help me.
Basically I have a WISP platform built on Mikrotik boards with Ubiquiti XR5 mini-PCI cards on the base-station side, and Ubiquiti and Mikrotik equipment on the client side.

Everything works super well, but seeing the great benefits offered by AirMax I have acquired 2 AirMax-5G20-90 antennas and two RocketM5. My problem arises when, glancing at the RocketM5 AirOS, I realize that it does not have, or I have not found, a way to authenticate via an external RADIUS.

My query is whether it is possible to do this with RocketM5 equipment or not and, if it is not, whether there is any news about including this feature in future updates of the RocketM5 AirOS.



Thank you very much from Asunción - Paraguay

Nicolas Coronel

PS: My English is not very good; please forgive me.

Zehd
12-18-2009, 09:53 AM
Greetings to all who are part of this forum.
I have a question about the authentication methods available to the RocketM5, and I am going to see if you can help me.
Basically I have a WISP platform built on Mikrotik boards with Ubiquiti XR5 mini-PCI cards on the base-station side, and Ubiquiti and Mikrotik equipment on the client side.

Everything works super well, but seeing the great benefits offered by AirMax I have acquired 2 AirMax-5G20-90 antennas and two RocketM5. My problem arises when, glancing at the RocketM5 AirOS, I realize that it does not have, or I have not found, a way to authenticate via an external RADIUS.

My query is whether it is possible to do this with RocketM5 equipment or not and, if it is not, whether there is any news about including this feature in future updates of the RocketM5 AirOS.

While it is not currently possible to configure these for external radius auth in the web interface, it IS possible to configure them using ssh. (If you dig around enough in the forum you should find instructions...)

In summary, you configure the web interface as security=none, then ssh into the box, cd into /etc/persistent, create a wpasupplicant file with the correct options, and create a rc.poststart file that runs wpasupplicant using that config file, then save the settings with "cfgmtd -w -p /etc".

I even have a sample wpasupplicant.conf file:

interface=ath0
bridge=br0
driver=madwifi
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
nas_identifier=ap5.ubnt
auth_server_addr=192.168.3.80
auth_server_port=1812
auth_server_shared_secret=testing123
ieee8021x=1

(that is from a working test unit)


PS: My English is not very good; please forgive me.
Ah, don't worry about it--most of us Americans don't speak very good English. We speak American--not the same language. :icon_lol:

ncoronelacosta
12-21-2009, 12:07 PM
I very much appreciate your help, but I'm doing something wrong because I cannot get the recipe you left me running.

Basically what I need to do is:

Set my AP so as to authenticate the connection through the MAC address of the CPE.
I have this configuration running on an ISP with many customers, and seeing the performance of AirMax I want to use this platform, but with this limitation I think it will be impossible to migrate because the administrative burden will be very complicated.

If anyone has a success story and wants to share it with me I'll be most grateful.


I am currently running Mikrotik equipment as base stations and Ubiquiti CPEs.

Thank you very much.

dayas
12-21-2009, 02:00 PM
I would like to know how to get this to work as well. There is another radius post on this forum that I have not been able to get to work. I have created the rc.poststart as well as the hostapd.conf with no success. Your config file has some different settings than the other post as far as what driver you are using and so on. What is the name of the config file you are creating? Is it wpasupplicant.conf?

ncoronelacosta
12-22-2009, 02:47 AM
On the RocketM I have configured the following in /etc/persistent/hostapd.conf:

interface=ath0
bridge=br0
driver=wext
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
own_ip_addr=192.168.0.25
auth_server_addr=192.168.0.187
auth_server_shared_secret=testkey



Then I created another file /etc/persistent/rc.poststart containing:

/bin/hostapd -B /etc/persistent/hostapd.conf


Then run this command:

cfgmtd -w -p /etc/


On the RADIUS side I use a CentOS 5.3 server running FreeRADIUS and MySQL; this setup currently works with the Mikrotik equipment I use.

If the configuration I want is possible, most likely I'm doing something wrong. I very much appreciate the support received.

Or perhaps the client-side equipment needs some configuration that I'm not able to perform.

ether3al
12-23-2009, 01:45 AM
Dayas,

I'm in the same boat as you with that earlier radius post... it will prevent clients from associating but the radius packets never get forwarded...

Some more info on the above config would be great!

ncoronelacosta
12-23-2009, 04:02 AM
I think I have not been understood, because I talk about authentication, when actually what I want to do is the following:
Basically it follows the idea of MAC ACLs, but there is not enough time to use the tool provided by the Ubiquiti firmware when you have an extensive network, so I have configured a MySQL database in which the UserName column of the radcheck table is loaded with the MAC address of each CPE (for example a NanoStation5) that we need to be connected, and the Password column is left blank. When the CPE tries to access the AP, the access point queries the RADIUS server, which in turn checks the database.
When there is a list of customers to be cut off for failure to pay, the server queries the corresponding tables and, for customers in arrears, adds a password in the radcheck table, which completely denies their connection to the AP.

Basically I want to continue doing this with RocketM5 already have two pairs of antennae and RocketM5, and if I can do this I think the team does not help, he would have to modify my procedures, and system validation.

I also think Ubiquiti should add this feature in the short term to its firmware, as this product is presented as a solution for companies providing services.

staslabs
12-26-2009, 02:14 PM
cd into /etc/persistent, create a wpasupplicant file with the correct options, and create a rc.poststart file that runs wpasupplicant using that config file, then save the settings with "cfgmtd -w -p /etc".

How? What must I type in the command line of the ssh terminal? (Sorry, I don't know Linux)

davey
12-26-2009, 06:51 PM
Ah, don't worry about it--most of us Americans don't speak very good English. We speak American--not the same language. :icon_lol:

Your humility is refreshing.

Signed

a European

ncoronelacosta
01-20-2010, 02:44 AM
We are a company that operates in Paraguay providing Internet access, corporate networks and video game networks.

Our entire platform is built, at the base stations, on Mikrotik motherboards with Ubiquiti XR5 wireless interfaces, and on the client side (CPE) on NanoStation5 units and in some cases the Bullet.

Our entire infrastructure is supported by this equipment at the physical level. At the logical level, our management system activates and deactivates users through the MAC addresses of the CPEs, since each customer is assigned a CPE, which has a MAC address, and through a RADIUS server the base equipment accesses the database of our system.

This working architecture is very convenient for us, since it lets us keep the network secure and saves us administrative tasks. We have been operating with this technology for more than 3 and a half years.

When we received news of AirMax we were very excited that this platform would revolutionize the market, offering more features and better operating conditions.

We acquired two RocketM units, two AirMax 5G20-90 antennas and 20 NanostationM units to run tests and, if the tests are positive, to start installing CPEs with M technology.

We were truly very happy with the performance of the AirMax equipment, but unfortunately we found a very delicate problem in applying it to our infrastructure: it has no support for authenticating the CPEs via RADIUS using the MAC address as the username.

If it had this function, our company would migrate all of its base stations to AirMax technology in order to take advantage of the benefits it offers.

Our question is what suggestions or what solution you, as manufacturers of the product, can recommend, since we have already tried many things with little success. I have even been working with the SDK for a few days to see whether I can add that function, but unfortunately it is a task to which I must devote a lot of time, and I do not have much time to delve into this subject.

Thank you very much for taking my question into account.

nataklug
06-25-2010, 12:32 PM
Dear Zehd or anyone who can help,

I am trying to use EAP authentication via FreeRadius on an NS2 Access Point. I need to authenticate my wireless clients somehow. I followed your instructions and get this log when a client tries to connect:

Jun 25 19:23:00 cnett-teste daemon.warn hostapd: ath0: STA 00:24:2c:3f:ae:07 IEEE 802.1X: authentication failed - EAP type: 4 (MD5-Challenge)
Jun 25 19:23:00 cnett-teste daemon.info hostapd: ath0: STA 00:24:2c:3f:ae:07 IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)

Can you help me find the problem? On radius I do not see any request and I think it's something about EAP type 4/3/2... I just can't say what these types are.

While it is not currently possible to configure these for external radius auth in the web interface, it IS possible to configure them using ssh. (If you dig around enough in the forum you should find instructions...)

In summary, you configure the web interface as security=none, then ssh into the box, cd into /etc/persistent, create a wpasupplicant file with the correct options, and create a rc.poststart file that runs wpasupplicant using that config file, then save the settings with "cfgmtd -w -p /etc".

I even have a sample wpasupplicant.conf file:

interface=ath0
bridge=br0
driver=madwifi
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
nas_identifier=ap5.ubnt
auth_server_addr=192.168.3.80
auth_server_port=1812
auth_server_shared_secret=testing123
ieee8021x=1

(that is from a working test unit)


Ah, don't worry about it--most of us Americans don't speak very good English. We speak American--not the same language. :icon_lol:
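
Added example (not part of any forum post): a small Python parser for the two hostapd lines quoted in the last post, which names the EAP type numbers per RFC 3748 and flags methods that cannot work with wpa_key_mgmt=WPA-EAP because they derive no keys. The function names and the wording of the findings are this example's own; the sample lines are the ones from the post.

```python
import re
from collections import defaultdict

# EAP type numbers from RFC 3748 and the IANA EAP registry (subset).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             5: "OTP", 6: "GTC", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
# Methods that export no keying material; WPA-EAP needs a key-deriving method.
NO_KEYS = {4, 5, 6}

LINE_RE = re.compile(
    r"hostapd: (?P<iface>\S+): STA (?P<sta>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.1X: (?P<msg>.*?)(?: - )?EAP type: (?P<type>\d+)", re.I)

# The two log lines quoted in the post above.
SAMPLE_LOG = """\
Jun 25 19:23:00 cnett-teste daemon.warn hostapd: ath0: STA 00:24:2c:3f:ae:07 IEEE 802.1X: authentication failed - EAP type: 4 (MD5-Challenge)
Jun 25 19:23:00 cnett-teste daemon.info hostapd: ath0: STA 00:24:2c:3f:ae:07 IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
"""

def parse(log):
    """Return {station MAC: [(eap_type, message), ...]} in log order."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events[m["sta"].lower()].append((int(m["type"]), m["msg"].strip()))
    return dict(events)

def diagnose(events):
    """Return {station MAC: [finding, ...]} explaining the EAP types seen."""
    findings = {}
    for sta, seen in events.items():
        notes = []
        for eap_type, _msg in seen:
            name = EAP_TYPES.get(eap_type, f"type {eap_type}")
            if eap_type in NO_KEYS:
                notes.append(f"{name}: derives no keys, cannot complete WPA-EAP")
            elif eap_type == 3:
                notes.append("Nak: supplicant declined the requested method")
        findings[sta] = notes
    return findings

if __name__ == "__main__":
    for sta, notes in diagnose(parse(SAMPLE_LOG)).items():
        print(sta, *notes, sep="\n  ")
```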
