Tuesday, September 6, 2016

Aerohive ID Manager (IDM) private pre-shared key (PPSK): how does it work?

Aerohive IDM is an AAA server; it speaks RadSec (RADIUS over TLS). Usually, when you authenticate against an AAA server such as RADIUS, the user has to enter a username and password.

What is interesting with Aerohive PPSK + IDM is that you can create a PSK (WPA2-Personal) SSID and hand out a different PSK to each user, and those PSKs are checked against a PSK list held in IDM. So how does this work?





For this, the SSID should be configured in HiveManager as below:






Let's say you push this configuration to three or more access points: two of them are elected as IDM proxies, and all the other access points reach IDM through those two, which act as the RadSec proxies:






Let's say the client connects to the AP with hostname AH-016e80 (172.16.1.55). How do the authentication packets flow? AH-016e80 (172.16.1.55) talks to AH-0168c0 (172.16.1.56) using RADIUS, and AH-0168c0 (172.16.1.56) authenticates the user with IDM using RadSec, so only the proxy-to-IDM hop is TLS protected:


client --- AH-016e80 (172.16.1.55) ----- RADIUS ---- AH-0168c0 (172.16.1.56) --- radsec ----IDM






Pkt capture : https://drive.google.com/open?id=0B3ctVg8ubiwUdmd0T0FKM0Z2S2M

Pkt capture : Client --- AH-016e80 (172.16.1.55) 



Pkt capture : AH-016e80 (172.16.1.55) ----- RADIUS ---- AH-0168c0 (172.16.1.56)




Pkt capture : AH-0168c0 (172.16.1.56) --- radsec ----IDM





How would you see this process in the Aerohive _debug messages? Enable authentication debugging on the AP with:


_debug auth all 

Tech data : https://drive.google.com/open?id=0B3ctVg8ubiwUX0YySndaOElWMnM

---- First connection log @ AH-016e80 (172.16.1.55) (newest entry first; read it bottom to top) -----

[auth_info]: received EAPOL-Key frame (4/4 Pairwise)

[auth_info]: sending 3/4 msg of 4-Way Handshake

[auth_basic]: Obtain PPSK PMK: 451F***
[auth_basic]: Query PPSK success for sta 286a:ba44:1de4, username: ruwanindika+user2@gmail.com, session-timeout: 
notice  ah_auth: authentication OK, username '28-6A-BA-44-1D-E4', service (unknown)

[auth_basic]: Sending PPSK request to external server for sta 286a:ba44:1de4

[auth_info]: ah_wpa_gen_ptk: wpa_verify_key_mic failed

[auth_basic]: try PMK stored in roaming cache, username ruwanindika+user1@gmail.com

[auth_fsm]: WPA: 286a:ba44:1de4 WPA_PTK entering state PTKCALCNEGOTIATING
[auth_info]: received EAPOL-Key frame (2/4 Pairwise)

[auth_info]: WPA: Send EAPOL(version=2 secure=0 mic=0 ack=1 install=0 pairwise=8 kde_len=0 keyidx=0 encr=0)
[auth_info]: sending 1/4 msg of 4-Way Handshake

--------------------------------------------------------


Tech data : https://drive.google.com/open?id=0B3ctVg8ubiwUNm5Qdk5GTmZyTGM

---- After first connection (authenticated from cache) log @ AH-016e80 (172.16.1.55) (newest entry first; read it bottom to top) -----

[auth_info]: received EAPOL-Key frame (4/4 Pairwise)


[auth_info]: sending 3/4 msg of 4-Way Handshake


[auth_basic]: STA(286a:ba44:1de4) successfully match PPSK user(ruwanindika+user2@gmail.com)
[auth_info]: wpa_verify_key_mic: data_len 121, sizeof(*hdr) + sizeof(*key) 99
[auth_dump]: PTK - hexdump(len=48): 7a bf ** **
[auth_dump]: PMK - hexdump(len=32): 45 1f ** **
[auth_info]: WPA: PTK derivation - A1=9c5d:1201:6ea4 A2=286a:ba44:1de4
[auth_info]: wpa_derive_ptk: pmk pointer 1101200632, sm->wpa_key_mgmt 2, sm->wpa_auth->addr 9c5d:1201:6ea4 sm->addr 286a:ba44:1de4
[auth_basic]: try PMK stored in roaming cache, username ruwanindika+user2@gmail.com


[auth_fsm]: WPA: 286a:ba44:1de4 WPA_PTK entering state PTKCALCNEGOTIATING
[auth_info]: received EAPOL-Key frame (2/4 Pairwise)

[auth_info]: WPA: Send EAPOL(version=2 secure=0 mic=0 ack=1 install=0 pairwise=8 kde_len=0 keyidx=0 encr=0)
[auth_info]: sending 1/4 msg of 4-Way Handshake

--------------------------------------------------------
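Both logs above show the same mechanism: the client never tells the AP which PPSK it holds, so after message 2/4 arrives the AP tries candidate PMKs (first the roaming cache, then whatever the external PPSK query returns) until one of them produces a PTK whose KCK verifies the MIC on 2/4 ("wpa_verify_key_mic failed" for user1, then "Query PPSK success" for user2). The following Python is an example added here to show that trial matching end to end; it is not Aerohive code and not from the post. The AP and STA addresses are the A1/A2 values from the log; the SSID, nonces, RSN IE and the two-entry PPSK list are constructed for the example, and the PPSK list stands in for both the roaming cache and IDM's list. The frame layout is the standard one: a 4-byte 802.1X header plus a 95-byte EAPOL-Key descriptor gives the 99 bytes the log prints as "sizeof(*hdr) + sizeof(*key) 99", and a 22-byte RSN IE brings it to the log's data_len 121. "sm->wpa_key_mgmt 2" is the PSK AKM in hostapd-derived code, which uses the HMAC-SHA1-128 MIC implemented below.

```python
import hashlib
import hmac
import struct

# Addresses from the _debug log on this page (A1 = authenticator/AP, A2 = supplicant/STA).
AP_MAC = bytes.fromhex("9c5d12016ea4")
STA_MAC = bytes.fromhex("286aba441de4")

# Everything below is constructed for the example; none of it comes from the capture.
SSID = b"ppsk-demo"
ANONCE = bytes(range(0x10, 0x30))            # 32-byte authenticator nonce (message 1/4)
SNONCE = bytes(range(0xa0, 0xc0))            # 32-byte supplicant nonce (message 2/4)
# Stand-in for the IDM PPSK list (and the AP's roaming cache): username -> per-user PSK.
PPSK_LIST = {
    "user1@example.com": "winter-apples-7701",
    "user2@example.com": "summer-oranges-4412",
}
# Minimal RSN IE: WPA2, CCMP group + pairwise cipher, AKM 2 (PSK). 22 bytes.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")

# EAPOL-Key layout: 802.1X header (4) + key descriptor fixed part (95) = 99 bytes,
# the "sizeof(*hdr) + sizeof(*key) 99" in the log; the 16-byte MIC field starts at 81.
EAPOL_FIXED_LEN = 99
NONCE_OFFSET = 4 + 1 + 2 + 2 + 8             # header, type, key_info, key_len, replay ctr
MIC_OFFSET = NONCE_OFFSET + 32 + 16 + 8 + 8  # nonce, IV, RSC, key ID


def pmk_from_psk(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf384(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-384: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range(3):                        # 3 x 20 bytes >= 48
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for AKM PSK + CCMP: KCK (16) || KEK (16) || TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf384(pmk, b"Pairwise key expansion", data)


def build_m2(snonce: bytes, rsn_ie: bytes, replay_counter: int = 1) -> bytes:
    """Message 2/4 with a zeroed MIC field. key_info 0x010A = descriptor v2, Pairwise, MIC."""
    key = (b"\x02"                                    # descriptor type: RSN
           + struct.pack(">HHQ", 0x010A, 0, replay_counter)
           + snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, key IV, key RSC, key ID
           + bytes(16)                                 # MIC placeholder
           + struct.pack(">H", len(rsn_ie)) + rsn_ie)  # key data = RSN IE
    return b"\x02\x03" + struct.pack(">H", len(key)) + key   # 802.1X v2, type EAPOL-Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1-128 over the whole frame with the MIC field zeroed (descriptor version 2)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def supplicant_m2(psk: str) -> bytes:
    """Client side: derive PMK/PTK from its own PPSK and MIC message 2/4."""
    ptk = derive_ptk(pmk_from_psk(psk, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    frame = build_m2(SNONCE, RSN_IE)
    return frame[:MIC_OFFSET] + eapol_mic(ptk[:16], frame) + frame[MIC_OFFSET + 16:]


def identify_ppsk_user(m2: bytes, ppsk_list: dict):
    """AP side: the STA never says which PSK it holds, so try every candidate PMK
    against the MIC on 2/4. Returns (username, pmk, users_whose_mic_check_failed)."""
    snonce = m2[NONCE_OFFSET:NONCE_OFFSET + 32]
    received = m2[MIC_OFFSET:MIC_OFFSET + 16]
    failed = []
    for user, psk in ppsk_list.items():
        pmk = pmk_from_psk(psk, SSID)
        kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, m2), received):
            return user, pmk, failed           # "Query PPSK success ... username: ..."
        failed.append(user)                    # "wpa_verify_key_mic failed"
    return None, None, failed                  # no PPSK matches: reject the STA


if __name__ == "__main__":
    m2 = supplicant_m2(PPSK_LIST["user2@example.com"])
    user, pmk, failed = identify_ppsk_user(m2, PPSK_LIST)
    print("matched", user, "after MIC failures for", failed, "PMK", pmk.hex()[:8] + "...")
```

Two things follow from the code. Matching cost is one PBKDF2 plus one PTK derivation per candidate, so it grows with the PPSK list; that is why the second log, where the cached PMK verifies 2/4 directly, never sends a PPSK request to the external server. And the same loop is exactly what an attacker runs offline against a captured handshake, one guess per candidate, so a PPSK is only as strong as any other WPA2-Personal passphrase: make the per-user keys long and random rather than memorable.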


