My mistake, thanks for clarifying Andreas. I'm just jumping into all this
and it's been a lot to take in in a very short period of time.
Ideally I was after the encryption of WPA and the simple yet secure user
authentication offered by LEAP and freeradius without the complications of
cert management. As you point out though, they are mutually exclusive. 

Anyhow, thanks again for all the help, it's much appreciated.

Sean.


-----Original Message-----
From: Andreas Wolf [mailto:[EMAIL PROTECTED] 
Sent: December 4, 2003 3:50 PM
To: [EMAIL PROTECTED]
Subject: Re: Airport Extreme , WPA Enterprise and LEAP



On Dec 4, 2003, at 1:31 PM, Sean Page wrote:

> Ah, well, that's surprising. All the documentation and config screens  
> seem
> to indicate that LEAP is supported.

No, if you read the documentation you'll find that LEAP is not  
supported in WPA
and LEAP (it cannot work as WPA and LEAP are inherently incompatible).  
Even without WPA,
LEAP is not supported on the Base Station side, i.e. it only works with  
Cisco Access Points
(LEAP is a Cisco thing).

What is supported is to use LEAP on the MacOS X _client_ with a third  
party access point
that supports LEAP. Anyway, if you have WPA, why bother with a  
proprietary protocol?

-Andreas

>  I hadn't really wanted to muck about
> with certs and cert management, but, what the heck. This looks like a  
> great
> how-to, I'll give it a shot tonight and see how it works out.
> Thanks Andreas, much appreciated!
>
> Sean.
>
> -----Original Message-----
> From: Andreas Wolf [mailto:[EMAIL PROTECTED]
> Sent: December 3, 2003 5:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Airport Extreme , WPA Enterprise and LEAP
>
>
> On Dec 3, 2003, at 3:20 PM, Sean Page wrote:
>
>> Hi,
>>
>> First of all let me start with the standard "I am new to RADIUS, be
>> patient
>> with me" disclaimer. :)
>> I'm trying to get WPA Enterprise LEAP support running using AirPort
>> Extreme,
>> FreeRADIUS v0.9.2 on FreeBSD 4.9p1
>
> WPA Enterprise does not support LEAP, at least not with AirPort  
> Extreme.
>
>> When I try to authenticate, the wireless client machine times out and
>> no
>> authentication occurs.
>> It looks to me like the radius server is behaving properly, but I
>> might be
>> blindly missing something, perhaps someone can give me a hand.
>
> AirPort Extreme's WPA implementation supports the following EAP types:
> TLS, TTLS and PEAP.
> So I don't know if you depend on WPA Enterprise or LEAP. If you need
> LEAP then
> I think you need a different Access Point (NAS).
> If you need WPA Enterprise then you can find an example WPA Enterprise
> configuration
> of freeRADIUS at:
>
> http://homepage.mac.com/andreaswolf/public/wpaeap.html#radiusd.conf
>
> It also contains info on how to configure your AirPort Extreme.
>
> -Andreas
>
>> Second question, do I need to manually set a timeout on the radius
>> server
>> for key expiry?
>> Any help would be greatly appreciated.
>>
>> Thanks
>> Sean.
>>
>> Clients.conf:
>>
>> client 192.168.0.250 {
>>         secret          = XXXXXXXXX
>>         shortname       = AirWolf
>>         nastype         = other
>> }
>>
>>
>> In radiusd.conf
>>
>> Pam is commented out
>> default_eap_type = leap
>> Md5 is commented out
>> Passwd and ldap support also commented out.
>> Proxy disabled
>>
>> Users is simply:
>>
>> thewolf         User-Password == "testing"
>>
>> Output from radiusd -X is as follows:
>>
>> Starting - reading configuration files ...
>> reread_config:  reading radiusd.conf
>> Config:   including file: /usr/local/etc/raddb/clients.conf
>> Config:   including file: /usr/local/etc/raddb/snmp.conf
>> Config:   including file: /usr/local/etc/raddb/sql.conf
>>  main: prefix = "/usr/local"
>>  main: localstatedir = "/var"
>>  main: logdir = "/var/log"
>>  main: libdir = "/usr/local/lib"
>>  main: radacctdir = "/var/log/radacct"
>>  main: hostname_lookups = no
>>  main: max_request_time = 30
>>  main: cleanup_delay = 5
>>  main: max_requests = 1024
>>  main: delete_blocked_requests = 0
>>  main: port = 0
>>  main: allow_core_dumps = no
>>  main: log_stripped_names = no
>>  main: log_file = "/var/log/radius.log"
>>  main: log_auth = no
>>  main: log_auth_badpass = no
>>  main: log_auth_goodpass = no
>>  main: pidfile = "/var/run/radiusd/radiusd.pid"
>>  main: bind_address = 192.168.0.1 IP address [192.168.0.1]
>>  main: user = "(null)"
>>  main: group = "(null)"
>>  main: usercollide = no
>>  main: lower_user = "no"
>>  main: lower_pass = "no"
>>  main: nospace_user = "no"
>>  main: nospace_pass = "no"
>>  main: checkrad = "/usr/local/sbin/checkrad"
>>  main: proxy_requests = no
>>  security: max_attributes = 200
>>  security: reject_delay = 1
>>  security: status_server = no
>>  main: debug_level = 0
>> read_config_files:  reading dictionary
>> read_config_files:  reading naslist
>> Using deprecated naslist file.  Support for this will go away soon.
>> read_config_files:  reading clients
>> Using deprecated clients file.  Support for this will go away soon.
>> read_config_files:  reading realms
>> Using deprecated realms file.  Support for this will go away soon.
>> radiusd:  entering modules setup
>> Module: Library search path is /usr/local/lib
>> Module: Loaded expr
>> Module: Instantiated expr (expr)
>> Module: Loaded PAP
>>  pap: encryption_scheme = "crypt"
>> Module: Instantiated pap (pap)
>> Module: Loaded CHAP
>> Module: Instantiated chap (chap)
>> Module: Loaded MS-CHAP
>>  mschap: use_mppe = yes
>>  mschap: require_encryption = no
>>  mschap: require_strong = no
>>  mschap: passwd = "(null)"
>>  mschap: authtype = "MS-CHAP"
>> Module: Instantiated mschap (mschap)
>> Module: Loaded System
>>  unix: cache = no
>>  unix: passwd = "(null)"
>>  unix: shadow = "(null)"
>>  unix: group = "(null)"
>>  unix: radwtmp = "/var/log/radwtmp"
>>  unix: usegroup = no
>>  unix: cache_reload = 600
>> Module: Instantiated unix (unix)
>> Module: Loaded eap
>>  eap: default_eap_type = "leap"
>>  eap: timer_expire = 60
>> rlm_eap: Loaded and initialized the type leap
>> Module: Instantiated eap (eap)
>> Module: Loaded preprocess
>>  preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
>>  preprocess: hints = "/usr/local/etc/raddb/hints"
>>  preprocess: with_ascend_hack = no
>>  preprocess: ascend_channels_per_line = 23
>>  preprocess: with_ntdomain_hack = no
>>  preprocess: with_specialix_jetstream_hack = no
>>  preprocess: with_cisco_vsa_hack = no
>> Module: Instantiated preprocess (preprocess)
>> Module: Loaded realm
>>  realm: format = "suffix"
>>  realm: delimiter = "@"
>> Module: Instantiated realm (suffix)
>> Module: Loaded files
>>  files: usersfile = "/usr/local/etc/raddb/users"
>>  files: acctusersfile = "/usr/local/etc/raddb/acct_users"
>>  files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
>>  files: compat = "no"
>> Module: Instantiated files (files)
>> Module: Loaded Acct-Unique-Session-Id
>>  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
>> Client-IP-Address, NAS-Port-Id"
>> Module: Instantiated acct_unique (acct_unique)
>> Module: Loaded detail
>>  detail: detailfile =
>> "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>>  detail: detailperm = 384
>>  detail: dirperm = 493
>>  detail: locking = no
>> Module: Instantiated detail (detail)
>> Module: Loaded radutmp
>>  radutmp: filename = "/var/log/radutmp"
>>  radutmp: username = "%{User-Name}"
>>  radutmp: case_sensitive = yes
>>  radutmp: check_with_nas = yes
>>  radutmp: perm = 384
>>  radutmp: callerid = yes
>> Module: Instantiated radutmp (radutmp)
>> Listening on IP address 192.168.0.1, ports 1812/udp and 1813/udp.
>> Ready to
>> process requests.
>>
>> rad_recv: Access-Request packet from host 192.168.0.250:1024, id=1,
>> length=180
>>         Framed-MTU = 1466
>>         NAS-IP-Address = 10.0.1.1
>>         NAS-Identifier = "AirWolf"
>>         User-Name = "thewolf"
>>         Service-Type = Framed-User
>>         NAS-Port = 256
>>         NAS-Port-Type = Ethernet
>>         NAS-Port-Id = "wl0"
>>         Called-Station-Id = "00-03-93-ee-f0-2e"
>>         Calling-Station-Id = "00-0a-95-f4-a2-35"
>>         Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>>         EAP-Message = 0x0201000c01746865776f6c66
>>         Message-Authenticator = 0x6a3e34afd8a4094e1af3f640291f3d03
>> modcall: entering group authorize for request 0
>>   modcall[authorize]: module "preprocess" returns ok for request 0
>>   modcall[authorize]: module "chap" returns noop for request 0
>>   rlm_eap: EAP packet type notification id 1 length 12
>>   rlm_eap: EAP Start not found
>>   modcall[authorize]: module "eap" returns updated for request 0
>>     rlm_realm: No '@' in User-Name = "thewolf", looking up realm NULL
>>     rlm_realm: No such realm "NULL"
>>   modcall[authorize]: module "suffix" returns noop for request 0
>>     users: Matched thewolf at 97
>>   modcall[authorize]: module "files" returns ok for request 0
>>   modcall[authorize]: module "mschap" returns noop for request 0
>> modcall: group authorize returns updated for request 0
>>   rad_check_password:  Found Auth-Type EAP
>> auth: type "EAP"
>> modcall: entering group authenticate for request 0
>>   rlm_eap: EAP packet type notification id 1 length 12
>>   rlm_eap: EAP Start not found
>>   rlm_eap: EAP Identity
>>   rlm_eap: processing type leap
>>   rlm_eap_leap: Stage 2
>>   rlm_eap_leap: Issuing AP Challenge
>>   rlm_eap_leap: Successfully initiated
>>   modcall[authenticate]: module "eap" returns ok for request 0
>> modcall: group authenticate returns ok for request 0
>> Sending Access-Challenge of id 1 to 192.168.0.250:1024
>>         EAP-Message = 0x0102001711010008b69ccbda0b6f58d0746865776f6c66
>>         Message-Authenticator = 0x00000000000000000000000000000000
>>         State = 0x0a832a6825413d5827738852723d53dbd44ace3fb7d36766ccb904b90ad5ba71343f70ae
>> Finished request 0
>> Going to the next request
>> --- Walking the entire request list ---
>> Waking up in 6 seconds...
>> --- Walking the entire request list ---
>> Cleaning up request 0 ID 1 with timestamp 3fce4ad4
>> Nothing to do.  Sleeping until we see a request.
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
> --------------
> Andreas Wolf          
> Apple Computer, Inc.
> Technologies, AirPort Engineering
>
>
>
>
>
--------------
Andreas Wolf            
Apple Computer, Inc.
Technologies, AirPort Engineering


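Added example, not from the thread or from FreeRADIUS itself: a small decoder for the EAP-Message attribute values that radiusd -X prints, applied to the two values from Sean's debug output above. It assumes the standard EAP header (code, id, length, type) and the LEAP request layout (version, unused, count, challenge bytes, name) as implemented in rlm_eap_leap; the helper name parse_eap_message is my own.

```python
# Added example (not from the thread): decode the EAP-Message attribute
# values that radiusd -X prints, so the Identity response from the
# client and the LEAP challenge the server sent back can be read.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method types mentioned in the thread (IANA-registered numbers).
EAP_TYPES = {1: "Identity", 13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP"}


def parse_eap_message(hex_value):
    """Parse one EAP-Message attribute as printed by radiusd -X ("0x...")."""
    if hex_value.startswith("0x"):
        hex_value = hex_value[2:]
    data = bytes.fromhex(hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    packet = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return packet  # Success/Failure carry no type byte
    if length < 5:
        raise ValueError("Request/Response without a type byte")
    eap_type = data[4]
    payload = data[5:]
    packet["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:  # Identity: the rest is the peer's identity string
        packet["identity"] = payload.decode("ascii", errors="replace")
    elif eap_type == 17:  # LEAP: version, unused, count, challenge[count], name
        if len(payload) < 3:
            raise ValueError("LEAP payload too short")
        version, _unused, count = struct.unpack("!BBB", payload[:3])
        challenge = payload[3:3 + count]
        if len(challenge) != count:
            raise ValueError("LEAP challenge truncated")
        packet["version"] = version
        packet["challenge"] = challenge.hex()
        packet["name"] = payload[3 + count:].decode("ascii", errors="replace")
    return packet


# The two EAP-Message values copied from the debug output in the thread.
IDENTITY_RESPONSE = "0x0201000c01746865776f6c66"
LEAP_CHALLENGE = "0x0102001711010008b69ccbda0b6f58d0746865776f6c66"

if __name__ == "__main__":
    for value in (IDENTITY_RESPONSE, LEAP_CHALLENGE):
        print(parse_eap_message(value))
```

Decoding the first value gives an EAP Response (id 1) of type Identity carrying "thewolf"; the second is an EAP Request (id 2) of type 17, LEAP, with an 8-byte challenge and the same user name. That matches the "rlm_eap_leap: Issuing AP Challenge" line: the server did exactly what default_eap_type = leap told it to. The trace ends there because, as Andreas explains, AirPort Extreme only carries TLS, TTLS and PEAP, so no LEAP response ever comes back and the client times out; the fix is a different EAP type on both ends, not a server-side timeout.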

