I don't know much about the LDAP module, but it sure looks like it's not returning a password for the user.

Try putting a test user in the users file like this:

localpeap User-Password == "test"

See if you can authenticate as that user.


On Apr 23, 2004, at 2:03 PM, Clayton Dukes wrote:


That did the trick...
I'm connecting now but getting an Auth failure.
I see where I can set a different username in XP, but where do I set a
password?

Here's my output:
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 16.19.20.5:59342, id=99,
length=147
        User-Name = "cdukes"
        Framed-MTU = 1400
        Called-Station-Id = "000f.8f76.2e20"
        Calling-Station-Id = "0006.25a9.8594"
        Message-Authenticator = 0x9fe1634ba1f815346a56cf48a7dd3d59
        EAP-Message = 0x02010014016364756b65733a6931323639753131
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 263
        Service-Type = Framed-User
        NAS-IP-Address = 10.100.10.10
        NAS-Identifier = "ap-noc"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 35
  modcall[authorize]: module "preprocess" returns ok for request 35
  rlm_eap: EAP packet type response id 1 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 35
    rlm_realm: No '@' in User-Name = "cdukes", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 35
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched DEFAULT at 218
  modcall[authorize]: module "files" returns ok for request 35
modcall: group authorize returns updated for request 35
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 35
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 35
modcall: group Auth-Type returns invalid for request 35
auth: Failed to validate the user.
Delaying request 35 for 1 seconds
Finished request 35
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 99 to 16.19.20.5:59342
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 34 ID 98 with timestamp 4089758b
Waking up in 3 seconds...


TIA! Regards, Clayton Dukes CCNA, CCDA, CCNP, CCDP Sr. Network Engineer E Solutions Corp. http://www.esnet.com 813.301.2620 (o) 813.545.7373 (c)



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bob
McCormick
Sent: Friday, April 23, 2004 2:26 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)

Here's a config template I use for Cisco 1120 AP's. Try this and see
if it works for you.



!#########################################
! Basic config template for Cisco IOS Access Points
! 4/20/2004 - BDM - I've tested it with 1120's but should work with 1200's
!#########################################
!
!
!###############################
! Remove some junk from the default config that we don't want/need
!##################################
no ip dhcp excluded-address 10.0.0.1 10.0.0.10
no ip dhcp pool local-default-pool
no aaa group server radius rad_mac
no aaa group server radius rad_acct
no aaa group server radius rad_admin
no aaa group server tacacs+ tac_admin
no aaa group server radius rad_pmip
no aaa group server radius dummy
no aaa authentication login mac_methods local
no aaa authorization ipmobile default group rad_pmip
no ip http server
no ip http help-path
!
!
!###########################
! AAA config for EAP authentication and some radius accounting
!#############################
aaa new-model
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
aaa group server radius rad_eap
server <ipaddress> auth-port 1812 acct-port 1813
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
! ##### Require wep128 encryption
encryption mode ciphers wep128
! ##### rotate broadcast wep key every 10 minutes
broadcast-key change 600
! ##### Create an SSID named "wifi"
! ##### Require EAP authentication
! ##### broadcast the SSID
ssid wifi
authentication open eap eap_methods
guest-mode
! ###### set the data rates support and/or required by the AP
! ###### These are the rates recommended by Cisco for best throughput
! ###### for supporting both 802.11.b and 802.11g
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
!
rts threshold 2312
station-role root
no cdp enable
! ###### Tell the AP to honor the Session-Timeout returned by the Radius server
dot1x reauth-period server
!
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled


!
interface BVI1
  ip address <ip address> <subnetmask>


!
ip tacacs source-interface BVI1
ip radius source-interface BVI1
radius-server host <ipaddress> auth-port 1812 acct-port 1813 key <key>
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip



On Apr 23, 2004, at 1:15 PM, Clayton Dukes wrote:


I can see from searching the mailing list that this has been asked
many times, but what I can't seem to locate are config examples or a
good howto on setting everything up.
I have the radius server set up -- and it appears to work on, but I am
not sure what I am lacking/doing wrong on the AP.
I have followed the instructions from the following URL:
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
It's a very good guide -- although outdated, I was still able to get
the radius and client side configured.
What I see now are no requests from the AP to the radius server when I
boot up the laptop. The laptop is not able to get to the AP either.
I also have LDAP auth turned on, when I telnet to the AP the LDAP
piece communicates fine with the radius server so I know the comms are ok.


Does anyone have an example 1100AP config that I can use?




Regards, Clayton Dukes CCNA, CCDA, CCNP, CCDP Sr. Network Engineer E Solutions Corp. http://www.esnet.com 813.301.2620 (o) 813.545.7373 (c)




- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
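
The failure pattern in the debug output quoted in this thread (an Access-Request carrying EAP-Message, Auth-Type LDAP selected, then rlm_ldap reporting that User-Password is required) can be picked out of `radiusd -X` output mechanically. The script below is an added example, not part of the original messages or of FreeRADIUS; the sample log, addresses, user names and function names are constructed for illustration.

```python
import re

# Constructed excerpt modelled on the radiusd -X output quoted in this thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.5:59342, id=99, length=147
        User-Name = "alice"
        EAP-Message = 0x0201000a01616c696365
modcall: entering group authorize for request 35
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
rlm_ldap: Attribute "User-Password" is required for authentication.
auth: Failed to validate the user.
rad_recv: Access-Request packet from host 192.0.2.5:59343, id=100, length=160
        User-Name = "bob"
        EAP-Message = 0x0202000801626f62
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
"""

REQ_START = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
AUTH_TYPE = re.compile(r"Found Auth-Type (\S+)")

def parse_requests(debug_text):
    """Group debug lines by received Access-Request and record the key facts."""
    requests = []
    for line in debug_text.splitlines():
        m = REQ_START.match(line)
        if m:
            requests.append({"src": m.group(1), "id": int(m.group(2)), "user": None,
                             "eap": False, "auth_type": None, "needs_password": False})
            continue
        if not requests:
            continue  # lines before the first packet belong to no request
        req, s = requests[-1], line.strip()
        if s.startswith("User-Name ="):
            req["user"] = s.split('"')[1]
        elif s.startswith("EAP-Message ="):
            req["eap"] = True
        elif (m := AUTH_TYPE.search(s)):
            req["auth_type"] = m.group(1)
        elif 'Attribute "User-Password" is required' in s:
            req["needs_password"] = True
    return requests

def find_eap_mismatches(debug_text):
    """Requests that carried EAP-Message but were handed to a non-EAP Auth-Type."""
    return [r for r in parse_requests(debug_text)
            if r["eap"] and r["auth_type"] not in (None, "EAP")]

if __name__ == "__main__":
    for r in find_eap_mismatches(SAMPLE_DEBUG):
        print(f"id={r['id']} user={r['user']} EAP request sent to Auth-Type {r['auth_type']}")
```
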

