On Apr 23, 2004, at 2:22 PM, Clayton Dukes wrote:
As far as I can tell, the username is getting accepted, but there's nowhere
for me to put the user's password in.
Does anyone know where the password gets set? I tried setting the password
on my laptop thinking it may pull it from the windows account, but no dice.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob McCormick
Sent: Friday, April 23, 2004 3:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)
I don't know much about the LDAP module, but it sure looks like it's not
returning a password for the user.
Try putting a test user in the users file like this:
localpeap User-Password == "test"
See if you can authenticate as that user.
On Apr 23, 2004, at 2:03 PM, Clayton Dukes wrote:
That did the trick... I'm connecting now but getting an Auth failure. I see where I can set a different username in XP, but where do I set a password?
Here's my output:

Waking up in 4 seconds...
rad_recv: Access-Request packet from host 16.19.20.5:59342, id=99, length=147
        User-Name = "cdukes"
        Framed-MTU = 1400
        Called-Station-Id = "000f.8f76.2e20"
        Calling-Station-Id = "0006.25a9.8594"
        Message-Authenticator = 0x9fe1634ba1f815346a56cf48a7dd3d59
        EAP-Message = 0x02010014016364756b65733a6931323639753131
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 263
        Service-Type = Framed-User
        NAS-IP-Address = 10.100.10.10
        NAS-Identifier = "ap-noc"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 35
  modcall[authorize]: module "preprocess" returns ok for request 35
  rlm_eap: EAP packet type response id 1 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 35
    rlm_realm: No '@' in User-Name = "cdukes", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 35
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched DEFAULT at 218
  modcall[authorize]: module "files" returns ok for request 35
modcall: group authorize returns updated for request 35
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 35
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 35
modcall: group Auth-Type returns invalid for request 35
auth: Failed to validate the user.
Delaying request 35 for 1 seconds
Finished request 35
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 99 to 16.19.20.5:59342
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 34 ID 98 with timestamp 4089758b
Waking up in 3 seconds...
TIA!

Regards,
Clayton Dukes
CCNA, CCDA, CCNP, CCDP
Sr. Network Engineer
E Solutions Corp.
http://www.esnet.com
813.301.2620 (o)
813.545.7373 (c)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob McCormick
Sent: Friday, April 23, 2004 2:26 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)
Here's a config template I use for Cisco 1120 AP's. Try this and see
if it works for you.
!#########################################
! Basic config template for Cisco IOS Access Points
! 4/20/2004 - BDM - I've tested it with 1120's but should work with 1200's
!#########################################
!
!
!###############################
! Remove some junk from the default config that we don't want/need
!##################################
no ip dhcp excluded-address 10.0.0.1 10.0.0.10
no ip dhcp pool local-default-pool
no aaa group server radius rad_mac
no aaa group server radius rad_acct
no aaa group server radius rad_admin
no aaa group server tacacs+ tac_admin
no aaa group server radius rad_pmip
no aaa group server radius dummy
no aaa authentication login mac_methods local
no aaa authorization ipmobile default group rad_pmip
no ip http server
no ip http help-path
!
!
!###########################
! AAA config for EAP authentication and some radius accounting
!#############################
aaa new-model
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
aaa group server radius rad_eap
 server <ipaddress> auth-port 1812 acct-port 1813
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ! ##### Require wep128 encryption
 encryption mode ciphers wep128
 !
 ! ##### rotate broadcast wep key every 10 minutes
 broadcast-key change 600
 !
 ! ##### Create an SSID named "wifi"
 ! ##### Require EAP authentication
 ! ##### broadcast the SSID
 ssid wifi
    authentication open eap eap_methods
    guest-mode
 !
 ! ###### set the data rates support and/or required by the AP
 ! ###### These are the rates recommended by Cisco for best throughput
 ! ###### for supporting both 802.11.b and 802.11g
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 !
 rts threshold 2312
 station-role root
 no cdp enable
 !
 ! ###### Tell the AP to honor the Session-Timeout returned by the Radius server
 dot1x reauth-period server
 !
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disable
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address <ip address> <subnetmask>
!
ip tacacs source-interface BVI1
ip radius source-interface BVI1
radius-server host <ipaddress> auth-port 1812 acct-port 1813 key <key>
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
On Apr 23, 2004, at 1:15 PM, Clayton Dukes wrote:
I can see from searching the mailing list that this has been asked many times, but what I can't seem to locate are config examples or a good howto on setting everything up. I have the radius server set up -- and it appears to work on, but I am not sure what I am lacking/doing wrong on the AP. I have followed the instructions from the following URL: http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm It's a very good guide -- although outdated, I was still able to get the radius and client side configured. What I see now are no requests from the AP to the radius server when I boot up the laptop. The laptop is not able to get to the AP either. I also have LDAP auth turned on, when I telnet to the AP the LDAP piece communicates fine with the radius server so I know the comms are ok.
Does anyone have an example 1100AP config that I can use?
Regards,
Clayton Dukes
CCNA, CCDA, CCNP, CCDP
Sr. Network Engineer
E Solutions Corp.
http://www.esnet.com
813.301.2620 (o)
813.545.7373 (c)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
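Bob's diagnosis above came from reading the radiusd -X output by hand: the request carried an EAP-Message, the users file selected Auth-Type LDAP, and rlm_ldap then returned "invalid" because it needs a User-Password in the request. As an added example (not part of the thread, and not FreeRADIUS code), here is a small Python script that pulls exactly that out of 1.x-style debug output: it groups lines per request number, records each module's return code per section, keeps the module's own error message, and names the failing module together with the reply packet type. The sample lines are a constructed excerpt modelled on the log posted in the thread; the module names and messages it keys on are the ones visible there.

```python
"""Triage helper for FreeRADIUS 1.x 'radiusd -X' debug output.

Added example for this thread, not code from FreeRADIUS or from the posters.
SAMPLE_DEBUG is a constructed excerpt modelled on the output posted above.
"""
import re

SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 16.19.20.5:59342, id=99, length=147
        User-Name = "cdukes"
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 10.100.10.10
        EAP-Message = 0x02010014016364756b65733a6931323639753131
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 35
  modcall[authorize]: module "preprocess" returns ok for request 35
  modcall[authorize]: module "eap" returns updated for request 35
  modcall[authorize]: module "suffix" returns noop for request 35
  modcall[authorize]: module "files" returns ok for request 35
modcall: group authorize returns updated for request 35
  rad_check_password:  Found Auth-Type LDAP
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 35
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 35
modcall: group Auth-Type returns invalid for request 35
auth: Failed to validate the user.
Sending Access-Reject of id 99 to 16.19.20.5:59342
"""

RE_RECV = re.compile(r'^rad_recv: (\S+) packet from host (\S+), id=(\d+)')
RE_ATTR = re.compile(r'^\s+([A-Za-z0-9-]+) = (.+)$')
RE_ENTER = re.compile(r'^modcall: entering group (\S+) for request (\d+)')
RE_MOD = re.compile(r'^\s*modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
RE_AUTHTYPE = re.compile(r'Found Auth-Type (\S+)')
RE_SEND = re.compile(r'^Sending (Access-\w+) of id (\d+)')
# A module's own complaint, e.g. rlm_ldap saying an attribute is required.
RE_RLM_ERR = re.compile(r'^(rlm_\w+): (.*(?:required|failed|error|invalid).*)$', re.I)

FAILING_CODES = ('invalid', 'reject', 'fail', 'notfound', 'userlock')


def parse_debug(text):
    """Return {request_no: info}; info holds the received packet, its
    attributes, (section, module, code) triples, Auth-Type, module error
    messages and the reply packet type."""
    requests = {}
    current = None        # request number of the block we are inside
    pending_recv = None   # rad_recv header seen before the number is known
    pending_attrs = {}
    for line in text.splitlines():
        m = RE_RECV.match(line)
        if m:
            pending_recv = {'packet': m.group(1), 'from': m.group(2), 'id': int(m.group(3))}
            pending_attrs, current = {}, None
            continue
        m = RE_ATTR.match(line)
        if m and current is None:
            pending_attrs[m.group(1)] = m.group(2).strip('"')
            continue
        m = RE_ENTER.match(line)
        if m and current is None:
            current = int(m.group(2))
            requests[current] = {'recv': pending_recv, 'attrs': pending_attrs,
                                 'modules': [], 'auth_type': None,
                                 'errors': [], 'reply': None}
            continue
        if current is None:
            continue
        info = requests[current]
        m = RE_MOD.match(line)
        if m:
            info['modules'].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = RE_AUTHTYPE.search(line)
        if m:
            info['auth_type'] = m.group(1)
            continue
        m = RE_RLM_ERR.match(line)
        if m:
            info['errors'].append((m.group(1), m.group(2)))
            continue
        m = RE_SEND.match(line)
        if m and info['recv'] and int(m.group(2)) == info['recv']['id']:
            info['reply'] = m.group(1)
    return requests


def diagnose(info):
    """Name the first module that returned a failing code, quote the reason
    it printed, and flag an EAP request that was routed to a non-EAP Auth-Type."""
    failing = [t for t in info['modules'] if t[2] in FAILING_CODES]
    if not failing:
        return 'no failing module'
    section, module, code = failing[0]
    reason = next((msg for name, msg in info['errors'] if name == 'rlm_' + module), None)
    verdict = '%s/%s returned %s' % (section, module, code)
    if reason:
        verdict += ': ' + reason
    if 'EAP-Message' in info['attrs'] and info['auth_type'] not in (None, 'EAP'):
        verdict += ' (request carries EAP-Message but Auth-Type was %s, not EAP)' % info['auth_type']
    return verdict


if __name__ == '__main__':
    for number, info in parse_debug(SAMPLE_DEBUG).items():
        print('request %d -> %s: %s' % (number, info['reply'], diagnose(info)))
```

Run it as-is, or replace SAMPLE_DEBUG with a captured radiusd -X session; for the thread's log it reports that the authenticate/ldap module returned invalid because User-Password was required, and that the request was an EAP conversation that had been handed to Auth-Type LDAP.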