There is a big ugly ramp up time to learn all the standards and the ins-and-outs of getting 802.1x authentication working. Just stick with it... you'll get there, and you'll be glad you did.
I haven't heard from you whether or not you've taken my advice and tried authentication with a local test user account. If you haven't, I'd like to STRONGLY encourage you to do so. It's the best way that you (and us) can be sure you don't have any problems with certificates, client configs, etc. If it works with a local user account, you'll be able to focus your attention directly at the LDAP to EAP interaction.
I would also VERY strongly encourage you to listen to any configuration advice you get from Alan Dekok. His replies may be a bit... err.. abrupt, but the man really, really, really knows Freeradius. I know I'd still be lost without his help getting my config working.
On Apr 23, 2004, at 5:20 PM, Clayton Dukes wrote:
Thanks for the help guys, I'm taking off for the weekend (it's 7:15pm here)
For now, I have restored my original config which allows ldap auth for my
routers and switches (I need my config backups to run over the weekend).
I'll continue this on Monday, but I do have a parting question:
Is there some way that I can just have a wireless user authenticate directly
to the radius/ldap server using ldap authentication? I really don't care
about certificates. My ideal situation would be for a wireless user to be
prompted for their ldap username/pass and it authenticates based on that.
This way I can keep my configuration on all the routers and switches as
well.
Thanks for all the help!
Regards,
Clayton Dukes
CCNA, CCDA, CCNP, CCDP
Sr. Network Engineer
E Solutions Corp.
http://www.esnet.com
813.301.2620 (o)
813.545.7373 (c)
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clayton Dukes
Sent: Friday, April 23, 2004 6:11 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco 1100 AP and XP Client using tls (PEAP)
Here's my latest error...
TLS_accept:error in SSLv3 read client certificate A
Did I screw up the certificates?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob McCormick
Sent: Friday, April 23, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)
If it's working you should get something like this at the end of the debugs:
modcall: group authenticate returns ok for request 8
Sending Access-Accept of id 47 to 10.140.24.12:21666
        Session-Timeout := 300
        MS-MPPE-Recv-Key = 0xa11d483cf9aba48bfab9540fd61d804c7237c5eda0b4dc05c54135d87943895f
        MS-MPPE-Send-Key = 0xe5318527f167aed0bc874c07f301c966c58b3e93747df14a44b5f67477caaf35
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "bobm"
Finished request 8
Going to the next request
I'm not seeing that in *your* debugs, so unless you left it out, it ain't
working.
Can you post the contents of your users file?
On Apr 23, 2004, at 4:28 PM, Clayton Dukes wrote:
That's what I would have thought -- but the debugs seem to indicate that the laptop is connecting. Any ideas for a next step?
Here's my AP debug:
Apr 23 18:25:05 EST: RADIUS(0000028A): Using existing nas_port 384
Apr 23 18:25:05 EST: RADIUS: Pick NAS IP for uid=650 tableid=0 cfg_addr=10.100.10.10 best_addr=0.0.0.0
Apr 23 18:25:05 EST: RADIUS: Pick NAS IP for uid=650 tableid=0 cfg_addr=10.100.10.10 best_addr=0.0.0.0
Apr 23 18:25:05 EST: RADIUS(0000028A): Send Access-Request to 16.19.20.133:1812 id 21647/105, len 147
Apr 23 18:25:05 EST: RADIUS: Received from id 21647/105 16.19.20.133:1812, Access-Challenge, len 82
Apr 23 18:25:05 EST: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
And here's the associated radius debug:
Cleaning up request 53 ID 105 with timestamp 408997c2
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 16.19.20.5:59475, id=106, length=147
        User-Name = "cdukes"
        Framed-MTU = 1400
        Called-Station-Id = "000f.8f76.2e20"
        Calling-Station-Id = "0006.25a9.8594"
        Message-Authenticator = 0x9b684a21fff2d3e1a47467fd3f363ee2
        EAP-Message = 0x0211000b016364756b6573
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 384
        State = 0x7ef8020751e4e748b152c0a9060b4c2d
        Service-Type = Framed-User
        NAS-IP-Address = 10.100.10.10
        NAS-Identifier = "ap-noc"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 54
  modcall[authorize]: module "preprocess" returns ok for request 54
  modcall[authorize]: module "chap" returns noop for request 54
  modcall[authorize]: module "mschap" returns noop for request 54
    rlm_realm: No '@' in User-Name = "cdukes", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 54
  rlm_eap: EAP packet type response id 17 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 54
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched cdukes at 215
  modcall[authorize]: module "files" returns ok for request 54
modcall: group authorize returns updated for request 54
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 54
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 54
modcall: group authenticate returns handled for request 54
Sending Access-Challenge of id 106 to 26.19.20.5:59475
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x011200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa934524327fc14393c93048971b9574c
Finished request 54
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 54 ID 106 with timestamp 408997e0
Nothing to do. Sleeping until we see a request.
#######END
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, April 23, 2004 5:21 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)
"Clayton Dukes" <[EMAIL PROTECTED]> wrote:
Well, I have it working, at least it appears to be, but I am still not getting an ip on the laptop -- do I need to pass the dhcp server somewhere?
No. The client should send a broadcast DHCP request, and the dhcp server should pick that up.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
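The EAP-Message attributes in the debugs quoted above are raw EAP packets in hex, and reading them off a radiusd -X capture tells you exactly where the conversation stopped. The following is an added example, not code from the thread or from FreeRADIUS: it decodes the three values that appear in this thread (Clayton's Identity response, the server's EAP-TLS Start request, and the EAP Success inside Bob's Access-Accept) and reports whether a capture actually ends in a Success, which is the check Bob describes. The sample log text is constructed from the lines quoted above.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method types: 13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))  # Length / More / Start

def decode_eap(hexstr):
    """Parse one EAP packet: RFC 3748 header, plus Type and TLS flags."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length(2)")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):  # truncated or multi-attribute fragment: do not trust
        raise ValueError(f"length field {length} but {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        eap_type, payload = data[4], data[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:  # Identity: payload is the bare user name
            pkt["identity"] = payload.decode("ascii", "replace")
        elif eap_type in (13, 21, 25) and payload:  # TLS-based: flags byte first
            pkt["flags"] = [n for bit, n in TLS_FLAGS if payload[0] & bit]
    return pkt

EAP_ATTR = re.compile(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)")

def eap_conversation(debug_text):
    """Decode every EAP-Message attribute in a radiusd -X capture, in order."""
    return [decode_eap(h) for h in EAP_ATTR.findall(debug_text)]

def authentication_finished(debug_text):
    """True only when the capture ends with an EAP Success, as Bob's log does."""
    pkts = eap_conversation(debug_text)
    return bool(pkts) and pkts[-1]["code"] == "Success"

# Constructed sample built from the three EAP-Message values quoted in this thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 16.19.20.5:59475, id=106, length=147
        EAP-Message = 0x0211000b016364756b6573
Sending Access-Challenge of id 106 to 16.19.20.5:59475
        EAP-Message = 0x011200060d20
Sending Access-Accept of id 47 to 10.140.24.12:21666
        EAP-Message = 0x03090004
"""
```

Run against Clayton's capture alone, the last decoded packet is the server's EAP-TLS Start request (type 13, flag S), so authentication_finished returns False, which matches Bob's reading of it.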