Actually, you do care about certificates if you care at all about security. The only EAP types I know of that don't use certificates are Cisco LEAP and the new Cisco FAST. Cisco LEAP is ludicrously insecure (do a Google search for the LEAP cracking tool asLeap if you don't believe me) and I'm dubious that FAST will fare much better in the long term. One of the great things about EAP-TTLS and EAP-PEAP (IMHO) is that they build on existing tried and true TLS (essentially SSL) technology to protect the authentication exchange. But as I'm sure you know from surfing the web, SSL means server side certificates.

There is a big ugly ramp up time to learn all the standards and the ins-and-outs of getting 802.1x authentication working. Just stick with it... you'll get there, and you'll be glad you did.

I haven't heard from you whether or not you've taken my advice and tried authentication with a local test user account. If you haven't, I'd like to STRONGLY encourage you to do so. It's the best way that you (and we) can be sure you don't have any problems with certificates, client configs, etc. If it works with a local user account, you'll be able to focus your attention directly at the LDAP to EAP interaction.

I would also VERY strongly encourage you to listen to any configuration advice you get from Alan DeKok. His replies may be a bit... err.. abrupt, but the man really, really, really knows FreeRADIUS. I know I'd still be lost without his help getting my config working.

On Apr 23, 2004, at 5:20 PM, Clayton Dukes wrote:

Thanks for the help guys, I'm taking off for the weekend (it's 7:15pm here)
For now, I have restored my original config which allows ldap auth for my
routers and switches (I need my config backups to run over the weekend).


I'll continue this on Monday, but I do have a parting question:

Is there some way that I can just have a wireless user authenticate directly
to the radius/ldap server using ldap authentication? I really don't care
about certificates. My ideal situation would be for a wireless user to be
prompted for their ldap username/pass and it authenticates based on that.
This way I can keep my configuration on all the routers and switches as
well.


Thanks for all the help!

Regards,
Clayton Dukes
CCNA, CCDA, CCNP, CCDP
Sr. Network Engineer
E Solutions Corp.
http://www.esnet.com
813.301.2620 (o)
813.545.7373 (c)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clayton
Dukes
Sent: Friday, April 23, 2004 6:11 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco 1100 AP and XP Client using tls (PEAP)


Here's my latest error...
TLS_accept:error in SSLv3 read client certificate A

Did I screw up the certificates?




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob McCormick
Sent: Friday, April 23, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)

If it's working you should get something like this at the end of the
debugs:

modcall: group authenticate returns ok for request 8
Sending Access-Accept of id 47 to 10.140.24.12:21666
Session-Timeout := 300
MS-MPPE-Recv-Key = 0xa11d483cf9aba48bfab9540fd61d804c7237c5eda0b4dc05c54135d87943895f
MS-MPPE-Send-Key = 0xe5318527f167aed0bc874c07f301c966c58b3e93747df14a44b5f67477caaf35
EAP-Message = 0x03090004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "bobm"
Finished request 8
Going to the next request



I'm not seeing that in *your* debugs, so unless you left it out, it ain't
working.
Can you post the contents of your users file?


On Apr 23, 2004, at 4:28 PM, Clayton Dukes wrote:

That's what I would have thought -- but the debugs seem to indicate
that the laptop is connecting.
Any ideas for a next step?

Here's my AP debug:

Apr 23 18:25:05 EST: RADIUS(0000028A): Using existing nas_port 384
Apr 23 18:25:05 EST: RADIUS: Pick NAS IP for uid=650 tableid=0 cfg_addr=10.100.10.10 best_addr=0.0.0.0
Apr 23 18:25:05 EST: RADIUS: Pick NAS IP for uid=650 tableid=0 cfg_addr=10.100.10.10 best_addr=0.0.0.0
Apr 23 18:25:05 EST: RADIUS(0000028A): Send Access-Request to 16.19.20.133:1812 id 21647/105, len 147
Apr 23 18:25:05 EST: RADIUS: Received from id 21647/105 16.19.20.133:1812, Access-Challenge, len 82
Apr 23 18:25:05 EST: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes


And here's the associated radius debug:


Cleaning up request 53 ID 105 with timestamp 408997c2
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 16.19.20.5:59475, id=106,
length=147
        User-Name = "cdukes"
        Framed-MTU = 1400
        Called-Station-Id = "000f.8f76.2e20"
        Calling-Station-Id = "0006.25a9.8594"
        Message-Authenticator = 0x9b684a21fff2d3e1a47467fd3f363ee2
        EAP-Message = 0x0211000b016364756b6573
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 384
        State = 0x7ef8020751e4e748b152c0a9060b4c2d
        Service-Type = Framed-User
        NAS-IP-Address = 10.100.10.10
        NAS-Identifier = "ap-noc"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 54
  modcall[authorize]: module "preprocess" returns ok for request 54
  modcall[authorize]: module "chap" returns noop for request 54
  modcall[authorize]: module "mschap" returns noop for request 54
    rlm_realm: No '@' in User-Name = "cdukes", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 54
  rlm_eap: EAP packet type response id 17 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 54
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched cdukes at 215
  modcall[authorize]: module "files" returns ok for request 54
modcall: group authorize returns updated for request 54
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 54
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 54
modcall: group authenticate returns handled for request 54
Sending Access-Challenge of id 106 to 26.19.20.5:59475
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x011200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa934524327fc14393c93048971b9574c
Finished request 54
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 54 ID 106 with timestamp 408997e0
Nothing to do.  Sleeping until we see a request.

#######END


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Friday, April 23, 2004 5:21 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)

"Clayton Dukes" <[EMAIL PROTECTED]> wrote:
Well, I have it working, at least it appears to be, but I am still
not getting an ip on the laptop -- do I need to pass the dhcp server
somewhere?

  No.  The client should send a broadcast DHCP request, and the dhcp
server should pick that up.

Alan DeKok.


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
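As an added example (not from this thread and not FreeRADIUS project code), here is a small Python checker that pulls the markers the thread argues about out of radiusd debug output: the final Sending Access-Accept/Challenge/Reject line Bob points at as the sign of a working run, the Auth-Type and EAP type the server picked, whether rlm_eap_tls demanded a client certificate, the users-file entries that matched, the MS-MPPE keys, and any TLS_accept error. The two sample inputs are trimmed from the logs quoted above (the failing one also carries the TLS_accept error Clayton posted in his follow-up); the regexes assume the FreeRADIUS 1.x debug wording shown in the thread and tolerate the line wrapping that mail clients add.

```python
"""Checker for FreeRADIUS 1.x debug output (radiusd -X). Added example for
this thread, not FreeRADIUS project code; the regexes assume the 1.x debug
wording quoted in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# \s+ between tokens because mail clients wrap these long lines.
SEND_RE = re.compile(
    r"Sending\s+(Access-(?:Accept|Reject|Challenge))\s+of\s+id\s+(\d+)\s+to\s+(\S+)")
EAP_TYPE_RE = re.compile(r"rlm_eap: processing type (\w+)")
AUTH_TYPE_RE = re.compile(r"Found Auth-Type (\S+)")
USERS_RE = re.compile(r"users: Matched (\S+) at (\d+)")
CLIENT_CERT_RE = re.compile(r"rlm_eap_tls: Requiring client certificate")
TLS_ERR_RE = re.compile(r"TLS_accept:error[^\n]*")


@dataclass
class DebugReport:
    outcome: str = "unknown"            # accept / reject / challenge / unknown
    last_id: str | None = None          # RADIUS id of the last reply sent
    peer: str | None = None             # NAS address the last reply went to
    auth_type: str | None = None
    eap_types: list[str] = field(default_factory=list)
    client_cert_required: bool = False
    mppe_keys: bool = False
    users_matches: list[tuple[str, int]] = field(default_factory=list)
    tls_errors: list[str] = field(default_factory=list)


def analyze_radius_debug(text: str) -> DebugReport:
    """Scan debug output and summarise the markers the thread relies on."""
    rep = DebugReport()
    sends = SEND_RE.findall(text)
    if sends:                                   # the last reply decides
        packet, rep.last_id, rep.peer = sends[-1]
        rep.outcome = packet.split("-", 1)[1].lower()
    m = AUTH_TYPE_RE.search(text)
    rep.auth_type = m.group(1) if m else None
    rep.eap_types = EAP_TYPE_RE.findall(text)
    rep.client_cert_required = CLIENT_CERT_RE.search(text) is not None
    rep.mppe_keys = "MS-MPPE-Recv-Key" in text and "MS-MPPE-Send-Key" in text
    rep.users_matches = [(n, int(ln)) for n, ln in USERS_RE.findall(text)]
    rep.tls_errors = TLS_ERR_RE.findall(text)
    return rep


def diagnose(rep: DebugReport) -> list[str]:
    """Turn the report into plain findings."""
    findings = []
    if rep.outcome == "accept" and rep.mppe_keys:
        findings.append("Access-Accept with MS-MPPE keys: the EAP exchange completed")
    elif rep.outcome == "accept":
        findings.append("Access-Accept without MS-MPPE keys: no session keys for the client")
    elif rep.outcome == "challenge":
        findings.append("last reply was an Access-Challenge: EAP stopped before an Accept")
    elif rep.outcome == "reject":
        findings.append("Access-Reject: authentication failed")
    else:
        findings.append("no Access-Accept/Reject/Challenge line found")
    if rep.client_cert_required:
        findings.append("rlm_eap_tls is requiring a client certificate (EAP-TLS); a "
                        "PEAP/TTLS tunnel needs only a server certificate, so check "
                        "that client and server agree on the EAP type")
    for err in rep.tls_errors:
        findings.append("TLS error: " + err.strip())
    return findings


# Sample input trimmed from the failing debug quoted in this thread, plus the
# TLS_accept error posted in the follow-up message.
FAILING_DEBUG = """\
rad_recv: Access-Request packet from host 16.19.20.5:59475, id=106, length=147
        User-Name = "cdukes"
        EAP-Message = 0x0211000b016364756b6573
    users: Matched DEFAULT at 152
    users: Matched cdukes at 215
  rad_check_password:  Found Auth-Type EAP
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
modcall: group authenticate returns handled for request 54 Sending
Access-Challenge of id 106 to 26.19.20.5:59475
Finished request 54
TLS_accept:error in SSLv3 read client certificate A
"""

# Sample input trimmed from the working run quoted in this thread.
WORKING_DEBUG = """\
modcall: group authenticate returns ok for request 8 Sending Access-Accept
of id 47 to 10.140.24.12:21666
        MS-MPPE-Recv-Key = 0xa11d483cf9aba48bfab9540fd61d804c7237c5eda0b4dc05c54135d87943895f
        MS-MPPE-Send-Key = 0xe5318527f167aed0bc874c07f301c966c58b3e93747df14a44b5f67477caaf35
        User-Name = "bobm"
Finished request 8
"""

if __name__ == "__main__":
    for name, sample in (("failing", FAILING_DEBUG), ("working", WORKING_DEBUG)):
        print(name)
        for finding in diagnose(analyze_radius_debug(sample)):
            print("  -", finding)
```

Run it against a full `radiusd -X` capture (or the text pasted into a mail) and the first finding tells you whether the run ended in an Access-Accept at all, which is the check Bob asks for before anyone looks at the LDAP side.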






