I have Cisco Aironet 1100s that I am setting up on a private LAN that
go through a Firewall to get to the internal LAN.  The FreeRadius server
is on the internal LAN.

OK, so what works:  I can connect the client (supplicant) to the
Wireless G Aironet that authenticates to the FreeRadius Server.  I can
then connect to the VPN (which also authenticates to the Radius
server).  Everything there is happy.

What does not work: The Aironets use a system called WDS to allow
roaming between the access points.  I set up one unit to be the primary
WDS, and configure a second Aironet to use WDS.  The Aironets use the
Radius server for authentication, but they are never able to
authenticate with the WDS.

What I think I am doing wrong:  I believe that I need to activate PEAP
for the Cisco Aironets to authenticate.  I have tried to set this up per
documentation, but I get the following error when I now try to activate
the FreeRadius server using "radiusd -A -X", cut to just show the eap
module failure:

******************************************
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "(null)"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
9616:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:632:Expecting: CERTICATE
9616:error:0200100E:system library:fopen:Bad
address:bss_file.c:259:fopen('','r')
9616:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
9616:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system
lib:ssl_rsa.c:513:
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

***************************************************

I have tried to use CA.all to create a certificate, but it gives an
error during the certificate creation.  I have created a certificate
manually using openssl, and moved it into the /usr/local/etc/raddb/certs
folders (and DemoCA folders), but the server still fails.

I am running RedHat 9, kernel 2.4.20-8smp; openssl-0.9.7a-2;
freeradius-0.9.3-1.1

Does anyone know if PEAP is even needed with the Aironets?  If so,
is there another howto or other docs I can RTFM to resolve this
certificate issue, or do I just need to hack all of the config files,
CA.all, etc.?   Has anyone got this type of setup working (Cisco
Aironets running WDS and FreeRadius)?

Dave


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
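The debug output quoted in the post shows `certificate_file = "(null)"` and OpenSSL failing on `fopen('','r')`, so the tls section never names a server certificate. As an added example (not from the post or the FreeRADIUS project), the following script parses the `tls:` lines of `radiusd -X` output for unset file settings and checks a PEM file for the `-----BEGIN CERTIFICATE-----` header that OpenSSL's "no start line" error complains about. The debug excerpt and PEM contents below are constructed samples; the path values are the ones quoted in the post.

```python
import re

# Constructed excerpt of the "radiusd -X" tls lines quoted in the post above.
DEBUG_OUTPUT = """\
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "(null)"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: check_crl = no
"""

# File settings the tls section must point at before EAP-TLS/PEAP can start.
REQUIRED_FILES = ("private_key_file", "certificate_file", "CA_file")

TLS_LINE = re.compile(r'^\s*tls:\s*(\w+)\s*=\s*"?([^"]*?)"?\s*$')


def parse_tls_settings(debug_text):
    """Map 'tls: key = value' debug lines to a dict; "(null)" means unset."""
    settings = {}
    for line in debug_text.splitlines():
        m = TLS_LINE.match(line)
        if m:
            key, value = m.groups()
            settings[key] = None if value in ("(null)", "") else value
    return settings


def unset_required(settings):
    """Names of required file settings that are missing or "(null)"."""
    return [k for k in REQUIRED_FILES if settings.get(k) is None]


def pem_blocks(pem_text):
    """Labels of the PEM blocks present, e.g. ['RSA PRIVATE KEY', 'CERTIFICATE'].

    OpenSSL's PEM reader looks for a '-----BEGIN <label>-----' line; a file
    without one produces 'no start line ... Expecting: CERTIFICATE'.
    """
    return re.findall(r"^-----BEGIN ([A-Z ]+)-----$", pem_text, flags=re.M)


def diagnose(debug_text, cert_pem_text=None):
    """Return findings for the two failure modes visible in the posted output."""
    findings = []
    for key in unset_required(parse_tls_settings(debug_text)):
        findings.append(f"{key} is not set in the eap/tls section")
    if cert_pem_text is not None and "CERTIFICATE" not in pem_blocks(cert_pem_text):
        findings.append("certificate file has no '-----BEGIN CERTIFICATE-----' block")
    return findings
```

Run `diagnose(DEBUG_OUTPUT, open(path).read())` against the file you intend to name in `certificate_file`; both findings must be empty before `radiusd -X` will get past the eap module instantiation.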