Hi folks,  I have some Aironet 1100s and a WLSE on eval loan and am
trying to make sense of how Cisco's WDS (and the WLSE!) use RADIUS
to authenticate themselves.  We got user authentication going, but
the infrastructure devices are a bit confusing.

Thought I'd ask here as there have been some discussions in the past
about this subject, and notably this patch...

http://lists.cistron.nl/pipermail/freeradius-users/2004-September/035796.html

I don't seem to be having much luck with or without this patch, with
FreeRADIUS 1.0.1 or the CVS snapshot - so am (hopefully!) doing
something stupid :-)

I defined a RADIUS user for my WDS slave APs, per:

  myslaveap          Auth-Type := Accept, User-Password == "mypassword"

And set my WDS "slave" APs up per... (IOS config:)

  wlccp ap username myslaveap password 0 mypassword

Their WLCCP/WDS requests are successfully being converted into RADIUS
requests by the WDS master AP, and the RADIUS server has all sorts of
nice things to say like so:

  rad_recv: Access-Request packet from host XXXXXX:1645, id=219, length=140
          User-Name = "myslaveap"
          Framed-MTU = 1400
          Called-Station-Id = "000deddf77b8"
          Calling-Station-Id = "000dedb88cd2"
          Service-Type = Login-User
          Message-Authenticator = 0x9896853fe08e222a1567d74ab645f328
          EAP-Message = 0x0202000b01666c72332d32
          NAS-Port-Type = Wireless-802.11
          NAS-Port = 474
          NAS-IP-Address = XXXXXX
          NAS-Identifier = "myslaveap"
    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
    modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_eap: EAP packet type response id 2 length 11
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module "eap" returns updated for request 0
      users: Matched entry myslaveap at line 1
    modcall[authorize]: module "files" returns ok for request 0
  modcall: group authorize returns updated for request 0
    rad_check_password:  Found Auth-Type Accept
    rad_check_password: Auth-Type = Accept, accepting the user
  Sending Access-Accept of id 219 to XXXXXX:1645

However my APs don't get further than this:

  mymasterap#sh wlccp wds ap
      MAC-ADDR       IP-ADDR          STATE         LIFETIME
   000d.edb8.8cd2    XXXXXX          AUTH IN PROGRESS        - 

Looking at the Cisco debugging output (IOS 12.3(2)JA2) I'm wondering
if the request/response IDs are out of whack as per the WLSE - i.e.
the response that's coming back doesn't have the ID that the WDS
master AP is expecting.

Feb 11 14:26:56: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = 000d.edb8.8cd2, Rsp = 000d.eddf.77b8, Req 000d.edb8.8cd2, id 3 auth 0 key 0
Feb 11 14:26:56: dot11_auth_parse_client_pak: Received EAPOL packet from 000d.edb8.8cd2
Feb 11 14:26:56: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
Feb 11 14:26:56: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = 000d.edb8.8cd2, Rsp = 000d.eddf.77b8, Req 000d.edb8.8cd2, id 4 auth 0 key 0
Feb 11 14:26:56: dot11_auth_parse_client_pak: Received EAPOL packet from 000d.edb8.8cd2
Feb 11 14:26:56: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 000d.edb8.8cd2
Feb 11 14:26:56: dot11_auth_dot1x_send_response_to_server: Sending client 000d.edb8.8cd2 data to server
Feb 11 14:26:56: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Feb 11 14:26:56: dot11_auth_dot1x_parse_aaa_resp: Received server response: PASS
Feb 11 14:26:56: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 000d.edb8.8cd2
Feb 11 14:26:56: dot11_auth_dot1x_send_client_fail: Authentication failed for 000d.edb8.8cd2
Feb 11 14:26:56: dot11_auth_send_msg:  sending data to requestor status 0
Feb 11 14:26:56: dot11_auth_send_msg: client FAILED to authenticate 000d.edb8.8cd2, node_type 1 for application 0x1
Feb 11 14:26:56: dot11_auth_delete_client_entry: 000d.edb8.8cd2 is deleted for application 0x1
Feb 11 14:26:56: WDS: DOT11_AAA_FAILURE ... 
Feb 11 14:26:56: WDS: WLCCP_TYPE_AAA (FINISH) sent with Source IP = XXXXXX, Org = 000d.eddf.77b8, Rsp = 000d.edb8.8cd2, Req 000d.edb8.8cd2, auth 4, key 0

This master WDS AP has a config which looks like this:

  wlccp authentication-server infrastructure FOO
  wlccp wds priority 254 interface BVI1

  aaa group server radius FOO
   server-private YYYYYY auth-port 1812 acct-port 1813 key 0 foo

  aaa authentication login FOO group FOO
  aaa authorization network FOO group FOO 

and the FreeRADIUS clients.conf says:

  client XXXXXX {
          secret = foo
          shortname = mymasterap
          nastype = cisco
  }

eap.conf says:

        eap {
                default_eap_type = leap
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no

                md5 {
                }

                leap {
                }

                gtc {
                        auth_type = PAP
                }

                mschapv2 {
                }
        }

radiusd.conf says:
  
  modules {
  $INCLUDE ${confdir}/eap.conf
  
          files {
                  usersfile = ${confdir}/users
                  acctusersfile = ${confdir}/acct_users
                  compat = no
          }
  
  [...]
  
          preprocess {
                  huntgroups = ${confdir}/huntgroups
                  hints = ${confdir}/hints 
                  with_ascend_hack = no 
                  ascend_channels_per_line = 23
                  with_ntdomain_hack = no
                  with_specialix_jetstream_hack = no
                  with_cisco_vsa_hack = yes
          }       
  }       
  
  instantiate {   
          exec
          expr
  }               
                  
  authorize {     
          preprocess
          eap
          files
  }       
  
  authenticate { 
          eap
  }
  
I've tried tweaking the values of "cisco_accounting_username_bug" and
"with_cisco_vsa_hack", but to no avail.

Just wondering how other people have fared in getting WDS working
against FreeRADIUS!  Thanks in advance for any thoughts on this...

Cheers,

Martin



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
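Added example (not part of Martin's post and not FreeRADIUS or Cisco code): a small decoder for the EAP-Message attribute that appears in the rad_recv trace above, plus the same identifier comparison the AP's dot11_auth_parse_client_pak debug line performs (req-id vs resp-id). The hex value is taken verbatim from the trace; the expected request id of 1 is the req-id quoted in the AP debug output.

```python
"""Decode an EAP packet carried in a RADIUS EAP-Message attribute (RFC 3748)."""
import struct
from typing import NamedTuple, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 17: "LEAP", 26: "MSCHAPv2"}


class EapPacket(NamedTuple):
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no type byte
    data: bytes


def parse_eap_message(raw: bytes) -> EapPacket:
    """Parse the 4-byte EAP header and, for Request/Response, the type and data."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # A length field that disagrees with the attribute size is malformed input.
        raise ValueError(f"EAP length field {length} != attribute size {len(raw)}")
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if code in (3, 4):  # Success / Failure: header only
        return EapPacket(code, ident, length, None, b"")
    if len(raw) < 5:
        raise ValueError("Request/Response without a type byte")
    return EapPacket(code, ident, length, raw[4], raw[5:])


def describe(pkt: EapPacket) -> str:
    """Human-readable summary, e.g. 'Response id=2 Identity flr3-2'."""
    kind = EAP_CODES[pkt.code]
    if pkt.eap_type is None:
        return f"{kind} id={pkt.identifier}"
    tname = EAP_TYPES.get(pkt.eap_type, f"type {pkt.eap_type}")
    payload = pkt.data.decode("ascii", "replace") if pkt.eap_type == 1 else pkt.data.hex()
    return f"{kind} id={pkt.identifier} {tname} {payload}"


def id_matches(pkt: EapPacket, expected_req_id: int) -> bool:
    """An EAP Response is only valid against the Request whose id it echoes."""
    return pkt.code == 2 and pkt.identifier == expected_req_id


# EAP-Message hex as printed by rad_recv in the trace above.
EAP_MESSAGE_HEX = "0202000b01666c72332d32"
AP_EXPECTED_REQ_ID = 1  # req-id from the dot11_auth_parse_client_pak debug line

if __name__ == "__main__":
    pkt = parse_eap_message(bytes.fromhex(EAP_MESSAGE_HEX))
    print(describe(pkt), "| matches AP req-id:", id_matches(pkt, AP_EXPECTED_REQ_ID))
```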
