Hi folks, just to report back that I did eventually get this working.
Thanks again for your suggestions/advice!
Here's a summary of what I had to do... Not saying that this is all
necessary or correct, but it worked for me :-)
First you need to have your APs talking Cisco WDS to each other. I
made one of my loaned APs into a WDS master, so my config looked like
this on the WDS slave APs:
wlccp ap username slave1 password 7 XXXXXX
And this on the WDS master AP:
aaa group server radius FOO
 server-private 1.2.3.4 auth-port 1812 acct-port 1813 key 7 XXXX
aaa authentication login FOO group FOO
aaa authorization network FOO group FOO
wlccp ap username slave1 password 7 XXXXXX
wlccp authentication-server infrastructure FOO
wlccp wds priority 254 interface BVI1
wlccp wnm ip address 4.3.2.1
The master WDS will try to authenticate the slave APs and the WLSE
via the RADIUS server and secret specified in FOO. It seems that
you need to put the "wlccp ap username" clause in on the master. I
don't see the slave APs or the WLSE contacting the RADIUS server,
although I think you can do WLSE Web user interface authentication
via RADIUS if you really want to.
The APs and the WLSE have entries in the 'users' file on the RADIUS
server which look like this:
slave1 User-Password == "XXXXX"
I actually put a separate user name and password in for each of the
APs and the WLSE, but you probably don't need to do this. If you're
having problems, it should be easier to debug this way.
You'll need to include your WDS master AP(s) in the RADIUS
clients.conf, as per:
client 1.2.3.4 {
        secret    = XXXXX
        shortname = XXXXXX
        nastype   = other
}
I'm not sure whether the 'shortname' field has to be filled in. I
set this to be the same as my AP hostname as configured in IOS.
My eap.conf looks like this:
eap {
        default_eap_type = leap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        mschapv2 {
        }
}
And my radiusd.conf has:
instantiate {
        exec
        expr
}
authorize {
        preprocess
        eap
        files
}
authenticate {
        eap
}
preacct {
        preprocess
        acct_unique
        files
}
accounting {
        detail
        radutmp
}
session {
        radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
        eap
}
I also defined "with_cisco_vsa_hack = yes" in the preprocess section.
Now, the above is fine for the WDS side of things, but the WLSE side
needs the hack from Richard Timsit, i.e.
http://lists.cistron.nl/pipermail/freeradius-users/2004-September/035796.html
But note Richard's advice that it may need to be tweaked a little for
your installation:
> Once the patch is applied, see the log and find such lines:
> rlm_eap_leap: Stage 6
> rlm_eap: RT Modif EAP-Type = 17 EAP-LENGTH = XX
>
> If XX is not equal to 30, modify the test of the patch in eap.c accordingly.
Will see if my contacts at Cisco can pass on this info to the developers
of the WLSE, as they should be able to fix the problem easily...
Cheers,
Martin
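As an added example (not part of Martin's post or of FreeRADIUS), a small Python check that cross-references the fragments above: every "wlccp ap username" declared on the WDS master should have an entry in the FreeRADIUS users file, and the master AP's own address should be listed as a client in clients.conf. The IOS, users and clients.conf samples are constructed, and the master AP address 10.0.0.1 is assumed.

```python
"""Cross-check WDS master config against FreeRADIUS users/clients.conf."""
import re

# Constructed IOS fragment from a WDS master AP (secrets are placeholders).
WDS_MASTER_CONFIG = """\
aaa group server radius FOO
 server-private 1.2.3.4 auth-port 1812 acct-port 1813 key 7 XXXX
wlccp ap username slave1 password 7 XXXXXX
wlccp ap username slave2 password 7 XXXXXX
wlccp authentication-server infrastructure FOO
"""

# Constructed FreeRADIUS 'users' file: slave2 is deliberately missing.
USERS_FILE = """\
slave1 User-Password == "XXXXX"
wlse1  User-Password == "XXXXX"
"""

# Constructed clients.conf; 10.0.0.1 is the assumed WDS master address.
CLIENTS_CONF = """\
client 10.0.0.1 {
        secret    = XXXXX
        shortname = ap-master
        nastype   = other
}
"""


def wlccp_usernames(ios_config):
    """Usernames declared with 'wlccp ap username <name> ...' on the master."""
    return set(re.findall(r"^wlccp ap username (\S+)", ios_config, re.M))


def radius_clients(clients_conf):
    """Client addresses (or names) declared in clients.conf."""
    return set(re.findall(r"^client (\S+)\s*\{", clients_conf, re.M))


def users_file_entries(users_file):
    """Usernames that have a User-Password check item in the users file."""
    return set(re.findall(r"^(\S+)\s+User-Password", users_file, re.M))


def check_wds(ios_config, users_file, clients_conf, master_ip):
    """Return (WLCCP usernames missing from users, master listed as client)."""
    missing = sorted(wlccp_usernames(ios_config) - users_file_entries(users_file))
    master_is_client = master_ip in radius_clients(clients_conf)
    return missing, master_is_client
```

With the samples above, check_wds(..., "10.0.0.1") reports slave2 as missing from the users file, which would show up as a failed infrastructure authentication for that AP.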
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html