What do these "radius.log" entries mean?

2003-09-22 Thread Mike Hall
Hi all,

We are having minor problems with a cluster of Cisco AP1200 access points.
We use MAC Address Authentication to redundant Freeradius 0.9 servers for
security.  I think the error messages below (from the radius.log file) might
give me a clue. Could someone please explain what they mean?

Tue Sep  2 06:02:24 2003 : Error: rlm_radutmp: Logout entry for NAS
NorthGate-D2 port 37 has wrong ID

Tue Sep  2 06:43:48 2003 : Error: rlm_radutmp: Login entry for NAS
NorthGate-D2 port 38 wrong order

Thanks!
Mike Hall



---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.515 / Virus Database: 313 - Release Date: 9/1/2003


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Access Point Errors

2003-09-08 Thread Mike Hall
Could someone please tell me what these errors mean:

Tue Sep  2 06:02:24 2003 : Error: rlm_radutmp: Logout entry for NAS
NorthGate-D2 port 37 has wrong ID
Tue Sep  2 06:43:48 2003 : Error: rlm_radutmp: Login entry for NAS
NorthGate-D2 port 38 wrong order

I get them constantly from our Cisco AP1200 access points and would like to
know if this is a problem.

Thanks!
Mike Hall





Cisco AP 1200 Errors

2003-09-02 Thread Mike Hall
Hi all,

We are having a problem with a cluster of Cisco AP1200's
which are all on the same subnet.  They all have identical
configurations and are set to do Static WEP and MAC
Authentication to a Freeradius 0.9 server.  When I turn MAC
Auth off they all work fine, but when I turn it on,
certain APs will not let clients get an address.  I am
thinking that these errors might give me a clue.  Could
someone please explain what they mean?

Tue Sep  2 06:02:24 2003 : Error: rlm_radutmp: Logout entry
for NAS NorthGate-D2 port 37 has wrong ID
Tue Sep  2 06:43:48 2003 : Error: rlm_radutmp: Login entry
for NAS NorthGate-D2 port 38 wrong order

Thanks!
Mike Hall



RE: (no subject) - Cisco AP 1200 MAC Auth works!...now what?

2003-08-14 Thread Mike Hall
Alan, it was not documented...obviously.  Further, we use WEP+
encryption to extend the security of our wireless network (+ is Avaya's
stronger hashing).  I am well aware of the problems with WEP.  If
someone wants access badly enough to
1. Find a MAC that's in our database
2. Spoof their MAC address
3. Crack a 128 bit WEP+ key (have you tried? It's not easy)
4. Risk being caught through accounting reports/logs
they can find plenty of open ethernet ports in one of our buildings
without going through all that trouble.  Our more important networks are
protected by vpn gateways.

As for this comment:
>Huh?  Why?  Managing passwords isn't difficult.  So for one AP, you add
>(by hand) the password which just happens to be the MAC address. For 
>another AP, you add a different password. That is by far and away too 
>complicated.

We have more than 12,000 users and hundreds of access points.  Do you think
we could add all the MACs into each AP?  That's the worst management
nightmare I can imagine.  Modifying one SQL query in the sql.conf file
is hardly complicated.  The only problem is I don't know how to make
radius differentiate between AP requests.  I know there are people on this
list who can answer that in their sleep.  I would really appreciate some
help from one of you radius gurus (not Alan).

--
Mike Hall





RE: Howto FreeRadius --Cisco350 --client win98/2k/xp

2003-08-14 Thread Mike Hall
The clients give their MAC address and it acts as their Username in
radius.  The password is the radius password sent by the AP.  It is a very
convenient method because the authentication is transparent to the end
user.  I set it up over a year ago so my memory is a little hazy ...Try
google: "freeradius mysql"

-Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kent
Hansen
Sent: Tuesday, August 12, 2003 2:20 PM
To: [EMAIL PROTECTED]
Subject: Howto FreeRadius --Cisco350 --client win98/2k/xp


Yes. I know that howto, but I don't want the clients to install a
certificate. I only want them to join the wireless network with a simple
username and password. I don't think that howto is the question I want.

Mike: How do you use the mysql? How have you set this up? With username
and passwords when the clients join the network? Or with a certificate on
all clients?

Kent








RE: Cisco Aironet - MAC auth logs

2003-08-14 Thread Mike Hall
d,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00022d11' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id' SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00022d11' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '00022d11' ORDER BY id' SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'00022d11' ORDER BY id
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrou
preply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '00022d11' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id' SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrou
preply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '00022d11' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql: Pairs do not match [00022d11]
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound
  modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0



 Output of the CISCO accounting log:

Thu Aug  7 14:36:41 2003
Acct-Status-Type = Start
User-Name = "00022d11"
Acct-Session-Id = "  500001"
Acct-Authentic = Local
NAS-Port = 37
Calling-Station-Id = "00022d11"
NAS-Identifier = "udp001617uds"
NAS-IP-Address = XXX.XX.XX.XX
Cisco-AVPair = "0"
Cisco-AVPair = ""
Cisco-AVPair = "open"
Cisco-AVPair = "northgate_wireless"
Acct-Delay-Time = 0
Client-IP-Address = XXX.XX.XX.XX
Acct-Unique-Session-Id = "2c817f6a9cb3342f"
Timestamp = 1060285001







-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter
Nixon
Sent: Friday, August 08, 2003 11:17 AM
To: [EMAIL PROTECTED]; Mike Hall
Subject: Re: Cisco Aironet - MAC authentication problems


On Fri August 8 2003 19:01, Mike Hall wrote:
> Hi,
>
> I work for a major University and we have been using Freeradius to do 
> MAC authentication with Orinoco (Avaya,Proxim) based access point for 
> about 2 years.  We have had no problems, and loved our decision to 
> implement Freeradius instead of a commercial package.
>
> Now, many departments want to use the Cisco Aironet line. To our 
> dismay, we have discovered that they do not authenticate in the same 
> way as the Orinoco units.  I think it has something to do with the 
> Cisco-AVPair string which is sent to the radius server and/or the 
> Attribute Value fields.  I also think it has related to the Auth-Type 
> string and/or the dictionary.cisco file.  We use a Mysql database to 
> store the user-names (MAC Addresses).  The little info I have found on
> the internet is very unclear on what I should do to fix this.  I have all
> the output of mysql/freeradius, but it has been a nightmare trying to
> decipher it.
>
> Has anyone run across this problem, and if so, could you please tell
> what I can do to make Freeradius compatible with Cisco Aironet access
> points?  I can send you any info/logs about our setup that you need.
> I cannot begin to tell you how much I will appreciate any help you can
> give us.

If you send us the debug output of when an Orinoco unit authenticates
and when a cisco tries to authenticate we will try to help you. Maybe
others have cisco AP's and can help you, but I don't unfortunately.

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




RE: Cisco Aironet - MAC auth logs

2003-08-14 Thread Mike Hall
I am definitely authenticating against mysql!!  I have been working with
this system for over a year and it has worked great...if the user's MAC
isn't in there then they can't authenticate.  Matches "local"
User-Password :: Doesn't that tell you I'm authenticating?  Please
advise..

Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulrich
Walcher
Sent: Tuesday, August 12, 2003 3:11 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco Aironet - MAC auth logs


See the difference?!

>  Output of the ORINOCO from radiusd -X:
> rlm_sql: Released sql socket id: 4
>   modcall[authorize]: module "sql" returns ok
>   modcall[authorize]: module "files" returns notfound
> modcall: group authorize returns ok
> auth: type Local

Auth-Type := Local

> auth: user supplied User-Password matches local User-Password

Matches "local" User-Password

> Sending Access-Accept of id 31 to XXX.XX.XX.XX:6001
> Finished request 1



>  Output of the CISCO from radiusd -X:
> rlm_sql: Pairs do not match [00022d11]

!


> rlm_sql: Released sql socket id: 4
>   modcall[authorize]: module "sql" returns notfound
>   modcall[authorize]: module "files" returns notfound
> modcall: group authorize returns ok
> auth: No Auth-Type configuration for the request, rejecting the user

No Auth-Type

> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0

AFAIS you're not authenticating against mysql... in none of the two
cases!







RE: Cisco vs. Orinoco - MAC Authentication

2003-08-14 Thread Mike Hall
Your first suggestion, to duplicate users, is not possible using a sql
database according to the documentation.  

The third suggestion, to use the /etc/passwd file, is not feasible
because of the large amount of users we have, and because this machine
serves other purposes which might be compromised.

The second & fourth suggestions:
>Or, you can update the SQL database, and use User-Password as a key,
>adding it to the SQL query.  So user "bob" with password "bob", will be
>different than user "bob" with password "hello".  It will mean massively
>duplicate crap in the DB, but it will work.
.
>create a new SQL table to hold the shared secrets for each AP, and do:
>DEFAULT User-Password == `%{sql:SELECT stuff by %{Client-IP-Address}:-%{User-Name}}`
>List the AP's that use the shared secret in the SQL database, and don't
>list the others.  If the SQL query returns nothing, then the password will
>be set to the User-Name, which will work for the other AP's.

Those sound like great ideas, though I don't quite understand the last one.
My problem here is I cannot find the sql statement which compares the
'Value' field to the User-Password string sent from the AP.  It is not
in the sql.conf file.

Mike



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, August 13, 2003 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco vs. Orinoco - MAC Authentication 


"Mike Hall" <[EMAIL PROTECTED]> wrote:
> The two access point authenticate differently.  The Orinoco sends the 
> Value as the SharedSecret & the Cisco sends the Value as the 
> MacAddress.

  You've said that before.

> What can I do to make this work?  I could create two entries like 
> this:
...
> But this just confuses the Radius server and auth fails.

  So edit the SQL table definition & queries, so it selects by
User-Password, too.

>  Please offer some suggestions on what we can do.  Thanks again.

  I thought I had 3 suggestions in my last email.  Did you try any of
them?

  Here's another suggestion: create a new SQL table to hold the shared
secrets for each AP, and do:

DEFAULT  User-Password == `%{sql:SELECT stuff by %{Client-IP-Address}:-%{User-Name}}`

  List the AP's that use the shared secret in the SQL database, and
don't list the others.  If the SQL query returns nothing, then the
password will be set to the User-Name, which will work for the other
AP's.

  That's 4 solutions.
 
  Alan DeKok.
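To make the two designs in this exchange concrete, here is an added example (not code from the list, from Mike's setup, or from FreeRADIUS itself): a small Python/sqlite3 model of the authorize decision. It holds the radcheck layout Mike posted, plus a hypothetical nas_secret table standing in for Alan's "new SQL table to hold the shared secrets for each AP", and evaluates his DEFAULT entry with the `:-%{User-Name}` fallback for an Orinoco-style and a Cisco-style request. The sample AP addresses and the secret are constructed placeholders.

```python
"""Model of the FreeRADIUS authorize decision discussed in the thread.

Added example, not FreeRADIUS code: rlm_sql behaviour is reduced to
'every "==" check item must equal the request attribute', which is the
rule behind the "Pairs do not match" line in the debug output.
"""
import sqlite3

# Constructed sample values; nas_secret is a hypothetical table name.
ORINOCO_AP = "192.0.2.10"       # listed in nas_secret: sends the shared secret
CISCO_AP = "192.0.2.20"         # not listed: sends the MAC as User-Password
MAC = "00062541e359"            # the MAC from the thread, used as User-Name
SHARED_SECRET = "SharedSecret"  # placeholder for the Orinoco shared secret


def setup_db():
    """In-memory database with the thread's radcheck layout plus nas_secret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT,
                               Attribute TEXT, Value TEXT, op TEXT);
        CREATE TABLE nas_secret (nasipaddress TEXT PRIMARY KEY, secret TEXT);
    """)
    conn.execute("INSERT INTO nas_secret VALUES (?, ?)", (ORINOCO_AP, SHARED_SECRET))
    return conn


def seed_two_rows(conn):
    """Mike's attempt: two '==' User-Password rows for the same MAC."""
    conn.executemany(
        "INSERT INTO radcheck (UserName, Attribute, Value, op) VALUES (?, ?, ?, ?)",
        [(MAC, "User-Password", MAC, "=="), (MAC, "User-Password", SHARED_SECRET, "==")])


def seed_per_nas(conn):
    """Alan's design: radcheck only has to mark the MAC as known (here with
    Jeff's NAS-Port-Type item); the password check comes from the DEFAULT entry."""
    conn.execute(
        "INSERT INTO radcheck (UserName, Attribute, Value, op) VALUES (?, ?, ?, ?)",
        (MAC, "NAS-Port-Type", "Wireless-802.11", "=="))


def make_request(client_ip, password, mac=MAC):
    """Attributes an AP sends for MAC authentication, keyed like a RADIUS packet."""
    return {"User-Name": mac, "User-Password": password,
            "Client-IP-Address": client_ip, "NAS-Port-Type": "Wireless-802.11"}


def radcheck_items(conn, username):
    """The radcheck query from the thread: the user's check items."""
    return conn.execute(
        "SELECT Attribute, Value, op FROM radcheck WHERE UserName = ? ORDER BY id",
        (username,)).fetchall()


def pairs_match(check_items, request):
    """Every '==' check item must equal the request attribute, else 'Pairs do not match'."""
    return all(request.get(attr) == value
               for attr, value, op in check_items if op == "==")


def expected_password(conn, request):
    """The xlat in Alan's DEFAULT entry: the secret for a listed AP, falling
    back (':-') to the User-Name for APs that are not listed."""
    row = conn.execute("SELECT secret FROM nas_secret WHERE nasipaddress = ?",
                       (request["Client-IP-Address"],)).fetchone()
    return row[0] if row else request["User-Name"]


def authorize(conn, request, use_default=False):
    """Accept when the MAC has radcheck rows and all '==' items match; with
    use_default the per-AP User-Password check item is appended as well."""
    items = radcheck_items(conn, request["User-Name"])
    if not items:                       # module "sql" returns notfound
        return "Access-Reject"
    if use_default:
        items.append(("User-Password", expected_password(conn, request), "=="))
    return "Access-Accept" if pairs_match(items, request) else "Access-Reject"


def run_two_rows():
    """Both AP types fail: one of the two '==' rows can never match."""
    conn = setup_db()
    seed_two_rows(conn)
    return {"orinoco": authorize(conn, make_request(ORINOCO_AP, SHARED_SECRET)),
            "cisco": authorize(conn, make_request(CISCO_AP, MAC))}


def run_per_nas():
    """Per-AP secret with User-Name fallback: both AP types pass, while a wrong
    secret from a listed AP and an unknown MAC are still rejected."""
    conn = setup_db()
    seed_per_nas(conn)
    return {"orinoco": authorize(conn, make_request(ORINOCO_AP, SHARED_SECRET), True),
            "cisco": authorize(conn, make_request(CISCO_AP, MAC), True),
            "orinoco_bad": authorize(conn, make_request(ORINOCO_AP, MAC), True),
            "unknown_mac": authorize(conn, make_request(CISCO_AP, "0000deadbeef",
                                                         "0000deadbeef"), True)}


if __name__ == "__main__":
    print(run_two_rows())
    print(run_per_nas())
```

Note that for an unlisted (Cisco-style) AP the check reduces to "User-Password equals User-Name", which, as Jeff points out elsewhere in the thread, is only a presence check on the MAC; the real access decision is still whether the MAC is in radcheck.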



Cisco vs. Orinoco - Authenticating regardless of password

2003-08-14 Thread Mike Hall
I need to authenticate a user if their Username (MAC Address) is in the
radcheck table, regardless of the password that is sent.  The Freeradius
FAQ says this:

5.5 How do I permit access to any user regardless of password?
DEFAULT Auth-Type = Accept

I do not understand where I would put this in mysql.  Is this in the
usergroup table? Could I put it into one of the files and tell radius to
look at that instead of mysql?  Someone please help me here...

Thanks,
Mike Hall


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey C.
Ollie
Sent: Wednesday, August 13, 2003 10:01 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco vs. Orinoco - MAC Authentication


On Wed, 2003-08-13 at 16:46, Mike Hall wrote:
> What I really need is this:
> 
> A way to make the radius server think the User-Password string (sent 
> from any AP) is our 'shared secret'.  I can make it work if there is a

> way to do this.  Here the Cisco AP will send the MAC as the
> 'User-Password' but radius will change it (before processing) to be 
> our 'shared secret'.  Any Suggestion?  Please...

Why bother with checking the password anyway?

Here's what I use on my Cisco 350's:

 Auth-Type == Accept, NAS-Port-Type == Wireless-802.11

Actually checking the password sent from a Cisco AP during MAC address
authentication is kind of pointless since it's such a weak password.  I
know less about how the Orinoco handles MAC address authentication but
it doesn't sound like Orinoco's scheme is much of an improvement.

Jeff





RE: Cisco Aironet - MAC auth logs

2003-08-14 Thread Mike Hall
How do I define an Auth-Type for the user? Is it the Attribute field in
my radcheck table?  That has 'User-Password' for everyone in the system.
The Value field also has our 'radius password' for all users.  I have
read some about the hints file...do I need to do something like this:

Default Prefix = "Cisco-AVPair", Strip-User-Name = Yes
Hint = "CISCO"
Auth-Type = Local

...Or am I totally on the wrong track here?  Another idea is to create
two separate 'radcheck' tables, one for Cisco APs and one for Orinoco
APs.  What do y'all think of that (there must be an easier way)?  When it
says "module sql returns notfound" what does that mean?  Sorry for all
the questions, I really appreciate your help.

--Mike Hall  



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulrich
Walcher
Sent: Tuesday, August 12, 2003 1:01 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco Aironet - MAC auth logs


"auth: user supplied User-Password matches local User-Password" says
that the user matches a password in raddb/users file. You are
authenticating -> yes, but against a password-file. Authorization is
done in this case via sql.

With the Cisco box you get an error message saying: "Pairs do not match
[00022d11]". Unfortunately I can't tell you why...
and:
"auth: No Auth-Type configuration for the request, rejecting the user"
You have not defined an Auth-Type for the user. Uli

On Tue, 2003-08-12 at 15:32, Mike Hall wrote:
> I am definitely authenticating against mysql!!  I have been working
> with this system for over a year and it has worked great...if the
> user's MAC isn't in there then they can't authenticate.  Matches "local"
> User-Password :: Doesn't that tell you I'm authenticating?  Please
> advise..
> 
> Mike
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ulrich 
> Walcher
> Sent: Tuesday, August 12, 2003 3:11 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco Aironet - MAC auth logs
> 
> 
> See the differnece?!
> 
> >  Output of the ORINOCO from radiusd -X:
> > rlm_sql: Released sql socket id: 4
> >   modcall[authorize]: module "sql" returns ok
> >   modcall[authorize]: module "files" returns notfound
> > modcall: group authorize returns ok
> > auth: type Local
> 
>   Auth-Type := Local
> 
> > auth: user supplied User-Password matches local User-Password
> 
>   Matches "local" User-Password
> 
> > Sending Access-Accept of id 31 to XXX.XX.XX.XX:6001
> > Finished request 1
> 
> 
> 
> >  Output of the CISCO from radiusd -X:
> > rlm_sql: Pairs do not match [00022d11]
> 
>   !
> 
> 
> > rlm_sql: Released sql socket id: 4
> >   modcall[authorize]: module "sql" returns notfound
> >   modcall[authorize]: module "files" returns notfound
> > modcall: group authorize returns ok
> > auth: No Auth-Type configuration for the request, rejecting the user
> 
>   No Auth-Type
> 
> > auth: Failed to validate the user.
> > Delaying request 0 for 1 seconds
> > Finished request 0
> 
> AFAIS you're not authenticating against mysql... in none of the two 
> cases!
> 
> 
> 
> 
> 


RE: Howto FreeRadius --Cisco350 --client win98/2k/xp

2003-08-14 Thread Mike Hall
It seems that this is a very common problem with Cisco APs.  What about
doing the same using MAC Auth instead of EAP-TLS?  Is there any
documentation out there?  I must use mysql instead of the flat
file... anyone know of a how-to like that?

--
Mike Hall
Telecom Analyst

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Artur
Hecker
Sent: Tuesday, August 12, 2003 1:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Howto FreeRadius --Cisco350 --client win98/2k/xp


www.freeradius.org/doc/EAPTLS.pdf


Kent Hansen wrote:

> Hi
> 
> Is there anyone who can tell me howto setup a freeradius with a cisco 
> 350
> client, and clients on the ap authentication to the wireless network
with a 
> username and password on the freeradius server.
> 
> Example:
> 
> Client with xp, wants to join the wireless network, and they need to 
> type in
> username and password, then OK, and at the end, they are joined the
network.
> 
> How do i setup the freeradius server to do this, and the cisco ap 350.
> 
> Kent





Cisco vs. Orinoco - MAC Authentication

2003-08-14 Thread Mike Hall
Hello again,

The two access points authenticate differently.  The Orinoco sends the
Value as the SharedSecret & the Cisco sends the Value as the MacAddress.
Example:

ORINOCO AP
+-----+------------+---------------+--------------+----+
| id  | UserName   | Attribute     | Value        | op |
+-----+------------+---------------+--------------+----+
| 1   | MacAddress | User-Password | SharedSecret | == |
+-----+------------+---------------+--------------+----+

CISCO AP
+-----+------------+---------------+--------------+----+
| id  | UserName   | Attribute     | Value        | op |
+-----+------------+---------------+--------------+----+
| 1   | MacAddress | User-Password | MacAddress   | == |
+-----+------------+---------------+--------------+----+

What can I do to make this work?  I could create two entries like this:
+-----+------------+---------------+--------------+----+
| id  | UserName   | Attribute     | Value        | op |
+-----+------------+---------------+--------------+----+
| 1   | MacAddress | User-Password | MacAddress   | == |
+-----+------------+---------------+--------------+----+
| 2   | MacAddress | User-Password | SharedSecret | == |
+-----+------------+---------------+--------------+----+
But this just confuses the Radius server and auth fails.  Please offer
some suggestions on what we can do.  Thanks again.

--
Mike Hall





RE: Cisco Aironet - MAC auth logs

2003-08-14 Thread Mike Hall
Hi all, sorry I forgot to run the other queries.  The AP is a Cisco
Aironet 1200 (1220b) Here are the queries:


> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00062541e359' ORDER BY id

+-----+--------------+---------------+----------+----+
| id  | UserName     | Attribute     | Value    | op |
+-----+--------------+---------------+----------+----+
| 215 | 00062541e359 | User-Password | ourpaswd | == |
+-----+--------------+---------------+----------+----+
1 row in set (0.00 sec)

> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00062541e359' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

Empty set (0.00 sec)

> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00062541e359' ORDER BY id

Empty set (0.00 sec)

> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00022d11' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

Empty set (0.00 sec)

> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00062541e359' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

Empty set (0.00 sec)

> SELECT Value,Attribute FROM radcheck WHERE UserName = '00062541e359' AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password') ORDER BY Attribute DESC

+----------+---------------+
| Value    | Attribute     |
+----------+---------------+
| ourpaswd | User-Password |
+----------+---------------+
1 row in set (0.00 sec)

> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '00022d11' ORDER BY id

+-----+--------------+---------------+----------+----+
| id  | UserName     | Attribute     | Value    | op |
+-----+--------------+---------------+----------+----+
| 215 | 00022d11     | User-Password | ourpaswd | == |
+-----+--------------+---------------+----------+----+
1 row in set (0.00 sec)

> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '00022d11' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id

Empty set (0.00 sec)

> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '00022d11' ORDER BY id

Empty set (0.00 sec)

> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '00022d11' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id

Empty set (0.00 sec)





RE: Cisco vs. Orinoco - MAC Authentication

2003-08-14 Thread Mike Hall

Do you use mysql or a users file?  Where would I put this:
 Auth-Type == Accept, NAS-Port-Type == Wireless-802.11
into mysql?  If I put it into the radcheck table it will
not authenticate (b/c the Attribute is not Username-Password).  Please
help...

-Mike Hall

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey C.
Ollie
Sent: Wednesday, August 13, 2003 10:01 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco vs. Orinoco - MAC Authentication


On Wed, 2003-08-13 at 16:46, Mike Hall wrote:
> What I really need is this:
> 
> A way to make the radius server think the User-Password string (sent
> from any AP) is our 'shared secret'.  I can make it work if there is a

> way to do this.  Here the Cisco AP will send the MAC as the 
> 'User-Password' but radius will change it (before processing) to be 
> our 'shared secret'.  Any Suggestion?  Please...

Why bother with checking the password anyway?

Here's what I use on my Cisco 350's:

 Auth-Type == Accept, NAS-Port-Type == Wireless-802.11

Actually checking the password sent from a Cisco AP during MAC address
authentication is kind of pointless since it's such a weak password.  I
know less about how the Orinoco handles MAC address authentication but
it doesn't sound like Orinoco's scheme is much of an improvement.

Jeff





RE: (no subject) - Cisco AP 1200 MAC Auth works!...now what?

2003-08-14 Thread Mike Hall
It's alive!!  Using your radcheck configuration the Cisco 1200 APs work
with freeradius.  But of course, I have another
problem...the Orinoco APs don't work with this configuration!  Some
debugging brought me to this conclusion on what will work for the
different access points:

ORINOCO AP
+-----+------------+---------------+--------------+----+
| id  | UserName   | Attribute     | Value        | op |
+-----+------------+---------------+--------------+----+
| 123 | MacAddress | User-Password | SharedSecret | == |
+-----+------------+---------------+--------------+----+

CISCO AP
+-----+------------+---------------+--------------+----+
| id  | UserName   | Attribute     | Value        | op |
+-----+------------+---------------+--------------+----+
| 123 | MacAddress | User-Password | MacAddress   | == |
+-----+------------+---------------+--------------+----+

So what now?  I could create 2 different tables, then use something
(please help me here, huntgroups?) to tell freeradius which type of AP
is making the request, then use the correct sql statement to select on
mysql.  Fun, Fun.  Another option is to modify the modcall[authorize]
sql statement to say something like if "Username = MacAddress OR
Username = SharedSecret". The problem is that "Username will never equal
SharedSecret"!  I'm almost there...Please Help!

--
Mike Hall
Telecom Analyst



 -Original Message-
From:   [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, August 12, 2003 3:36 PM
To: [EMAIL PROTECTED]
Subject:(no subject)


On a Cisco AP 340 or better, MAC-based Auth. uses the
MAC-address of the client as both the user and password.

In your radcheck table, UserName is MAC-address, Attribute is
'Password', op is '==' and Value is MAC-address.

Works great and you do not have to restart radius when you add
MAC-addresses.

Hope this helps.





RE: VSA in freeRadius

2003-08-14 Thread Mike Hall

Sounds like you're having the same problem as me.  We have just purchased
Cisco 1200 APs and I can not get it to work.  Are you using mysql or a flat
file (users)?

--
Mike Hall
Telecom Analyst

  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Israel Cardenas Romero
Sent: Tuesday, August 12, 2003 12:14 PM
To: [EMAIL PROTECTED]
Subject: VSA in freeRadius
Hi!

I'm using freeRadius with EAP/TLS to secure my wireless network. It works
fine, but now I want to use two or more different SSIDs in the network.

I've bought a Cisco 1100 AP, which supports wireless VLANs associated with
SSIDs. It supports a Vendor-Specific attribute to get from the Radius
Server a list of valid SSIDs for each user, but I don't know how to get
FreeRadius to send a Vendor-Specific attribute to the AP.

Israel Cárdenas Romero
SGI - Soluciones Globales Internet
Delegación Regional Sur
E-mail: [EMAIL PROTECTED]
Tel.: 954088060

RE: Cisco Aironet - MAC auth logs

2003-08-14 Thread Mike Hall
d,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00022d11' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgrou
pcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '00022d11' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
Username = '00022d11' ORDER BY id'
SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'00022d11' ORDER BY id
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrou
preply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '00022d11' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrou
preply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '00022d11' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql: Pairs do not match [00022d11]
rlm_sql: Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound
  modcall[authorize]: module "files" returns notfound
modcall: group authorize returns ok
auth: No Auth-Type configuration for the request, rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0



 Output of the CISCO accounting log:

Thu Aug  7 14:36:41 2003
Acct-Status-Type = Start
User-Name = "00022d11"
Acct-Session-Id = "  500001"
Acct-Authentic = Local
NAS-Port = 37
Calling-Station-Id = "00022d11"
NAS-Identifier = "udp001617uds"
NAS-IP-Address = XXX.XX.XX.XX
Cisco-AVPair = "0"
Cisco-AVPair = ""
Cisco-AVPair = "open"
Cisco-AVPair = "northgate_wireless"
Acct-Delay-Time = 0
Client-IP-Address = XXX.XX.XX.XX
Acct-Unique-Session-Id = "2c817f6a9cb3342f"
Timestamp = 1060285001







-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter
Nixon
Sent: Friday, August 08, 2003 11:17 AM
To: [EMAIL PROTECTED]; Mike Hall
Subject: Re: Cisco Aironet - MAC authentication problems


On Fri August 8 2003 19:01, Mike Hall wrote:
> Hi,
>
> I work for a major University and we have been using Freeradius to do
> MAC authentication with Orinoco (Avaya,Proxim) based access points for
> about 2 years.  We have had no problems, and loved our decision to
> implement Freeradius instead of a commercial package.
>
> Now, many departments want to use the Cisco Aironet line. To our
> dismay, we have discovered that they do not authenticate in the same
> way as the Orinoco units.  I think it has something to do with the
> Cisco-AVPair string which is sent to the radius server and/or the
> Attribute Value fields.  I also think it is related to the Auth-Type
> string and/or the dictionary.cisco file.  We use a Mysql database to
> store the user-names (MAC Addresses).  The little info I have found on
> the internet is very unclear on what I should do to fix this.  I have
> all the output of mysql/freeradius, but it has been a nightmare trying
> to decipher it.
>
> Has anyone run across this problem, and if so, could you please tell me
> what I can do to make Freeradius compatible with Cisco Aironet access
> points?  I can send you any info/logs about our setup that you need.
> I cannot begin to tell you how much I will appreciate any help you can
> give us.

If you send us the debug output of when an Orinoco unit authenticates
and when a cisco tries to authenticate we will try to help you. Maybe
others have cisco AP's and can help you, but I don't unfortunately.

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



RE: Cisco vs. Orinoco - MAC Authentication

2003-08-14 Thread Mike Hall
What I really need is this:

A way to make the radius server think the User-Password string (sent
from any AP) is our 'shared secret'.  I can make it work if there is a
way to do this.  Here the Cisco AP will send the MAC as the
'User-Password' but radius will change it (before processing) to be our
'shared secret'.  Any Suggestion?  Please...  

Thanks, Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, August 13, 2003 2:55 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco vs. Orinoco - MAC Authentication 


"Mike Hall" <[EMAIL PROTECTED]> wrote:
> The two access points authenticate differently.  The Orinoco sends the 
> Value as the SharedSecret & the Cisco sends the Value as the 
> MacAddress.

  You've said that before.

> What can I do to make this work?  I could create two entries like 
> this:
...
> But this just confuses the Radius server and auth fails.

  So edit the SQL table definition & queries, so it selects by
User-Password, too.

>  Please offer some suggestions on what we can do.  Thanks again.

  I thought I had 3 suggestions in my last email.  Did you try any of
them?

  Here's another suggestion: create a new SQL table to hold the shared
secrets for each AP, and do:

DEFAULT  User-Password == `%{sql:SELECT stuff by %{Client-IP-Address}:-%{User-Name}}`

  List the AP's that use the shared secret in the SQL database, and
don't list the others.  If the SQL query returns nothing, then the
password will be set to the User-Name, which will work for the other
AP's.

  That's 4 solutions.
 
  Alan DeKok.

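Alan's fourth suggestion above (look up the AP's shared secret by the request's source address, and fall back to the User-Name when the AP is not listed) modelled as a runnable Python example. This is an added illustration, not code from the thread or from FreeRADIUS: the `ap_secret` table, the 192.0.2.x addresses, the `demo()` cases and the `authorize()` function are assumptions constructed for the example; only the `radcheck` column layout and the `ourpaswd` / MAC values follow what the thread shows. The `:-` in Alan's entry is FreeRADIUS's "use this default if the expansion is empty" syntax, which is what `expected_password()` reproduces.

```python
"""Per-AP shared-secret lookup with User-Name fallback (added example).

Orinoco APs in this thread send the RADIUS shared secret as User-Password
for MAC authentication; Cisco Aironet APs send the MAC address itself.
Alan DeKok's suggestion is a users-file DEFAULT entry whose expected
User-Password is an SQL lookup keyed on Client-IP-Address, defaulting to
User-Name when the lookup returns nothing.  This script models that
decision with sqlite3.  Table/column names other than radcheck, the
addresses and the MACs are constructed for the example; none of this is
FreeRADIUS's own code.
"""
import hmac
import sqlite3

SHARED_SECRET = "ourpaswd"  # constructed stand-in, as in the thread's table
ORINOCO_AP = "192.0.2.1"    # listed in ap_secret: sends the shared secret
CISCO_AP = "192.0.2.2"      # not listed: sends the MAC as the password


def build_db() -> sqlite3.Connection:
    """In-memory DB: radcheck in the thread's layout plus a hypothetical
    ap_secret table holding one shared secret per access point."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, "
        "Attribute TEXT, Value TEXT, op TEXT)"
    )
    conn.execute("CREATE TABLE ap_secret (nas_ip TEXT PRIMARY KEY, secret TEXT)")
    # Allowed MACs (constructed).  With the DEFAULT entry doing the password
    # check, the radcheck row only has to exist; its Value is not consulted.
    conn.executemany(
        "INSERT INTO radcheck (UserName, Attribute, Value, op) VALUES (?, ?, ?, ?)",
        [
            ("00022d11", "User-Password", SHARED_SECRET, "=="),
            ("00062541e359", "User-Password", SHARED_SECRET, "=="),
        ],
    )
    # Only the APs that send the shared secret are listed here.
    conn.execute("INSERT INTO ap_secret VALUES (?, ?)", (ORINOCO_AP, SHARED_SECRET))
    conn.commit()
    return conn


def expected_password(conn: sqlite3.Connection, client_ip: str, user_name: str) -> str:
    """Emulate `%{sql:...}:-%{User-Name}`: the AP's secret if the AP is
    listed, otherwise the User-Name (the MAC) itself."""
    row = conn.execute(
        "SELECT secret FROM ap_secret WHERE nas_ip = ?", (client_ip,)
    ).fetchone()
    return row[0] if row else user_name


def mac_is_known(conn: sqlite3.Connection, user_name: str) -> bool:
    """The radcheck lookup from the thread, reduced to 'is there a row?'."""
    row = conn.execute(
        "SELECT id FROM radcheck WHERE UserName = ? ORDER BY id", (user_name,)
    ).fetchone()
    return row is not None


def authorize(conn: sqlite3.Connection, request: dict) -> str:
    """Return 'Access-Accept' or 'Access-Reject' for a request dict carrying
    User-Name, User-Password and Client-IP-Address (the packet source)."""
    user = request["User-Name"]
    if not mac_is_known(conn, user):
        return "Access-Reject"
    want = expected_password(conn, request["Client-IP-Address"], user)
    got = request["User-Password"]
    # Constant-time comparison so response timing does not leak the secret.
    if hmac.compare_digest(want.encode(), got.encode()):
        return "Access-Accept"
    return "Access-Reject"


def demo() -> dict:
    """Run the cases the thread cares about and return name -> verdict."""
    conn = build_db()
    cases = {
        "orinoco_secret": {"User-Name": "00022d11", "User-Password": SHARED_SECRET,
                           "Client-IP-Address": ORINOCO_AP},
        "cisco_mac": {"User-Name": "00022d11", "User-Password": "00022d11",
                      "Client-IP-Address": CISCO_AP},
        "orinoco_wrong": {"User-Name": "00022d11", "User-Password": "00022d11",
                          "Client-IP-Address": ORINOCO_AP},
        "unknown_mac": {"User-Name": "0000deadbeef", "User-Password": "0000deadbeef",
                        "Client-IP-Address": CISCO_AP},
    }
    return {name: authorize(conn, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

Two points worth keeping in mind when applying this for real: the fallback branch accepts a password equal to the User-Name, so an unlisted AP's requests are effectively checked only against the MAC whitelist, and a MAC address is an identifier the client presents rather than a secret it holds, so the scheme identifies permitted devices rather than authenticating them; the per-AP table also has to be kept in step with the RADIUS client list, or an AP that sends the secret will be rejected as soon as it drops out of `ap_secret`.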


RE: Cisco Aironet - MAC auth logs

2003-08-14 Thread Mike Hall
Hi, Sorry, it comes back with the same thing:

> mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> Username = '00022d11' ORDER BY id;
> +-----+----------+---------------+----------+----+
> | id  | UserName | Attribute     | Value    | op |
> +-----+----------+---------------+----------+----+
> | 215 | 00022d11 | User-Password | ourpaswd | == |
> +-----+----------+---------------+----------+----+
> 1 row in set (0.00 sec)

Thanks!!  -Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 9:05 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco Aironet - MAC auth logs


Hi,
> Here it is... Thanks for the help!  Please let me know what you find, 
> time is running out!
> 
> mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
> Username = '00062541e359' ORDER BY id;
> +-----+--------------+---------------+----------+----+
> | id  | UserName     | Attribute     | Value    | op |
> +-----+--------------+---------------+----------+----+
> | 205 | 00062541e359 | User-Password | ourpaswd | == |
> +-----+--------------+---------------+----------+----+
> 1 row in set (0.00 sec)

you haven't done this for the other one...which is decidedly different!

>SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 
>'00022d11' ORDER BY id



Cisco Aironet - MAC authentication problems

2003-08-14 Thread Mike Hall
Hi,

I work for a major University and we have been using Freeradius to do
MAC authentication with Orinoco (Avaya,Proxim) based access points for
about 2 years.  We have had no problems, and loved our decision to
implement Freeradius instead of a commercial package.

Now, many departments want to use the Cisco Aironet line. To our dismay,
we have discovered that they do not authenticate in the same way as the
Orinoco units.  I think it has something to do with the Cisco-AVPair
string which is sent to the radius server and/or the Attribute Value
fields.  I also think it is related to the Auth-Type string and/or the
dictionary.cisco file.  We use a Mysql database to store the user-names
(MAC Addresses).  The little info I have found on the internet is very
unclear on what I should do to fix this.  I have all the output of
mysql/freeradius, but it has been a nightmare trying to decipher it.

Has anyone run across this problem, and if so, could you please tell me
what I can do to make Freeradius compatible with Cisco Aironet access
points?  I can send you any info/logs about our setup that you need.  I
cannot begin to tell you how much I will appreciate any help you can
give us.

Thanks,
Mike Hall
Telecom Analyst





RE: Cisco Aironet - MAC auth logs

2003-08-11 Thread Mike Hall
Here it is... Thanks for the help!  Please let me know what you find,
time is running out!

mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '00062541e359' ORDER BY id;
+-----+--------------+---------------+----------+----+
| id  | UserName     | Attribute     | Value    | op |
+-----+--------------+---------------+----------+----+
| 205 | 00062541e359 | User-Password | ourpaswd | == |
+-----+--------------+---------------+----------+----+
1 row in set (0.00 sec)

Ourpaswd is actually the shared secret for the radius server.  Thank You

-Mike


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey C. Ollie
Sent: Saturday, August 09, 2003 11:33 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco Aironet - MAC auth logs


Mike,

Could you run the following queries manually against your MySQL database
and post the results?

> SELECT id,UserName,Attribute,Value,op FROM radcheck
> WHERE Username = '00062541e359' ORDER BY id

> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,
> radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup
> WHERE usergroup.Username = 'user' AND usergroup.GroupName = radgroupcheck.GroupName
> ORDER BY radgroupcheck.id

> SELECT id,UserName,Attribute,Value,op FROM radreply
> WHERE Username = '00062541e359' ORDER BY id

> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,
> radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup
> WHERE usergroup.Username = '00062541e359' AND usergroup.GroupName = radgroupreply.GroupName
> ORDER BY radgroupreply.id

> SELECT Value,Attribute FROM radcheck WHERE UserName = '00062541e359'
> AND ( Attribute = 'User-Password' OR Attribute = 'Password' OR Attribute = 'Crypt-Password')
> ORDER BY Attribute DESC

> SELECT id,UserName,Attribute,Value,op FROM radcheck
> WHERE Username = '00022d11' ORDER BY id

> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,
> radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup
> WHERE usergroup.Username = '00022d11' AND usergroup.GroupName = radgroupcheck.GroupName
> ORDER BY radgroupcheck.id

> SELECT id,UserName,Attribute,Value,op FROM radreply
> WHERE Username = '00022d11' ORDER BY id

> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,
> radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup
> WHERE usergroup.Username = '00022d11' AND usergroup.GroupName = radgroupreply.GroupName
> ORDER BY radgroupreply.id


