Re: Cisco LEAP and FreeRadius
On Thu, May 29, 2003 at 09:41:56PM +1000, Luke Walshe wrote:

> test    Auth-Type := Local, User-Password == pass,
>         Service-Type = Framed-User
>
> Try
>
> test    Auth-Type := eap, User-Password == pass
>         Service-Type = Login-User

It works. Thank you.

-- 
/* Miroslav Petricek  [EMAIL PROTECTED]
   UNIS COMPUTERS, spol. s r.o.
   Systems engineer - UNIX  --  http://www.petricek.cz/  --  ICQ: 56183467 */

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cisco LEAP and FreeRadius
Hi, all

I would like to configure FreeRadius to allow LEAP based authentication between a Cisco client, a Cisco AP350 and a FreeRadius server.

My configuration: freeradius-snapshot-20030528, compiled on Red Hat Linux 7.3

raddb/users file:

test    Auth-Type := Local, User-Password == pass,
        Service-Type = Framed-User

raddb/clients.conf file:

client 127.0.0.1 {
        secret    = pass
        shortname = localhost
        nastype   = other
}

client 192.168.1.254 {
        secret    = pass
        shortname = ap350
        nastype   = cisco
}

I have default_eap_type = leap in the eap section of the radiusd.conf.

When I try to connect to the radius server, everything seems to be working fine:

# radtest test pass localhost 1813 pass
Sending Access-Request of id 100 to 127.0.0.1:1812
        User-Name = test
        User-Password = pass
        NAS-IP-Address = rambo.uniscomp.cz
        NAS-Port = 1813
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=100, length=32
        Service-Type = Framed-User
        Framed-IP-Netmask = 255.255.255.0

But when I try to connect from the Cisco 350 NAS, I'm getting the following:

Auth: Login OK: [test/no User-Password attribute] (from client ap350 port 37 cli 000c304c1aa0)
Info: rlm_eap_leap: No User-Password or NT-Password configured for this user

How should I correctly specify User-Password?

-- 
/* Miroslav Petricek  [EMAIL PROTECTED]
   UNIS COMPUTERS, spol. s r.o.
   Systems engineer - UNIX  --  http://www.petricek.cz/  --  ICQ: 56183467 */
RE: Cisco LEAP and FreeRadius
test    Auth-Type := Local, User-Password == pass,
        Service-Type = Framed-User

Try

test    Auth-Type := eap, User-Password == pass
        Service-Type = Login-User

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Miroslav Petricek
Sent: Thursday, 29 May 2003 8:49 PM
To: [EMAIL PROTECTED]
Subject: Cisco LEAP and FreeRadius

> Hi, all
>
> I would like to configure FreeRadius to allow LEAP based authentication between a Cisco client, a Cisco AP350 and a FreeRadius server.
>
> My configuration: freeradius-snapshot-20030528, compiled on Red Hat Linux 7.3
>
> raddb/users file:
>
> test    Auth-Type := Local, User-Password == pass,
>         Service-Type = Framed-User
>
> raddb/clients.conf file:
>
> client 127.0.0.1 {
>         secret    = pass
>         shortname = localhost
>         nastype   = other
> }
>
> client 192.168.1.254 {
>         secret    = pass
>         shortname = ap350
>         nastype   = cisco
> }
>
> I have default_eap_type = leap in the eap section of the radiusd.conf.
>
> When I try to connect to the radius server, everything seems to be working fine:
>
> # radtest test pass localhost 1813 pass
> Sending Access-Request of id 100 to 127.0.0.1:1812
>         User-Name = test
>         User-Password = pass
>         NAS-IP-Address = rambo.uniscomp.cz
>         NAS-Port = 1813
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=100, length=32
>         Service-Type = Framed-User
>         Framed-IP-Netmask = 255.255.255.0
>
> But when I try to connect from the Cisco 350 NAS, I'm getting the following:
>
> Auth: Login OK: [test/no User-Password attribute] (from client ap350 port 37 cli 000c304c1aa0)
> Info: rlm_eap_leap: No User-Password or NT-Password configured for this user
>
> How should I correctly specify User-Password?
>
> -- 
> Miroslav Petricek
Re: Instructions on howto setup Cisco LEAP with FreeRadius
david tran [EMAIL PROTECTED] wrote:
> So how would I set the users file so that LEAP will work, since the way I am doing it is NOT what you recommended? Should I configure the user to be like this:
>
> dtran   Auth-Type := local, User-Password == 123456

  No. You're telling it to ignore EAP, and to authenticate the user locally.

  You don't need to set an Auth-Type. If the packet has EAP, then the EAP module will set it for you.

  Alan DeKok.
Re: Instructions on howto setup Cisco LEAP with FreeRadius
Hi Alan,

So how would I set the users file so that LEAP will work, since the way I am doing it is NOT what you recommended? Should I configure the user to be like this:

dtran   Auth-Type := local, User-Password == 123456

Please advise. Thanks.

David

--- Alan DeKok [EMAIL PROTECTED] wrote:
> david tran [EMAIL PROTECTED] wrote:
> > This is the instruction on how to setup Cisco LEAP with FreeRadius. I am NOT an expert with FreeRadius so I am sure this howto has shortcomings in it. Please feel free to make comments and changes to the documentation.
>
>   I've taken a look at the default 'radiusd.conf', and updated it so that LEAP will work by default.
>
> > 8) in the users file, specify a test account. For example:
> >
> >    dtran   Auth-Type := EAP, User-Password == 123456
>
>   I would recommend NOT doing that. That will tell the server to do LEAP authentication, even if there's no LEAP in the request.
>
> > Uncomment the passwd and shadow:
>
>   This has nothing to do with LEAP, and should not be in the same document.
>
>   Alan DeKok.
Re: Instructions on howto setup Cisco LEAP with FreeRadius
david tran [EMAIL PROTECTED] wrote:
> This is the instruction on how to setup Cisco LEAP with FreeRadius. I am NOT an expert with FreeRadius so I am sure this howto has shortcomings in it. Please feel free to make comments and changes to the documentation.

  I've taken a look at the default 'radiusd.conf', and updated it so that LEAP will work by default.

> 8) in the users file, specify a test account. For example:
>
>    dtran   Auth-Type := EAP, User-Password == 123456

  I would recommend NOT doing that. That will tell the server to do LEAP authentication, even if there's no LEAP in the request.

> Uncomment the passwd and shadow:

  This has nothing to do with LEAP, and should not be in the same document.

  Alan DeKok.
Instructions on howto setup Cisco LEAP with FreeRadius
This is the instruction on how to setup Cisco LEAP with FreeRadius. I am NOT an expert with FreeRadius so I am sure this howto has shortcomings in it. Please feel free to make comments and changes to the documentation. I just know that this instruction works for me. Last but not least, many thanks to everyone in this group that has made it possible.

Equipment:

1) Supplicant: Win2k (SP3)/WinXP (SP1) with Cisco Aironet Control Utility (ACU) software. Aironet Wireless Card.
2) Authenticator: Cisco Wireless Access Point (WAP) AP340 model.
3) Authentication Server: FreeRadius snapshot version freeradius-snapshot-20030324.tar.gz (I think any version after March 8 will support Cisco LEAP).

Instructions:

1) download the freeradius-snapshot-20030324.tar.gz file,
2) tar xzpf freeradius-snapshot-20030324.tar.gz
3) cd to the freeradius-snapshot-20030324 directory
4) ./configure --sysconfdir=/etc
5) make
6) make install
7) in the /etc/raddb/clients.conf file, include the IP address of the WAP
8) in the users file, specify a test account. For example:

   dtran   Auth-Type := EAP, User-Password == 123456

9) In the radiusd.conf, change the following:

   from:
       default_eap_type = md5
   to:
       default_eap_type = leap

   # Supported EAP-types
   from:
       md5 {
   to:
       leap {

   Uncomment the eap below:

       # The chap module will set 'Auth-Type := CHAP' if we are
       # handling a CHAP request and Auth-Type has not already been set
   #   chap
   #   counter
   #   attr_filter
   #   eap

   Again, uncomment the eap below:

       # Uncomment it if you want to use ldap for authentication
       # authtype LDAP {
       #   ldap
       # }
   #   mschap
   #   eap

   Uncomment the passwd and shadow:

       # To force the module to use the system password functions,
       # instead of reading the files, comment out the 'passwd'
       # and 'shadow' configuration entries. This is required
       # for some systems, like FreeBSD, and Mac OSX.
       #
       # passwd = /etc/passwd
       # shadow = /etc/shadow
       group = /etc/group

10) for testing purposes, start radiusd in debug mode:

    radiusd -X -A

11) Setup your WAP to use FreeRadius. Specify port 1812 instead of 1645 in the WAP. From Win2k or XP, setup your wireless to use LEAP.

If everything is working right, you will see on the radius server the following message:

[EMAIL PROTECTED] root]# radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = leap
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess
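The thread turns on two points: step 8 of the howto above and the original "Auth-Type := Local" entry both pin Auth-Type by hand, which Alan DeKok says to leave unset so that rlm_eap can set it when the request carries EAP, and rlm_eap_leap needs a User-Password or NT-Password check item to verify the LEAP exchange at all. The following is an added example, not code from FreeRADIUS or from anyone on the list: a small Python lint for the classic users-file syntax that reports both mistakes. The users entries in the sample are taken from the posts in this thread, the "nopw" entry and all of the function names are constructed for the example.

```python
"""Lint a FreeRADIUS 'users' file for the LEAP mistakes discussed in this thread.

Added example, not FreeRADIUS code.  It parses the classic users-file syntax
(entry line: user name, then comma-separated check items; indented lines:
reply items) and reports:
  * a hand-set 'Auth-Type := ...' (leave Auth-Type unset; rlm_eap sets it
    itself when the request carries EAP)
  * no User-Password / NT-Password check item, which is what rlm_eap_leap
    needs ("No User-Password or NT-Password configured for this user")
"""
import re

# attribute, operator, value; values may be quoted, unquoted ones run to the next comma
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|\+=|=)\s*("[^"]*"|[^,]+)')

# check items rlm_eap_leap can use as the known password (names compared lowercase)
CLEARTEXT_CHECKS = {"user-password", "nt-password"}


def _items(text):
    """'A := x, B == "y"' -> [('A', ':=', 'x'), ('B', '==', 'y')]"""
    return [(a, op, v.strip().strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Return one {'name', 'check', 'reply'} dict per entry in users-file text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments and blank lines
        if not line.strip():
            continue
        if line[0] in ' \t':                      # indented: reply items of current entry
            if entries:
                entries[-1]['reply'].extend(_items(line))
            continue
        parts = line.split(None, 1)               # 'name   check, items'
        entries.append({'name': parts[0],
                        'check': _items(parts[1]) if len(parts) > 1 else [],
                        'reply': []})
    return entries


def lint_users(text):
    """Return [(user, problem)] for every entry that would not do LEAP cleanly."""
    findings = []
    for e in parse_users(text):
        check = {a.lower(): (op, v) for a, op, v in e['check']}
        reply = {a.lower() for a, _, _ in e['reply']}
        auth = check.get('auth-type')
        if auth and auth[0] == ':=':
            kind = auth[1].lower()
            if kind == 'local':
                why = 'tells the server to ignore EAP and authenticate locally'
            elif kind == 'eap':
                why = 'forces LEAP even when the request carries no EAP'
            else:
                why = 'is set by hand; rlm_eap sets Auth-Type itself for EAP requests'
            findings.append((e['name'],
                             f'Auth-Type := {auth[1]} {why}; remove the Auth-Type item'))
        if not CLEARTEXT_CHECKS & set(check):
            where = (' (it is among the reply items; move it to the entry line)'
                     if CLEARTEXT_CHECKS & reply else '')
            findings.append((e['name'],
                             'no User-Password or NT-Password check item for rlm_eap_leap' + where))
    return findings


# Constructed sample in users-file syntax, built from the entries posted in the thread.
SAMPLE_USERS = """\
# first post: radtest works, the AP350 gets "No User-Password or NT-Password"
test      Auth-Type := Local, User-Password == "pass"
          Service-Type = Framed-User

# list suggestion: works, but still pins the type
test2     Auth-Type := eap, User-Password == "pass"
          Service-Type = Login-User

# as recommended: no Auth-Type at all, rlm_eap chooses it
dtran     User-Password == "123456"

# constructed mistake: password as a reply item, where nothing can check it
nopw      Auth-Type := EAP
          User-Password = "secret"
"""

if __name__ == '__main__':
    for user, problem in lint_users(SAMPLE_USERS):
        print(f'{user}: {problem}')
```

Run against the sample, the lint reports "test" and "test2" for their pinned Auth-Type, "nopw" twice (pinned type, and a password that sits among the reply items where no module will read it as a check item), and nothing for "dtran", the form the list recommends. To lint a real server, read /etc/raddb/users into a string and pass it to lint_users; the parser only understands the plain users-file grammar shown in the thread, not the later unlang syntax.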