Re: Cisco LEAP and FreeRadius

2003-05-30 Thread Miroslav Petricek
On Thu, May 29, 2003 at 09:41:56PM +1000, Luke Walshe wrote:
> > test  Auth-Type := Local, User-Password == pass,
> >       Service-Type = Framed-User
>
> Try
>
> test  Auth-Type := eap, User-Password == pass
>       Service-Type = Login-User

It works. Thank you.

-- 
/* Miroslav Petricek [EMAIL PROTECTED]
   UNIS COMPUTERS, spol. s r.o.  Systemovy inzenyr - UNIX
-- http://www.petricek.cz/ -- ICQ: 56183467  --

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Cisco LEAP and FreeRadius

2003-05-29 Thread Miroslav Petricek
Hi, all

I would like to configure FreeRadius to allow LEAP based
authentication between Cisco client, Cisco AP350 and FreeRadius
server.

My configuration:

freeradius-snapshot-20030528, compiled on Red Hat Linux 7.3

raddb/users file:

test  Auth-Type := Local, User-Password == pass,
  Service-Type = Framed-User


raddb/clients.conf file:

client 127.0.0.1 {
        secret      = pass
        shortname   = localhost
        nastype     = other
}

client 192.168.1.254 {
        secret      = pass
        shortname   = ap350
        nastype     = cisco
}

I have default_eap_type = leap in the eap section of the radiusd.conf.

When I try to connect to the radius server, everything seems to be
working fine:

# radtest test pass localhost 1813 pass
Sending Access-Request of id 100 to 127.0.0.1:1812
        User-Name = test
        User-Password = pass
        NAS-IP-Address = rambo.uniscomp.cz
        NAS-Port = 1813
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=100, length=32
        Service-Type = Framed-User
        Framed-IP-Netmask = 255.255.255.0

But when I try to connect from Cisco 350 NAS, I'm getting the following:

Auth: Login OK: [test/no User-Password attribute] (from client ap350 port 37 cli 000c304c1aa0)
Info: rlm_eap_leap: No User-Password or NT-Password configured for this user

How should I correctly specify User-Password?

-- 
/* Miroslav Petricek [EMAIL PROTECTED]
   UNIS COMPUTERS, spol. s r.o.  Systemovy inzenyr - UNIX
-- http://www.petricek.cz/ -- ICQ: 56183467  --



RE: Cisco LEAP and FreeRadius

2003-05-29 Thread Luke Walshe

> test  Auth-Type := Local, User-Password == pass,
>       Service-Type = Framed-User

Try

test    Auth-Type := eap, User-Password == pass
        Service-Type = Login-User



Re: Instructions on howto setup Cisco LEAP with FreeRadius

2003-04-04 Thread Alan DeKok
david tran [EMAIL PROTECTED] wrote:
> So how would I set the users file so that LEAP will
> work since the way I am doing it is NOT what you
> recommended.
>
> should I configure the user to be like this:
> dtran Auth-Type := local, User-Password == 123456

  No.  You're telling it to ignore EAP, and to authenticate the user
locally.

  You don't need to set an Auth-Type.  If the packet has EAP, then the
EAP module will set it for you.

  Alan DeKok.
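
An added example, not part of the original thread and not FreeRADIUS code: a small Python check that reads entries in the raddb/users layout shown in this thread and reports the ones that pin Auth-Type to Local or EAP, the two settings Alan DeKok advises against in his replies. The parser, the function names and the "alice" entry are assumptions made for illustration.

```python
import re

# Constructed sample in raddb/users layout. "test" and "dtran" are the entries
# quoted in this thread; "alice" is a hypothetical entry with no Auth-Type.
SAMPLE_USERS = """\
test   Auth-Type := Local, User-Password == pass,
       Service-Type = Framed-User

dtran  Auth-Type := EAP, User-Password == 123456

alice  User-Password == example
       Service-Type = Framed-User
"""

# attribute, operator, value (optionally double-quoted)
ITEM = re.compile(r'([\w-]+)\s*([:+!<>=~*]{1,2})\s*("[^"]*"|[^,\s]+)')

# Effect of pinning each value, as described in the replies in this thread.
FORCED = {
    "local": "authenticates locally and ignores EAP in the request",
    "eap": "runs EAP even when the request carries no EAP",
}


def parse_entries(text):
    """Yield (user, {attribute: (operator, value)}) from each check-item line."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if line[0].isspace():
            continue                      # indented lines hold reply items
        fields = line.split(None, 1)      # user name, then the check items
        rest = fields[1] if len(fields) > 1 else ""
        yield fields[0], {m.group(1).lower(): (m.group(2), m.group(3).strip('"'))
                          for m in ITEM.finditer(rest)}


def lint_users(text):
    """Return (user, value, effect) for entries that force Auth-Type."""
    findings = []
    for user, items in parse_entries(text):
        op, value = items.get("auth-type", (None, ""))
        if op == ":=" and value.lower() in FORCED:
            findings.append((user, value, FORCED[value.lower()]))
    return findings


if __name__ == "__main__":
    for user, value, effect in lint_users(SAMPLE_USERS):
        print(f"{user}: Auth-Type := {value} {effect}")
```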



Re: Instructions on howto setup Cisco LEAP with FreeRadius

2003-04-03 Thread david tran
Hi Alan,
So how would I set the users file so that LEAP will 
work since the way I am doing it is NOT what you 
recommended.

should I configure the user to be like this:
dtran Auth-Type := local, User-Password == 123456

Please advise.
Thanks.

David



Re: Instructions on howto setup Cisco LEAP with FreeRadius

2003-03-31 Thread Alan DeKok
david tran [EMAIL PROTECTED] wrote:
> This is the instruction on how to setup Cisco LEAP with FreeRadius.
> I am NOT an expert with FreeRadius so I am sure this howto has
> shortcomings in it.  Please feel free to make comments and changes to the
> documentation.

  I've taken a look at the default 'radiusd.conf', and updated it so
that LEAP will work by default.

> 8) in the users file, specify a test account.  For
> example:
> dtran Auth-Type := EAP, User-Password == 123456

  I would recommend NOT doing that.  That will tell the server to do
LEAP authentication, even if there's no LEAP in the request.

> Uncomment the passwd and shadow:

  This has nothing to do with LEAP, and should not be in the same
document.

  Alan DeKok.



Instructions on howto setup Cisco LEAP with FreeRadius

2003-03-28 Thread david tran
This is the instruction on how to setup Cisco LEAP with FreeRadius.
I am NOT an expert with FreeRadius so I am sure this howto has
shortcomings in it.  Please feel free to make comments and changes
to the documentation.  I just know that this instruction works for me.
Last but not least, many thanks to everyone in this group that has
made it possible.

Equipment:
1) Supplicant:  Win2k (SP3)/WinXP (SP1) with Cisco Aironet Control
Utility (ACU) software.  Aironet Wireless Card.

2) Authenticator:  Cisco Wireless Access Point (WAP) AP340 model.

3) Authentication Server:  FreeRadius snapshot version
freeradius-snapshot-20030324.tar.gz (I think any version after March 8
will support Cisco LEAP).

Instructions:
1) download the freeradius-snapshot-20030324.tar.gz file,
2) tar xzpf freeradius-snapshot-20030324.tar.gz
3) cd to the freeradius-snapshot-20030324 directory
4) ./configure --sysconfdir=/etc
5) make
6) make install
7) in the /etc/raddb/clients.conf file, include the IP address of the WAP
8) in the users file, specify a test account.  For example:
        dtran Auth-Type := EAP, User-Password == 123456
9) In the radiusd.conf, change the following:
from:
        default_eap_type = md5
to:
        default_eap_type = leap

# Supported EAP-types
from:
        md5 {
to:
        leap {

Uncomment the eap below:
        # The chap module will set 'Auth-Type := CHAP' if we are
        # handling a CHAP request and Auth-Type has not already been set
        #
        chap

#       counter
#       attr_filter
#       eap

Again, uncomment the eap below:

        # Uncomment it if you want to use ldap for authentication
#       authtype LDAP {
#               ldap
#       }
#       mschap
#       eap

Uncomment the passwd and shadow:

        #  To force the module to use the system password functions,
        #  instead of reading the files, comment out the 'passwd'
        #  and 'shadow' configuration entries.  This is required
        #  for some systems, like FreeBSD, and Mac OSX.
        #
        # passwd = /etc/passwd
        # shadow = /etc/shadow
        group = /etc/group


10) for testing purposes, start radiusd in debug mode:
radiusd -X -A

11) Setup your WAP to use FreeRadius.  Specify port 1812 instead of
1645 in the WAP.

From Win2k or XP, setup your wireless to use LEAP.

If everything is working right, you will see on the radius server the
following message:

[EMAIL PROTECTED] root]# radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = leap
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess