RE: Cisco AP350 series - Freeradius authentication warning.
Vinc,

You are right. Most 350s have the Vx *&^%$ stuff in them, although I believe there are two tools up on the CISCO site to change them to CISCO IOS.

Wayne T Work, Sr. CISSP
(Work) 203.217.5004
(Fax) 208-545-4365
Owner and Sr. Information Systems Security Consultant
Security Gauntlet Consulting
HIPAA Compliance Resource Group
www.securitygauntlet.com
www.hipaact.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 14, 2003 2:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco AP350 series - Freeradius authentication warning.

[EMAIL PROTECTED] wrote on 07/14/2003 01:04:37 PM:

> I think the problem is the AP configuration too, but since it is on
> service right now, and it is set for MAC address authentication, it is
> supposed to send the request to the FR when the MAC is not found in
> its database.

Casually perusing the 350 docs, it appears as though what you're trying to do _should_ be possible with the 350. Then again, the 350's run that awful VxWorst operating system, so who knows. ;)

> Do you think that maybe that setting (I mean forward requests to the
> FR) should work right? Can the authentication be shared between the AP
> and the FR? or is it an exclusive job for just one, the FR or the AP?
> So should I try to disable the MAC authentication at the AP just to
> see if that works?

I'd try that, but that basically means you're taking the AP out of service for a while. (You're kind of stuck between a rock and a hard place here.)

Why can't you just take all the MAC addresses that are on the access points, put them in FR, and then have the AP _only_ check FR? Wouldn't that eliminate an unnecessary layer of uncertainty?

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"A four-year-old will very quickly get over news of the death of Santa if told that it was due to his fully loaded sleigh crashing in the back garden." -- Mil Millington

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Cisco AP350 series - Freeradius authentication warning.
I do not think that the AP will forward the MAC auth request to the FR and will try to do it all internally.

Wayne T Work, Sr. CISSP
(Work) 203.217.5004
(Fax) 208-545-4365
Owner and Sr. Information Systems Security Consultant
Security Gauntlet Consulting
HIPAA Compliance Resource Group
www.securitygauntlet.com
www.hipaact.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Barrera
Sent: Monday, July 14, 2003 2:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco AP350 series - Freeradius authentication warning.

Thank you Vincent and Wayne for your answers.

I think the problem is the AP configuration too, but since it is on service right now, and it is set for MAC address authentication, it is supposed to send the request to the FR when the MAC is not found in its database.

Do you think that maybe that setting (I mean forward requests to the FR) should work right? Can the authentication be shared between the AP and the FR? or is it an exclusive job for just one, the FR or the AP? So should I try to disable the MAC authentication at the AP just to see if that works?

I am still checking the configuration, and it seems to be right, unless that "shared" authentication does not work well. I will check with Cisco if there is a "work around" for this configuration.

Thank you,

Ivan Dario Barrera
Graduate Student
ECE - University of Delaware
Re: Cisco AP350 series - Freeradius authentication warning.
[EMAIL PROTECTED] wrote on 07/14/2003 01:04:37 PM:

> I think the problem is the AP configuration too, but since it is on
> service right now, and it is set for MAC address authentication, it is
> supposed to send the request to the FR when the MAC is not found in its
> database.

Casually perusing the 350 docs, it appears as though what you're trying to do _should_ be possible with the 350. Then again, the 350's run that awful VxWorst operating system, so who knows. ;)

> Do you think that maybe that setting (I mean forward requests to the FR)
> should work right? Can the authentication be shared between the AP and
> the FR? or is it an exclusive job for just one, the FR or the AP? So
> should I try to disable the MAC authentication at the AP just to see if
> that works?

I'd try that, but that basically means you're taking the AP out of service for a while. (You're kind of stuck between a rock and a hard place here.)

Why can't you just take all the MAC addresses that are on the access points, put them in FR, and then have the AP _only_ check FR? Wouldn't that eliminate an unnecessary layer of uncertainty?

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"A four-year-old will very quickly get over news of the death of Santa if told that it was due to his fully loaded sleigh crashing in the back garden." -- Mil Millington
Re: Cisco AP350 series - Freeradius authentication warning.
Thank you Vincent and Wayne for your answers.

I think the problem is the AP configuration too, but since it is on service right now, and it is set for MAC address authentication, it is supposed to send the request to the FR when the MAC is not found in its database.

Do you think that maybe that setting (I mean forward requests to the FR) should work right? Can the authentication be shared between the AP and the FR? or is it an exclusive job for just one, the FR or the AP? So should I try to disable the MAC authentication at the AP just to see if that works?

I am still checking the configuration, and it seems to be right, unless that "shared" authentication does not work well. I will check with Cisco if there is a "work around" for this configuration.

Thank you,

Ivan Dario Barrera
Graduate Student
ECE - University of Delaware
RE: Cisco AP350 series - Freeradius authentication warning.
The CISCO AP350 does have a MAC authentication selection in the setting. Make sure that this is not selected. If it is selected you have to populate the AP with the MAC addresses which are authorized to use the AP. Since the Radius Server does not appear to be receiving a request in Debug mode, the AP may be stopping the request.

Just a thought!!

Wayne T Work, Sr. CISSP
(Work) 203.217.5004
(Fax) 208-545-4365
Owner and Sr. Information Systems Security Consultant
Security Gauntlet Consulting
HIPAA Compliance Resource Group
www.securitygauntlet.com
www.hipaact.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Barrera
Sent: Monday, July 14, 2003 11:03 AM
To: [EMAIL PROTECTED]
Subject: Cisco AP350 series - Freeradius authentication warning.

Hello,

I have a linux server with Freeradius. The access point (AP) is a Cisco AP350 Series.

I configured all the files, and seems to be working using radtest.

When I use my laptop to try to reach the network, the AP drops a warning message like:

(Warning): No MAC-Authentication response for Station 00022d0bea39 from server 10.4.132.24

Both the server and the AP are in the same network, and the ping response from the server to the AP is ok. But when I run the radius server with full debug options (-xxyz -l stdout) it does not show any message related to the request from the AP. Is that normal? Should not the server show at least the request from the AP, even if I have an error on the configuration files?

Thank you for your help,

Ivan Barrera
ECE - University of Delaware
Re: Cisco AP350 series - Freeradius authentication warning.
[EMAIL PROTECTED] wrote on 07/14/2003 10:30:23 AM:

> The AP is configured in that way that unknown MAC addresses are
> authenticated by the Radius server (right now the AP is on service and
> is the one authenticating right now) and the port used is set to 1812.

It would appear that something is wrong in the AAA setup on the access point then, because it's not sending packets to FR.

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"A four-year-old will very quickly get over news of the death of Santa if told that it was due to his fully loaded sleigh crashing in the back garden." -- Mil Millington
Re: Cisco AP350 series - Freeradius authentication warning.
The AP is configured in that way that unknown MAC addresses are authenticated by the Radius server (right now the AP is on service and is the one authenticating right now) and the port used is set to 1812.

Ivan Dario Barrera
ECE - University of Delaware
Re: Cisco AP350 series - Freeradius authentication warning.
[EMAIL PROTECTED] wrote on 07/14/2003 10:02:37 AM:

> I have a linux server with Freeradius. The access point (AP) is a Cisco
> AP350 Series.
>
> I configured all the files, and seems to be working using radtest.
>
> When I use my laptop to try to reach the network, the AP drops a warning
> message like:
>
> (Warning): No MAC-Authentication response for Station 00022d0bea39 from
> server 10.4.132.24
>
> Both the server and the AP are in the same network, and the ping
> response from the server to the AP is ok. But when I run the radius
> server with full debug options (-xxyz -l stdout) it does not show any
> message related to the request from the AP. Is that normal? Should not the
> server show at least the request from the AP, even if I have an error on
> the configuration files?

Check to make sure you've specified a radius port # on the AP. Cisco defaults to 1645, while FR defaults to 1812.

(yes, you should see FR say _something_ in debug mode. Since it isn't, you can conclude that FR isn't even seeing the packet.)

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

"A four-year-old will very quickly get over news of the death of Santa if told that it was due to his fully loaded sleigh crashing in the back garden." -- Mil Millington
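Added example, not part of the original thread: a small Python listener for the check discussed in this thread, binding both UDP 1645 (the Cisco default) and 1812 (the FreeRADIUS default) to show whether the AP's request reaches the host and on which port. It assumes the AP sends the station MAC as User-Name; the function names and the sample packet are constructed for this example.

```python
import select
import socket
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
USER_NAME = 1  # attribute type from RFC 2865

def parse_radius(datagram):
    """Parse the 20-byte RADIUS header and the attribute TLVs after it."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= len(datagram):
        raise ValueError("length field does not match the datagram")
    attrs, pos = {}, 20
    while pos < length:
        alen = datagram[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(datagram[pos], []).append(datagram[pos + 2:pos + alen])
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def describe(datagram, port):
    """One log line per datagram: what arrived and on which port."""
    try:
        pkt = parse_radius(datagram)
    except ValueError as exc:
        return f"not RADIUS on udp/{port}: {exc}"
    user = pkt["attrs"].get(USER_NAME, [b"?"])[0].decode("ascii", "replace")
    return f"{pkt['code']} id={pkt['id']} User-Name={user} on udp/{port}"

def build_sample_request():
    """Constructed packet; assumes the AP sends the station MAC as User-Name."""
    attrs = bytes([USER_NAME, 14]) + b"00022d0bea39"  # MAC from the warning
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

def listen(ports=(1645, 1812), host="0.0.0.0"):
    """Bind both candidate ports and log every datagram the AP sends."""
    socks = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in ports]
    for sock, port in zip(socks, ports):
        sock.bind((host, port))
    while True:
        for sock in select.select(socks, [], [])[0]:
            data, peer = sock.recvfrom(4096)
            print(peer[0], describe(data, sock.getsockname()[1]))

if __name__ == "__main__":
    listen()
```

Stop radiusd before running it so port 1812 is free. Silence on both ports while a station tries to associate means the AP is not sending requests to this host at all.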
Re: Cisco AP350 series - Freeradius authentication warning.
I must say, the laptop is using Windows XP, it has the certificates installed and, unfortunately, even when the message is just a warning, it does not log in to the network.

Ivan Dario Barrera
ECE - University of Delaware

On Mon, 14 Jul 2003, Ivan Barrera wrote:

> Hello,
>
> I have a linux server with Freeradius. The access point (AP) is a Cisco
> AP350 Series.
>
> I configured all the files, and seems to be working using radtest.
>
> When I use my laptop to try to reach the network, the AP drops a warning
> message like:
>
> (Warning): No MAC-Authentication response for Station 00022d0bea39 from
> server 10.4.132.24
>
> Both the server and the AP are in the same network, and the ping
> response from the server to the AP is ok. But when I run the radius
> server with full debug options (-xxyz -l stdout) it does not show any
> message related to the request from the AP. Is that normal? Should not the
> server show at least the request from the AP, even if I have an error on
> the configuration files?
>
> Thank you for your help,
>
> Ivan Barrera
> ECE - University of Delaware