Re: Authentication failure - PEAP - MS-CHAPv2
Problem solved! It was a routing problem... the APs are on a different subnet than the RADIUS server. Their default gateways were set to the correct host, that's why they could talk to the RADIUS server. The problem is that recently we added a ppp connection to the server, which overwrote the default route, that way rendering the APs invisible... adding a route entry to the routing table solved the problem.

Thank you for your help, anyways.

Regards
Gergely Kiss

2009/6/16 kissg
> It's getting even more interesting: using the same configuration, but with another access point (same model and firmware version): works flawlessly.
> There are only two differences between the setups:
> - In the test environment, the AP is located near to the test machine (it was placed about 5-6 meters from the AP, no walls between)
> - We didn't configure VLANs on the test AP.
>
> I have a feeling that the AP refuses the connection because some kind of privilege checking fails (the client is not privileged to access the required VLAN). Does FreeRADIUS configuration need anything special if the AP is configured for multiple VLANs?
>
> The VLAN configuration looks like this in the live environment:
>
> VLAN4 - Private VLAN, the RADIUS server is located here and an EAP-protected SSID is mapped to this VLAN
> VLAN5 - Public VLAN, mapped to an open SSID
> VLAN6 - Management VLAN - untagged - we configure the APs using this VLAN
>
> Probably the LDAP server has to provide some extra attribute which grants access to VLAN4, but I'm not sure. Could you please help?
>
> Thank you
>
> Gergely Kiss

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
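The diagnosis above, as an added example that is not part of the thread: a longest-prefix-match lookup over a constructed routing table (every address and interface name here is made up) shows why the ppp link's default route captured the server's replies to the APs' subnet, and why one specific route for that subnet fixes it.

```python
import ipaddress

# Constructed addresses for illustration (not the thread's real network).
RADIUS_SERVER = "192.0.2.10"       # RADIUS server on the private VLAN
LAN_GATEWAY   = "192.0.2.1"        # router that reaches the APs' subnet
AP_SUBNET     = "198.51.100.0/24"  # the APs live on another subnet
AP_ADDRESS    = "198.51.100.20"    # one Aironet AP (a RADIUS NAS)

def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway, device) entries,
    the same rule the kernel applies when choosing an egress route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, device in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, device)
    return None if best is None else (best[1], best[2])

def routes_before_ppp():
    # Connected LAN plus a default route via the LAN router: APs are reachable.
    return [("192.0.2.0/24", None, "eth0"),
            ("0.0.0.0/0", LAN_GATEWAY, "eth0")]

def routes_after_ppp():
    # The new ppp link replaced the default route.  Requests from the APs still
    # arrive (their own default gateway is fine), but the server's replies to
    # 198.51.100.0/24 now leave via ppp0 and never reach the AP.
    return [("192.0.2.0/24", None, "eth0"),
            ("0.0.0.0/0", "10.64.64.64", "ppp0")]

def routes_fixed():
    # The fix from the thread: a specific route for the APs' subnet, which
    # wins the longest-prefix match over the /0 default route.
    return routes_after_ppp() + [(AP_SUBNET, LAN_GATEWAY, "eth0")]

def reply_device(routes, nas=AP_ADDRESS):
    """Interface a RADIUS reply to the given NAS would leave through."""
    return lookup(routes, nas)[1]

def misrouted_nas(routes, nas_addresses, expected_device="eth0"):
    """NAS addresses whose replies would not leave via the expected interface:
    a sanity check to run against the real table when the debug output shows
    an Access-Challenge being sent but the client never answers."""
    return [nas for nas in nas_addresses
            if reply_device(routes, nas) != expected_device]

if __name__ == "__main__":
    for name, table in (("before ppp", routes_before_ppp()),
                        ("after ppp", routes_after_ppp()),
                        ("fixed", routes_fixed())):
        print(f"{name:>10}: reply to {AP_ADDRESS} leaves via {reply_device(table)}")
```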
Re: Authentication failure - PEAP - MS-CHAPv2
It's getting even more interesting: using the same configuration, but with another access point (same model and firmware version): works flawlessly.
There are only two differences between the setups:
- In the test environment, the AP is located near to the test machine (it was placed about 5-6 meters from the AP, no walls between)
- We didn't configure VLANs on the test AP.

I have a feeling that the AP refuses the connection because some kind of privilege checking fails (the client is not privileged to access the required VLAN). Does FreeRADIUS configuration need anything special if the AP is configured for multiple VLANs?

The VLAN configuration looks like this in the live environment:

VLAN4 - Private VLAN, the RADIUS server is located here and an EAP-protected SSID is mapped to this VLAN
VLAN5 - Public VLAN, mapped to an open SSID
VLAN6 - Management VLAN - untagged - we configure the APs using this VLAN

Probably the LDAP server has to provide some extra attribute which grants access to VLAN4, but I'm not sure. Could you please help?

Thank you

Gergely Kiss

2009/6/12 kissg
> 2009/6/11 Matthieu Lazaro
>
>> !
>> eap profile < Profile Name>
>>  method mschapv2
>> !
>
> I don't have the lines above in my config. Does this have any influence on the way the AP proxies RADIUS packets? I think this is only relevant if the AP authenticates using its own database, right?
Re: Authentication failure - PEAP - MS-CHAPv2
2009/6/11 Matthieu Lazaro
> !
> eap profile < Profile Name>
>  method mschapv2
> !

I don't have the lines above in my config. Does this have any influence on the way the AP proxies RADIUS packets? I think this is only relevant if the AP authenticates using its own database, right?
Re: Authentication failure - PEAP - MS-CHAPv2
Hi,

> It really is an AP issue. Using another AP (SMC WEBT-G) with the same RADIUS config works... Both Windows XP and Ubuntu connect successfully, no matter if I set certificate validation on or off... Anyway, there are two EAP settings which are supported by the Cisco AP: Open mode with EAP, and something called "Network mode". I'm going to try setting the latter one, maybe it helps. If not, a firmware update will be needed (I think).

You can use both. It's recommended to use the open mode for non-Cisco clients and the network mode for Cisco clients. You can (should?) run both at the same time.

alan
Re: Authentication failure - PEAP - MS-CHAPv2
kissg wrote:
> It really is an AP issue. Using another AP (SMC WEBT-G) with the same RADIUS config works... Both Windows XP and Ubuntu connect successfully, no matter if I set certificate validation on or off... Anyway, there are two EAP settings which are supported by the Cisco AP: Open mode with EAP, and something called "Network mode". I'm going to try setting the latter one, maybe it helps. If not, a firmware update will be needed (I think).
>
> Thanks for all your comments!
>
> Regards
> Gergely Kiss

Hello,

I know how to configure those Cisco AP 1131 AG and it's working for me. As it is too long and heavy to put some screenshots of the web interface, here are parts of the configuration you should have:

aaa new-model
!
!
aaa group server radius rad_eap
 server auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server auth-port 1812 acct-port 1813
!
aaa group server radius rad_admin
 server auth-port 1812 acct-port 1813
!
aaa group server radius rad_eap1
 server auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
...
dot11 ssid
 authentication open eap eap_methods1
 authentication key-management wpa version 2
 guest-mode
 information-element ssidl wps
!
dot11 holdoff-time 60
dot11 aaa csid ietf
dot11 aaa dot1x compliance draft10
dot11 network-map
power inline negotiation prestandard source
eap profile < Profile Name>
 method mschapv2
!
..
radius-server local
 nas key secret
!
radius-server attribute 32 include-in-access-req format %h
radius-server host auth-port 1812 acct-port 1813 key secret
radius-server vsa send accounting
bridge 1 route ip
!

I hope it helps a little.

Best Regards,
Matt
Re: Authentication failure - PEAP - MS-CHAPv2
2009/6/10 Diego Martín Capello
> Hi alan,
>
>> Hi,
>>
>> self-signed are perfectly fine - but you need to ensure that the CA used is installed onto the client!
>>
>> you should *never* run an EAP client without certificate validation
>
> I agree with you, but this is only for testing purposes. Each client is responsible for the configuration of his EAP client. Best regards.
>
>> alan

It really is an AP issue. Using another AP (SMC WEBT-G) with the same RADIUS config works... Both Windows XP and Ubuntu connect successfully, no matter if I set certificate validation on or off... Anyway, there are two EAP settings which are supported by the Cisco AP: Open mode with EAP, and something called "Network mode". I'm going to try setting the latter one, maybe it helps. If not, a firmware update will be needed (I think).

Thanks for all your comments!

Regards
Gergely Kiss
Re: Authentication failure - PEAP - MS-CHAPv2
Hi alan,

> Hi,
>
> self-signed are perfectly fine - but you need to ensure that the CA used is installed onto the client!
>
> you should *never* run an EAP client without certificate validation

I agree with you, but this is only for testing purposes. Each client is responsible for the configuration of his EAP client. Best regards.

> alan

--
Diego Martín Capello
Administrador RedUBA
Centro de Comunicación Científica
Universidad de Buenos Aires
Re: Authentication failure - PEAP - MS-CHAPv2
Hi,

> I think you are using self-signed SSL certificates in the FreeRADIUS server and the Windows XP client is trying to "validate" them; if that is right, try to configure the Windows XP client to not validate them. Best regards and sorry for my english!

self-signed are perfectly fine - but you need to ensure that the CA used is installed onto the client!

you should *never* run an EAP client without certificate validation

alan
Re: Authentication failure - PEAP - MS-CHAPv2
>> Follow the instructions on my web site: http://deployingradius.com
>> It has a step by step guide to get EAP working. Follow the guide. It *will* work.
>>
>> Alan DeKok.
>
> Thanks, I'm going to try it. Anyway, I don't think it could be Samba related, because my config uses an LDAP database, which is totally independent from Samba.
> The only reason I can imagine is a bug in the firmware of the access point... but let's see what happens using your configuration.

I think you are using self-signed SSL certificates in the FreeRADIUS server and the Windows XP client is trying to "validate" them; if that is right, try to configure the Windows XP client to not validate them. Best regards and sorry for my english!

Diego Martín Capello

> Gergely Kiss
RE: Authentication failure - PEAP - MS-CHAPv2
Have you tried, as a test, to temporarily disable server certificate validation on the WinXP wireless network definition?

From: freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org [mailto:freeradius-users-bounces+neal.garber=energyeast@lists.freeradius.org] On Behalf Of kissg
Sent: Wednesday, June 10, 2009 10:12 AM
To: FreeRadius users mailing list
Subject: Re: Authentication failure - PEAP - MS-CHAPv2

Follow the instructions on my web site: http://deployingradius.com
It has a step by step guide to get EAP working. Follow the guide. It *will* work.

Alan DeKok.

Thanks, I'm going to try it. Anyway, I don't think it could be Samba related, because my config uses an LDAP database, which is totally independent from Samba.
The only reason I can imagine is a bug in the firmware of the access point... but let's see what happens using your configuration.

Gergely Kiss
Re: Authentication failure - PEAP - MS-CHAPv2
> Follow the instructions on my web site: http://deployingradius.com
>
> It has a step by step guide to get EAP working. Follow the guide. It *will* work.
>
> Alan DeKok.

Thanks, I'm going to try it. Anyway, I don't think it could be Samba related, because my config uses an LDAP database, which is totally independent from Samba.
The only reason I can imagine is a bug in the firmware of the access point... but let's see what happens using your configuration.

Gergely Kiss
Re: Authentication failure - PEAP - MS-CHAPv2
Hi,

> I'm not able to do that now. I only saw two interesting things in the

no debug = no help :-|

you might want to try the latest 2.1.6 as the bootstrap EAP ing got a bit cleaner - are you using EAP-PEAP or are you putting client certs on the windows and actually using EAP-TLS ?

following the EAP guide on deployingradius with no other changes will work.

i wonder if you are playing with UserName?

alan
Re: Authentication failure - PEAP - MS-CHAPv2
kissg wrote:
> The strange thing is that the same happens if I try to connect from the Ubuntu client. I've set the AP to WPA-PSK now, but it would be nice if we could use PEAP, as it is more secure (security plays an important role on this network, as there is a hotspot system configured on these APs). The main goal is to be able to completely separate the private and the public part of the network (using VLANs and PEAP). Do you have any other ideas?

Follow the instructions on my web site: http://deployingradius.com

It has a step by step guide to get EAP working. Follow the guide. It *will* work.

Alan DeKok.
Re: Authentication failure - PEAP - MS-CHAPv2
The strange thing is that the same happens if I try to connect from the Ubuntu client. I've set the AP to WPA-PSK now, but it would be nice if we could use PEAP, as it is more secure (security plays an important role on this network, as there is a hotspot system configured on these APs). The main goal is to be able to completely separate the private and the public part of the network (using VLANs and PEAP). Do you have any other ideas?

2009/6/10 Alan DeKok
> kissg wrote:
>> I'm not able to do that now. I only saw two interesting things in the output: a warning message about the LDAP directory, but that's okay, because there are no clear text passwords, only NT-hashed ones. The output tells me that the user is authorized for access.
>> Then, the EAP conversation starts, no errors can be seen. The last message in the output tells me that the server sent an Access-Challenge packet, but nothing happens after that.
>
> Blame Windows. It's the one deciding to stop the EAP process.
>
> Alan DeKok.
Re: Authentication failure - PEAP - MS-CHAPv2
kissg wrote:
> I'm not able to do that now. I only saw two interesting things in the output: a warning message about the LDAP directory, but that's okay, because there are no clear text passwords, only NT-hashed ones. The output tells me that the user is authorized for access.
> Then, the EAP conversation starts, no errors can be seen. The last message in the output tells me that the server sent an Access-Challenge packet, but nothing happens after that.

Blame Windows. It's the one deciding to stop the EAP process.

Alan DeKok.
Re: Authentication failure - PEAP - MS-CHAPv2
I'm not able to do that now. I only saw two interesting things in the output: a warning message about the LDAP directory, but that's okay, because there are no clear text passwords, only NT-hashed ones. The output tells me that the user is authorized for access.
Then, the EAP conversation starts, no errors can be seen. The last message in the output tells me that the server sent an Access-Challenge packet, but nothing happens after that.

2009/6/10 Ivan Kalik
>
> Post the debug.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Authentication failure - PEAP - MS-CHAPv2
> I'm having a strange issue with FreeRADIUS 2.1.4, using a configuration with the following items:
>
> - Cisco Aironet 1130AG access point
> - Ubuntu-based server with FreeRADIUS and OpenLDAP
> - Client machines (Windows XP SP2, Ubuntu 9.04)
>
> The issue I have is that I don't get a response from the client after the server sends an Access-Challenge packet. The certificates were made with the bootstrap script of FreeRADIUS, so it already contains the OIDs required by Windows.
>
> The AP is configured correctly, IP-address, port numbers and shared secret are properly set up, I've already checked them.
> Users are stored in an LDAP database and each user has a sambaNTPassword attribute, which contains an NT-hashed password. LDAP-RADIUS attribute mappings are properly set (NT-Password -> sambaNTPassword). The strange thing is that I can successfully authenticate using an EAP test tool (eapol_test), no errors show up in the output. Using another AP with a slightly different configuration (using smbpasswd instead of LDAP for authorization) works, too.
> I've also read that XP SP2 is incompatible with third-party RADIUS servers.
> I decided to install SP3, but it did not help. What I can see is an Access-Challenge message at the end of the debug output.
>
> What can be wrong with my configuration? Can it be that it's an incompatibility issue between FreeRADIUS and the access point?

Post the debug.

Ivan Kalik
Kalik Informatika ISP
Authentication failure - PEAP - MS-CHAPv2
Dear List,

I'm having a strange issue with FreeRADIUS 2.1.4, using a configuration with the following items:

- Cisco Aironet 1130AG access point
- Ubuntu-based server with FreeRADIUS and OpenLDAP
- Client machines (Windows XP SP2, Ubuntu 9.04)

The issue I have is that I don't get a response from the client after the server sends an Access-Challenge packet. The certificates were made with the bootstrap script of FreeRADIUS, so it already contains the OIDs required by Windows.

The AP is configured correctly, IP-address, port numbers and shared secret are properly set up, I've already checked them.
Users are stored in an LDAP database and each user has a sambaNTPassword attribute, which contains an NT-hashed password. LDAP-RADIUS attribute mappings are properly set (NT-Password -> sambaNTPassword). The strange thing is that I can successfully authenticate using an EAP test tool (eapol_test), no errors show up in the output. Using another AP with a slightly different configuration (using smbpasswd instead of LDAP for authorization) works, too.
I've also read that XP SP2 is incompatible with third-party RADIUS servers.
I decided to install SP3, but it did not help. What I can see is an Access-Challenge message at the end of the debug output.

What can be wrong with my configuration? Can it be that it's an incompatibility issue between FreeRADIUS and the access point?

Thank you for your help in advance!

Best regards:
Gergely Kiss