RE: Is there some kind of trick to make Cisco LEAP work???

Hi,

I actually need to set up some APs, including a WLSE (haven't received them yet), and some WDS APs. Auth should be EAP/PEAP... Reading this thread leads me to the conclusion that a) the WLSE is sending RADIUS requests (well, I don't know what they are for)? b) that this doesn't work because the WLSE is broken? Is that still right, or have you got it working?

Regards
Holger Steppke

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Munroe
Sent: Sunday, September 26, 2004 5:05 PM
To: [EMAIL PROTECTED]
Subject: RE: Is there some kind of trick to make Cisco LEAP work???

> [James Munroe's message of 26 September 2004, together with Richard Timsit's reply of 7 September 2004 quoted inside it, was quoted here in full; both appear as their own messages further down this page.]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is there some kind of trick to make Cisco LEAP work???

> [Richard Timsit's message of 1 September 2004, with the rlm_eap_leap.c and eap.c patches, was quoted here in full; it appears as its own message further down this page.]

Richard,

I have been trying to get my WLSE working with FreeRadius for a very long time, until I finally stumbled onto your post. I have applied the patches you provided to freeradius 1.0.1 and I am definitely getting further along than I used to, with the WLSE authenticating to the WDS-enabled AP; however, it's not getting to the final SECURITY KEYS SETUP state. I can only get it to go as far as the AUTHENTICATED state when I execute "sh wlccp wnm status" on the AP.

I am able to get this working using the built-in radius server on the Access Point, but no luck with Freeradius (I wish Cisco would follow a standard protocol). Do you have any suggestions?

Here is the output from freeradius when the WLSE attempts to authenticate. (I apologize for the long email)

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
RE: Is there some kind of trick to make Cisco LEAP work???

Hello Folks,

All I can say is WOW! To be quite honest, I had given up on making FreeRadius work with Cisco's WDS and WLSE. In my particular situation we also had a licensed Cisco ACS 3.x (now 3.3) server; however, we weren't particularly happy about exposing it to an untrusted Wi-Fi network, considering it also provides authentication services to the rest of our network resources. That's where I saw FreeRadius as an excellent fit.

To update my original post: I had gotten LEAP to work with clients (after the fact). My problem was I fooled with trying to get WDS LEAP functioning with a WLSE to the point that I could no longer see the forest for the trees. Hence I jumped to the conclusion that LEAP support was just screwed in FreeRadius! :-( After a fresh configuration from the APs up to FreeRadius I had gotten LEAP to work for authenticating users.

I would like to thank everyone for their efforts, especially Richard Timsit for his diagnostic efforts and posting of the necessary patches. FreeRadius is an excellent product that in my opinion rivals any commercial package available today (a webmin module for a GUI might be a nice addition ;-)). Now it's back to the R&D cycle for me to test WDS-WLSE LEAP functionality again.

Thank You All for your help, insight, and time!

Jim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Timsit
Sent: Tuesday, September 07, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: Re: Is there some kind of trick to make Cisco LEAP work???

> Richard,
>
> Thanks for that input, it sounds very straightforward to me. I'll try your patches on Tuesday (Monday is a holiday here).
>
> Have you brought this up with Cisco? If not, I will open a case next week. I'd like to know whether Cisco's leap/eap developers intended for the ID to not increment, or whether they've made a mistake against their own standard.

Ok, nice if you open a case with Cisco. Their LEAP software on the WLSE is buggy (not the same as on their access points) :-)

> I'd like to use the same freeradius server for WLSE/APs as for other non-LEAP clients, such as TLS/PEAP. Since your patch to rlm_eap.c should only kick in when reply->type.type == PW_EAP_LEAP, there should be no problem, wouldn't you say?

Ok, if you have only non-LEAP clients. But you need to patch every new release of freeradius you need...

Best regards,

Richard Timsit
SIC STI, EPFL Lausanne
1015 Ecublens, SUISSE
(021) 693 22 35
[EMAIL PROTECTED]
Re: Is there some kind of trick to make Cisco LEAP work???

Richard,

Thanks for that input, it sounds very straightforward to me. I'll try your patches on Tuesday (Monday is a holiday here).

Have you brought this up with Cisco? If not, I will open a case next week. I'd like to know whether Cisco's leap/eap developers intended for the ID to not increment, or whether they've made a mistake against their own standard.

I'd like to use the same freeradius server for WLSE/APs as for other non-LEAP clients, such as TLS/PEAP. Since your patch to rlm_eap.c should only kick in when reply->type.type == PW_EAP_LEAP, there should be no problem, wouldn't you say?

Thanks again,
Coates Carter
University of Richmond

On Sep 1, 2004, at 6:04 AM, Richard Timsit wrote:

> [Richard Timsit's message of 1 September 2004, with the rlm_eap_leap.c and eap.c patches, was quoted here in full; it appears as its own message further down this page.]
Re: Is there some kind of trick to make Cisco LEAP work???

> James,
>
> We have gotten LEAP to work with Cisco access points. My last posting on the subject might help if you haven't gotten there yet...
>
> However, we have not been able to get LEAP for Cisco's WDS worked out. All of the access points in the group authenticate successfully, but the WLSE does not.

Yes, the WLSE is not running exactly like an access point :-((

Comparing the answer of the Cisco RADIUS server (ACS), which authenticates the WLSE and the access points, with freeradius, we can see that ACS doesn't increment the EAP ID as said in doc/rfc/leap.txt:

  4. RS->AP: Access-Challenge/EAP Success (with EAP id++) + State (may be different than the state sent in 2)

So, with this first patch in freeradius-1.0.0/src/modules/rlm_eap/types/rlm_eap_leap:

--- -- --- rlm_eap_leap.c.FCS 2004-08-16 18:29:23.0 +0200 +++ rlm_eap_leap.c 2004-08-16 18:34:25.0 +0200 @@ -147,7 +147,10 @@ /* * Do this only for Success. */ - handler-eap_ds-request-id = handler-eap_ds-response-id + 1; +/* RT Oops WLSE don't like CISCO LEAP standard + handler-eap_ds-request-id = handler-eap_ds-response-id + 1; */ + + handler-eap_ds-request-id = handler-eap_ds-response-id ; handler-eap_ds-set_request_id = 1; /* ---

The WLSE accepts the response of freeradius and sends an Access-Request/EAP Request/LEAP. But in stage 6 the WLSE does not accept the SUCCESS response of the RS if the normal id++ is used, so I made a second patch to eap.c in freeradius-1.0.0/src/modules/rlm_eap:

--- --- eap.c.FCS 2004-08-16 18:25:05.0 +0200 +++ eap.c 2004-08-16 18:28:47.0 +0200
@@ -393,6 +393,16 @@ hdr-code = (reply-code 0xFF); hdr-id = (reply-id 0xFF); + + /* RT Oops WLSE don't like CISCO LEAP Standard ... so we make as ACS do */ + if((reply-code == PW_EAP_RESPONSE) + (reply-type.type == PW_EAP_LEAP) + (reply-type.length == 30)) { hdr-id -= 1 ;} + +DEBUG2( rlm_eap: RT Modif EAP-Type = %d EAP-LENGTH = %d, + reply-type.type,reply-type.length); +/* END MODIF RT */ + total_length = htons(total_length); memcpy(hdr-length, total_length, sizeof(uint16_t)); ---

Since I have freeradius working with thousands of users with many protocols, I made a rogue_radius with these 2 bad patches listening on port 1645 only for Cisco WDS !!!

Richard Timsit
SIC STI, EPFL Lausanne
1015 Ecublens, SUISSE
(021) 693 22 35
[EMAIL PROTECTED]
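Review bot: In the rlm_eap_leap.c hunk, dropping the `+ 1` changes the EAP-Success identifier for every LEAP client this server instance handles, not only the WLSE, while the message itself says the access points do not share the WLSE's behaviour; if the build is meant to serve only WDS, the comment should say so, and the old assignment should be deleted rather than left inside `/* ... */`. As quoted the hunk also no longer applies: `handler-eap_ds-request-id = handler-eap_ds-response-id ;` has lost its `->` operators in transit, so anyone taking it from the archive has to restore them against the 1.0.0 source first.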
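Review bot: The condition in the eap.c hunk, as quoted, joins its three comparisons with `+` rather than `&&`, so `(reply-code == PW_EAP_RESPONSE) + (reply-type.type == PW_EAP_LEAP) + (reply-type.length == 30)` is non-zero whenever any one of them holds and `hdr-id -= 1` would fire on every EAP-Response the server builds; if `&&` was lost in transit along with the `->` and `&` in `hdr-code = (reply-code 0xFF)`, the patch should be reposted as an attachment. Even with the intended logic, `30` is a magic number that wants a named constant and a comment saying which LEAP message it identifies, and the `DEBUG2(...)` sits outside the `if` block, so it runs for every packet and, as shown, its format string has no quotes.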
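Both patches turn on one detail: how the identifier in the EAP-Success that closes a LEAP exchange relates to the identifier of the LEAP Response it answers. The Python below is an added example, not code from FreeRADIUS, from Cisco or from anyone in this thread. It encodes and validates EAP headers, builds the Success either with id+1 (the doc/rfc/leap.txt convention the stock 1.0.0 server follows) or with the same id (what the thread reports ACS sending, and what the rlm_eap_leap.c patch produces), and models a supplicant checking the id either way. The LEAP type-data bytes and the supplicant name are constructed; RFC 3748 section 4.2 requires a Success to carry the identifier of the Response it answers, which is the "same" style here.

```python
"""EAP packet layout and the EAP-Success identifier in a LEAP exchange.

Added example; not code from FreeRADIUS, Cisco or the thread. All packets
are constructed here for illustration.
"""
import struct

# EAP codes from RFC 3748 section 4; 17 is the IANA EAP type for Cisco LEAP.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_LEAP = 17


def parse_eap(pkt: bytes) -> dict:
    """Decode an EAP header; raise ValueError rather than trust a bad length."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length %d inconsistent with %d bytes" % (length, len(pkt)))
    body = pkt[4:length]
    info = {"code": code, "id": ident, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("EAP Request/Response without a Type byte")
        info["type"], info["type_data"] = body[0], body[1:]
    elif body:
        raise ValueError("EAP Success/Failure must carry no body")
    return info


def build_eap(code: int, ident: int, eap_type=None, type_data: bytes = b"") -> bytes:
    """Encode an EAP packet; Success and Failure carry no Type byte."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident & 0xFF, 4 + len(body)) + body


def leap_success_for(response: bytes, ack_style: str) -> bytes:
    """Build the EAP-Success answering a LEAP Response.

    ack_style="increment": id = response id + 1 (leap.txt step 4, stock FreeRADIUS).
    ack_style="same":      id = response id (ACS per the thread; the rlm_eap_leap.c patch).
    """
    resp = parse_eap(response)
    if resp["code"] != EAP_RESPONSE or resp.get("type") != EAP_TYPE_LEAP:
        raise ValueError("expected an EAP-Response/LEAP")
    if ack_style == "increment":
        ident = (resp["id"] + 1) & 0xFF      # wraps at 255 like the one-octet field
    elif ack_style == "same":
        ident = resp["id"]
    else:
        raise ValueError("unknown ack_style %r" % ack_style)
    return build_eap(EAP_SUCCESS, ident)


def supplicant_accepts(success: bytes, last_response_id: int, expects: str) -> bool:
    """A supplicant deciding whether an EAP-Success belongs to its last Response.

    expects="same" is what RFC 3748 section 4.2 requires of a Success;
    expects="increment" models a peer following leap.txt's id++ convention.
    """
    pkt = parse_eap(success)
    if pkt["code"] != EAP_SUCCESS:
        return False
    wanted = (last_response_id + 1) & 0xFF if expects == "increment" else last_response_id
    return pkt["id"] == wanted


def sample_leap_response(ident: int) -> bytes:
    """Constructed EAP-Response/LEAP: version 1, unused 0, count 24, 24 response bytes, name."""
    type_data = bytes([1, 0, 24]) + b"\x00" * 24 + b"wlse"
    return build_eap(EAP_RESPONSE, ident, EAP_TYPE_LEAP, type_data)


if __name__ == "__main__":
    resp = sample_leap_response(5)
    for style in ("increment", "same"):
        ok = supplicant_accepts(leap_success_for(resp, style), 5, "same")
        print("server sends id style %-9s -> peer expecting the same id accepts: %s" % (style, ok))
```

Running the block shows the mismatch the thread describes from the supplicant's side: a peer that expects the Success to repeat its Response id rejects the id+1 Success and accepts the same-id one, and the reverse holds for a peer that expects id++. Any change to either side should be guarded by the client type it is meant for, which is what Richard's separate instance on port 1645 achieves by isolation.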
Re: Is there some kind of trick to make Cisco LEAP work???

James,

We have gotten LEAP to work with Cisco access points. My last posting on the subject might help if you haven't gotten there yet...

http://lists.freeradius.org/pipermail/freeradius-users/2004-August/035601.html

However, we have not been able to get LEAP for Cisco's WDS worked out. All of the access points in the group authenticate successfully, but the WLSE does not.

I've looked carefully at the debug output on freeradius as well as the debug output on the master Access Point. Freeradius debug shows that most of the EAP transaction takes place normally. The initial Access-Request, the Identity challenge, the Access-Request response to that, and the new Access-Challenge from radiusd are all just fine. But... the supplicant (WLSE) does NOT answer that final Access-Challenge... at all. Freeradius debug shows no indication of error or mis-configuration.

Following this, I scrutinized the radius debug output on the master Access Point. In one test, the AP pointed to the freeradius server. In a second test, the AP pointed to a Cisco ACS server (on another AP). Comparing the debug output from these two tests revealed only a small (but significant) difference.

The ACS server and freeradius return nearly identical attributes. The first difference is that in the first Access-Challenge, ACS returns a Session-Timeout integer of value 10. Freeradius does not return this attribute by default. I'll have it return that attribute in the next test. I doubt that is the problem, but you never know.

More significant is the value of State in each Access-Challenge. The ACS server sends a State with 48 octets of data, like this...

3C CE 0B C2 1F C4 EC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 8B 02 C7 5F 73 30 72 79 4C BE 81 58 77 08 FC

Freeradius sends a State with 16 octets of data, like this...

08 69 18 A9 AF 56 71 B1 2C E9 A9 2A 35 CA D9 94

The RFC on this attribute (http://www.freeradius.org/rfc/rfc2865.html#State) says the value is application specific, and I'm not sure which module produces it, how to decode it, etc. But it seems clear to me that this is the fly that choked the horse (Cisco's WLSE leap/eap/radius client being the horse).

Can someone who understands the nuances of this State value please help?

freeradius-1.0.0
Red Hat Enterprise Linux AS release 3 (Taroon Update 2)
openssl-0.9.7a-33.4.i686.rpm
openldap-2.2.13 (on localhost)

Thanks,
Coates Carter
University of Richmond

...

> James D. Munroe [EMAIL PROTECTED] wrote:
>> Has anyone tried or successfully been able to get Cisco-Leap to work using FreeRadius?
>
> Lots of people. That's why the feature is there. It's been used for over a year now.
>
> If you can't get LEAP to work, I suggest running the server in debugging mode, and reading the FAQ about statements like "it doesn't work" on this list.
>
> LEAP works. If it doesn't work in your setup, debug mode will tell you why.
>
> Alan DeKok.

..

> James D. Munroe [EMAIL PROTECTED]
> Fri, 25 Jun 2004 17:32:22 -0300 (ADT)
>
> Hello,
>
> Has anyone tried or successfully been able to get Cisco-Leap to work using FreeRadius?
>
> Components:
> - Cisco AIR-AP1230B-A-K9 Access Points running IOS 12.2.15
> - Freeradius 0.9.3 installed from the Redhat ES 3.0 RPM, running on a Redhat ES 3.0 Server
>
> If so, would it be possible to get sanitized copies of your Freeradius configuration files (radiusd.conf, users, clients.conf, etc...)?
>
> Authentication to the AP itself using radius works perfectly; I have even set up EAP-TLS and it works perfectly!! But leap is no good... It's not a configuration issue on the Access Points themselves. Leap works fine when used against Cisco ACS (v3.2.3). However, for security reasons and cost of course, we would like to use Freeradius for outside hosts rather than expose our internal ACS server.
>
> Also, I have been unable to get the WDS service working between the APs and Cisco's WLSE. I'm not surprised since it uses Leap. It does work though with Cisco ACS... but Freeradius is a no go. :-(
>
> Any help would be greatly appreciated!!
>
> Thanks,
> Jim
Re: Is there some kind of trick to make Cisco LEAP work???

Coates Carter [EMAIL PROTECTED] wrote:
> The ACS server and freeradius return nearly identical attributes. The first difference is that in the first Access-Challenge, ACS returns a Session-Timeout integer of value 10. Freeradius does not return this attribute by default. I'll have it return that attribute in the next test. I doubt that is the problem, but you never know.

I'm not sure what else it would be.

> More significant is the value of State in each Access-Challenge. The ACS server sends a State with 48 octets of data, like this...
>
> 3C CE 0B C2 1F C4 EC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 8B 02 C7 5F 73 30 72 79 4C BE 81 58 77 08 FC
>
> Freeradius sends a State with 16 octets of data, like this...
>
> 08 69 18 A9 AF 56 71 B1 2C E9 A9 2A 35 CA D9 94

That shouldn't matter. The State attribute is defined to be opaque nonsense, so far as the NAS is concerned.

> The RFC on this attribute (http://www.freeradius.org/rfc/rfc2865.html#State) says the value is application specific, and I'm not sure which module produces it, how to decode it, etc. But it seems clear to me that this is the fly that choked the horse (Cisco's WLSE leap/eap/radius client being the horse).

The state is meaningless, other than a series of bytes which the server interprets. It's implementation-specific, and the NAS thinks it means anything.

Alan DeKok.
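Alan's point is that State is an opaque token: the NAS copies it into the next Access-Request unchanged and never interprets it, so a 48-octet State from ACS and a 16-octet State from FreeRADIUS are equally valid to a conforming client. The Python below is an added example, not code from the thread, from FreeRADIUS or from Cisco. It parses RADIUS packets and attribute TLVs with length checks, has the server compute the RFC 2865 Response Authenticator on its Access-Challenge, has the NAS verify that authenticator and echo State verbatim, and lets the server confirm the State it issued came back. The two State values are the ones Coates posted; the shared secret, Request Authenticators, user name and EAP-Message payloads are constructed.

```python
"""RADIUS Access-Challenge / Access-Request round trip for the State attribute.

Added example; not code from the thread, FreeRADIUS or Cisco. State values
are the two quoted in the thread; everything else is constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_STATE, ATTR_SESSION_TIMEOUT, ATTR_EAP_MESSAGE = 1, 24, 27, 79

# State octets as posted in the thread: ACS first, then FreeRADIUS 1.0.0.
ACS_STATE = bytes.fromhex("3C CE 0B C2 1F C4 EC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 8B 02 C7 5F 73 30 72 79 4C BE 81 58 77 08 FC")
FREERADIUS_STATE = bytes.fromhex("08 69 18 A9 AF 56 71 B1 2C E9 A9 2A 35 CA D9 94")
SECRET = b"constructed-shared-secret"  # constructed; never use a fixed secret in production


def parse_avps(data: bytes) -> list:
    """Walk type/length/value attributes, refusing a length that runs past the buffer."""
    avps, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        avps.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return avps


def parse_packet(pkt: bytes) -> dict:
    """Validate the 20-byte RADIUS header and split out the attributes."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than 20 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("RADIUS length %d inconsistent with %d bytes" % (length, len(pkt)))
    return {"code": code, "id": ident, "authenticator": pkt[4:20],
            "avps": parse_avps(pkt[20:length])}


def encode_avps(avps) -> bytes:
    out = b""
    for atype, value in avps:
        if len(value) > 253:
            raise ValueError("attribute %d value exceeds 253 octets" % atype)
        out += bytes([atype, 2 + len(value)]) + value
    return out


def build_request(ident: int, request_auth: bytes, avps) -> bytes:
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    body = encode_avps(avps)
    return struct.pack("!BBH", ACCESS_REQUEST, ident & 0xFF, 20 + len(body)) + request_auth + body


def build_challenge(request: bytes, avps, secret: bytes) -> bytes:
    """Server side: same id as the request; Response Authenticator per RFC 2865 section 3."""
    req = parse_packet(request)
    body = encode_avps(avps)
    header = struct.pack("!BBH", ACCESS_CHALLENGE, req["id"], 20 + len(body))
    resp_auth = hashlib.md5(header + req["authenticator"] + body + secret).digest()
    return header + resp_auth + body


def challenge_authentic(challenge: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator before trusting the challenge."""
    ch = parse_packet(challenge)
    length = struct.unpack("!H", challenge[2:4])[0]
    expected = hashlib.md5(challenge[:4] + request_auth + challenge[20:length] + secret).digest()
    return hmac.compare_digest(expected, ch["authenticator"])


def nas_reply_to_challenge(challenge: bytes, eap_response: bytes, user: bytes, request_auth: bytes) -> bytes:
    """NAS side: new id, new EAP-Message, and State copied back unchanged (never parsed)."""
    ch = parse_packet(challenge)
    if ch["code"] != ACCESS_CHALLENGE:
        raise ValueError("not an Access-Challenge")
    avps = [(ATTR_USER_NAME, user), (ATTR_EAP_MESSAGE, eap_response)]
    avps += [(ATTR_STATE, v) for t, v in ch["avps"] if t == ATTR_STATE][:1]
    return build_request(ch["id"] + 1, request_auth, avps)


def state_echoed(challenge: bytes, request: bytes) -> bool:
    """Server side: did the State we issued come back verbatim?"""
    issued = [v for t, v in parse_packet(challenge)["avps"] if t == ATTR_STATE]
    returned = [v for t, v in parse_packet(request)["avps"] if t == ATTR_STATE]
    return bool(issued) and issued == returned


def round_trip(state: bytes) -> dict:
    """One challenge/response step carrying the given State; returns what each side saw."""
    req_auth = b"\x11" * 16  # constructed; a real NAS uses 16 random octets
    first = build_request(7, req_auth, [(ATTR_USER_NAME, b"wlse"),
                                        (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x09\x01wlse")])
    challenge = build_challenge(first, [(ATTR_EAP_MESSAGE, b"\x01\x02\x00\x06\x11\x01"),
                                        (ATTR_SESSION_TIMEOUT, struct.pack("!I", 10)),
                                        (ATTR_STATE, state)], SECRET)
    second = nas_reply_to_challenge(challenge, b"\x02\x02\x00\x06\x11\x01", b"wlse", b"\x22" * 16)
    return {"challenge": challenge, "request": second, "state_len": len(state),
            "challenge_authentic": challenge_authentic(challenge, req_auth, SECRET),
            "state_echoed": state_echoed(challenge, second),
            "next_id": parse_packet(second)["id"]}


if __name__ == "__main__":
    for name, state in (("ACS", ACS_STATE), ("FreeRADIUS", FREERADIUS_STATE)):
        r = round_trip(state)
        print(name, r["state_len"], "octets: authentic", r["challenge_authentic"], "echoed", r["state_echoed"])
```

Both State sizes round-trip identically, which is the behaviour RFC 2865 requires of the NAS; a client that stalls on one size and not the other is reacting to something it is not supposed to inspect. The Response Authenticator check is the part a practitioner should keep: it is what stops a forged Access-Challenge from being accepted by the NAS, and its comparison is constant-time.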
Re: Is there some kind of trick to make Cisco LEAP work???

James D. Munroe [EMAIL PROTECTED] wrote:
> Has anyone tried or successfully been able to get Cisco-Leap to work using FreeRadius?

Lots of people. That's why the feature is there. It's been used for over a year now.

If you can't get LEAP to work, I suggest running the server in debugging mode, and reading the FAQ about statements like "it doesn't work" on this list.

LEAP works. If it doesn't work in your setup, debug mode will tell you why.

Alan DeKok.