EAP on Cisco Cat2960 & Aironet1200: TLS Fails

Senandung Mendonan mendonan at gmail.com
Mon Feb 12 16:01:51 CET 2007


Hi,

I'm setting up a secure authenticated wired and wireless network for a
client of mine, closely following this HOWTO document:-

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

integrating latest FreeRADIUS 1.1.4 with recently purchased (end 2006)
Cisco Catalyst 2960 and Cisco Aironet 1200. We're attempting to do
PEAP authentication with a mix of WinXP and MacOS X as supplicants.

Details of each component:-

1. FreeRADIUS v1.1.4

- Running on FreeBSD 6.2-RELEASE, compiled via FreeBSD ports. The
raddb config diffs comparing to sample configs:-

http://absolute-p.ath.cx/Debug/DIFFS.txt

- Nothing out of the ordinary (i.e. standard EAP-PEAP config, using
simple users file for now)
- The certs in certs directory are recreated as per FAQ item (i.e. via
CA.all script + xpextensions).

2. Cisco Catalyst 2960 (show ver):-

Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version
12.2(25)SEE2, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 28-Jul-06 04:33 by yenanh

3. Cisco Aironet 1200 (show ver):-

Cisco Internetwork Operating System Software
IOS ™ C1200 Software (C1200-K9W7-M), Version 12.3(2)JA6, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 31-Mar-06 13:44 by pwade

The Cisco Aironet 1200 configs closely follow this PDF document:-

http://blog.segfault.be/Documentation/Wireles%20802.1x%20+%20PEAP%20with%20WPA.pdf

resulting in this config:-

http://absolute-p.ath.cx/Debug/aironet1200-config.txt

(The author of the above document shared his working Aironet IOS
version: c1200-k9w7-mx.123-8.JEA : I am planning to get hold of this
and repeat tests).

Problem: EAP Fails (Doesn't even get to TLS negotiation). In both
cases, we get perpetual "Access-Challenge" messages sent by
FreeRADIUS, at a very early stage — even before / during the initial
TLS negotiation in EAP.

Some FreeRADIUS debugging logs (radiusd -X):-

I. Problematic Authenticators:-

1. Aironet 1200:-

http://absolute-p.ath.cx/Debug/freeradius1.1.4-users-aironet1200-c1200-k9w7-tar.123-2.JA6.txt

2. Cisco Catalyst 2960:-

(I will update this post once I get hold of Cisco Catalyst 2960 debug
info, which is similar to what I'm seeing with Aironet 1200).

II. Working Authenticators:-

Meanwhile, I also tested the same environment with the following
authenticators, and got it working with no changes:-

1. Linksys WRT54GS (firmware v4.71.1 + hyperwrt-2.1b1-thibor15c):-

All works OK with WPA Enterprise, as shown here:-
http://absolute-p.ath.cx/Debug/freeradius1.1.4-users-linksyswrt54gs-4.71.1-hyperwrt-2.1b1-thibor15c.txt

2. Older Cisco Catalyst 2950:-

I managed to get hold of an older Cisco 2950 model, with an earlier
IOS version, and tested the same environment on it, this time it
works! (I will update this post once I get its details and debugging
output).

This leads to a conclusion that something might be up with latest
Cisco IOS implementation i.e. not playing nice with FreeRADIUS.

Aside from expressing this issue with our local Cisco support (which I
feel will be like barking to the right (but apathetic) tree, since I
would think they only support Cisco / MS RADIUS products) ;-) ), I
would appreciate it if anybody here with experience with such equipment
can shed some light on this issue.

Thanks in advance! :)

p.s. longer and constantly updated version of this post is in my blog:-
http://absolute-p.ath.cx/2007/02/12/freeradius-vs-certain-recent-cisco-ios-versions

--mendonan
"Yang mimpikan secangkir kopi panas dengan selimut.."
("Dreaming of a cup of hot coffee, and a blanket..")
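A small triage script for the symptom described in the post (FreeRADIUS answering every request with an Access-Challenge without the exchange ever entering the TLS stage). This is an added example for the thread, not code from the poster, the linked HOWTOs or the FreeRADIUS project. The log lines it parses are constructed to approximate the shape of `radiusd -X` output from FreeRADIUS 1.x (`rad_recv: Access-Request ...`, `rlm_eap: EAP Identity`, `rlm_eap_tls: ...`, `Sending Access-Challenge ...`); the NAS addresses 192.0.2.10 and 192.0.2.20 are placeholders, and the verdict labels are this script's own.

```python
"""Triage a FreeRADIUS 1.x-style `radiusd -X` debug log per authenticator (NAS).

For every NAS it counts Access-Request / Access-Challenge rounds, how many of
those rounds are still at EAP-Identity, and whether the EAP module ever
handed off to rlm_eap_tls / rlm_eap_peap.  A NAS that collects several
challenges without ever reaching the TLS stage is flagged, which separates
"the authenticator never gets past the identity round" from "the TLS
handshake itself fails" (certificate problems show up only in the latter).
"""
import re
from collections import defaultdict

# Constructed sample log (assumption: approximates radiusd -X line shapes).
# 192.0.2.10 keeps re-sending EAP Identity and is challenged every time;
# 192.0.2.20 moves on to the TLS start on its second round.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=1, length=150
rlm_eap: EAP packet type response id 1 length 13
rlm_eap: EAP Identity
Sending Access-Challenge of id 1 to 192.0.2.10 port 1645
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=2, length=150
rlm_eap: EAP packet type response id 1 length 13
rlm_eap: EAP Identity
Sending Access-Challenge of id 2 to 192.0.2.10 port 1645
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=3, length=150
rlm_eap: EAP packet type response id 1 length 13
rlm_eap: EAP Identity
Sending Access-Challenge of id 3 to 192.0.2.10 port 1645
rad_recv: Access-Request packet from host 192.0.2.20:1812, id=7, length=160
rlm_eap: EAP packet type response id 1 length 13
rlm_eap: EAP Identity
Sending Access-Challenge of id 7 to 192.0.2.20 port 1812
rad_recv: Access-Request packet from host 192.0.2.20:1812, id=8, length=240
rlm_eap: EAP packet type response id 2 length 90
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
Sending Access-Challenge of id 8 to 192.0.2.20 port 1812
"""

REQ_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+?):\d+, id=\d+")
CHAL_RE = re.compile(r"^Sending Access-Challenge of id \d+ to (\S+) port \d+")
EAP_ID_RE = re.compile(r"^rlm_eap: EAP packet type response id (\d+)")


def _new_state():
    return {"requests": 0, "challenges": 0, "identity_rounds": 0,
            "reached_tls": False, "eap_id_advanced": False, "_last_eap_id": None}


def triage(log_text, loop_threshold=3):
    """Return {nas_ip: {counters..., "verdict": str}} for each NAS in the log."""
    state = defaultdict(_new_state)
    current = None  # NAS whose request is being processed in the current block
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = m.group(1)
            state[current]["requests"] += 1
            continue
        m = CHAL_RE.match(line)
        if m:
            state[m.group(1)]["challenges"] += 1
            continue
        if current is None:
            continue
        s = state[current]
        m = EAP_ID_RE.match(line)
        if m:
            # The EAP identifier should advance as the conversation progresses;
            # a supplicant/authenticator replaying the same id is a loop sign.
            eap_id = int(m.group(1))
            if s["_last_eap_id"] is not None and eap_id != s["_last_eap_id"]:
                s["eap_id_advanced"] = True
            s["_last_eap_id"] = eap_id
        elif line.startswith("rlm_eap: EAP Identity"):
            s["identity_rounds"] += 1
        elif line.startswith(("rlm_eap_tls:", "rlm_eap_peap:")):
            s["reached_tls"] = True

    result = {}
    for nas, s in state.items():
        if s["reached_tls"]:
            verdict = "tls-started"          # look at the TLS/cert lines next
        elif s["challenges"] >= loop_threshold:
            verdict = "stuck-before-tls"     # authenticator never leaves identity round
        else:
            verdict = "inconclusive"         # too few rounds captured to say
        result[nas] = {k: v for k, v in s.items() if not k.startswith("_")}
        result[nas]["verdict"] = verdict
    return result


if __name__ == "__main__":
    for nas, info in sorted(triage(SAMPLE_LOG).items()):
        print(nas, info)
```

The threshold is a heuristic for how many challenge rounds to tolerate before calling it a loop; raise it for slow supplicants. The useful bit is the split in the verdicts: when a NAS never produces an `rlm_eap_tls`/`rlm_eap_peap` line, the certificates and the PEAP configuration were never exercised, so comparing that NAS's debug against one that reaches `tls-started` (as the working WRT54GS and 2950 logs in the post would) narrows the problem to the authenticator side of the EAP relay rather than the RADIUS server's TLS setup.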