Invalid EAP Type with Catalyst 2960G IOS 12.2

nf-vale nf-vale at critical-links.com
Mon Jul 28 20:47:38 CEST 2008


The comments you refer to are these ones?

"...
#  This module is the *Microsoft* implementation of MS-CHAPv2
#  in EAP.  There is another (incompatible) implementation
#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
#  currently support.
mschapv2 {
}
..."


But I also tried TTLS with the SecureW2 supplicant, and the log was
similar.

"...
rad_recv: Access-Request packet from host 192.168.2.1 port 1645, id=24,
length=155
        User-Name = "al00001"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-1E-BD-62-B9-81"
        Calling-Station-Id = "00-1B-38-92-39-A0"
        EAP-Message = 0x0203000c01616c3030303031
        Message-Authenticator = 0xe63d66c15b1b53a1fe27f788de329cc3
        NAS-Port-Type = Ethernet
        Cisco-NAS-Port = "GigabitEthernet0/1"
        NAS-Port = 50001
        NAS-IP-Address = 192.168.2.1
+- entering group authorize
++[preprocess] returns ok
    rlm_realm: No '@' in User-Name = "al00001", skipping NULL due to
config.
++[suffix] returns noop
    rlm_realm: No '\' in User-Name = "al00001", skipping NULL due to
config.
++[ntdomain] returns noop
++[mschap] returns noop
        expand: %{Stripped-User-Name} -> 
        expand: %{User-Name} -> al00001
        expand: %{%{User-Name}:-none} -> al00001
        expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} ->
al00001
rlm_sql (sql): sql_set_user escaped user --> 'al00001'
rlm_sql (sql): Reserving sql socket id: 2
        expand: SELECT id, UserName, Attribute, Value, Op   FROM
radcheck   WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT
id, UserName, Attribute, Value, Op   FROM radcheck   WHERE Username =
'al00001'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, UserName, Attribute, Value, Op   FROM
radreply   WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT
id, UserName, Attribute, Value, Op   FROM radreply   WHERE Username =
'al00001'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
        expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
radusergroup WHERE UserName='al00001' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
        expand: SELECT id, GroupName, Attribute, Value, op   FROM
radgroupcheck   WHERE GroupName = '%{Sql-Group}'   ORDER BY id -> SELECT
id, GroupName, Attribute, Value, op   FROM radgroupcheck   WHERE
GroupName = 'Alunos'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql (sql): User found in group Alunos
        expand: SELECT id, GroupName, Attribute, Value, op   FROM
radgroupreply   WHERE GroupName = '%{Sql-Group}'   ORDER BY id -> SELECT
id, GroupName, Attribute, Value, op   FROM radgroupreply   WHERE
GroupName = 'Alunos'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[files] returns noop
  rlm_eap: EAP packet type response id 3 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.168.2.1 port 1645
        Tunnel-Private-Group-Id:0 := "2"
        EAP-Message = 0x010400061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8bd2c0948bd6d5c8bc5a33e2381bcef4
Finished request 1.
Going to the next request
Waking up in 0.9 seconds. 
Waking up in 4.0 seconds. 
Cleaning up request 1 ID 24 with timestamp +77
Ready to process requests.
..."



What EAP configuration should I use (if any) to allow this Cisco equipment
to authenticate against FreeRADIUS? Is this a Cisco configuration
issue?


Thx,


Nelson Vale



Mon, 2008-07-28 at 20:20 +0200, Alan DeKok wrote:
> nf-vale wrote:
> > The same clients connected to the Cisco Switch that it's authenticating
> > in the same freeradius server can not authenticate because freeradius is
> > trying EAP-TLS instead of EAP-PEAP:
> 
>   RADIUS doesn't work that way.
> 
>   FreeRADIUS *offers* an EAP type when the client starts connecting.
> The client *chooses* a different one, if it doesn't like the offer.
> 
>   Saying "it doesn't work because of TLS versus PEAP" is equivalent to
> saying "the EAP supplicant does not support PEAP".
> 
>   The problem you're running into looks a lot like the problem described
> in the comments in eap.conf.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
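The exchange in the debug log above is a plain EAP offer/answer: the supplicant sends an Identity Response, the server answers with a Start request for the EAP type it is configured to offer, and a supplicant that does not support that type replies with a Legacy Nak listing the types it does. The decoder below is an added example, not code from the original post or from FreeRADIUS. The two hex strings are the EAP-Message values copied from the log; the Nak packet is constructed here to show the counter-proposal a supplicant would send. Run it and the Access-Challenge value decodes to type 21 (EAP-TTLS) with the Start flag set, which is the offer the switch relayed to the client regardless of which rlm_eap module name appears in the log.

```python
"""Decode EAP packets carried in RADIUS EAP-Message attributes (RFC 3748).

Added example; the two captured values come from the FreeRADIUS debug
log in the post above, the Nak is constructed for illustration.
"""
import struct
from typing import Dict, List

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# IANA EAP method type numbers (subset relevant to 802.1X deployments)
EAP_TYPES = {
    1: "Identity",
    2: "Notification",
    3: "Legacy Nak",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
    43: "EAP-FAST",
}

# Flag bits in the first data byte of EAP-TLS / EAP-TTLS / PEAP messages
TLS_FLAG_LENGTH_INCLUDED = 0x80
TLS_FLAG_MORE_FRAGMENTS = 0x40
TLS_FLAG_START = 0x20


def decode_eap(payload: bytes) -> Dict[str, object]:
    """Parse one EAP packet: Code(1) Id(1) Length(2) [Type(1) Data...]."""
    if len(payload) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("EAP length field %d != actual %d" % (length, len(payload)))
    info = {"code": EAP_CODES.get(code, "unknown(%d)" % code),
            "id": ident, "length": length}
    if code in (3, 4):  # Success / Failure carry no Type byte
        return info
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    eap_type = payload[4]
    data = payload[5:]
    info["type"] = eap_type
    info["type_name"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
    if eap_type == 1:
        info["identity"] = data.decode("utf-8", errors="replace")
    elif eap_type == 3:
        # A Legacy Nak lists the method types the peer is willing to use;
        # this is how a client rejects the server's offered type.
        info["desired_types"] = [EAP_TYPES.get(t, "unknown(%d)" % t) for t in data]
    elif eap_type in (13, 21, 25):
        flags = data[0] if data else 0
        info["start"] = bool(flags & TLS_FLAG_START)
        info["more_fragments"] = bool(flags & TLS_FLAG_MORE_FRAGMENTS)
        info["length_included"] = bool(flags & TLS_FLAG_LENGTH_INCLUDED)
        if flags & TLS_FLAG_LENGTH_INCLUDED and len(data) >= 5:
            info["tls_message_length"] = struct.unpack("!I", data[1:5])[0]
    return info


def build_nak(ident: int, desired_types: List[int]) -> bytes:
    """Construct a Legacy Nak Response (Code 2, Type 3) answering request `ident`."""
    length = 4 + 1 + len(desired_types)  # header + type byte + desired types
    return bytes([2, ident]) + struct.pack("!H", length) + bytes([3]) + bytes(desired_types)


# Values copied from the debug log in the post (client Identity Response,
# server Access-Challenge payload).
IDENTITY_RESPONSE = bytes.fromhex("0203000c01616c3030303031")
SERVER_OFFER = bytes.fromhex("010400061520")

if __name__ == "__main__":
    print("client -> server:", decode_eap(IDENTITY_RESPONSE))
    print("server -> client:", decode_eap(SERVER_OFFER))
    # Constructed: a supplicant that only speaks PEAP (type 25) answering id 4
    nak = build_nak(4, [25])
    print("client -> server:", nak.hex(), decode_eap(nak))
```

When debugging a switch that "will not do PEAP", paste the EAP-Message of the first Access-Request after the Start into this decoder: a Legacy Nak with the desired type tells you the supplicant rejected the offer and what it wants instead, whereas a TLS-type response means the handshake began and the failure lies elsewhere.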
