Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?

Brian Wilson briw111 at yahoo.com
Thu Sep 17 20:47:40 CEST 2009


Hi all,

A few months ago I had posted this topic to the list, and unfortunately before I could work further on it I got pulled onto another assignment.  I apologize to those that tried helping before.  I modified my config per their recommendations, but I am still having the same problem...

I am still having trouble with a WLC440x with WPA2-AES-PEAP-MSCHAPv2, freeradius and edirectory setup.  Essentially, the ldap requests are taking 3-4 seconds to resolve.  In addition, freeradius ends up doing in the neighborhood of 5-6 ldap lookups for each client trying to attach.  I am unsure of why this is happening.  Below is my configuration: (This is freeradius 2.1.6)

authorize {
    preprocess
    auth_log
    suffix
    ntdomain
    eap {
        ok = return
    }
    files {
        notfound = reject
        noop = reject
        fail = reject
    }
    redundant-load-balance {
        LDAPsvr1
        LDAPsvr2
    }
    expiration
    logintime
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    Auth-Type LDAP {
        redundant-load-balance {
            LDAPsvr1
            LDAPsvr2
        }
    }
    eap
}

In eap.conf, I have default_eap_type set to peap, and not mschapv2.

Here is a snippet of debug info I had posted before; this tends to repeat ad nauseam about 4-5 more times before the actual Access-Accept is sent:
 
rad_recv: Access-Request packet from host blah port 32769, id=5, length=196
User-Name = "test"
Calling-Station-Id = "mac"
Called-Station-Id = "mac:blah"
NAS-Port = 1
NAS-IP-Address = ipblah 
NAS-Identifier = "nameblah"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = (trimmed)
Message-Authenticator = 0x8dd02304de9a3c5e3c732d1a622be134
+- entering group authorize {...}
[preprocess] expand: %{Called-Station-Id} -> mac:blah 
++[preprocess] returns ok
[auth_log] expand: (trimmed)
[auth_log](trimmed)
[auth_log] expand: %t -> Wed Jun 17 10:00:10 2009
++[auth_log] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "company" for User-Name = "test"
[ntdomain] Found realm "company"
[ntdomain] Adding Stripped-User-Name = "test"
[ntdomain] Adding Realm = "company"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 2 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 178
++[files] returns ok
++- entering redundant-load-balance group redundant-load-balance {...}
[LDAPsvr2] performing user authorization for test
[LDAPsvr2] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[LDAPsvr2] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)
[LDAPsvr2] expand: t=company -> t=company
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in t=company, with filter (cn=test)
[LDAPsvr2] Added the eDirectory password password in check items as Cleartext-Password
[LDAPsvr2] No default NMAS login sequence
[LDAPsvr2] looking for check items in directory...
[LDAPsvr2] looking for reply items in directory...
[LDAPsvr2] user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[LDAPsvr2] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 5 to blah port 32769
EAP-Message = (trimmed)
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfea96b9cfeaa7186011d5bcc3cb2528f
Finished request 67.
Going to the next request
Waking up in 9.9 seconds.
rad_recv: Access-Request packet from host blah port 32769, id=6, length=193
User-Name = "test"
Calling-Station-Id = "mac"
Called-Station-Id = "mac:blah"
NAS-Port = 1
NAS-IP-Address = blah 
NAS-Identifier = "nameblah"
Airespace-Wlan-Id = 2
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300060319
State = 0xfea96b9cfeaa7186011d5bcc3cb2528f
Message-Authenticator = 0x7efad720ed506e1d3324a14c5f001a4c
+- entering group authorize {...}
[preprocess] expand: %{Called-Station-Id} -> mac:blah
++[preprocess] returns ok
[auth_log] expand: (trimmed)
[auth_log] (trimmed)
[auth_log] expand: (trimmed)
++[auth_log] returns ok
++[mschap] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] Looking up realm "company" for User-Name = "test"
[ntdomain] Found realm "company"
[ntdomain] Adding Stripped-User-Name = "test"
[ntdomain] Adding Realm = "company"
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 178
++[files] returns ok
++- entering redundant-load-balance group redundant-load-balance {...}
[LDAPsvr1] performing user authorization for test
[LDAPsvr1] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[LDAPsvr1] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)
[LDAPsvr1] expand: t=company -> t=company
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in t=company, with filter (cn=test)
[LDAPsvr1] Added the eDirectory password password in check items as Cleartext-Password
[LDAPsvr1] No default NMAS login sequence
[LDAPsvr1] looking for check items in directory...
[LDAPsvr1] looking for reply items in directory...
[LDAPsvr1] user test authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[LDAPsvr1] returns ok
++- redundant-load-balance group redundant-load-balance returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 6 to blah port 32769
EAP-Message = 0x010400061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfea96b9cffad7286011d5bcc3cb2528f
Finished request 68.
Going to the next request
Waking up in 5.2 seconds.
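The debug output shows `++[eap] returns updated`, not `ok`, on each round-trip, so the `ok = return` override never fires and the LDAP group runs for every EAP fragment of the outer conversation. As an added illustration (not from the original post or the FreeRADIUS project configs), here is one way to lay out the outer and inner-tunnel authorize sections so LDAP is only queried where the password is actually needed; the site file names, the minimal inner-tunnel sections and the comments are assumptions, while the module names are those from the post.

```unlang
# sites-enabled/default (outer PEAP conversation): the TLS handshake and the
# EAP identity/NAK rounds carry no credentials, so nothing here needs LDAP.
authorize {
    preprocess
    auth_log
    suffix
    ntdomain
    eap {
        ok = return
        # rlm_eap returns "updated" for an on-going EAP conversation (the
        # "++[eap] returns updated" lines in the debug), so "ok = return"
        # never fires; returning on "updated" stops the LDAP group below
        # from running on every EAP fragment of the outer conversation.
        updated = return
    }
    files {
        notfound = reject
        noop = reject
        fail = reject
    }
    # Only reached for requests without an on-going EAP conversation.
    redundant-load-balance {
        LDAPsvr1
        LDAPsvr2
    }
    expiration
    logintime
}

# sites-enabled/inner-tunnel (the MSCHAPv2 exchange inside the TLS tunnel).
# This is the only place the password is needed: the eDirectory lookup adds
# Cleartext-Password as a check item, which rlm_mschap uses to verify the
# MS-CHAPv2 response, so one LDAP query per inner round is expected here.
authorize {
    suffix
    ntdomain
    eap {
        # No "updated = return" here: the inner MSCHAPv2 response must still
        # reach LDAP so the password check item exists when Auth-Type EAP runs.
        ok = return
    }
    redundant-load-balance {
        LDAPsvr1
        LDAPsvr2
    }
}

authenticate {
    eap
}
```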
