EAP-PEAP drops attributes

Alan DeKok aland at deployingradius.com
Sun Feb 23 04:06:37 CET 2014 

freerad at spambin.de wrote:
> I've set up a Cisco WLC carrying several SSIDs authenticating against 
> freeradius using EAP-PEAP. I would like to make it so that specific users 
> can only connect to some SSIDs.
> Requests contain the attribute "Airespace-Wlan-Id" which contains the 
> numeric index of the SSID the request is associated to.
> 
> I have therefore set up my users file like this:
> 
> test1   Auth-Type == EAP, Airespace-Wlan-Id == 2, NAS-IP-Address == 192.168.225.110, Cleartext-Password := "test1"

  Which is wrong.  The "Auth-Type == EAP" comparison is useless.  Delete
it.  The NAS-IP-Address is also causing a problem.

  The FAQ says to create a name and a password like this:

test1 Cleartext-Password := "test1"

  Do that, and it will work.  Then, gradually change the configuration,
testing it each time.  The "man" page describes this process.

> This, however, doesn't seem to work as freeradius seems to drop the 
> Airespace-Wlan-Id attribute while processing the request.

  No.

> As can be seen 
> in the debug trace (debug_fail.txt), the user is being matched at first
> ([files] users: Matched entry test1 at line 173) but isn't found later on.

  Yes, because you didn't set "copy_request_to_tunnel = yes" in the eap
module.  This is documented.

> When I remove that one check from the users file leaving
> 
> test1   Auth-Type == EAP, NAS-IP-Address == 192.168.225.110, Cleartext-Password := "test1"
> 
> the request is being accepted (see debug_ok.txt).
> 
> The reject is clearly coming from freeradius being unable to match the 
> request against the users file therefore being unable to get to the 
> cleartext password, but only when I'm checking the Airespace-Wlan-Id 
> attribute. However, as can be seen, the attribute is present in the 
> request and the user is matched at first, even for the failed attempt.
> 
> This is freeradius 2.1.8 on Ubuntu 10.04, I'm not using inner-tunnel for 
> EAP.
> 
> I'm clearly missing something here, could somebody point me in the right 
> direction?

  Ensure that you understand the configuration you're using.  Ensure
that you start off with the simplest possible configuration that works,
and then gradually make it more complex.

  Alan DeKok.

More information about the Freeradius-Users mailing list