<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:14pt"><DIV>Hi all,<BR><BR>A few months ago I had posted this topic to the list, and unfortunately before I could work further on it I got pulled onto another assignment. I apologize to those that tried helping before. I modified my config per their recommendations, but still having the same problem....</DIV>
<DIV> </DIV>
<DIV>I am still having trouble with a WLC440x with WPA2-AES-PEAP-MSCHAPv2, freeradius and edirectory setup. Essentially, the ldap requests are taking 3-4 seconds to resolve. In addition, freeradius ends up doing in the neighborhood of 5-6 ldap lookups for each client trying to attach. I am unsure of why this is happening. Below is my configuration: (This is freeradius 2.1.6)</DIV>
<DIV> </DIV>
<DIV>authorize{</DIV>
<DIV> preprocess</DIV>
<DIV> auth_log</DIV>
<DIV> suffix</DIV>
<DIV> ntdomain</DIV>
<DIV> eap {</DIV>
<DIV> ok = return</DIV>
<DIV> }</DIV>
<DIV> files {</DIV>
<DIV> notfound = reject</DIV>
<DIV> noop = reject</DIV>
<DIV> fail = reject</DIV>
<DIV> }</DIV>
<DIV> redundant-load-balance {</DIV>
<DIV> LDAPsvr1</DIV>
<DIV> LDAPsvr2</DIV>
<DIV> }</DIV>
<DIV> expiration</DIV>
<DIV> logintime</DIV>
<DIV>}</DIV>
<DIV> </DIV>
<DIV>authenticate {</DIV>
<DIV> Auth-Type MS-CHAP {</DIV>
<DIV> mschap</DIV>
<DIV> }</DIV>
<DIV> Auth-Type LDAP {</DIV>
<DIV> redundant-load-balance {</DIV>
<DIV> LDAPsvr1</DIV>
<DIV> LDAPsvr2</DIV>
<DIV> }</DIV>
<DIV> }</DIV>
<DIV> eap</DIV>
<DIV>}</DIV>
<DIV> </DIV>
<DIV>and in eap.conf, i have default-eap-type set to peap, and not mschapv2.</DIV>
<DIV> </DIV>
<DIV>
<P>here is a snippet of debug info I had posted before; this tends to repeat at nassuem about 4-5 more times before the actual access-accept is sent: </P>
<P> </P></DIV>
<DIV>
<P>rad_recv: Access-Request packet from host blah port 32769, id=5, length=196<BR>User-Name = "test"<BR>Calling-Station-Id = "mac"<BR>Called-Station-Id = "mac:blah"<BR>NAS-Port = 1<BR>NAS-IP-Address = ipblah </P>
<P>NAS-Identifier = "nameblah"<BR>Airespace-Wlan-Id = 2<BR>Service-Type = Framed-User<BR>Framed-MTU = 1300<BR>NAS-Port-Type = Wireless-802.11<BR>EAP-Message = (trimmed)<BR>Message-Authenticator = 0x8dd02304de9a3c5e3c732d1a622be134<BR>+- entering group authorize {...}<BR>[preprocess] expand: %{Called-Station-Id} -> mac:blah </P>
<P>++[preprocess] returns ok<BR>[auth_log] expand: (trimmed)<BR>[auth_log](trimmed)<BR>[auth_log] expand: %t -> Wed Jun 17 10:00:10 2009<BR>++[auth_log] returns ok<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "test", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[ntdomain] Looking up realm "company" for User-Name = "test"<BR>[ntdomain] Found realm "company"<BR>[ntdomain] Adding Stripped-User-Name = "test"<BR>[ntdomain] Adding Realm = "company"<BR>[ntdomain] Authentication realm is LOCAL.<BR>++[ntdomain] returns ok<BR>[eap] EAP packet type response id 2 length 27<BR>[eap] No EAP Start, assuming it's an on-going EAP conversation<BR>++[eap] returns updated<BR>[files] users: Matched entry DEFAULT at line 178<BR>++[files] returns ok<BR>++- entering redundant-load-balance group redundant-load-balance {...}<BR>[LDAPsvr2] performing user authorization for test<BR>[LDAPsvr2] WARNING: Deprecated conditional
expansion ":-". See "man unlang" for details<BR>[LDAPsvr2] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)<BR>[LDAPsvr2] expand: t=company -> t=company<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: performing search in t=company, with filter (cn=test)<BR>[LDAPsvr2] Added the eDirectory password password in check items as Cleartext-Password<BR>[LDAPsvr2] No default NMAS login sequence<BR>[LDAPsvr2] looking for check items in directory...<BR>[LDAPsvr2] looking for reply items in directory...<BR>[LDAPsvr2] user test authorized to use remote access<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>+++[LDAPsvr2] returns ok<BR>++- redundant-load-balance group redundant-load-balance returns ok<BR>++[expiration] returns noop<BR>++[logintime] returns noop<BR>Found Auth-Type = EAP<BR>+- entering group authenticate {...}<BR>[eap] EAP Identity<BR>[eap] processing type mschapv2<BR>rlm_eap_mschapv2:
Issuing Challenge<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 5 to blah port 32769<BR>EAP-Message = (trimmed)<BR>Message-Authenticator = 0x00000000000000000000000000000000<BR>State = 0xfea96b9cfeaa7186011d5bcc3cb2528f<BR>Finished request 67.<BR>Going to the next request<BR>Waking up in 9.9 seconds.<BR>rad_recv: Access-Request packet from host blah port 32769, id=6, length=193<BR>User-Name = "test"<BR>Calling-Station-Id = "mac"<BR>Called-Station-Id = "mac:blah"<BR>NAS-Port = 1<BR>NAS-IP-Address = blah </P>
<P>NAS-Identifier = "nameblah"<BR>Airespace-Wlan-Id = 2<BR>Service-Type = Framed-User<BR>Framed-MTU = 1300<BR>NAS-Port-Type = Wireless-802.11<BR>EAP-Message = 0x020300060319<BR>State = 0xfea96b9cfeaa7186011d5bcc3cb2528f<BR>Message-Authenticator = 0x7efad720ed506e1d3324a14c5f001a4c<BR>+- entering group authorize {...}<BR>[preprocess] expand: %{Called-Station-Id} -> mac:blah<BR>++[preprocess] returns ok<BR>[auth_log] expand: (trimmed)<BR>[auth_log] (trimmed)<BR>[auth_log] expand: (trimmed)<BR>++[auth_log] returns ok<BR>++[mschap] returns noop<BR>[suffix] No '@' in User-Name = "test", looking up realm NULL<BR>[suffix] No such realm "NULL"<BR>++[suffix] returns noop<BR>[ntdomain] Looking up realm "company" for User-Name = "test"<BR>[ntdomain] Found realm "company"<BR>[ntdomain] Adding Stripped-User-Name = "test"<BR>[ntdomain] Adding Realm = "company"<BR>[ntdomain] Authentication realm is LOCAL.<BR>++[ntdomain] returns ok<BR>[eap] EAP packet type response
id 3 length 6<BR>[eap] No EAP Start, assuming it's an on-going EAP conversation<BR>++[eap] returns updated<BR>[files] users: Matched entry DEFAULT at line 178<BR>++[files] returns ok<BR>++- entering redundant-load-balance group redundant-load-balance {...}<BR>[LDAPsvr1] performing user authorization for test<BR>[LDAPsvr1] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<BR>[LDAPsvr1] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)<BR>[LDAPsvr1] expand: t=company -> t=company<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: performing search in t=company, with filter (cn=test)<BR>[LDAPsvr1] Added the eDirectory password password in check items as Cleartext-Password<BR>[LDAPsvr1] No default NMAS login sequence<BR>[LDAPsvr1] looking for check items in directory...<BR>[LDAPsvr1] looking for reply items in directory...<BR>[LDAPsvr1] user test authorized to use remote
access<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>+++[LDAPsvr1] returns ok<BR>++- redundant-load-balance group redundant-load-balance returns ok<BR>++[expiration] returns noop<BR>++[logintime] returns noop<BR>Found Auth-Type = EAP<BR>+- entering group authenticate {...}<BR>[eap] Request found, released from the list<BR>[eap] EAP NAK<BR>[eap] EAP-NAK asked for EAP-Type/peap<BR>[eap] processing type tls<BR>[tls] Initiate<BR>[tls] Start returned 1<BR>++[eap] returns handled<BR>Sending Access-Challenge of id 6 to blah port 32769<BR>EAP-Message = 0x010400061920<BR>Message-Authenticator = 0x00000000000000000000000000000000<BR>State = 0xfea96b9cffad7286011d5bcc3cb2528f<BR>Finished request 68.<BR>Going to the next request<BR>Waking up in 5.2 seconds.<BR></P></DIV></div><br>
</body></html>