We are having problems getting leap to authenticate. We are using FreeRadius 0.9.3, Cisco Arionet 1200 and eDir as a back end. Here is our config file: ! version 12.3 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname TESTAP ! enable secret 5 $1$tQu6$CiVTpfiU2yIuDBoQveZtM1 ! ip subnet-zero ! ! aaa new-model ! ! aaa group server radius rad_eap ! aaa group server radius rad_mac ! aaa group server radius rad_acct ! aaa group server radius rad_admin cache expiry 1 cache authorization profile admin_cache cache authentication profile admin_cache ! aaa group server tacacs+ tac_admin cache expiry 1 cache authorization profile admin_cache cache authentication profile admin_cache ! aaa group server radius rad_pmip ! aaa group server radius dummy ! aaa group server radius rad_eap1 server 172.31.1.25 auth-port 1812 acct-port 1813 ! aaa authentication login eap_methods group rad_eap aaa authentication login mac_methods local aaa authentication login eap_methods1 group rad_eap1 aaa authorization exec default local aaa accounting network acct_methods start-stop group rad_acct aaa cache profile admin_cache all ! aaa session-id common ! dot11 ssid TESTAP authentication open eap eap_methods1 authentication network-eap eap_methods1 guest-mode ! ! ! username Cisco password 7 047802150C2E ! bridge irb ! ! interface Dot11Radio0 no ip address no ip route-cache ! encryption mode wep mandatory ! ssid TESTAP ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled ! interface FastEthernet0 no ip address no ip route-cache duplex auto speed auto bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled ! interface BVI1 ip address 172.31.1.79 255.255.255.0 no ip route-cache ! ip default-gateway 172.31.1.250 ip http server no ip http secure-server ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag ip radius source-interface BVI1 ! radius-server local no authentication eapfast no authentication mac eapfast server-key primary 7 C10D5BA1B105987DEA7DE22F1E2A3D7094 nas 172.31.1.79 key 7 040A59555B74 user testrad nthash 7 06255C771F6A5F412735372D5B560F7B720E6B657A46544F2051000B0E77005F57 ! radius-server attribute 32 include-in-access-req format %h radius-server host 172.31.1.25 auth-port 1812 acct-port 1813 key 7 101F5B4A5142 radius-server vsa send accounting ! control-plane ! bridge 1 route ip ! ! ! line con 0 transport preferred all transport output all line vty 0 4 transport preferred all transport input all transport output all line vty 5 15 transport preferred all transport input all transport output all ! end here is the error message we get: rad_recv: Access-Request packet from host 172.31.1.79:1645, id=5, length=131 User-Name = "testrad" Framed-MTU = 1400 Called-Station-Id = "0015.f947.8560" Calling-Station-Id = "0012.f0e3.7896" Service-Type = Login-User Message-Authenticator = 0xa00609077f82a3396080dcdcc8019804 EAP-Message = 0x0201000c0174657374726164 NAS-Port-Type = Wireless-802.11 NAS-Port = 466 NAS-IP-Address = 172.31.1.79 NAS-Identifier = "TESTAP" modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_realm: No '@' in User-Name = "testrad", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for testrad radius_xlat: '(uid=testrad)' radius_xlat: 'o=Village' ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=Village, with filter (uid=testrad) rlm_ldap: checking if remote access for testrad is allowed by dialupAccess rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user testrad authorized to use remote access ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" modcall: entering group Auth-Type for request 1 rlm_ldap: - authenticate rlm_ldap: Attribute "User-Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 1 modcall: group Auth-Type returns invalid for request 1 auth: Failed to validate the user. Login incorrect: [testrad/<no User-Password attribute>] (from client testap port 466 cli 0012.f0e3.7896) Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 5 to 172.31.1.79:1645 Waking up in 4 seconds... I can authenticate using a small utility called NTRadPing Test Utility from my desktop directly connecting to Freeradius. any thoughts? Thank you, John Peebles Village of Hoffman Estates IS Specialist (847) 882-9100 x2500
"John Peebles" <John.Peebles@HoffmanEstates.org> wrote:
We are having problems getting leap to authenticate. We are using FreeRadius 0.9.3, Cisco Arionet 1200 and eDir as a back end.
I suggest you upgrade to 1.1.0. It has a *lot* of security fixes, and eDir integration, too.
here is the error message we get:
rad_recv: Access-Request packet from host 172.31.1.79:1645, id=5, length=131 ...
The debug log shows that you deleted the "eap" module from the "authorize" section. Don't do that. Please, upgrade to 1.1.0 and it should just work. Alan DeKok.
Hi , Please use the latest version of FreeRADIUS (1.1.0). This includes the the eDirectory integration and you should be able to set up LEAP authentication with it. Please refer to the following links which contain documentation on eDirectory integration with FreeRADIUS. http://www.novell.com/documentation/edir_radius/index.html -Sayantan.
rad_recv: Access- Request packet from host 172.31.1.79:1645, id=5, length=131 User- Name = "testrad" Framed- MTU = 1400 Called- Station- Id = "0015.f947.8560" Calling- Station- Id = "0012.f0e3.7896" Service- Type = Login- User Message- Authenticator = 0xa00609077f82a3396080dcdcc8019804 EAP- Message = 0x0201000c0174657374726164 NAS- Port- Type = Wireless- 802.11 NAS- Port = 466 NAS- IP- Address = 172.31.1.79 NAS- Identifier = "TESTAP" modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_realm: No '@' in User- Name = "testrad", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 users: Matched DEFAULT at 152 modcall[authorize]: module "files" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for testrad radius_xlat: '(uid=testrad)' radius_xlat: 'o=Village' ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=Village, with filter (uid=testrad) rlm_ldap: checking if remote access for testrad is allowed by dialupAccess rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user testrad authorized to use remote access ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 modcall: group authorize returns ok for request 1 rad_check_password: Found Auth- Type LDAP auth: type "LDAP" modcall: entering group Auth- Type for request 1 rlm_ldap: - authenticate rlm_ldap: Attribute "User- Password" is required for authentication. modcall[authenticate]: module "ldap" returns invalid for request 1 modcall: group Auth- Type returns invalid for request 1 auth: Failed to validate the user. Login incorrect: [testrad/<no User- Password attribute>] (from client testap port 466 cli 0012.f0e3.7896) Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access- Reject of id 5 to 172.31.1.79:1645 Waking up in 4 seconds...
I can authenticate using a small utility called NTRadPing Test Utility from my desktop directly connecting to Freeradius.
any thoughts?
Thank you, John Peebles Village of Hoffman Estates IS Specialist (847) 882- 9100 x2500
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
John Peebles -
Sayantan Bhowmick