Getting DD-WRT to work with FreeRadius and LEAP authentication
Hi I am trying to set up a WPA2 Enterprise protected network with FreeRadius as the radius server. I have configured everything and it was working fine. Then I realised that I need to use LEAP to replicate a specific environment to test. I am struggling with this for the entire day, I tried many different configurations but nothing seems to help. Basically nothing happens after the Access-Challenge message is sent to the router. Does anyone have experience getting LEAP to work with DD-WRT and FreeRadius? Thanks in advance. Below is the log: --- SNIP -- rad_recv: Access-Request packet from host 10.0.1.131 port 54801, id=12, length=195 User-Name = "u" NAS-IP-Address = 10.0.1.131 NAS-Port = 1 Called-Station-Id = "B8-A3-86-67-24-82:XXX" Calling-Station-Id = "F4-1B-A1-91-45-3B" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x027d0021110100188fa7a89c2cd5242f7ab0b864429deef700468c0b7c4fcc2575 State = 0x42737061420e616797f7f81cea17822d Message-Authenticator = 0x0d4a57a752036588d9c4bd197ef5ab86 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "u", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 125 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry u at line 81 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/leap [eap] processing type leap rlm_eap_leap: Stage 4 rlm_eap_leap: NtChallengeResponse from AP is valid [eap] Underlying EAP-Type set EAP ID to 126 ++[eap] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Challenge of id 12 to 10.0.1.131 port 54801 EAP-Message = 0x037e0004 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x42737061430d616797f7f81cea17822d Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 4 ID 11 with timestamp +127 Cleaning up request 5 ID 12 with timestamp +127 Ready to process requests. -- END OF SNIP --
Kostya wrote:
I am trying to set up a WPA2 Enterprise protected network with FreeRadius as the radius server. I have configured everything and it was working fine. Then I realised that I need to use LEAP to replicate a specific environment to test.
You should avoid LEAP. It's insecure.
I am struggling with this for the entire day, I tried many different configurations but nothing seems to help.
Basically nothing happens after the Access-Challenge message is sent to the router.
Then the issue isn't FreeRADIUS. It's the client PC. Are you sure it supports LEAP? Most don't.
Does anyone have experience getting LEAP to work with DD-WRT and FreeRadius?
FreeRADIUS sends LEAP to the DD-WRT, which forwards it to the client PC. If the client PC doesn't respond, then FreeRADIUS and DD-WRT aren't responsible. Alan DeKok.
The client is ipad mini, it has a leap option. I will check it tomorrow again. On Jun 3, 2013 12:41 AM, "Alan DeKok" <aland@deployingradius.com> wrote:
Kostya wrote:
I am trying to set up a WPA2 Enterprise protected network with FreeRadius as the radius server. I have configured everything and it was working fine. Then I realised that I need to use LEAP to replicate a specific environment to test.
You should avoid LEAP. It's insecure.
I am struggling with this for the entire day, I tried many different configurations but nothing seems to help.
Basically nothing happens after the Access-Challenge message is sent to the router.
Then the issue isn't FreeRADIUS. It's the client PC.
Are you sure it supports LEAP? Most don't.
Does anyone have experience getting LEAP to work with DD-WRT and FreeRadius?
FreeRADIUS sends LEAP to the DD-WRT, which forwards it to the client PC. If the client PC doesn't respond, then FreeRADIUS and DD-WRT aren't responsible.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sun, Jun 2, 2013 at 9:10 PM, Kostya <kostya.y@gmail.com> wrote:
I am trying to set up a WPA2 Enterprise protected network with FreeRadius as the radius server. I have configured everything and it was working fine. Then I realised that I need to use LEAP to replicate a specific environment to test.
Huh.. LEAP should not really be used for number of reasons (not secure, not a compliant EAP method).. Does anyone have experience getting LEAP to work with DD-WRT and FreeRadius?
Assuming DD-WRT uses hostapd as the authenticator, it does not support LEAP. The LEAP design is a horrible hack that is not compliant with EAP (it looks more like two EAP exchanges in a single one and requires hacks in AS, AP/NAS, and supplicant to work). I have not seen any reason to add support for that into hostapd. - Jouni
participants (3)
-
Alan DeKok -
Jouni Malinen -
Kostya