Re: Authentication failure - PEAP - MS-CHAPv2
Follow the instructions on my web site: http://deployingradius.com
It has a step by step guide to get EAP working. Follow the guide. It *will* work.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks, I'm going to try it. Anyway, I don't think it could be Samba related, because my config uses an LDAP database, which is totally independent from Samba. The only reason I can imagine, is a bug in the firmware of the access point... but let's see what happens using your configuration.
I think you are using sef-signed ssl certificates in the freeradius server and the windows XP client is trying to "validate" them; if that is right try to configure windows xp client to not to validate them. Best regards and sorry for my english! Diego Martín Capello
Gergely Kiss
Hi,
I think you are using sef-signed ssl certificates in the freeradius server and the windows XP client is trying to "validate" them; if that is right try to configure windows xp client to not to validate them. Best regards and sorry for my english!
self-signed are perfectly fine - but you need to ensure that the CA used is installed onto the client! you should *never* run an EAP client without certificate validation alan
Hi alan,
Hi,
self-signed are perfectly fine - but you need to ensure that the CA used is installed onto the client!
you should *never* run an EAP client without certificate validation
I agree with you, but this is only for testing purposes. Each client is responsible for the configuration of his EAP client. Best regards.
alan
-- Diego Martín Capello Administrador RedUBA Centro de Comunicación Científica Universidad de Buenos Aires
2009/6/10 Diego Martín Capello <diego@ccc.uba.ar>
Hi alan,
Hi,
self-signed are perfectly fine - but you need to ensure that the CA used is installed onto the client!
you should *never* run an EAP client without certificate validation
I agree with you, but this is only for testing purposes. Each client is responsible for the configuration of his EAP client. Best regards.
alan
It really is an AP issue. Using another AP (SMC WEBT-G) with the same Radius config works... Both Windows XP and Ubuntu connects successfully, no matter if I set certificate validation on or off... Anyway, there are two EAP setting which is supported by the Cisco AP: Open mode with EAP, and something called "Network mode". I'm going to try setting the latter one, maybe it helps. If not, a firmware update will be needed (I think). Thanks for all your comments! Regards Gergely Kiss
kissg a écrit :
It really is an AP issue. Using another AP (SMC WEBT-G) with the same Radius config works... Both Windows XP and Ubuntu connects successfully, no matter if I set certificate validation on or off... Anyway, there are two EAP setting which is supported by the Cisco AP: Open mode with EAP, and something called "Network mode". I'm going to try setting the latter one, maybe it helps. If not, a firmware update will be needed (I think).
Thanks for all your comments!
Regards Gergely Kiss
Hello, I know how to configure those Cisco AP 1131 AG and it's working for me. As it is too long and heavy to put some screen shots of the web interface, here are parts of the configuration you should have. Here are parts of the configuration you should have: aaa new-model ! ! aaa group server radius rad_eap server <IP@ of freeradius> auth-port 1812 acct-port 1813 ! aaa group server radius rad_mac ! aaa group server radius rad_acct server <IP@ of freeradius> auth-port 1812 acct-port 1813 ! aaa group server radius rad_admin server <IP@ of freeradius> auth-port 1812 acct-port 1813 ! aaa group server radius rad_eap1 server <IP@ of freeradius> auth-port 1812 acct-port 1813 ! aaa authentication login eap_methods group rad_eap aaa authentication login mac_methods local aaa authentication login eap_methods1 group rad_eap1 aaa authorization exec default local aaa accounting network acct_methods start-stop group rad_acct ! aaa session-id common ....................... dot11 ssid <ssID Name> authentication open eap eap_methods1 authentication key-management wpa version 2 guest-mode information-element ssidl wps ! dot11 holdoff-time 60 dot11 aaa csid ietf dot11 aaa dot1x compliance draft10 dot11 network-map power inline negotiation prestandard source eap profile < Profile Name> method mschapv2 ! .............................. radius-server local nas <ip @ of radius server> key secret ! radius-server attribute 32 include-in-access-req format %h radius-server host <IP@> auth-port 1812 acct-port 1813 key secret radius-server vsa send accounting bridge 1 route ip ! ................................ I hope it helps a little. Best Regards, Matt
2009/6/11 Matthieu Lazaro <matthieu.lazaro@eservglobal.com>
! eap profile < Profile Name> method mschapv2 !
I don't have the lines above in my config. Does this have any influence on the way the AP proxies radius packets? I think, this is only relevant if the AP authenticates using its own database, right?
It's getting even more interesting: using the same configuration, but with another access point (same model and firmware version): works flawlessly. There are only two differences between the setups: - In the test environment, the AP is located near to the test machine (it was placed about 5-6 meters from the AP, no walls between) - We didn't configure VLANs on the test AP. I have a feeling, that the AP refuses the connection, because some kind of privilege checking fails (the client is not privileged to access the required VLAN). Does FreeRADIUS configuration need anything special, if the AP is configured for multiple VLANs? The VLAN configuration looks like this in the live environment: VLAN4 - Private vlan, the radius server is located here and an EAP-protected SSID is mapped to this VLAN VLAN5 - Public vlan, mapped to an open SSID VLAN6 - Management vlan - untagged - we configure the APs using this VLAN Probably the LDAP server has to provide some extra attribute which grants access to VLAN4, but I'm not sure. Could you please help? Thank you Gergely Kiss 2009/6/12 kissg <mail.gery@gmail.com>
2009/6/11 Matthieu Lazaro <matthieu.lazaro@eservglobal.com>
! eap profile < Profile Name> method mschapv2 !
I don't have the lines above in my config. Does this have any influence on the way the AP proxies radius packets? I think, this is only relevant if the AP authenticates using its own database, right?
Problem solved! It was a routing problem... the APs are on a different subnet as the RADIUS server. Their default gateways were set to the correct host, that's why they could talk to the RADIUS server. The problem is, that recently we added a ppp connection to the server, which overwrote the default route, that way rendering the APs invisible... adding a route entry to the routing table solved the problem. Thank you for your help, anyways. Regards Gergely Kiss 2009/6/16 kissg <mail.gery@gmail.com>
It's getting even more interesting: using the same configuration, but with another access point (same model and firmware version): works flawlessly. There are only two differences between the setups: - In the test environment, the AP is located near to the test machine (it was placed about 5-6 meters from the AP, no walls between) - We didn't configure VLANs on the test AP.
I have a feeling, that the AP refuses the connection, because some kind of privilege checking fails (the client is not privileged to access the required VLAN). Does FreeRADIUS configuration need anything special, if the AP is configured for multiple VLANs?
The VLAN configuration looks like this in the live environment:
VLAN4 - Private vlan, the radius server is located here and an EAP-protected SSID is mapped to this VLAN VLAN5 - Public vlan, mapped to an open SSID VLAN6 - Management vlan - untagged - we configure the APs using this VLAN
Probably the LDAP server has to provide some extra attribute which grants access to VLAN4, but I'm not sure. Could you please help?
Thank you
Gergely Kiss
Hi,
It really is an AP issue. Using another AP (SMC WEBT-G) with the same Radius config works... Both Windows XP and Ubuntu connects successfully, no matter if I set certificate validation on or off... Anyway, there are two EAP setting which is supported by the Cisco AP: Open mode with EAP, and something called "Network mode". I'm going to try setting the latter one, maybe it helps. If not, a firmware update will be needed (I think).
you can use both. uts recommended to use the open for non cisco clients and the network mode for cisco clients. you can (should?) run both at the same time. alan
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Diego Martín Capello -
kissg -
Matthieu Lazaro