Pb with EAP/MD5
Rafael DiazMaurin
Rafael.DiazMaurin at cnrs-bellevue.fr
Tue Aug 9 09:44:10 CEST 2005
Jefri bin Dahari wrote:
> I think you haven't put the NAS ip address in clients.conf.
Yes, I did:
client xxx.xxx.xxx.xxx {
    secret = XXX
    shortname = Switch
    nastype = cisco
}
> ----- Original Message -----
> *From:* Rafael DiazMaurin <mailto:Rafael.DiazMaurin at cnrs-bellevue.fr>
> *To:* z.ori at morehead-st.edu <mailto:z.ori at morehead-st.edu> ;
> FreeRadius users mailing list
> <mailto:freeradius-users at lists.freeradius.org>
> *Sent:* Monday, August 08, 2005 22:44
> *Subject:* Re: Pb with EAP/MD5
>
> Thank you Zoltan,
> I made some modification but nothing changed.
> When I tested the configuration with radping on the
> supplicant, it worked fine.
> But with my md5 configuration, nothing occurs at the radius
> server (no packets sent, no logs).
>
> I answer you at each point, and give the configurations on the client.
>
>
> Zoltan A. Ori wrote:
>
>>On Monday 08 August 2005 03:54, Rafael DiazMaurin wrote:
>>
>>
>>>Hello,
>>>Can someone help me?
>>>I use: freeradius 1.0.4 and a Cisco 2950 switch
>>>
>>>I'm trying to configure EAP/MD5, but the client doesn't show the
>>>login/password window; it's connected to the network without asking for the
>>>login/password, and the freeradius daemon is still:
>>> Listening on authentication *:1812
>>> Listening on accounting *:1813
>>> Ready to process requests.
>>>Part of the freeradius log:
>>> Module: Loaded eap
>>> eap: default_eap_type = "md5"
>>> eap: timer_expire = 60
>>> eap: ignore_unknown_eap_types = yes
>>> eap: cisco_accounting_username_bug = no
>>> rlm_eap: Loaded and initialized type md5
>>> Module: Instantiated eap (eap)
>>>
>>>
>>>
>>
>>The Cisco 2950 is the client (or NAS). Is it configured?
>>
>>
> Yes, it's configured:
> IOS version: 12.1(22)EA4
> General configuration:
>   aaa new-model
>   aaa authentication dot1x default group radius
>   aaa authorization network default group radius
>   radius-server host IP-Adress auth-port 1812 acct-port 1813 key XXX
>   radius-server retransmit 3
>
> Here is the configuration of the port where the supplicant (XP SP 2)
> is connected:
>   interface FastEthernet0/2
>    description supplicant
>    switchport access vlan XXX
>    switchport mode access
>    duplex full
>    dot1x port-control auto
>    dot1x timeout reauth-period 300
>    dot1x reauthentication
>    spanning-tree portfast
>
> This switch is connected to another switch with a trunk link, and
> then by another trunk link to the radius server.
> Here is the configuration of the port where the radius server is
> connected:
>   interface FastEthernet2/11
>    description RadiusServer
>    switchport access vlan 260
>
>
> Do I need to configure the last 2 switches with dot1x
> authentication?
> I didn't configure anything on these switches, even the one where
> the radius server is plugged in.
> I only configured the switch where the supplicant is connected.
>
>>XP is the supplicant. If the Cisco 2950 (client) doesn't require login, then
>>the supplicant will simply connect without any authentication dialog.
>>
>>
> How can I make the supplicant connect with an
> authentication dialog?
>
>>
>>
>>>The local tests are OK!
>>>
>>>
>>>
>>
>>Then the server is probably working just fine.
>>
>>
>>
>>>Here are the configurations I tested:
>>>raddb/users:
>>>test Auth-Type := EAP, User-Password == "test"
>>> Service-Type = Framed-User
>>>
>>>
>>>
>>
>>Don't set the Auth-Type in users file.
>>
>>
> I deleted it, but nothing changed.
>
>>>On the client (Windows XP SP2) I configured the 802.1x properties with
>>>EAP type: MD5-Challenge
>>>
>>>
>>
>>That is the supplicant. Now, configure the client.
>>
>>Zoltan
>>
>>
>>
>
> Rafael.
>
>