Pb with EAP/MD5

Jefri bin Dahari jeff at mimos.my
Tue Aug 9 10:37:55 CEST 2005


Use the 'debug radius authentication' command on your switch, run radiusd -X,
and see the output.
Check whether the VLAN you configure on the port is supported on the switch.


----- Original Message ----- 
From: "Rafael DiazMaurin" <Rafael.DiazMaurin at cnrs-bellevue.fr>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, August 09, 2005 15:44
Subject: Re: Pb with EAP/MD5


> Jefri bin Dahari wrote:
>
>> I think you haven't put the NAS IP address in clients.conf.
>
>
> Yes, I did:
>
> client xxx.xxx.xxx.xxx {
>        secret          = XXX
>        shortname    = Switch
>        nastype         = cisco
> }
>
>
>>     ----- Original Message -----
>>     *From:* Rafael DiazMaurin <mailto:Rafael.DiazMaurin at cnrs-bellevue.fr>
>>     *To:* z.ori at morehead-st.edu <mailto:z.ori at morehead-st.edu> ;
>>     FreeRadius users mailing list
>>     <mailto:freeradius-users at lists.freeradius.org>
>>     *Sent:* Monday, August 08, 2005 22:44
>>     *Subject:* Re: Pb with EAP/MD5
>>
>>     Thank you Zoltan,
>>     I made some modifications but nothing changed.
>>     When I tested the configuration with radping on the
>>     supplicant, it worked fine.
>>     But with my md5 configuration, nothing occurs at the radius
>>     server (no packets sent, no logs).
>>
>>     I answer you at each point, and give the configurations on the
>>     client.
>>
>>
>>     Zoltan A. Ori wrote:
>>
>>>On Monday 08 August 2005 03:54, Rafael DiazMaurin wrote:
>>>
>>>>Hello,
>>>>Can someone help me?
>>>>I use: freeradius 1.0.4, and a CISCO 2950 switch
>>>>
>>>>I'm trying to configure EAP/MD5, but the client can't show the
>>>>login/password window; it's connected to the network without asking for the
>>>>login/password, and the freeradius daemon is still:
>>>>            Listening on authentication *:1812
>>>>            Listening on accounting *:1813
>>>>            Ready to process requests.
>>>>Part of the freeradius log:
>>>>    Module: Loaded eap
>>>>     eap: default_eap_type = "md5"
>>>>     eap: timer_expire = 60
>>>>     eap: ignore_unknown_eap_types = yes
>>>>     eap: cisco_accounting_username_bug = no
>>>>    rlm_eap: Loaded and initialized type md5
>>>>    Module: Instantiated eap (eap)
>>>>
>>>>
>>>
>>>The Cisco 2950 is the client (or NAS). Is it configured?
>>>
>>     Yes, it's configured:
>>     IOS version: 12.1(22)EA4
>>     General configuration:
>>         aaa new-model
>>         aaa authentication dot1x default group radius
>>         aaa authorization network default group radius
>>     radius-server host IP-Adress auth-port 1812 acct-port 1813 key XXX
>>     radius-server retransmit 3
>>
>>     Here is the configuration of the port where the supplicant (XP SP
>>     2) is connected:
>>     interface FastEthernet0/2
>>       description supplicant
>>      switchport access vlan XXX
>>      switchport mode access
>>      duplex full
>>      dot1x port-control auto
>>      dot1x timeout reauth-period 300
>>      dot1x reauthentication
>>      spanning-tree portfast
>>
>>     This switch is connected to another switch with a trunk link, and
>>     another trunk link up to the radius server.
>>     Here is the configuration of the port where the radius server is
>>     connected:
>>     interface FastEthernet2/11
>>      description RadiusServer
>>      switchport access vlan 260
>>
>>
>>     Do I need to configure the last 2 switches with dot1x
>>     authentication?
>>     I didn't configure anything on these switches, even the one where
>>     the radius server is plugged in.
>>     I only configured the switch where the supplicant is connected.
>>
>>>XP is the supplicant. If the Cisco 2950 (client) doesn't require login, 
>>>then the supplicant will simply connect without any authentication 
>>>dialog.
>>     How can I make the supplicant connect with an
>>     authentication dialog?
>>
>>>
>>>>The local tests are OK!
>>>>
>>>>
>>>
>>>Then the server is probably working just fine.
>>>
>>>
>>>>Here are the configurations I tested:
>>>>raddb/users:
>>>>test    Auth-Type := EAP, User-Password == "test"
>>>>         Service-Type = Framed-User
>>>>
>>>>
>>>
>>>Don't set the Auth-Type in users file.
>>>
>>     I deleted it, but nothing changed.
>>
>>>>On the client (Windows XP SP2) I configure the 802.1x properties on
>>>>EAP type: MD5-Challenge
>>>>
>>>
>>>That is the supplicant. Now, configure the client.
>>>
>>>Zoltan
>>>
>>>- List info/subscribe/unsubscribe? See 
>>>http://www.freeradius.org/list/users.html
>>>
>>
>>     Rafael.
>>
>>