freeradius 1.0.4 and Cisco WLSE

jck-freeradius at southwestern.edu
Fri Aug 19 18:24:50 CEST 2005


On Thu, Aug 11, 2005 at 07:02:19PM -0400, Alan DeKok wrote:
> jck-freeradius at southwestern.edu wrote:
> > I am trying to speak between my Freeradius server and a Cisco WLSE.
> > I am seeing EAP timeouts while WLSE is trying to authenticate
> > through Freeradius.
> 
>   Short summary: the supplicant is broken.
> 
> > Sending Access-Challenge of id 3 to 192.168.254.10:32815
> >         EAP-Message = 0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374
> >         Message-Authenticator = 0x00000000000000000000000000000000
> >         State = 0x8c90735921dd51b22bc8ef97379845b8
> ...
> > rad_recv: Access-Request packet from host 192.168.254.10:32815, id=3, length=125
> >         User-Name = "wlseacct"
> >         NAS-IP-Address = 192.168.254.10
> >         Called-Station-Id = "ABBAABBAABBA"
> >         Calling-Station-Id = "ABBAABBAABBA"
> >         NAS-Identifier = "Cisco Secure II"
> >         NAS-Port = 29
> >         Framed-MTU = 1400
> >         NAS-Port-Type = Wireless-802.11
> >         EAP-Message = 0x020300060311
> >         Message-Authenticator = 0x070f8a208866000f797e64be5bd48f48
> 
>   The client is sending a NACK, and asking for another EAP type.  But
> it's changing the EAP ID in a broken way, which means that the AP
> doesn't add the State attribute from the previous challenge.
> 
>   In the last packet, FreeRADIUS is seeing the middle of a
> conversation, without any way to know what the conversation was about.
> 
>   The supplicant is broken.  Use another one.

I am stuck using WLSE.  Are there plans on an "official" fix in Freeradius,
to work with whatever is broken in WLSE?  Cisco APs are only good if you have
decent management.

--johnk
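
Added example, not part of the original thread and not FreeRADIUS code: a small Python decoder run over the two EAP-Message values quoted above. It shows the identifier mismatch and the missing State attribute described in the reply. The function names and dict layout are assumptions made for illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 17: "LEAP", 26: "MS-CHAPv2"}  # subset only

def parse_eap(hexstr):
    """Decode the RFC 3748 header of an EAP-Message attribute value."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes received")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        if code == 2 and raw[4] == 3:  # Nak: body lists the methods the peer wants
            pkt["wants"] = [EAP_TYPES.get(t, t) for t in raw[5:]]
    return pkt

def check_exchange(challenge, request):
    """Return the reasons a server cannot tie `request` to `challenge`."""
    sent = parse_eap(challenge["EAP-Message"])
    got = parse_eap(request["EAP-Message"])
    problems = []
    if got["id"] != sent["id"]:
        problems.append(f"EAP id {got['id']} does not match request id {sent['id']}")
    if request.get("State") != challenge.get("State"):
        problems.append("State from the Access-Challenge was not echoed")
    return sent, got, problems

# Values copied from the debug output quoted in this thread.
CHALLENGE = {
    "EAP-Message": "0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374",
    "State": "0x8c90735921dd51b22bc8ef97379845b8",
}
REQUEST = {"EAP-Message": "0x020300060311"}  # the Access-Request carried no State

if __name__ == "__main__":
    sent, got, problems = check_exchange(CHALLENGE, REQUEST)
    print("challenge:", sent)
    print("request:  ", got)
    for p in problems:
        print("problem:  ", p)
```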


