freeradius 1.0.4 and Cisco WLSE
jck-freeradius at southwestern.edu
Fri Aug 19 18:24:50 CEST 2005
On Thu, Aug 11, 2005 at 07:02:19PM -0400, Alan DeKok wrote:
> jck-freeradius at southwestern.edu wrote:
> > I am trying to speak between my Freeradius server and a Cisco WLSE.
> > I am seeing EAP timeouts while WLSE is trying to authenticate
> > through Freeradius.
>
> Short summary: the supplicant is broken.
>
> > Sending Access-Challenge of id 3 to 192.168.254.10:32815
> > EAP-Message = 0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x8c90735921dd51b22bc8ef97379845b8
> ...
> > rad_recv: Access-Request packet from host 192.168.254.10:32815, id=3, length=125
> > User-Name = "wlseacct"
> > NAS-IP-Address = 192.168.254.10
> > Called-Station-Id = "ABBAABBAABBA"
> > Calling-Station-Id = "ABBAABBAABBA"
> > NAS-Identifier = "Cisco Secure II"
> > NAS-Port = 29
> > Framed-MTU = 1400
> > NAS-Port-Type = Wireless-802.11
> > EAP-Message = 0x020300060311
> > Message-Authenticator = 0x070f8a208866000f797e64be5bd48f48
>
> The client is sending a NACK, and asking for another EAP type. But
> it's changing the EAP ID in a broken way, which means that the AP
> doesn't add the State attribute from the previous challenge.
>
> In the last packet, FreeRADIUS is seeing the middle of a
> conversation, without any way to know what the conversation was about.
>
> The supplicant is broken. Use another one.

I am stuck using WLSE. Are there plans on an "official" fix in Freeradius,
to work with whatever is broken in WLSE? Cisco APs are only good if you have
decent management.
--johnk
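
Added example, not part of the original message and not FreeRADIUS code: a small decoder for the two EAP-Message values in the debug output quoted above, checking the EAP identifier and the State attribute that the reply points to. It assumes the two packets shown are consecutive (the quoted log elides lines between them); the function names are hypothetical.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Type numbers from the IANA EAP registry; only the ones relevant here.
EAP_TYPES = {1: "Identity", 3: "Nak", 17: "LEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(hex_value):
    """Decode the EAP header from a FreeRADIUS-style 0x... debug string."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes received")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "type": None, "data": b""}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt


def check_round_trip(challenge, request):
    """Compare an Access-Challenge with the Access-Request that follows it."""
    sent = parse_eap(challenge["EAP-Message"])
    got = parse_eap(request["EAP-Message"])
    findings = []
    # RFC 3748: the Identifier of a Response must match the outstanding Request.
    if got["code"] == "Response" and got["id"] != sent["id"]:
        findings.append(f"EAP id {got['id']} does not match outstanding request id {sent['id']}")
    # The NAS is expected to echo State so the server can find the session.
    if "State" in challenge and request.get("State") != challenge["State"]:
        findings.append("State from the challenge was not echoed")
    if got["type"] == "Nak":
        wanted = [EAP_TYPES.get(t, t) for t in got["data"]]
        findings.append(f"Nak of {sent['type']}, peer asks for {wanted}")
    return findings


# Attribute values copied from the debug output quoted in the message above.
CHALLENGE = {
    "EAP-Message": "0x010100221a0101001d10b063da2c8f5c52273cd537b0c09d69e5776c736561636374",
    "State": "0x8c90735921dd51b22bc8ef97379845b8",
}
REQUEST = {"EAP-Message": "0x020300060311"}

if __name__ == "__main__":
    for line in check_round_trip(CHALLENGE, REQUEST):
        print(line)
```

Run against a fuller debug log, the same two checks show at which round trip the identifier and State stop lining up.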