LEAP
John Peebles
John.Peebles at HoffmanEstates.org
Tue Jan 17 17:02:36 CET 2006
We are having problems getting LEAP to authenticate. We are using FreeRADIUS 0.9.3, a Cisco Aironet 1200 and eDir as a back end.
Here is our config file:
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TESTAP
!
enable secret 5 $1$tQu6$CiVTpfiU2yIuDBoQveZtM1
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
server 172.31.1.25 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
!
aaa session-id common
!
dot11 ssid TESTAP
authentication open eap eap_methods1
authentication network-eap eap_methods1
guest-mode
!
!
!
username Cisco password 7 047802150C2E
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode wep mandatory
!
ssid TESTAP
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 172.31.1.79 255.255.255.0
no ip route-cache
!
ip default-gateway 172.31.1.250
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
radius-server local
no authentication eapfast
no authentication mac
eapfast server-key primary 7 C10D5BA1B105987DEA7DE22F1E2A3D7094
nas 172.31.1.79 key 7 040A59555B74
user testrad nthash 7 06255C771F6A5F412735372D5B560F7B720E6B657A46544F2051000B0E77005F57
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.31.1.25 auth-port 1812 acct-port 1813 key 7 101F5B4A5142
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
transport preferred all
transport output all
line vty 0 4
transport preferred all
transport input all
transport output all
line vty 5 15
transport preferred all
transport input all
transport output all
!
end
Here is the error message we get:
rad_recv: Access-Request packet from host 172.31.1.79:1645, id=5, length=131
User-Name = "testrad"
Framed-MTU = 1400
Called-Station-Id = "0015.f947.8560"
Calling-Station-Id = "0012.f0e3.7896"
Service-Type = Login-User
Message-Authenticator = 0xa00609077f82a3396080dcdcc8019804
EAP-Message = 0x0201000c0174657374726164
NAS-Port-Type = Wireless-802.11
NAS-Port = 466
NAS-IP-Address = 172.31.1.79
NAS-Identifier = "TESTAP"
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
rlm_realm: No '@' in User-Name = "testrad", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testrad
radius_xlat: '(uid=testrad)'
radius_xlat: 'o=Village'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=Village, with filter (uid=testrad)
rlm_ldap: checking if remote access for testrad is allowed by dialupAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testrad authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 1
modcall: group Auth-Type returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [testrad/<no User-Password attribute>] (from client testap port 466 cli 0012.f0e3.7896)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 5 to 172.31.1.79:1645
Waking up in 4 seconds...
I can authenticate using a small utility called NTRadPing Test Utility from my desktop directly connecting to Freeradius.
Any thoughts?
Thank you,
John Peebles
Village of Hoffman Estates
IS Specialist
(847) 882-9100 x2500
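The debug output above already contains the diagnosis: the first packet is an EAP-Response/Identity, the "eap" module never runs in the authorize section, the users file DEFAULT entry forces Auth-Type LDAP, and rlm_ldap then fails because it can only authenticate by binding with a cleartext User-Password, which an EAP request never carries. As an added triage example (not code from the post, and not FreeRADIUS's own code), the following Python script reads radiusd -X output in the 0.9.x/1.x line format shown above and reports those findings. The embedded SAMPLE is a constructed, trimmed copy of the posted exchange; the finding codes and the regular expressions are this example's own.

```python
"""Triage a rejected EAP (LEAP) Access-Request from FreeRADIUS 'radiusd -X' output.

Added example, not from the original post or from FreeRADIUS. It understands the
debug line shapes of FreeRADIUS 0.9.x/1.x as they appear in the post.
"""
import re

# Constructed sample: the post's debug output, trimmed to the lines that matter.
SAMPLE = """\
rad_recv: Access-Request packet from host 172.31.1.79:1645, id=5, length=131
        User-Name = "testrad"
        Service-Type = Login-User
        EAP-Message = 0x0201000c0174657374726164
        NAS-Port-Type = Wireless-802.11
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "suffix" returns noop for request 1
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 1
auth: Failed to validate the user.
Sending Access-Reject of id 5 to 172.31.1.79:1645
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 17: "LEAP"}
ATTR_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.+?)\s*$")
MODCALL_RE = re.compile(r'modcall\[(\w+)\]: module "(\w+)" returns (\w+)')
USERS_RE = re.compile(r"users: Matched (\S+) at (\d+)")
AUTHTYPE_RE = re.compile(r"Found Auth-Type (\S+)")


def decode_eap(hexstr):
    """Decode the outer EAP header (code, id, length, type, type-data; RFC 3748 layout)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length %d disagrees with %d bytes present" % (length, len(raw)))
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "type": None, "data": b""}
    if code in (1, 2) and length >= 5:      # only Request/Response carry a Type octet
        eap["type"] = EAP_TYPES.get(raw[4], raw[4])
        eap["data"] = raw[5:]
    return eap


def parse_debug(text):
    """Collect the first Access-Request's attributes and what each module did with it."""
    req = {"attrs": {}, "sections": {}, "users_match": None, "auth_type": None,
           "rejected": False, "errors": []}
    in_packet = False
    for line in text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            in_packet = True
            continue
        if in_packet:
            m = ATTR_RE.match(line)
            if m:
                req["attrs"][m.group(1)] = m.group(2).strip('"')
                continue
            in_packet = False               # attribute dump ended; fall through
        m = MODCALL_RE.search(line)
        if m:
            section, module, rc = m.groups()
            req["sections"].setdefault(section, []).append((module, rc))
            continue
        m = USERS_RE.search(line)
        if m:
            req["users_match"] = (m.group(1), int(m.group(2)))
            continue
        m = AUTHTYPE_RE.search(line)
        if m:
            req["auth_type"] = m.group(1)
        elif "is required for authentication" in line or "Failed to validate" in line:
            req["errors"].append(line.strip())
        elif line.startswith("Sending Access-Reject"):
            req["rejected"] = True
    return req


def diagnose(req):
    """Return (code, explanation) findings for an EAP request that ended in Access-Reject."""
    attrs, findings = req["attrs"], []
    authz = [mod for mod, _ in req["sections"].get("authorize", [])]
    eap = decode_eap(attrs["EAP-Message"]) if "EAP-Message" in attrs else None
    if eap is None:
        return [("NO_EAP", "No EAP-Message attribute: the NAS did not send an EAP request.")]
    if eap["code"] == "Response" and eap["type"] == "Identity":
        findings.append(("EAP_IDENTITY", "First packet is EAP-Response/Identity for %r; an EAP "
                         "conversation never carries User-Password." % eap["data"].decode("ascii", "replace")))
    if "eap" not in authz:
        findings.append(("EAP_NOT_IN_AUTHORIZE", "Module 'eap' never ran in authorize (ran: %s), so "
                         "rlm_eap could not claim the request with Auth-Type EAP." % ", ".join(authz)))
    if req["auth_type"] and req["auth_type"].upper() != "EAP":
        where = "users entry %s line %d" % req["users_match"] if req["users_match"] else "a check item"
        findings.append(("AUTH_TYPE_NOT_EAP", "Auth-Type %s was forced by %s; for LEAP the users "
                         "file must not override Auth-Type." % (req["auth_type"], where)))
    if "User-Password" not in attrs and ("ldap", "invalid") in req["sections"].get("authenticate", []):
        findings.append(("LDAP_BIND_IMPOSSIBLE", "rlm_ldap authenticates by binding with User-Password, "
                         "which an EAP request cannot supply; LEAP needs the user's cleartext password "
                         "(or NT hash, where the release supports NT-Password) returned from the "
                         "directory as a check item for rlm_eap instead."))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(parse_debug(SAMPLE)):
        print("%-22s %s" % (code, why))
```

Run against the sample it prints four findings, which together say: put eap in the authorize section, drop the Auth-Type := LDAP override from the users file, and let rlm_ldap return the password as a check item so rlm_eap_leap can compute the MS-CHAP-style challenge response itself. A separate caveat on the posted configuration: the "radius-server host ... key 7", "nas ... key 7", "eapfast server-key", "username Cisco password 7" and the local "nthash" values are reversibly obfuscated (type 7) or are the raw credential, so anyone reading the archive can recover them; they should be treated as disclosed and rotated.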