LEAP

John Peebles John.Peebles at HoffmanEstates.org
Tue Jan 17 17:02:36 CET 2006


We are having problems getting LEAP to authenticate. We are using FreeRadius 0.9.3, Cisco Aironet 1200 and eDir as a back end.

Here is our config file:


!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TESTAP
!
enable secret 5 $1$tQu6$CiVTpfiU2yIuDBoQveZtM1
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 172.31.1.25 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
!
aaa session-id common
!
dot11 ssid TESTAP
   authentication open eap eap_methods1 
   authentication network-eap eap_methods1 
   guest-mode
!
!
!
username Cisco password 7 047802150C2E
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode wep mandatory 
 !
 ssid TESTAP
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 172.31.1.79 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.31.1.250
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag 
ip radius source-interface BVI1 
!
radius-server local
  no authentication eapfast
  no authentication mac
  eapfast server-key primary 7 C10D5BA1B105987DEA7DE22F1E2A3D7094
  nas 172.31.1.79 key 7 040A59555B74
  user testrad nthash 7 06255C771F6A5F412735372D5B560F7B720E6B657A46544F2051000B0E77005F57
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.31.1.25 auth-port 1812 acct-port 1813 key 7 101F5B4A5142
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 transport preferred all
 transport input all
 transport output all
!
end

Here is the error message we get:

rad_recv: Access-Request packet from host 172.31.1.79:1645, id=5, length=131
        User-Name = "testrad"
        Framed-MTU = 1400
        Called-Station-Id = "0015.f947.8560"
        Calling-Station-Id = "0012.f0e3.7896"
        Service-Type = Login-User
        Message-Authenticator = 0xa00609077f82a3396080dcdcc8019804
        EAP-Message = 0x0201000c0174657374726164
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 466
        NAS-IP-Address = 172.31.1.79
        NAS-Identifier = "TESTAP"
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
    rlm_realm: No '@' in User-Name = "testrad", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testrad
radius_xlat:  '(uid=testrad)'
radius_xlat:  'o=Village'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=Village, with filter (uid=testrad)
rlm_ldap: checking if remote access for testrad is allowed by dialupAccess
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testrad authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 1
modcall: group Auth-Type returns invalid for request 1
auth: Failed to validate the user.
Login incorrect: [testrad/<no User-Password attribute>] (from client testap port 466 cli 0012.f0e3.7896)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 5 to 172.31.1.79:1645
Waking up in 4 seconds...

I can authenticate using a small utility called NTRadPing Test Utility from my desktop directly connecting to Freeradius.

Any thoughts?



Thank you,
John Peebles
Village of Hoffman Estates
IS Specialist
(847) 882-9100 x2500
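Reading the debug output above: the Access-Request carries an EAP-Message (an EAP Response/Identity for "testrad"), the authorize section then settled on Auth-Type LDAP, and rlm_ldap refused the request because it authenticates by binding to the directory with User-Password, an attribute an EAP exchange never includes. The script below is an added example, not code from the post or from FreeRADIUS; it decodes the EAP-Message attribute and runs that check over the quoted debug lines (copied from the post and trimmed). The module names and message texts it matches are the ones in the log above. Its findings point at the usual fix for this symptom: let rlm_eap handle Auth-Type EAP and have the ldap module supply the user's password as a check item so the LEAP challenge can be verified, instead of forcing an LDAP bind.

```python
import re

# Constructed sample: an excerpt of the radiusd -X output quoted in the post,
# trimmed to the lines the diagnosis needs.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.31.1.79:1645, id=5, length=131
        User-Name = "testrad"
        Framed-MTU = 1400
        Service-Type = Login-User
        EAP-Message = 0x0201000c0174657374726164
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "TESTAP"
  modcall[authorize]: module "ldap" returns ok for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 1
auth: Failed to validate the user.
Sending Access-Reject of id 5 to 172.31.1.79:1645
"""

# EAP code and method numbers from RFC 3748 / IANA; 17 is Cisco LEAP.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP", 26: "MS-CHAPv2"}


def decode_eap_message(hex_value):
    """Decode one RADIUS EAP-Message attribute: 4-byte EAP header plus type byte."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length field %d does not match %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if len(raw) > 4:  # Success/Failure packets carry no type byte
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt


# Attribute lines in radiusd -X output are indented "Name = value".
ATTR_RE = re.compile(r"^\s+([A-Za-z][\w-]*) = (.*)$", re.M)
AUTH_TYPE_RE = re.compile(r"Found Auth-Type (\S+)")


def parse_debug(log):
    """Pull the request attributes and the chosen Auth-Type out of radiusd -X output."""
    attrs = {name: value.strip('"') for name, value in ATTR_RE.findall(log)}
    m = AUTH_TYPE_RE.search(log)
    return {
        "attrs": attrs,
        "auth_type": m.group(1) if m else None,
        # Exact message rlm_ldap prints when asked to bind without a password.
        "ldap_needs_password": 'Attribute "User-Password" is required' in log,
    }


def diagnose(log):
    """Explain why an EAP request is rejected when it is routed to Auth-Type LDAP."""
    parsed = parse_debug(log)
    attrs = parsed["attrs"]
    findings = []
    eap = None
    if "EAP-Message" in attrs:
        eap = decode_eap_message(attrs["EAP-Message"])
        if parsed["auth_type"] and parsed["auth_type"].upper() != "EAP":
            findings.append(
                "request carries an EAP %s/%s but was routed to Auth-Type %s; "
                "EAP requests must be handled by Auth-Type EAP (rlm_eap), not by a "
                "password-bind module" % (eap["code"], eap.get("type"), parsed["auth_type"]))
    if parsed["ldap_needs_password"]:
        findings.append(
            "rlm_ldap tried to bind as the user but the request has no User-Password; "
            "for LEAP the password must instead be fetched from LDAP as a check item "
            "so rlm_eap can verify the challenge")
    return {"user": attrs.get("User-Name"), "auth_type": parsed["auth_type"],
            "eap": eap, "findings": findings}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print("user:", result["user"], "auth_type:", result["auth_type"], "eap:", result["eap"])
    for finding in result["findings"]:
        print("-", finding)
```

Run it against a saved radiusd -X capture instead of SAMPLE_LOG to check any other access point in the same way; the first finding fires whenever an EAP-Message arrives and something other than rlm_eap was chosen to authenticate it, which is the misroute this log shows.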