EAP on Cisco Cat2960 & Aironet1200: TLS Fails

Senandung Mendonan mendonan at gmail.com
Wed Feb 21 10:34:05 CET 2007

On 2/13/07, Alan DeKok <aland at deployingradius.com> wrote:
> Senandung Mendonan wrote:
> > Problem: EAP Fails (Doesn't even get to TLS negotiation). In both
> > cases, we get perpetual "Access-Challenge" messages sent by
> > FreeRADIUS, at a very early stage — even before / during the initial
> > TLS negotiation in EAP.
>   No... the NAS isn't seeing the response of the RADIUS server, so it
> re-sends the Access-Request, the server notices the duplicate request,
> and re-sends it's response.

Yes, I believe so as well.

>   Since the same IOS version seems to work for someone else, the problem
> is local to you.  Please see the FAQ for what to do when the NAS never
> sees the response from the server.

Your phrase "NAS never sees the response" helped me focus on that
problem (previously I thought something wrong with my config).
Finally, after hours of troubleshooting, the root cause was found: as
Mr Alan DeKok pointed out it was the environment:-

1. For the Cisco Catalyst 2960: all it needed was another hard reset!
Somehow one of the config lines (source port 1645…) didn't get
activated until a hard reset.

2. For the Cisco Aironet 1200: Something else (a router) was blocking
the Access-Challenge packet from reaching port 1645 on the Aironet.
Fixed the rules.

So now we get the following working as expected:-

1. Authenticating a user in users file.

2. Authenticating a user in LDAP.

However, we are unable to get through one last hurdle:-

3. Authenticating a user in LDAP, then VLAN information passed back to
NAS via cisco-avpair settings in LDAP.

Somehow, when we add radiusReplyItem containing the desired
cisco-avpairs, we get back the same Access-Challenge loop at the early
EAP stage.

Here are the debug outputs for comparison:-

1. For LDAP entry 'testuser', as follows:-

dn: uid=testuser,ou=People,dc=company,dc=net
sambaPrimaryGroupSID: S-2-3-8-1040
sambaAcctFlags: [U          ]
shadowLastChange: 13525
sambaPwdLastSet: 1168566854
sambaLMPassword: 94918E8B0385E0A9AAD3B435B51404EE
sambaPwdCanChange: 1168566854
sambaNTPassword: 25AF711D2C13E00B6AB7DD4DE11B7136
cn: Company Test User
mailRoutingAddress: testuser at mail.company.net
uidNumber: 1003
gecos: Company Test User
mail: testuser at company.net
krbName: testuser at COMPANY.NET
uid: testuser
homeDirectory: /home/testuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: top
objectClass: kerberosSecurityObject
objectClass: radiusprofile
objectClass: sambaSamAccount
objectClass: inetOrgPerson
mailHost: mail.company.net
gidNumber: 20
givenName: Company Test
sn: User
loginShell: /bin/sh
radiusReplyItem: cisco-avpair += "tunnel-type=VLAN"
radiusReplyItem: cisco-avpair += "tunnel-medium-type=802 media"
radiusReplyItem: cisco-avpair += "tunnel-private-group-ID=110"
userPassword: mangkuk
sambaSID: S-1-5-21-2238693525-531040028-2956884036

Authentication fails with Access-Challenge loop in EAP (at rlm_tls,
similar to what I'm seeing before), as shown here:-


However, as soon as I remove all radiusReplyItem attributes from the
same entry, the authentication succeeds, and I get connected.

Any help is welcome — thanks.
"Yang mimpikan secangkir kopi panas dengan selimut.."
 (Dreaming of a cup of hot coffee, and a blanket..")

More information about the Freeradius-Users mailing list