EAP on Cisco Cat2960 & Aironet1200: TLS Fails
mendonan at gmail.com
Wed Feb 21 10:34:05 CET 2007
On 2/13/07, Alan DeKok <aland at deployingradius.com> wrote:
> Senandung Mendonan wrote:
> > Problem: EAP Fails (Doesn't even get to TLS negotiation). In both
> > cases, we get perpetual "Access-Challenge" messages sent by
> > FreeRADIUS, at a very early stage — even before / during the initial
> > TLS negotiation in EAP.
> No... the NAS isn't seeing the response of the RADIUS server, so it
> re-sends the Access-Request, the server notices the duplicate request,
> and re-sends its response.
Yes, I believe so as well.
> Since the same IOS version seems to work for someone else, the problem
> is local to you. Please see the FAQ for what to do when the NAS never
> sees the response from the server.
Your phrase "NAS never sees the response" helped me focus on that
problem (previously I thought something was wrong with my config).
Finally, after hours of troubleshooting, the root cause was found: as
Mr Alan DeKok pointed out, it was the environment:-
1. For the Cisco Catalyst 2960: all it needed was another hard reset!
Somehow one of the config lines (source port 1645…) didn't get
activated until a hard reset.
2. For the Cisco Aironet 1200: Something else (a router) was blocking
the Access-Challenge packet from reaching port 1645 on the Aironet.
Fixed the rules.
So now we get the following working as expected:-
1. Authenticating a user in users file.
2. Authenticating a user in LDAP.
However, we are unable to get through one last hurdle:-
3. Authenticating a user in LDAP, then VLAN information passed back to
NAS via cisco-avpair settings in LDAP.
Somehow, when we add radiusReplyItem containing the desired
cisco-avpairs, we get back the same Access-Challenge loop at the early
Here are the debug outputs for comparison:-
1. For LDAP entry 'testuser', as follows:-
sambaAcctFlags: [U ]
cn: Company Test User
mailRoutingAddress: testuser at mail.company.net
gecos: Company Test User
mail: testuser at company.net
krbName: testuser at COMPANY.NET
givenName: Company Test
radiusReplyItem: cisco-avpair += "tunnel-type=VLAN"
radiusReplyItem: cisco-avpair += "tunnel-medium-type=802 media"
radiusReplyItem: cisco-avpair += "tunnel-private-group-ID=110"
Authentication fails with Access-Challenge loop in EAP (at rlm_tls,
similar to what I was seeing before), as shown here:-
However, as soon as I remove all radiusReplyItem attributes from the
same entry, the authentication succeeds, and I get connected.
Any help is welcome — thanks.
"Yang mimpikan secangkir kopi panas dengan selimut.."
(Dreaming of a cup of hot coffee, and a blanket..)
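The symptom Alan describes above (the NAS never receives the reply, re-sends the identical Access-Request, and the server answers each duplicate with its cached response, which looks like an endless Access-Challenge loop) can be spotted from request records alone. The script below is an added example, not code from the thread or from FreeRADIUS; the sample records, NAS addresses and the field layout are constructed for illustration.

```python
# Added example (not from the mailing-list thread): flag a NAS that keeps
# retransmitting the same Access-Request because the server's reply never
# reaches it (blocked return path, stale config, etc.).
from collections import defaultdict

# Constructed sample records: (timestamp, nas_ip, packet_id, request_authenticator).
# A healthy EAP exchange advances the RADIUS packet ID on every round trip; a
# NAS that never sees the Access-Challenge re-sends the identical packet instead.
SAMPLE_REQUESTS = [
    (0.00, "192.0.2.10", 5, "aa11"),
    (0.05, "192.0.2.10", 6, "bb22"),   # healthy: next EAP round, new ID
    (0.10, "192.0.2.10", 7, "cc33"),
    (1.00, "192.0.2.20", 40, "dd44"),
    (4.00, "192.0.2.20", 40, "dd44"),  # same ID + authenticator: retransmit
    (7.00, "192.0.2.20", 40, "dd44"),
    (10.00, "192.0.2.20", 40, "dd44"),
]


def find_retransmit_loops(requests, threshold=3):
    """Return {nas_ip: (packet_id, copies)} for every NAS whose identical
    Access-Request (same packet ID and Request Authenticator) arrived at
    least `threshold` times. Duplicate detection on the server answers each
    copy with the cached reply, so the wire shows a repeating
    Access-Challenge rather than any forward progress in EAP."""
    copies = defaultdict(int)
    for _ts, nas, pid, auth in requests:
        copies[(nas, pid, auth)] += 1
    loops = {}
    for (nas, pid, _auth), count in copies.items():
        if count >= threshold:
            loops[nas] = (pid, count)
    return loops


def nas_progress(requests):
    """Per NAS: number of distinct (ID, authenticator) pairs versus total
    packets. A ratio far below 1.0 means the NAS is not moving through the
    EAP conversation, i.e. it is not receiving the server's responses."""
    totals, distinct = defaultdict(int), defaultdict(set)
    for _ts, nas, pid, auth in requests:
        totals[nas] += 1
        distinct[nas].add((pid, auth))
    return {nas: len(distinct[nas]) / totals[nas] for nas in totals}


if __name__ == "__main__":
    for nas, (pid, n) in find_retransmit_loops(SAMPLE_REQUESTS).items():
        print(f"{nas}: packet ID {pid} seen {n} times; check the reply path "
              f"from the server back to the NAS (firewall/router rules, NAS port)")
```

When this fires for a NAS, the place to look is the return path from the RADIUS server to the NAS, which in the cases above was a router rule and a switch that needed a hard reset.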