Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?
Rokkhan
rokkhan at gmail.com
Thu Sep 17 21:38:14 CEST 2009
Have you tried to configure an inner-tunnel for PEAP? It will reduce
the LDAP lookups.
2009/9/17 Brian Wilson <briw111 at yahoo.com>:
> Hi all,
>
> A few months ago I had posted this topic to the list, and unfortunately
> before I could work further on it I got pulled onto another assignment. I
> apologize to those that tried helping before. I modified my config per
> their recommendations, but I'm still having the same problem.
>
> I am still having trouble with a WLC440x with WPA2-AES-PEAP-MSCHAPv2,
> freeradius and edirectory setup. Essentially, the ldap requests are taking
> 3-4 seconds to resolve. In addition, freeradius ends up doing in the
> neighborhood of 5-6 ldap lookups for each client trying to attach. I am
> unsure of why this is happening. Below is my configuration: (This is
> freeradius 2.1.6)
>
> authorize {
>     preprocess
>     auth_log
>     suffix
>     ntdomain
>     eap {
>         ok = return
>     }
>     files {
>         notfound = reject
>         noop = reject
>         fail = reject
>     }
>     redundant-load-balance {
>         LDAPsvr1
>         LDAPsvr2
>     }
>     expiration
>     logintime
> }
>
> authenticate {
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     Auth-Type LDAP {
>         redundant-load-balance {
>             LDAPsvr1
>             LDAPsvr2
>         }
>     }
>     eap
> }
>
> And in eap.conf, I have default-eap-type set to peap, and not mschapv2.
>
>
> Here is a snippet of debug info I had posted before; this tends to repeat ad
> nauseam about 4-5 more times before the actual access-accept is sent:
>
>
>
> rad_recv: Access-Request packet from host blah port 32769, id=5, length=196
> User-Name = "test"
> Calling-Station-Id = "mac"
> Called-Station-Id = "mac:blah"
> NAS-Port = 1
> NAS-IP-Address = ipblah
>
> NAS-Identifier = "nameblah"
> Airespace-Wlan-Id = 2
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> EAP-Message = (trimmed)
> Message-Authenticator = 0x8dd02304de9a3c5e3c732d1a622be134
> +- entering group authorize {...}
> [preprocess] expand: %{Called-Station-Id} -> mac:blah
>
> ++[preprocess] returns ok
> [auth_log] expand: (trimmed)
> [auth_log](trimmed)
> [auth_log] expand: %t -> Wed Jun 17 10:00:10 2009
> ++[auth_log] returns ok
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [ntdomain] Looking up realm "company" for User-Name = "test"
> [ntdomain] Found realm "company"
> [ntdomain] Adding Stripped-User-Name = "test"
> [ntdomain] Adding Realm = "company"
> [ntdomain] Authentication realm is LOCAL.
> ++[ntdomain] returns ok
> [eap] EAP packet type response id 2 length 27
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 178
> ++[files] returns ok
> ++- entering redundant-load-balance group redundant-load-balance {...}
> [LDAPsvr2] performing user authorization for test
> [LDAPsvr2] WARNING: Deprecated conditional expansion ":-". See "man unlang"
> for details
> [LDAPsvr2] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)
> [LDAPsvr2] expand: t=company -> t=company
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in t=company, with filter (cn=test)
> [LDAPsvr2] Added the eDirectory password password in check items as
> Cleartext-Password
> [LDAPsvr2] No default NMAS login sequence
> [LDAPsvr2] looking for check items in directory...
> [LDAPsvr2] looking for reply items in directory...
> [LDAPsvr2] user test authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> +++[LDAPsvr2] returns ok
> ++- redundant-load-balance group redundant-load-balance returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 5 to blah port 32769
> EAP-Message = (trimmed)
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfea96b9cfeaa7186011d5bcc3cb2528f
> Finished request 67.
> Going to the next request
> Waking up in 9.9 seconds.
> rad_recv: Access-Request packet from host blah port 32769, id=6, length=193
> User-Name = "test"
> Calling-Station-Id = "mac"
> Called-Station-Id = "mac:blah"
> NAS-Port = 1
> NAS-IP-Address = blah
>
> NAS-Identifier = "nameblah"
> Airespace-Wlan-Id = 2
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020300060319
> State = 0xfea96b9cfeaa7186011d5bcc3cb2528f
> Message-Authenticator = 0x7efad720ed506e1d3324a14c5f001a4c
> +- entering group authorize {...}
> [preprocess] expand: %{Called-Station-Id} -> mac:blah
> ++[preprocess] returns ok
> [auth_log] expand: (trimmed)
> [auth_log] (trimmed)
> [auth_log] expand: (trimmed)
> ++[auth_log] returns ok
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [ntdomain] Looking up realm "company" for User-Name = "test"
> [ntdomain] Found realm "company"
> [ntdomain] Adding Stripped-User-Name = "test"
> [ntdomain] Adding Realm = "company"
> [ntdomain] Authentication realm is LOCAL.
> ++[ntdomain] returns ok
> [eap] EAP packet type response id 3 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 178
> ++[files] returns ok
> ++- entering redundant-load-balance group redundant-load-balance {...}
> [LDAPsvr1] performing user authorization for test
> [LDAPsvr1] WARNING: Deprecated conditional expansion ":-". See "man unlang"
> for details
> [LDAPsvr1] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)
> [LDAPsvr1] expand: t=company -> t=company
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in t=company, with filter (cn=test)
> [LDAPsvr1] Added the eDirectory password password in check items as
> Cleartext-Password
> [LDAPsvr1] No default NMAS login sequence
> [LDAPsvr1] looking for check items in directory...
> [LDAPsvr1] looking for reply items in directory...
> [LDAPsvr1] user test authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> +++[LDAPsvr1] returns ok
> ++- redundant-load-balance group redundant-load-balance returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP NAK
> [eap] EAP-NAK asked for EAP-Type/peap
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 6 to blah port 32769
> EAP-Message = 0x010400061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfea96b9cffad7286011d5bcc3cb2528f
> Finished request 68.
> Going to the next request
> Waking up in 5.2 seconds.
>
>
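What the inner-tunnel suggestion looks like in FreeRADIUS 2.1.x configuration syntax, as an added example that is neither the poster's config nor the configuration shipped with FreeRADIUS: the directory lookup is taken out of the outer virtual server, which only sees the outer identity and the TLS handshake packets, and placed in the inner-tunnel virtual server that PEAP hands the inner EAP-MSCHAPv2 exchange to. The module instance names LDAPsvr1/LDAPsvr2, the realm modules and the users-file step come from the quoted config; the file paths named in the comments and the contents of the tls section are assumptions.

```unlang
# Assumed path: raddb/eap.conf (FreeRADIUS 2.1.x)
eap {
	default_eap_type = peap
	tls {
		# Certificate and CA settings omitted here; they stay as in
		# the site's own eap.conf (assumption: already working).
	}
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		# The inner EAP-MSCHAPv2 exchange is processed by this
		# virtual server instead of the outer "default" server.
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# Assumed path: raddb/sites-enabled/default (outer server).
# No directory lookup here: for PEAP tunnel-setup packets the eap
# module returns "ok", and "ok = return" stops the section, so the
# modules listed after it never run for those packets.
authorize {
	preprocess
	auth_log
	suffix
	ntdomain
	eap {
		ok = return
	}
	expiration
	logintime
}

authenticate {
	eap
}

# Assumed path: raddb/sites-enabled/inner-tunnel.
# Only the identity presented inside the TLS tunnel is looked up in
# the directory; the eDirectory password the poster's debug shows
# being fetched as Cleartext-Password is now retrieved only here.
server inner-tunnel {
	authorize {
		suffix
		ntdomain
		eap {
			ok = return
		}
		files
		redundant-load-balance {
			LDAPsvr1
			LDAPsvr2
		}
		expiration
		logintime
	}

	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		Auth-Type LDAP {
			redundant-load-balance {
				LDAPsvr1
				LDAPsvr2
			}
		}
		eap
	}
}
```

The inner-tunnel authorize section still runs once per inner MS-CHAPv2 round trip, so a handful of lookups per login remain; what disappears is the lookup on every outer packet of the TLS handshake, which is where the repeated `rlm_ldap: performing search` lines in the quoted debug come from. Checking the result is a matter of running `radiusd -X` again and confirming that `performing search` appears only inside the inner-tunnel portion of the trace.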