Cisco WLC PEAP/MSCHAPv2 - unnecessary ldap lookups?

Brian Wilson briw111 at yahoo.com
Thu Sep 17 21:55:35 CEST 2009


I will need to do some more research on inner-tunnels, as I'm not too familiar with them. How would I add the ldap components? As part of the peap module itself?

All the documentation I've found on LDAP requires the ldap modules to be referenced in both the authorize and authentication sections directly. It would be useful to see some more examples.

-----Inline Message Follows-----

Have you tried to configure an inner-tunnel for peap? It will reduce
the ldap lookups.

2009/9/17 Brian Wilson <briw111 at yahoo.com>:
> Hi all,
>
> A few months ago I had posted this topic to the list, and unfortunately
> before I could work further on it I got pulled onto another assignment.  I
> apologize to those that tried helping before.  I modified my config per
> their recommendations, but I'm still having the same problem...
>
> I am still having trouble with a WLC440x with WPA2-AES-PEAP-MSCHAPv2,
> freeradius and edirectory setup.  Essentially, the ldap requests are taking
> 3-4 seconds to resolve.  In addition, freeradius ends up doing in the
> neighborhood of 5-6 ldap lookups for each client trying to attach.  I am
> unsure of why this is happening.  Below is my configuration: (This is
> freeradius 2.1.6)
>
> authorize{
>    preprocess
>    auth_log
>    suffix
>    ntdomain
>    eap {
>        ok = return
>    }
>    files {
>        notfound = reject
>        noop = reject
>        fail = reject
>     }
>     redundant-load-balance {
>           LDAPsvr1
>           LDAPsvr2
>      }
>      expiration
>      logintime
> }
>
> authenticate {
>     Auth-Type MS-CHAP {
>           mschap
>     }
>     Auth-Type LDAP {
>           redundant-load-balance {
>                LDAPsvr1
>                LDAPsvr2
>           }
>      }
>      eap
> }
>
> And in eap.conf, I have default-eap-type set to peap, and not mschapv2.
>
>
> Here is a snippet of debug info I had posted before; this tends to repeat ad
> nauseam about 4-5 more times before the actual access-accept is sent:
>
>
>
> rad_recv: Access-Request packet from host blah port 32769, id=5, length=196
> User-Name = "test"
> Calling-Station-Id = "mac"
> Called-Station-Id = "mac:blah"
> NAS-Port = 1
> NAS-IP-Address = ipblah
>
> NAS-Identifier = "nameblah"
> Airespace-Wlan-Id = 2
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> EAP-Message = (trimmed)
> Message-Authenticator = 0x8dd02304de9a3c5e3c732d1a622be134
> +- entering group authorize {...}
> [preprocess] expand: %{Called-Station-Id} -> mac:blah
>
> ++[preprocess] returns ok
> [auth_log] expand: (trimmed)
> [auth_log](trimmed)
> [auth_log] expand: %t -> Wed Jun 17 10:00:10 2009
> ++[auth_log] returns ok
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [ntdomain] Looking up realm "company" for User-Name = "test"
> [ntdomain] Found realm "company"
> [ntdomain] Adding Stripped-User-Name = "test"
> [ntdomain] Adding Realm = "company"
> [ntdomain] Authentication realm is LOCAL.
> ++[ntdomain] returns ok
> [eap] EAP packet type response id 2 length 27
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 178
> ++[files] returns ok
> ++- entering redundant-load-balance group redundant-load-balance {...}
> [LDAPsvr2] performing user authorization for test
> [LDAPsvr2] WARNING: Deprecated conditional expansion ":-". See "man unlang"
> for details
> [LDAPsvr2] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)
> [LDAPsvr2] expand: t=company -> t=company
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in t=company, with filter (cn=test)
> [LDAPsvr2] Added the eDirectory password password in check items as
> Cleartext-Password
> [LDAPsvr2] No default NMAS login sequence
> [LDAPsvr2] looking for check items in directory...
> [LDAPsvr2] looking for reply items in directory...
> [LDAPsvr2] user test authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> +++[LDAPsvr2] returns ok
> ++- redundant-load-balance group redundant-load-balance returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type mschapv2
> rlm_eap_mschapv2: Issuing Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 5 to blah port 32769
> EAP-Message = (trimmed)
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfea96b9cfeaa7186011d5bcc3cb2528f
> Finished request 67.
> Going to the next request
> Waking up in 9.9 seconds.
> rad_recv: Access-Request packet from host blah port 32769, id=6, length=193
> User-Name = "test"
> Calling-Station-Id = "mac"
> Called-Station-Id = "mac:blah"
> NAS-Port = 1
> NAS-IP-Address = blah
>
> NAS-Identifier = "nameblah"
> Airespace-Wlan-Id = 2
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020300060319
> State = 0xfea96b9cfeaa7186011d5bcc3cb2528f
> Message-Authenticator = 0x7efad720ed506e1d3324a14c5f001a4c
> +- entering group authorize {...}
> [preprocess] expand: %{Called-Station-Id} -> mac:blah
> ++[preprocess] returns ok
> [auth_log] expand: (trimmed)
> [auth_log] (trimmed)
> [auth_log] expand: (trimmed)
> ++[auth_log] returns ok
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [ntdomain] Looking up realm "company" for User-Name = "test"
> [ntdomain] Found realm "company"
> [ntdomain] Adding Stripped-User-Name = "test"
> [ntdomain] Adding Realm = "company"
> [ntdomain] Authentication realm is LOCAL.
> ++[ntdomain] returns ok
> [eap] EAP packet type response id 3 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> [files] users: Matched entry DEFAULT at line 178
> ++[files] returns ok
> ++- entering redundant-load-balance group redundant-load-balance {...}
> [LDAPsvr1] performing user authorization for test
> [LDAPsvr1] WARNING: Deprecated conditional expansion ":-". See "man unlang"
> for details
> [LDAPsvr1] expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -> (cn=test)
> [LDAPsvr1] expand: t=company -> t=company
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in t=company, with filter (cn=test)
> [LDAPsvr1] Added the eDirectory password password in check items as
> Cleartext-Password
> [LDAPsvr1] No default NMAS login sequence
> [LDAPsvr1] looking for check items in directory...
> [LDAPsvr1] looking for reply items in directory...
> [LDAPsvr1] user test authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> +++[LDAPsvr1] returns ok
> ++- redundant-load-balance group redundant-load-balance returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP NAK
> [eap] EAP-NAK asked for EAP-Type/peap
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 6 to blah port 32769
> EAP-Message = 0x010400061920
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfea96b9cffad7286011d5bcc3cb2528f
> Finished request 68.
> Going to the next request
> Waking up in 5.2 seconds.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
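As an added example (not from the thread or the FreeRADIUS project files), this is what the inner-tunnel layout suggested in the reply looks like on FreeRADIUS 2.1.x: the peap block in eap.conf points at a virtual server, the LDAP group is dropped from the outer server's authorize section, and it is listed only in the inner-tunnel server where the tunnelled MSCHAPv2 exchange is actually authorized. The module instance names LDAPsvr1/LDAPsvr2 are taken from the posted config; the file paths assume the stock raddb layout.

```unlang
# raddb/eap.conf (FreeRADIUS 2.1.x): PEAP keeps the outer TLS handshake in the
# "default" server and hands the tunnelled EAP-MSCHAPv2 exchange to the virtual server named here.
eap {
    default_eap_type = peap
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
# raddb/sites-enabled/default, outer server: every outer packet is only a TLS
# fragment, so the redundant-load-balance LDAP group is not listed here at all.
authorize {
    preprocess
    auth_log
    suffix
    ntdomain
    eap {
        ok = return
    }
}
# raddb/sites-enabled/inner-tunnel: the decrypted MSCHAPv2 exchange is authorized
# here, so eDirectory is searched only for the few inner packets, not for every outer TLS round trip.
server inner-tunnel {
    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        # assumed: LDAPsvr1 / LDAPsvr2 are the rlm_ldap instances from the posted config
        redundant-load-balance {
            LDAPsvr1
            LDAPsvr2
        }
        expiration
        logintime
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

The inner-tunnel server still needs the Auth-Type MS-CHAP section, because rlm_eap_mschapv2 hands the decrypted response to the mschap module, which checks it against the Cleartext-Password that rlm_ldap pulled from eDirectory in the inner authorize section.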

