Wireless WPA2 enterprise Radius authentication

Maurice James midnightsteel at msn.com
Tue Oct 26 14:10:26 CEST 2010 

I'm running freeradius 2.1.9-1. I will run the debug test when I get home
later

The funny thing is, it could be just 1 small setting that I missed. This is
a pain.
I have a Windows Vista/7 clients connecting to a cisco e3000 wireless router
(WPA2 Enterprise) authenticating to > freeradius 2.1.9-1 > authenticating to
389-DS-1.2.1-1(fedora directory service). 

DO you have any sample configs that work with a setup as mentioned above?

-----Original Message-----
From: freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org
[mailto:freeradius-users-bounces+midnightsteel=msn.com at lists.freeradius.org]
On Behalf Of Phil Mayers
Sent: Tuesday, October 26, 2010 4:33 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Wireless WPA2 enterprise Radius authentication

On 10/26/2010 03:59 AM, midnightsteel wrote:
>
> Has anyone gotten Freeradius 2.x and LDAP (OpenLDAP, FDS, etc...) to 
> properly authenticate users?
>
> I get the following in my radius log
>
> Auth: Login incorrect: [wii/<via Auth-Type = EAP>] (from client access 
> port
> 0 via TLS tunnel)
> Auth: Login incorrect: [wii/<via Auth-Type = EAP>] (from client access 
> port
> 14 cli 78e400881f19)
>
>
> This is driving me crazy. I can authenticate users from the radius 
> serve to ldap but not from the access point to radius to ldap
>
> If anyone has gotten it to work please post the example config files 
> that you used. Im open to answer any questions that you may have about 
> my configs.
>
> Access point using WPA2-Enterprise>>  Freeradius 2.x>>  389-DS(Fedora 
> LDAP)
>

Yes, people have used LDAP to authenticate 802.1x.

Run the server in debug mode (I should get a keyboard macro to type
this) and look at the output:

radiusd -X | tee logfile

...as you make an authentication attempt. Chances are if you read that debug
output (as suggested in the README) you'll see the problem. If not post the
full debug output here.

In brief:

  1. Your ldap server needs to contain the password hash(es) appropriate for
your method of authentication(s) - or better yet the plaintext - and the
freeradius binddn must be able to see them

  2. The attribute names should match ldap.attrmap, or you should update is

You said "FreeRadius 2.x". That's a bit vague. What is the actual version?
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list