Failed to Authenticate Cisco WLC 5508 to FreeRadius Server by using EAP.
Poon Weng Chee
poonwc at igsb.com.my
Wed Dec 18 03:38:08 CET 2013
Hey guys,
I want to implement the Cisco WLC 5508 with a FreeRadius server. Basically, the FreeRadius server is integrated with LDAP.
The connection will look like the diagram below:
WLC 5508 --------> FreeRadius (Integrated LDAP)
The connection between the WLC 5508 and FreeRadius uses EAP.
I got errors while doing the test; the errors are below:
+- entering group authorize {...}
[ldap] performing user authorization for evening
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> evening
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=evening)
[ldap] expand: dc=fng,dc=fnf,dc=local -> dc=fng,dc=fnf,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=fng,dc=fnf,dc=local, with filter (uid=evening)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user evening authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 1 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
I am also getting this Accept-Challenge and Accept-Request; see the errors below:
++[eap] returns handled
Sending Access-Challenge of id 153 to 10.201.65.241 port 32769
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7acc1b267ace021e658dc33386efc594
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.201.65.241 port 32769, id=154, length=347
User-Name = "evening"
Calling-Station-Id = "00-23-12-11-6f-c5"
Called-Station-Id = "ec-c8-82-ab-03-10:FNTest"
NAS-Port = 1
Cisco-AVPair = "audit-session-id=0ac941f10001e76252a7e42a"
NAS-IP-Address = 10.201.65.241
NAS-Identifier = "F&N_COM_WLC5508_2"
Airespace-Wlan-Id = 3
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "10"
EAP-Message = 0x0202006d198000000063160301005e0100005a030152a7e33ffc9ad76b67fac2d1ba43bfca99c29126ee731235c001ea8bfdf4bd32000018002f00350005000ac013c014c009c00a003200380013000401000019ff01000100000a0006000400170018000b0002010000230000
State = 0x7acc1b267ace021e658dc33386efc594
Message-Authenticator = 0x59835b7747b9a7654512b48586a132a5
What are the possibilities for why the authentication failed between the Cisco WLC and FreeRadius?
Hope you guys can assist me with this particular issue.
I really appreciate your help.
Thanks & Regards,
Weng Chee
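
The two EAP-Message values in the debug output above can be decoded to see which EAP method and which TLS step each packet carries. This is an added example, not part of the original post: a Python decoder whose function and constant names are chosen here, and which assumes a single unfragmented EAP-Message attribute (longer EAP packets span several attributes that must be concatenated first).

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# A few IANA EAP method types; the TLS-based ones share the flags layout below.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
FLAG_BITS = ((0x80, "length-included"), (0x40, "more-fragments"), (0x20, "start"))

# EAP-Message values copied from the debug output in the post.
CHALLENGE = "0x010200061920"
RESPONSE = (
    "0x0202006d198000000063160301005e0100005a030152a7e33ffc9ad76b67fac2d1ba43"
    "bfca99c29126ee731235c001ea8bfdf4bd32000018002f00350005000ac013c014c009c0"
    "0a003200380013000401000019ff01000100000a0006000400170018000b000201000023"
    "0000"
)

def decode_eap_message(hex_value):
    """Decode one EAP-Message value as printed in FreeRADIUS debug output."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident,
           "length": length, "length_ok": length == len(raw)}
    if code not in (1, 2) or len(raw) < 5:
        return out  # Success and Failure packets have no Type field
    out["type"] = EAP_TYPES.get(raw[4], raw[4])
    if raw[4] not in TLS_BASED or len(raw) < 6:
        return out
    flags, body = raw[5], raw[6:]
    out["flags"] = [name for bit, name in FLAG_BITS if flags & bit]
    out["version"] = flags & 0x07  # version bits as used by PEAP and EAP-TTLS
    if flags & 0x80:  # a four-byte total TLS message length precedes the data
        if len(body) < 4:
            raise ValueError("length flag set but length field truncated")
        out["tls_message_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    if len(body) >= 6 and body[0] == 0x16:  # TLS handshake record
        version = struct.unpack("!H", body[1:3])[0]
        out["tls_record_version"] = TLS_VERSIONS.get(version, hex(version))
        out["tls_handshake"] = {1: "ClientHello", 2: "ServerHello"}.get(body[5], body[5])
    return out

if __name__ == "__main__":
    for label, value in (("Access-Challenge", CHALLENGE), ("Access-Request", RESPONSE)):
        print(label, decode_eap_message(value))
```

For the two values in the post it reports a PEAP (type 25) request with the Start flag in the Access-Challenge, and a PEAP response carrying a TLS 1.0 ClientHello in the following Access-Request.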