FreeRADIUS not receiving password from WLC
Phil Mayers
p.mayers at imperial.ac.uk
Wed May 7 18:53:06 CEST 2014
On 07/05/14 16:33, Richard Long wrote:
> Hi all,
> I'm a bit stuck. I've stood up a CentOS server with FreeRADIUS so I
> can authenticate against Active Directory using a Cisco Wireless
> Controller. As you can see from the output below, I've got ntlm_auth
> and radtest working correctly, however, the wireless controller
> doesn't seem to be passing passwords to FreeRADIUS. I very obviously
> got something wrong in my setup, but I can't figure out what. I
> appreciate any help.
Few things for background, because terminology matters:
First, the wireless controller doesn't "send passwords" (unless you're
doing web auth). It forwards the EAP traffic from the wireless client.
Second, the only valid EAP methods for WPA-Enterprise are those which
generate keying material - typically, but not exclusively, TLS-based
methods. In almost every case, the password is not available, and in the
few cases it is, only *after* EAP has completed a TLS exchange.
Third, you are further limited by the intersection of the EAP methods
your client base supports and your password store can authenticate.
See here for more information:
http://deployingradius.com/documents/protocols/compatibility.html
http://deployingradius.com/documents/protocols/oracles.html
Looking at your debugging, the problem is that you've put the
"ntlm_auth" module into authorize like this:
authorize {
...
ntlm_auth
...
}
That's not what you want. The (unfortunately named) "ntlm_auth" module
checks username/password. As above, wireless clients don't send this -
they speak one or more EAP methods. In any event, you don't want to put
that module there; it would live in "authenticate" and you'd use an
"Auth-Type" directive to direct to it, as described here:
http://deployingradius.com/documents/configuration/active_directory.html
Remove the "ntlm_auth" module from your config. What you actually want
is to take the default config and:
1. Edit "modules/mschap". Uncomment and put appropriate values for the
"ntlm_auth" option of *that* module
2. Start the server and test
More information about the Freeradius-Users
mailing list