FreeRADIUS not receiving password from WLC

Richard Long longrichard562 at yahoo.com
Wed May 7 20:59:31 CEST 2014


It works now.  Thank you so much for your help.  It's greatly appreciated.



On Wednesday, May 7, 2014 10:10 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
On 07/05/14 16:33, Richard Long wrote:
> Hi all,
> I'm a bit stuck.  I've stood up a CentOS server with FreeRADIUS so I
> can authenticate against Active Directory using a Cisco Wireless
> Controller.  As you can see from the output below, I've got ntlm_auth
> and radtest working correctly, however, the wireless controller
> doesn't seem to be passing passwords to FreeRADIUS.  I very obviously
> got something wrong in my setup, but I can't figure out what.  I
> appreciate any help.

Few things for background, because terminology matters:

First, the wireless controller doesn't "send passwords" (unless you're 
doing web auth). It forwards the EAP traffic from the wireless client.

Second, the only valid EAP methods for WPA-Enterprise are those which 
generate keying material - typically, but not exclusively, TLS-based 
methods. In almost every case, the password is not available, and in the 
few cases it is, only *after* EAP has completed a TLS exchange.

Third, you are further limited by the intersection of the EAP methods 
your client base supports and your password store can authenticate.

See here for more information:

http://deployingradius.com/documents/protocols/compatibility.html
http://deployingradius.com/documents/protocols/oracles.html


Looking at your debugging, the problem is that you've put the 
"ntlm_auth" module into authorize like this:

authorize {
   ...
   ntlm_auth
   ...
}

That's not what you want. The (unfortunately named) "ntlm_auth" module 
checks username/password. As above, wireless clients don't send this - 
they speak one or more EAP methods. In any event, you don't want to put 
that module there; it would live in "authenticate" and you'd use an 
"Auth-Type" directive to direct to it, as described here:

http://deployingradius.com/documents/configuration/active_directory.html

Remove the "ntlm_auth" module from your config. What you actually want 
is to take the default config and:

  1. Edit "modules/mschap". Uncomment and put appropriate values for the 
"ntlm_auth" option of *that* module
  2. Start the server and test
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list