I'm using freeradius 0.8.1 and I'm having problems successfully authenticating through a Cisco AP1100. It's the first time I'm using any radius server and wireless devices. The AP is configured to use my freeradius server for EAP authentication. Freeradius is configured to support EAP and is working together with MySQL.
The problem is that the Cisco AP requests authentication, I insert my username and password (the client OS is WindowsXP) and freeradius doesn't seem to receive the password! I'm running radiusd with the -X option and a "User-Password" field never arrives, and of course authentication fails.
The problem is... I have no idea what the problem is! I think the AP is configured properly, and I have successfully authenticated using a small application (I can't recall the name right now) that connects directly to the freeradius server. So my guess is the problem is with the AP/freeradius connection.
I include the AP's configuration and the freeradius configuration files below. Any help would be GREATLY appreciated! :)
Thx in advance! Joao
--------------- Cisco AP 1100 Config: ---------------
! Cisco AP1100 running-config (IOS 12.2) as posted. Interface sub-mode
! indentation was lost in the paste: "ssid cs1100" and the lines under it
! belong to "interface Dot11Radio0".
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
! Type-7 encoding (the "7" in the password/key lines below) is widely
! documented as reversible obfuscation, not a hash. Since this config has
! been posted to a public list, the enable/username passwords, the WEP key
! and the RADIUS key should be treated as disclosed and changed.
service password-encryption
!
hostname dec-wap-01
!
aaa new-model
!
!
! Server group used for EAP: the FreeRADIUS host at 192.168.10.182.
aaa group server radius rad_eap
server 192.168.10.182 auth-port 1812 acct-port 1813
!
! The mac/acct/admin/pmip groups contain no servers; acct_methods below
! therefore points at an empty group, so no accounting server is reachable.
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server radius rad_pmip
!
! eap_methods is the login list referenced by the SSID's "authentication open eap".
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login pmip_methods group rad_pmip
aaa authorization ipmobile default group rad_pmip
aaa accounting update periodic 1
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
enable password 7 123A0C041104
!
username Cisco password 7 05280F1C2243
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
dot11 holdoff-time 600
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
! NOTE(review): "wep optional" presumably also admits clients that do not
! use the WEP key at all (only "mandatory" would force it) — confirm against
! the IOS reference for this release.
encryption key 1 size 128bit 7 D89B6CA6D882F1D06D865EC469D0 transmit-key
encryption mode wep optional
!
!
ssid cs1100
! Open authentication with 802.1X/EAP. The AP relays the EAP exchange to the
! rad_eap group; the Access-Request is expected to carry EAP-Message
! attributes rather than User-Password, so "no User-Password in radiusd -X"
! is consistent with this setting rather than a dropped password. The EAP
! type the Windows XP supplicant negotiates has to be one the server's eap
! module supports — confirm on the client.
authentication open eap eap_methods
! NOTE(review): guest-mode presumably makes this SSID the one advertised in
! beacons — verify; any client that can complete EAP may associate.
guest-mode
!
speed basic-5.5 basic-11.0
rts threshold 2312
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
! BVI1 is the AP's management/RADIUS source address.
interface BVI1
ip address 192.168.10.250 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.10.254
! Plaintext HTTP management is enabled; no "ip http secure-server" appears in
! this config.
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
! RADIUS requests are sourced from BVI1 (192.168.10.250); the server's
! clients.conf must have a client entry for that address.
ip radius source-interface BVI1
! The type-7 encoded shared secret here must equal the "secret" of the
! matching client entry on the FreeRADIUS side.
radius-server host 192.168.10.182 auth-port 1812 acct-port 1813 key 7 131112011F050A2D7A767B
radius-server retransmit 3
! NAS-Identifier (attribute 32) is sent as the AP hostname (%h).
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
line con 0
line vty 5 15
!
end
---------------
Freeradius radiusd.conf:
---------------
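# radiusd.conf — FreeRADIUS 0.8.1 main configuration, as posted.
# The paste had fused adjacent directives onto single lines (e.g.
# "run_dir"/"log_file", "cache"/"cache_reload", "unix"/"eap"), and in the
# accounting section the "# wtmp file" comment swallowed "radutmp" and the
# closing brace. Line breaks are restored here; no values were changed.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
# Authentication logging is off. While troubleshooting the AP, log_auth = yes
# (and log_auth_badpass = yes) records the outcome of each request in log_file
# without needing to keep radiusd running under -X.
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/snmp.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	pap {
		encryption_scheme = md5
	}
	chap {
		authtype = CHAP
	}
	pam {
		pam_auth = radiusd
	}
	unix {
		cache = no
		cache_reload = 600
		radwtmp = ${logdir}/radwtmp
	}
	eap {
		# Supported EAP-types
		# NOTE(review): only EAP-MD5 is enabled. The AP relays 802.1X/EAP
		# ("authentication open eap"), so the Access-Request is expected to
		# carry EAP-Message rather than User-Password. If the Windows XP
		# supplicant is set to an EAP type that is not listed here, this
		# module cannot complete the exchange and the request is rejected —
		# confirm the client's EAP type against the types enabled here.
		md5 {
		}
	}
	mschap {
		authtype = MS-CHAP
	}
	realm suffix {
		format = suffix
		delimiter = "@"
	}
	realm realmslash {
		format = prefix
		delimiter = "/"
	}
	realm realmpercent {
		format = suffix
		delimiter = "%"
	}
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		# Cisco sends its VSA attributes with the attribute
		# name *again* in the string, like:
		#
		# H323-Attribute = "h323-attribute=value".
		#
		# If this configuration item is set to 'yes', then
		# the redundant data in the attribute text is stripped
		# out. The result is:
		#
		# H323-Attribute = "value"
		#
		# If you're not running a Cisco NAS, you don't need
		# this hack.
		with_cisco_vsa_hack = no
	}
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		compat = no
	}
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
	}
	$INCLUDE ${confdir}/sql.conf
	radutmp {
		filename = ${logdir}/radutmp
		perm = 0600
		callerid = "yes"
	}
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	counter {
		filename = ${raddbdir}/db.counter
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
	expr {
	}
	# ANSI X9.9 token support. Not included by default.
	# $INCLUDE ${confdir}/x99.conf
}
instantiate {
	expr
}
# Order matters: eap must see the request before the files/sql lookups so it
# can claim EAP requests.
authorize {
	preprocess
	chap
	mschap
	eap
	suffix
	files
	#MySQL
	sql
}
authenticate {
	authtype PAP {
		pap
	}
	authtype CHAP {
		chap
	}
	authtype MS-CHAP {
		mschap
	}
	unix
	eap
}
preacct {
	preprocess
	suffix
	files
}
accounting {
	acct_unique
	detail
	counter
	unix		# wtmp file
	radutmp
}
session {
	radutmp
}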
---------------
Freeradius client.conf:
---------------
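# clients.conf — NAS devices allowed to send requests to this server, as
# posted. The paste had fused "secret", "nastype" and the closing brace of the
# 127.0.0.1 entry onto one line; line breaks are restored, values unchanged.
# NOTE(review): all three entries use "testing123", the example secret shipped
# with the distribution's clients.conf. Each NAS is expected to have its own
# secret; for the AP it must equal the key on its "radius-server host ... key"
# line — confirm on the AP, since that key is only shown type-7 encoded.
client 127.0.0.1 {
	secret = testing123
	nastype = other # localhost isn't usually a NAS...
}
client 192.168.10.180 {
	secret = testing123
	shortname = armindo
}
# 192.168.10.250 is the AP's BVI1 address ("ip radius source-interface BVI1"
# in the AP config), so the AP's requests are matched by this entry.
client 192.168.10.250 {
	secret = testing123
	shortname = wap
	nastype = cisco
}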
