This is the instruction on how to set up Cisco LEAP with FreeRadius.
I am NOT an expert with FreeRadius so I am sure this "howto" has
shortcomings in it.  Please feel free to make comments and changes
to the documentation.  I just know that this instruction works for
me.  Last but not least, many thanks to everyone in this group that
has made it possible.

Equipment:
1) Supplicant:  Win2k (SP3)/WinXP (SP1) with Cisco Aironet Control
Utility (ACU) software.  Aironet Wireless Card.

2) Authenticator:  Cisco Wireless Access Point (WAP) AP340 model.

3) Authentication Server:  FreeRadius snapshot version
freeradius-snapshot-20030324.tar.gz (I think any version after March 8
will support Cisco LEAP).

Instructions:
1) download the freeradius-snapshot-20030324.tar.gz file,
2) tar xzpf freeradius-snapshot-20030324.tar.gz
3) cd to the freeradius-snapshot-20030324 directory
4) ./configure --sysconfdir=/etc
5) make
6) make install
7) in the /etc/raddb/clients.conf file, include the IP address of the WAP
8) in the users file, specify a test account.  For example:
"dtran" Auth-Type := EAP, User-Password == "123456"
9) In the radiusd.conf, change the following:
from:
default_eap_type = md5
to:
default_eap_type = leap

# Supported EAP-types
from:
md5 {
to:
leap {

Uncomment the "eap" below:
        # The chap module will set 'Auth-Type := CHAP' if we are
        # handling a CHAP request and Auth-Type has not already been set
        #
        chap

#       counter
#       attr_filter
#       eap

Again, uncomment the "eap" below:

        # Uncomment it if you want to use ldap for authentication
#       authtype LDAP {
#               ldap
#       }
#       mschap
#       eap

Uncomment the "passwd" and "shadow":

                #  To force the module to use the system password functions,
                #  instead of reading the files, comment out the 'passwd'
                #  and 'shadow' configuration entries.  This is required
                #  for some systems, like FreeBSD, and Mac OSX.
                #
                #     passwd = /etc/passwd
                #     shadow = /etc/shadow
                       group = /etc/group


10) for testing purposes, start radiusd in debug mode:
radiusd -X -A

11) Set up your WAP to use FreeRadius.  Specify port 1812 instead of
1645 in the WAP.

From Win2k or XP, set up your wireless to use LEAP.

If everything is working right, you will see on the radius server the
following message:

[EMAIL PROTECTED] root]# radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "leap"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp. Ready to process requests.
rad_recv: Access-Request packet from host 172.17.1.6:1087, id=61, length=147
        User-Name = "dtran"
        Cisco-AVPair = "ssid=micronet"
        NAS-IP-Address = 172.17.1.6
        Called-Station-Id = "00409631adfd"
        Calling-Station-Id = "0040963a0c33"
        NAS-Identifier = "AP340"
        NAS-Port = 37
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = "\002\002\000\014\001dtran"
        Message-Authenticator = 0x6b575287db8c7d318e4f1f6ca76df5df
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  rlm_eap: EAP packet type notification id 2 length 12
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "dtran", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
    users: Matched dtran at 97
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: EAP packet type notification id 2 length 12
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 2
  rlm_eap_leap: Issuing AP Challenge
  rlm_eap_leap: Successfully initiated
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 61 to 172.17.1.6:1087
        EAP-Message = 0x01030017110100085186b6cc743c97007472616e646131
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0cf206a2f87ef8a3353de6056d9b15577cdf823e6133268d44f256f59d54fe7ed0642859
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.17.1.6:1088, id=62, length=212
        User-Name = "dtran"
        Cisco-AVPair = "ssid=micronet"
        NAS-IP-Address = 172.17.1.6
        Called-Station-Id = "00409631adfd"
        Calling-Station-Id = "0040963a0c33"
        NAS-Identifier = "AP340"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0x0cf206a2f87ef8a3353de6056d9b15577cdf823e6133268d44f256f59d54fe7ed0642859
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = "\002\003\000'\021\001\000\030CV\317D\032\273\214F\247\235\230\310d\212D\350u\254\374\207Xw(\312dtran"
        Message-Authenticator = 0xf97ff6625eb670a624763d06447893b8
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  rlm_eap: EAP packet type notification id 3 length 39
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "dtran", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
    users: Matched dtran at 97
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: EAP packet type notification id 3 length 39
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - leap
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 4
  rlm_eap_leap: NtChallengeResponse from AP is valid
  rlm_eap: Underlying EAP-Type set EAP ID to 4
  rlm_eap: Saving LEAP state
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 62 to 172.17.1.6:1088
        EAP-Message = 0x03040004
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0cf206a2f87ef8a3353de6056d9b15577cdf823e6133268d44f256f59d54fe7ed0642859
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.17.1.6:1089, id=63, length=196
        User-Name = "dtran"
        Cisco-AVPair = "ssid=123456"
        NAS-IP-Address = 172.17.1.6
        Called-Station-Id = "00409631adfd"
        Calling-Station-Id = "0040963a0c33"
        NAS-Identifier = "AP340"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0x0cf206a2f87ef8a3353de6056d9b15577cdf823e6133268d44f256f59d54fe7ed0642859
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = "\001\004\000\027\021\001\000\010,\023X\034cc\014\331dtran"
        Message-Authenticator = 0x2b85bfe93cb0dcb1ecb1f76d2d8f612f
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  rlm_eap: EAP packet type identity id 4 length 23
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "dtran", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
    users: Matched dtran at 97
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
  rlm_eap: EAP packet type identity id 4 length 23
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - leap
  rlm_eap: processing type leap
  rlm_eap_leap: Stage 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 63 to 172.17.1.6:1089
        Cisco-AVPair += "leap:session-key=\204\241O\314`\203HbU\317\333\266\006\254\301\207\035\376\340\333\344\301\310'B\274\343\247\275\033\302\255a\357"
        EAP-Message = 0x02050027110100185bd8b3a00c1f12a5c8823d4d641e6baae600bb11907a5fce7472616e646131
        Message-Authenticator = 0x00000000000000000000000000000000
Finished request 2
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 61 with timestamp 3e82df7c
Cleaning up request 1 ID 62 with timestamp 3e82df7c
Cleaning up request 2 ID 63 with timestamp 3e82df7c
Nothing to do.  Sleeping until we see a request.

--- Matt Peterson <[EMAIL PROTECTED]> wrote:
> It would be awesome if you could post a "HowTO" on
> configuring FreeRADIUS w/ LEAP to work ;)
> 
> --On Friday, March 28, 2003 2:25 PM -0800 david tran
> <[EMAIL PROTECTED]> wrote:
> 
> > All,
> > Thanks to everyone in this group, I've been able to
> > use LEAP via FreeRadius to authenticate wireless users
> > to access my wireless network.  I've a question,
> > albeit a dumb one, that maybe someone can help me
> > with.
> >
> > In the users file, this is what I have:
> >
> > "dtran" Auth-Type := EAP, User-Password == "123456"
> >
> > With this configuration, LEAP works fine.
> >
> > User "dtran" also has a Unix account, "dtran", on the
> > FreeRadius Server and I would like to use that account
> > and password for Cisco LEAP instead of having to
> > specify a different password in the users file.
> > However, if I do this:
> >
> > "dtran" Auth-Type := SYSTEM
> >
> > Then LEAP stops working.  I also make the following
> > changes in the radiusd.conf file:
> >
> >                 #  To force the module to use the system password functions,
> >                 #  instead of reading the files, comment out the 'passwd'
> >                 #  and 'shadow' configuration entries.  This is required
> >                 #  for some systems, like FreeBSD, and Mac OSX.
> >                 #
> >                 #       passwd = /etc/passwd
> >                 #       shadow = /etc/shadow
> >                         group = /etc/group
> >
> >
> > It still doesn't work.  Can someone tell me if it can
> > be done?  And if so, how can I make it happen?
> >
> > Many thanks.
> > David
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> 
> 
> 
> --
> Matt Peterson         another.geek.without.a.life
> [EMAIL PROTECTED]       http://matt.peterson.org/
> -------------------------------------------------
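Added example, not code from David's post or from FreeRADIUS: a small Python decoder for the three hex-form EAP-Message values the server sends in the debug output above (the 8-byte AP Challenge at Stage 2, the EAP-Success after Stage 4, and the server's own 24-byte answer to the client's challenge inside the Access-Accept at Stage 6). The LEAP payload layout it assumes is the standard EAP header (code, id, length), type 0x11, then a version byte, an unused byte, a count byte, count bytes of challenge or response, and the name. The names EapMessage, decode_eap, describe and eap_messages_from_debug are this example's own; SAMPLE_DEBUG is constructed from the log lines above with the mail-wrapped hex re-joined. The octal-escaped EAP-Message strings printed for the AP's requests are left out on purpose: as they appear in the log they are two bytes shorter than their own EAP length field, and the decoder rejects such a packet rather than guess.

```python
"""Decode the EAP-Message payloads that radiusd -X prints during a LEAP exchange.

Added example; not code from the original post or from FreeRADIUS.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_LEAP = 17  # 0x11, the type byte in every LEAP packet in the log


@dataclass
class EapMessage:
    code: str
    identifier: int
    length: int
    eap_type: Optional[int] = None
    identity: str = ""
    leap_version: Optional[int] = None
    leap_count: Optional[int] = None
    leap_data: bytes = b""
    leap_name: str = ""


def decode_eap(raw: bytes) -> EapMessage:
    """Parse one EAP packet; raise ValueError on anything inconsistent."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} but {len(raw)} bytes present")
    msg = EapMessage(EAP_CODES[code], ident, length)
    if code in (3, 4):            # Success/Failure carry no type byte or data
        return msg
    if length < 5:
        raise ValueError("Request/Response needs a type byte")
    msg.eap_type = raw[4]
    body = raw[5:]
    if msg.eap_type == EAP_TYPE_IDENTITY:
        msg.identity = body.decode("ascii", "replace")
    elif msg.eap_type == EAP_TYPE_LEAP:
        # Assumed LEAP body layout: version, unused, count, data[count], name
        if len(body) < 3:
            raise ValueError("LEAP body too short")
        msg.leap_version, msg.leap_count = body[0], body[2]
        if len(body) < 3 + msg.leap_count:
            raise ValueError("LEAP count exceeds bytes present")
        msg.leap_data = body[3:3 + msg.leap_count]
        msg.leap_name = body[3 + msg.leap_count:].decode("ascii", "replace")
    return msg


def describe(msg: EapMessage) -> str:
    """One-line reading of a decoded packet in terms of the log's LEAP stages."""
    if msg.code == "Success":
        return "EAP-Success: peer's NtChallengeResponse accepted"
    if msg.code == "Failure":
        return "EAP-Failure"
    if msg.eap_type == EAP_TYPE_IDENTITY:
        return f"EAP-Identity {msg.identity!r}"
    if msg.eap_type == EAP_TYPE_LEAP:
        who = "challenge to peer" if msg.code == "Request" else "answer to peer's challenge"
        return (f"LEAP {msg.code}: {msg.leap_count}-byte {who}, "
                f"data={msg.leap_data.hex()}, name={msg.leap_name!r}")
    return f"EAP {msg.code} type {msg.eap_type}"


HEX_EAP = re.compile(r"EAP-Message\s*=\s*0x([0-9a-fA-F]+)")


def eap_messages_from_debug(text: str) -> List[EapMessage]:
    """Extract and decode every hex-form EAP-Message in radiusd -X output."""
    return [decode_eap(bytes.fromhex(h)) for h in HEX_EAP.findall(text)]


# Constructed sample: the three server-sent packets from the log above, with the
# hex that the mail client wrapped re-joined onto one line each.
SAMPLE_DEBUG = """\
Sending Access-Challenge of id 61 to 172.17.1.6:1087
        EAP-Message = 0x01030017110100085186b6cc743c97007472616e646131
Sending Access-Challenge of id 62 to 172.17.1.6:1088
        EAP-Message = 0x03040004
Sending Access-Accept of id 63 to 172.17.1.6:1089
        EAP-Message = 0x02050027110100185bd8b3a00c1f12a5c8823d4d641e6baae600bb11907a5fce7472616e646131
"""

if __name__ == "__main__":
    for m in eap_messages_from_debug(SAMPLE_DEBUG):
        print(f"id={m.identifier} len={m.length} {describe(m)}")
```

Run as a script it prints one line per server packet: EAP ids 3, 4 and 5, matching the "Underlying EAP-Type set EAP ID to 4" line in the log, with the 8-byte challenge, the EAP-Success, and the 24-byte mutual-authentication answer decoded. Feeding it a longer radiusd -X capture is a quick way to check that an AP really completes all three stages rather than stopping after the EAP-Success.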

