Ah, well, that's surprising. All the documentation and config screens seem to indicate that LEAP is supported. I hadn't really wanted to muck about with certs and cert management, but, what the heck. This looks like a great how-to, I'll give it a shot tonight and see how it works out. Thanks Andreas, much appreciated!
Sean.

-----Original Message-----
From: Andreas Wolf [mailto:[EMAIL PROTECTED]
Sent: December 3, 2003 5:08 PM
To: [EMAIL PROTECTED]
Subject: Re: Airport Extreme , WPA Enterprise and LEAP

On Dec 3, 2003, at 3:20 PM, Sean Page wrote:

> Hi,
>
> First of all let me start with the standard "I am new to RADIUS, be patient
> with me" disclaimer. :)
> I'm trying to get WPA Enterprise LEAP support running using AirPort Extreme,
> FreeRADIUS v0.9.2 on FreeBSD 4.9p1

WPA Enterprise does not support LEAP, at least not with AirPort Extreme.

> When I try to authenticate, the wireless client machine times out and no
> authentication occurs.
> It looks to me like the radius server is behaving properly, but I might be
> blindly missing something, perhaps someone can give me a hand.

AirPort Extreme's WPA implementation supports the following EAP types: TLS, TTLS and PEAP. So I don't know if you depend on WPA Enterprise or LEAP. If you need LEAP then I think you need a different Access Point (NAS). If you need WPA Enterprise then you can find an example WPA Enterprise configuration of freeRADIUS at:

http://homepage.mac.com/andreaswolf/public/wpaeap.html#radiusd.conf

It also contains info on how to configure your AirPort Extreme.

-Andreas

> Second question, do I need to manually set a timeout on the radius server
> for key expiry?
> Any help would be greatly appreciated.
>
> Thanks
> Sean.
>
> Clients.conf:
>
> client 192.168.0.250 {
>     secret = XXXXXXXXX
>     shortname = AirWolf
>     nastype = other
> }
>
>
> In radiusd.conf
>
> Pam is commented out
> default_eap_type = leap
> Md5 is commented out
> Passwd and ldap support also commented out.
> Proxy disabled
>
> Users is simply:
>
> thewolf User-Password == "testing"
>
> Output from radiusd -X is as follows:
>
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /usr/local/etc/raddb/clients.conf
> Config: including file: /usr/local/etc/raddb/snmp.conf
> Config: including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/var"
> main: logdir = "/var/log"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/var/log/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/log/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/run/radiusd/radiusd.pid"
> main: bind_address = 192.168.0.1 IP address [192.168.0.1]
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> Using deprecated clients file. Support for this will go away soon.
> read_config_files: reading realms
> Using deprecated realms file. Support for this will go away soon.
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/var/log/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "leap"
> eap: timer_expire = 60
> rlm_eap: Loaded and initialized the type leap
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
> preprocess: hints = "/usr/local/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/usr/local/etc/raddb/users"
> files: acctusersfile = "/usr/local/etc/raddb/acct_users"
> files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/var/log/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on IP address 192.168.0.1, ports 1812/udp and 1813/udp.
> Ready to process requests.
>
> rad_recv: Access-Request packet from host 192.168.0.250:1024, id=1, length=180
>         Framed-MTU = 1466
>         NAS-IP-Address = 10.0.1.1
>         NAS-Identifier = "AirWolf"
>         User-Name = "thewolf"
>         Service-Type = Framed-User
>         NAS-Port = 256
>         NAS-Port-Type = Ethernet
>         NAS-Port-Id = "wl0"
>         Called-Station-Id = "00-03-93-ee-f0-2e"
>         Calling-Station-Id = "00-0a-95-f4-a2-35"
>         Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
>         EAP-Message = 0x0201000c01746865776f6c66
>         Message-Authenticator = 0x6a3e34afd8a4094e1af3f640291f3d03
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   rlm_eap: EAP packet type notification id 1 length 12
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module "eap" returns updated for request 0
>     rlm_realm: No '@' in User-Name = "thewolf", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>     users: Matched thewolf at 97
>   modcall[authorize]: module "files" returns ok for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> modcall: group authorize returns updated for request 0
>   rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP packet type notification id 1 length 12
>   rlm_eap: EAP Start not found
>   rlm_eap: EAP Identity
>   rlm_eap: processing type leap
>   rlm_eap_leap: Stage 2
>   rlm_eap_leap: Issuing AP Challenge
>   rlm_eap_leap: Successfully initiated
>   modcall[authenticate]: module "eap" returns ok for request 0
> modcall: group authenticate returns ok for request 0
> Sending Access-Challenge of id 1 to 192.168.0.250:1024
>         EAP-Message = 0x0102001711010008b69ccbda0b6f58d0746865776f6c66
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x0a832a6825413d5827738852723d53dbd44ace3fb7d36766ccb904b90ad5ba71343f70ae
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 1 with timestamp 3fce4ad4
> Nothing to do.  Sleeping until we see a request.
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

--------------
Andreas Wolf
Apple Computer, Inc.
Technologies, AirPort Engineering
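The debug log quoted in the thread shows exactly where the exchange stalls: the client answers the Identity request, FreeRADIUS (with default_eap_type = leap) replies with a LEAP challenge, and nothing comes back. The two EAP-Message attributes in that log are enough to see this without a packet capture. The following decoder is an added example, not code from the thread or from the FreeRADIUS project; it parses the generic EAP header (RFC 3748) and the Identity and LEAP bodies, using the hex values copied from the radiusd -X output above. The EAP type numbers for TLS (13), TTLS (21) and PEAP (25) are the registered IANA values; the AIRPORT_WPA_TYPES set encodes Andreas's statement that AirPort Extreme's WPA implementation supports only those three.

```python
import struct

# EAP codes (RFC 3748) and the type numbers relevant to this thread.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 17: "LEAP",
             21: "EAP-TTLS", 25: "PEAP"}

# EAP types AirPort Extreme's WPA implementation supports, per the reply above.
AIRPORT_WPA_TYPES = {13, 21, 25}

# EAP-Message values copied verbatim from the radiusd -X output in the thread.
IDENTITY_RESPONSE = "0x0201000c01746865776f6c66"
LEAP_CHALLENGE = "0x0102001711010008b69ccbda0b6f58d0746865776f6c66"


def decode_eap(hex_msg: str) -> dict:
    """Decode one EAP-Message attribute value as printed by radiusd -X."""
    data = bytes.fromhex(hex_msg[2:] if hex_msg.startswith("0x") else hex_msg)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    # Header: Code (1), Identifier (1), Length (2, network order).
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP Length {length} != attribute length {len(data)}")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):            # Success/Failure carry no Type byte
        return out
    type_num = data[4]
    out["type"] = EAP_TYPES.get(type_num, type_num)
    body = data[5:]
    if type_num == 1:             # Identity: body is the peer's NAI/user name
        out["identity"] = body.decode("utf-8", errors="replace")
    elif type_num == 3:           # Nak: body lists the types the peer would accept
        out["desired_types"] = [EAP_TYPES.get(b, b) for b in body]
    elif type_num == 17:          # LEAP: Version, Unused, Count, Challenge, Name
        if len(body) < 3:
            raise ValueError("LEAP body truncated")
        version, _unused, count = body[0], body[1], body[2]
        challenge = body[3:3 + count]
        if len(challenge) != count:
            raise ValueError("LEAP challenge shorter than Count")
        out["version"] = version
        out["challenge"] = challenge.hex()
        out["name"] = body[3 + count:].decode("utf-8", errors="replace")
    else:
        out["payload"] = body.hex()
    return out


def offered_type_supported(hex_msg: str, supported_types: set) -> bool:
    """True if the EAP Request's type is one the peer can actually run.

    If this is False the peer will at best send a Nak and at worst go silent,
    which is the timeout described in the thread.
    """
    data = bytes.fromhex(hex_msg[2:] if hex_msg.startswith("0x") else hex_msg)
    if len(data) < 5 or data[0] != 1:   # only Requests offer a type
        return False
    return data[4] in supported_types


if __name__ == "__main__":
    for label, msg in (("client ->", IDENTITY_RESPONSE), ("server ->", LEAP_CHALLENGE)):
        print(label, decode_eap(msg))
    print("AirPort can continue with offered type:",
          offered_type_supported(LEAP_CHALLENGE, AIRPORT_WPA_TYPES))
```

Run against the two values from the log, the decoder shows an Identity Response for "thewolf" followed by a Request of type 17 (LEAP, version 1, 8-byte challenge b69ccbda0b6f58d0, name "thewolf"). Checking that offered type against the set the access point supports returns False, which matches Andreas's diagnosis: the server is behaving correctly, but it is offering a method the AirPort Extreme cannot negotiate, so the sensible fix is to set default_eap_type to one of tls, ttls or peap as in the linked configuration rather than to tune timeouts.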
