On Dec 4, 2003, at 1:31 PM, Sean Page wrote:
Ah, well, that's surprising. All the documentation and config screens seem
to indicate that LEAP is supported.
No, if you read the documentation you'll find that LEAP is not supported in WPA
and LEAP (it cannot work as WPA and LEAP are inherently incompatible). Even without WPA,
LEAP is not supported on the Base Station side, i.e. it only works with Cisco Access Points
(LEAP is a Cisco thing).
What is supported is to use LEAP on the MacOS X _client_ with a third party access point
that supports LEAP. Anyway, if you have WPA, why bother with a proprietary protocol?
-Andreas
I hadn't really wanted to muck about
with certs and cert management, but, what the heck. This looks like a great
how-to, I'll give it a shot tonight and see how it works out.
Thanks Andreas, much appreciated!
Sean.
-----Original Message-----
From: Andreas Wolf [mailto:[EMAIL PROTECTED]
Sent: December 3, 2003 5:08 PM
To: [EMAIL PROTECTED]
Subject: Re: Airport Extreme , WPA Enterprise and LEAP
On Dec 3, 2003, at 3:20 PM, Sean Page wrote:
Hi,
First of all let me start with the standard "I am new to RADIUS, be patient with me" disclaimer. :) I'm trying to get WPA Enterprise LEAP support running using AirPort Extreme, FreeRADIUS v0.9.2 on FreeBSD 4.9p1
WPA Enterprise does not support LEAP, at least not with AirPort Extreme.
When I try to authenticate, the wireless client machine times out and no authentication occurs. It looks to me like the radius server is behaving properly, but I might be blindly missing something, perhaps someone can give me a hand.
AirPort Extreme's WPA implementation supports the following EAP types: TLS, TTLS and PEAP. So I don't know if you depend on WPA Enterprise or LEAP. If you need LEAP then I think you need a different Access Point (NAS). If you need WPA Enterprise then you can find an example WPA Enterprise configuration of freeRADIUS at:
http://homepage.mac.com/andreaswolf/public/wpaeap.html#radiusd.conf
It also contains info on how to configure your AirPort Extreme.
-Andreas
Second question, do I need to manually set a timeout on the radius server for key expiry? Any help would be greatly appreciated.
Thanks Sean.
Clients.conf:
client 192.168.0.250 {
        secret = XXXXXXXXX
        shortname = AirWolf
        nastype = other
}
In radiusd.conf
Pam is commented out
default_eap_type = leap
Md5 is commented out
Passwd and ldap support also commented out.
Proxy disabled
Users is simply:
thewolf User-Password == "testing"
Output from radiusd -X is as follows:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: bind_address = 192.168.0.1 IP address [192.168.0.1]
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "leap"
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address 192.168.0.1, ports 1812/udp and 1813/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.250:1024, id=1, length=180
Framed-MTU = 1466
NAS-IP-Address = 10.0.1.1
NAS-Identifier = "AirWolf"
User-Name = "thewolf"
Service-Type = Framed-User
NAS-Port = 256
NAS-Port-Type = Ethernet
NAS-Port-Id = "wl0"
Called-Station-Id = "00-03-93-ee-f0-2e"
Calling-Station-Id = "00-0a-95-f4-a2-35"
Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
EAP-Message = 0x0201000c01746865776f6c66
Message-Authenticator = 0x6a3e34afd8a4094e1af3f640291f3d03
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_eap: EAP packet type notification id 1 length 12
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 0
rlm_realm: No '@' in User-Name = "thewolf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched thewolf at 97
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 0
rlm_eap: EAP packet type notification id 1 length 12
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type leap
rlm_eap_leap: Stage 2
rlm_eap_leap: Issuing AP Challenge
rlm_eap_leap: Successfully initiated
modcall[authenticate]: module "eap" returns ok for request 0
modcall: group authenticate returns ok for request 0
Sending Access-Challenge of id 1 to 192.168.0.250:1024
EAP-Message = 0x0102001711010008b69ccbda0b6f58d0746865776f6c66
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a832a6825413d5827738852723d53dbd44ace3fb7d36766ccb904b90ad5ba71343f70ae
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 3fce4ad4
Nothing to do. Sleeping until we see a request.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- Andreas Wolf Apple Computer, Inc. Technologies, AirPort Engineering
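As an added example (not part of this thread, and not FreeRADIUS code): a small Python decoder for the two EAP-Message attributes that appear in the radiusd -X trace above. It walks the RFC 3748 EAP header, then the Identity body of the client's Access-Request and the LEAP body of the server's Access-Challenge (Cisco LEAP layout: version, reserved byte, count, challenge bytes, peer name), and reports what the next packet in a healthy exchange would have to be. Comparing that against the trace shows where this conversation stops: the server issued the 8-byte LEAP challenge and the AirPort client never returned a LEAP response, which is the timeout Sean describes and is consistent with Andreas' point that the Base Station does not do LEAP. The two hex strings are copied from the page; the dictionaries of codes and types are standard EAP values.

```python
"""Decode the EAP-Message payloads from a radiusd -X trace (added example)."""
import struct

# Hex values copied from the debug trace on this page.
ACCESS_REQUEST_EAP = bytes.fromhex("0201000c01746865776f6c66")
ACCESS_CHALLENGE_EAP = bytes.fromhex("0102001711010008b69ccbda0b6f58d0746865776f6c66")

# Standard EAP codes (RFC 3748) and the method types relevant here.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}

LEAP_CHALLENGE_LEN = 8    # peer/AP challenge in a LEAP Request
LEAP_RESPONSE_LEN = 24    # MS-CHAP style response in a LEAP Response


def parse_leap(body: bytes) -> dict:
    """LEAP body: version(1) reserved(1) count(1) challenge-or-response(count) name(rest)."""
    if len(body) < 3:
        raise ValueError("LEAP body truncated")
    version, reserved, count = body[0], body[1], body[2]
    blob = body[3:3 + count]
    if len(blob) != count:
        raise ValueError(f"LEAP count {count} exceeds body length {len(body) - 3}")
    return {
        "leap_version": version,
        "leap_reserved": reserved,
        "leap_count": count,
        "leap_blob": blob.hex(),
        "leap_name": body[3 + count:].decode("ascii", errors="replace"),
    }


def parse_eap(packet: bytes) -> dict:
    """Parse the 4-byte EAP header, then the Identity or LEAP body if present."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # The length field must match the attribute size; a mismatch means a
    # truncated or badly reassembled EAP-Message and should not be trusted.
    if length != len(packet):
        raise ValueError(f"EAP length field {length} != packet size {len(packet)}")
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):
        return result  # Success/Failure carry no Type byte
    eap_type = packet[4]
    result["type"] = EAP_TYPES.get(eap_type, eap_type)
    body = packet[5:]
    if eap_type == 1:
        result["identity"] = body.decode("ascii", errors="replace")
    elif eap_type == 17:
        result.update(parse_leap(body))
    else:
        result["data"] = body.hex()
    return result


def expected_next(parsed: dict) -> str:
    """Describe the packet a working peer would send after `parsed`."""
    if parsed.get("type") == "Identity" and parsed["code"] == "Response":
        return "EAP Request carrying the server's chosen method (here: LEAP challenge)"
    if parsed.get("type") == "LEAP" and parsed["code"] == "Request":
        if parsed["leap_count"] == LEAP_CHALLENGE_LEN:
            return (f"EAP Response type LEAP, id {parsed['id']}, "
                    f"count {LEAP_RESPONSE_LEN} (client's response to the AP challenge)")
    return "no further client packet expected"


def trace_summary(packets: list[bytes]) -> dict:
    """Parse a captured sequence of EAP-Messages and report where it stopped."""
    decoded = [parse_eap(p) for p in packets]
    last = decoded[-1]
    return {"steps": decoded, "stalled_after": last["type"], "waiting_for": expected_next(last)}


if __name__ == "__main__":
    summary = trace_summary([ACCESS_REQUEST_EAP, ACCESS_CHALLENGE_EAP])
    for step in summary["steps"]:
        print(step)
    print("stalled after:", summary["stalled_after"])
    print("waiting for:", summary["waiting_for"])
```

Run it as-is and the two decoded steps are the client's Identity Response for "thewolf" (id 1, length 12) and the server's LEAP Request (id 2, length 23) carrying an 8-byte challenge; the trace contains nothing after that, so the summary reports the exchange stalled waiting for the client's LEAP response. The same decoder can be pointed at EAP-Message hex from any radiusd -X trace to see which method the server selected and at which step a client dropped out.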
