As far as I can tell, the username is getting accepted, but there's nowhere
for me to put the user's password in.
Does anyone know where the password gets set? I tried setting the password
on my laptop thinking it may pull it from the Windows account, but no dice.

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bob
McCormick
Sent: Friday, April 23, 2004 3:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)

I don't know much about the LDAP module, but it sure looks like it's not
returning a password for the user.

Try putting a test user in the users file like this:

localpeap       User-Password == "test"

See if you can authenticate as that user.


On Apr 23, 2004, at 2:03 PM, Clayton Dukes wrote:

> That did the trick...
> I'm connecting now but getting an Auth failure.
> I see where I can set a different username in XP, but where do I set a 
> password?
>
> Here's my output:
> Waking up in 4 seconds...
> rad_recv: Access-Request packet from host 16.19.20.5:59342, id=99, length=147
>         User-Name = "cdukes"
>         Framed-MTU = 1400
>         Called-Station-Id = "000f.8f76.2e20"
>         Calling-Station-Id = "0006.25a9.8594"
>         Message-Authenticator = 0x9fe1634ba1f815346a56cf48a7dd3d59
>         EAP-Message = 0x02010014016364756b65733a6931323639753131
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 263
>         Service-Type = Framed-User
>         NAS-IP-Address = 10.100.10.10
>         NAS-Identifier = "ap-noc"
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 35
>   modcall[authorize]: module "preprocess" returns ok for request 35
>   rlm_eap: EAP packet type response id 1 length 20
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 35
>     rlm_realm: No '@' in User-Name = "cdukes", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 35
>     users: Matched DEFAULT at 152
>     users: Matched DEFAULT at 171
>     users: Matched DEFAULT at 218
>   modcall[authorize]: module "files" returns ok for request 35
> modcall: group authorize returns updated for request 35
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 35
> rlm_ldap: - authenticate
> rlm_ldap: Attribute "User-Password" is required for authentication.
>   modcall[authenticate]: module "ldap" returns invalid for request 35
> modcall: group Auth-Type returns invalid for request 35
> auth: Failed to validate the user.
> Delaying request 35 for 1 seconds
> Finished request 35
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Sending Access-Reject of id 99 to 16.19.20.5:59342
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 34 ID 98 with timestamp 4089758b
> Waking up in 3 seconds...
>
>
> TIA!
> Regards,
> Clayton Dukes
> CCNA, CCDA, CCNP, CCDP
> Sr. Network Engineer
> E Solutions Corp.
> http://www.esnet.com
> 813.301.2620 (o)
> 813.545.7373 (c)
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bob 
> McCormick
> Sent: Friday, April 23, 2004 2:26 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)
>
> Here's a config template I use for Cisco 1120 AP's. Try this and see
> if it works for you.
>
>
>
> !#########################################
> ! Basic config template for Cisco IOS Access Points
> !  4/20/2004 - BDM - I've tested it with 1120's but should work with 1200's
> !#########################################
> !
> !
> !###############################
> ! Remove some junk from the default config that we don't want/need
> !##################################
> no ip dhcp excluded-address 10.0.0.1 10.0.0.10
> no ip dhcp pool local-default-pool
> no aaa group server radius rad_mac
> no aaa group server radius rad_acct
> no aaa group server radius rad_admin
> no aaa group server tacacs+ tac_admin
> no aaa group server radius rad_pmip
> no aaa group server radius dummy
> no aaa authentication login mac_methods local
> no aaa authorization ipmobile default group rad_pmip
> no ip http server
> no ip http help-path
> !
> !
> !###########################
> ! AAA config for EAP authentication and some radius accounting
> !#############################
> aaa new-model
> aaa authentication login eap_methods group rad_eap
> aaa authorization exec default local
> aaa accounting network acct_methods start-stop group rad_acct
> aaa session-id common
> !
> aaa group server radius rad_eap
>   server <ipaddress> auth-port 1812 acct-port 1813
> !
> bridge irb
> !
> interface Dot11Radio0
>   no ip address
>   no ip route-cache
> ! #####   Require wep128 encryption
>   encryption mode ciphers wep128
>   ! ##### rotate broadcast wep key every 10 minutes
>   broadcast-key change 600    
> ! ##### Create an SSID named "wifi"
> ! ##### Require EAP authentication
> ! ##### broadcast the SSID
>   ssid wifi
>      authentication open eap eap_methods
>      guest-mode
> ! ###### set the data rates support and/or required by the AP
> ! ###### These are the rates recommended by Cisco for best throughput
> ! ###### for supporting both 802.11.b and 802.11g
>   speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
> !
>   rts threshold 2312
>   station-role root
>   no cdp enable
> ! ###### Tell the AP to honor the Session-Timeout returned by the Radius server
>   dot1x reauth-period server
> !
>   bridge-group 1
>   bridge-group 1 subscriber-loop-control
>   bridge-group 1 block-unknown-source
>   no bridge-group 1 source-learning
>   no bridge-group 1 unicast-flooding
>   bridge-group 1 spanning-disable
> !
> interface FastEthernet0
>   no ip address
>   no ip route-cache
>   bridge-group 1
>   no bridge-group 1 source-learning
>   bridge-group 1 spanning-disabled
>
> !
> interface BVI1
>   ip address <ip address> <subnetmask>
>
>
> !
> ip tacacs source-interface BVI1
> ip radius source-interface BVI1
> radius-server host <ipaddress> auth-port 1812 acct-port 1813 key <key>
> radius-server attribute 32 include-in-access-req format %h
> radius-server authorization permit missing Service-Type
> radius-server vsa send accounting
> bridge 1 route ip
>
>
> On Apr 23, 2004, at 1:15 PM, Clayton Dukes wrote:
>
>> I can see from searching the mailing list that this has been asked 
>> many times, but what I can't seem to locate are config examples or a 
>> good howto on setting everything up.
>> I have the radius server set up -- and it appears to work on, but I 
>> am not sure what I am lacking/doing wrong on the AP.
>> I have followed the instructions from the following URL:
>> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
>> It's a very good guide -- although outdated, I was still able to get 
>> the radius and client side configured.
>> What I see now are no requests from the AP to the radius server when 
>> I boot up the laptop. The laptop is not able to get to the AP either.
>> I also have LDAP auth turned on, when I telnet to the AP the LDAP 
>> piece communicates fine with the radius server so I know the comms 
>> are ok.
>>
>> Does anyone have an example 1100AP config that I can use?
>>
>>
>>
>>
>> Regards,
>> Clayton Dukes
>> CCNA, CCDA, CCNP, CCDP
>> Sr. Network Engineer
>> E Solutions Corp.
>> http://www.esnet.com
>> 813.301.2620 (o)
>> 813.545.7373 (c)
>>
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>

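Added example (not part of the original thread, and not FreeRADIUS code): a small Python check over an excerpt of the debug trace quoted above. It decodes the EAP-Message header and reports that the request carried EAP and no User-Password yet was handed to Auth-Type LDAP, the combination behind the rlm_ldap error. The function names and lookup tables are this example's own, and it assumes a single unfragmented EAP-Message attribute per request.

```python
import re

# Excerpt of the radiusd debug trace quoted in this thread (request 35).
TRACE = """\
rad_recv: Access-Request packet from host 16.19.20.5:59342, id=99, length=147
        User-Name = "cdukes"
        Message-Authenticator = 0x9fe1634ba1f815346a56cf48a7dd3d59
        EAP-Message = 0x02010014016364756b65733a6931323639753131
        NAS-Port-Type = Wireless-802.11
  rad_check_password:  Found Auth-Type LDAP
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 35
auth: Failed to validate the user.
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}


def eap_header(hex_value):
    """Decode the RFC 3748 header: code, identifier, length, then type."""
    raw = bytes.fromhex(hex_value.removeprefix("0x"))
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length field does not match attribute size")
    eap_type = raw[4] if raw[0] in (1, 2) and length > 4 else None
    return {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1],
            "length": length, "type": EAP_TYPES.get(eap_type, eap_type)}


def diagnose(trace):
    """Summarise which attributes arrived and which Auth-Type handled them."""
    attrs = dict(re.findall(r"^\s+([\w-]+) = (.+)$", trace, re.M))
    auth = re.search(r"Found Auth-Type (\S+)", trace)
    report = {
        "has_user_password": "User-Password" in attrs,
        "auth_type": auth.group(1) if auth else None,
        "eap": eap_header(attrs["EAP-Message"]) if "EAP-Message" in attrs else None,
        "missing_password_error": 'Attribute "User-Password" is required' in trace,
    }
    # EAP payload with no User-Password, yet routed to a non-EAP Auth-Type.
    report["eap_sent_to_non_eap_auth"] = (
        report["eap"] is not None and not report["has_user_password"]
        and report["auth_type"] not in (None, "EAP"))
    return report
```

The decoded header (Response, id 1, length 20) matches the `rlm_eap: EAP packet type response id 1 length 20` line in the trace.
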