Yeah, the dialog pops up, but it only has a username, not a password field -- kinda funky
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob McCormick
Sent: Friday, April 23, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)

WinXP doesn't pop up a dialog box asking for your username and password?

On Apr 23, 2004, at 2:22 PM, Clayton Dukes wrote:

> As far as I can tell, the username is getting accepted, but there's
> nowhere for me to put the user's password in.
> Does anyone know where the password gets set? I tried setting the
> password on my laptop thinking it may pull it from the windows
> account, but no dice.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bob McCormick
> Sent: Friday, April 23, 2004 3:13 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)
>
> I don't know much about the LDAP module, but it sure looks like
> it's not returning a password for the user.
>
> Try putting a test user in the users file like this:
>
> localpeap User-Password == "test"
>
> See if you can authenticate as that user.
>
> On Apr 23, 2004, at 2:03 PM, Clayton Dukes wrote:
>
>> That did the trick...
>> I'm connecting now but getting an Auth failure.
>> I see where I can set a different username in XP, but where do I set
>> a password?
>>
>> Here's my output:
>> Waking up in 4 seconds...
>> rad_recv: Access-Request packet from host 16.19.20.5:59342, id=99, length=147
>>         User-Name = "cdukes"
>>         Framed-MTU = 1400
>>         Called-Station-Id = "000f.8f76.2e20"
>>         Calling-Station-Id = "0006.25a9.8594"
>>         Message-Authenticator = 0x9fe1634ba1f815346a56cf48a7dd3d59
>>         EAP-Message = 0x02010014016364756b65733a6931323639753131
>>         NAS-Port-Type = Wireless-802.11
>>         NAS-Port = 263
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 10.100.10.10
>>         NAS-Identifier = "ap-noc"
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 35
>> modcall[authorize]: module "preprocess" returns ok for request 35
>> rlm_eap: EAP packet type response id 1 length 20
>> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> modcall[authorize]: module "eap" returns updated for request 35
>> rlm_realm: No '@' in User-Name = "cdukes", looking up realm NULL
>> rlm_realm: No such realm "NULL"
>> modcall[authorize]: module "suffix" returns noop for request 35
>> users: Matched DEFAULT at 152
>> users: Matched DEFAULT at 171
>> users: Matched DEFAULT at 218
>> modcall[authorize]: module "files" returns ok for request 35
>> modcall: group authorize returns updated for request 35
>> rad_check_password: Found Auth-Type LDAP
>> auth: type "LDAP"
>> Processing the authenticate section of radiusd.conf
>> modcall: entering group Auth-Type for request 35
>> rlm_ldap: - authenticate
>> rlm_ldap: Attribute "User-Password" is required for authentication.
>> modcall[authenticate]: module "ldap" returns invalid for request 35
>> modcall: group Auth-Type returns invalid for request 35
>> auth: Failed to validate the user.
>> Delaying request 35 for 1 seconds
>> Finished request 35
>> Going to the next request
>> --- Walking the entire request list ---
>> Waking up in 1 seconds...
>> --- Walking the entire request list ---
>> Waking up in 1 seconds...
>> --- Walking the entire request list ---
>> Sending Access-Reject of id 99 to 16.19.20.5:59342
>> Waking up in 1 seconds...
>> --- Walking the entire request list ---
>> Cleaning up request 34 ID 98 with timestamp 4089758b
>> Waking up in 3 seconds...
>>
>> TIA!
>> Regards,
>> Clayton Dukes
>> CCNA, CCDA, CCNP, CCDP
>> Sr. Network Engineer
>> E Solutions Corp.
>> http://www.esnet.com
>> 813.301.2620 (o)
>> 813.545.7373 (c)
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Bob McCormick
>> Sent: Friday, April 23, 2004 2:26 PM
>> To: [EMAIL PROTECTED]
>> Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)
>>
>> Here's a config template I use for Cisco 1120 AP's. Try this and see
>> if it works for you.
>>
>> !#########################################
>> ! Basic config template for Cisco IOS Access Points
>> ! 4/20/2004 - BDM - I've tested it with 1120's but should work with 1200's
>> !#########################################
>> !
>> !
>> !###############################
>> ! Remove some junk from the default config that we don't want/need
>> !##################################
>> no ip dhcp excluded-address 10.0.0.1 10.0.0.10
>> no ip dhcp pool local-default-pool
>> no aaa group server radius rad_mac
>> no aaa group server radius rad_acct
>> no aaa group server radius rad_admin
>> no aaa group server tacacs+ tac_admin
>> no aaa group server radius rad_pmip
>> no aaa group server radius dummy
>> no aaa authentication login mac_methods local
>> no aaa authorization ipmobile default group rad_pmip
>> no ip http server
>> no ip http help-path
>> !
>> !
>> !###########################
>> ! AAA config for EAP authentication and some radius accounting
>> !#############################
>> aaa new-model
>> aaa authentication login eap_methods group rad_eap
>> aaa authorization exec default local
>> aaa accounting network acct_methods start-stop group rad_acct
>> aaa session-id common
>> !
>> aaa group server radius rad_eap
>>  server <ipaddress> auth-port 1812 acct-port 1813
>> !
>> bridge irb
>> !
>> interface Dot11Radio0
>>  no ip address
>>  no ip route-cache
>>  ! ##### Require wep128 encryption
>>  encryption mode ciphers wep128
>>  ! ##### rotate broadcast wep key every 10 minutes
>>  broadcast-key change 600
>>  ! ##### Create an SSID named "wifi"
>>  ! ##### Require EAP authentication
>>  ! ##### broadcast the SSID
>>  ssid wifi
>>   authentication open eap eap_methods
>>   guest-mode
>>  ! ###### set the data rates support and/or required by the AP
>>  ! ###### These are the rates recommended by Cisco for best throughput
>>  ! ###### for supporting both 802.11b and 802.11g
>>  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
>>  !
>>  rts threshold 2312
>>  station-role root
>>  no cdp enable
>>  ! ###### Tell the AP to honor the Session-Timeout returned by the Radius server
>>  dot1x reauth-period server
>>  !
>>  bridge-group 1
>>  bridge-group 1 subscriber-loop-control
>>  bridge-group 1 block-unknown-source
>>  no bridge-group 1 source-learning
>>  no bridge-group 1 unicast-flooding
>>  bridge-group 1 spanning-disable
>> !
>> interface FastEthernet0
>>  no ip address
>>  no ip route-cache
>>  bridge-group 1
>>  no bridge-group 1 source-learning
>>  bridge-group 1 spanning-disabled
>> !
>> interface BVI1
>>  ip address <ip address> <subnetmask>
>> !
>> ip tacacs source-interface BVI1
>> ip radius source-interface BVI1
>> radius-server host <ipaddress> auth-port 1812 acct-port 1813 key <key>
>> radius-server attribute 32 include-in-access-req format %h
>> radius-server authorization permit missing Service-Type
>> radius-server vsa send accounting
>> bridge 1 route ip
>>
>> On Apr 23, 2004, at 1:15 PM, Clayton Dukes wrote:
>>
>>> I can see from searching the mailing list that this has been asked
>>> many times, but what I can't seem to locate are config examples or a
>>> good howto on setting everything up.
>>> I have the radius server set up -- and it appears to work on, but I
>>> am not sure what I am lacking/doing wrong on the AP.
>>> I have followed the instructions from the following URL:
>>> http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
>>> It's a very good guide -- although outdated, I was still able to get
>>> the radius and client side configured.
>>> What I see now are no requests from the AP to the radius server when
>>> I boot up the laptop. The laptop is not able to get to the AP either.
>>> I also have LDAP auth turned on, when I telnet to the AP the LDAP
>>> piece communicates fine with the radius server so I know the comms
>>> are ok.
>>>
>>> Does anyone have an example 1100AP config that I can use?
>>>
>>> Regards,
>>> Clayton Dukes
>>> CCNA, CCDA, CCNP, CCDP
>>> Sr. Network Engineer
>>> E Solutions Corp.
>>> http://www.esnet.com
>>> 813.301.2620 (o)
>>> 813.545.7373 (c)
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
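
Added example, not part of the original thread and not FreeRADIUS code: a small Python check that decodes the EAP-Message attribute from debug output in the format quoted above and reports why rlm_ldap finds no User-Password. The sample log is constructed (identity "localpeap", documentation address 192.0.2.10), and the sketch assumes the whole EAP packet fits in a single EAP-Message attribute.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP"}

def parse_eap(hex_value):
    """Decode the EAP header from a RADIUS EAP-Message attribute (0x... hex)."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match attribute size")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "type": None, "data": b""}
    if code in (1, 2) and length >= 5:   # only Request/Response carry a Type
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:length]
    return pkt

def diagnose(debug_log):
    """Flag an EAP request that was handed to a non-EAP Auth-Type."""
    findings = []
    eap = re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", debug_log)
    auth = re.search(r"Found Auth-Type (\S+)", debug_log)
    if eap:
        pkt = parse_eap(eap.group(1))
        if pkt["type"] == "Identity":
            findings.append("EAP Identity for %r: carries no password"
                            % pkt["data"].decode("utf-8", "replace"))
        if auth and auth.group(1).upper() != "EAP":
            findings.append("Auth-Type %s selected for an EAP request" % auth.group(1))
    if not re.search(r"^\s*User-Password = ", debug_log, re.M):
        findings.append("no User-Password attribute in the Access-Request")
    return findings

# Constructed sample in the format of the debug output quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10:59342, id=99, length=147
        User-Name = "localpeap"
        EAP-Message = 0x0201000e016c6f63616c70656170
rad_check_password: Found Auth-Type LDAP
rlm_ldap: Attribute "User-Password" is required for authentication.
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```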

