Configuring Windows 2000 for 802.1x (PEAP)
• 802.1x support is included in Windows 2000 Service Pack 4.
• Windows 2000 support for wireless networks is limited, and does not include any standard screens for configuring your wireless card (SSID to attach to, etc.). You will have to use the software that came with your wireless card for most configuration.
• Many wireless network card drivers include an 802.1x supplicant. If your card driver includes an 802.1x supplicant, you will have to disable the 802.1x supplicant in the driver if you wish to use the Microsoft 802.1x supplicant (Wireless Configuration service). Alternatively, you can disable the Microsoft supplicant and use the supplicant provided by your network card driver. To disable the Microsoft supplicant, stop the Wireless Configuration service and set the service to manual startup.
• After installing Service Pack 4, you will have to enable the Wireless Configuration service. By default it is set to Manual startup. Change this to Automatic startup and start the service.
• The next step is to configure 802.1x for your wireless connection. Under Control Panel, Network and Dialup Connections, select and right-click on your wireless network connection. Select Properties from the context menu.
• In the Properties window, select the Authentication tab. (If you don’t have an Authentication tab, it is probably because the Wireless Configuration service isn’t running.)
• Select the checkbox “Enable network access control using IEEE 802.1x”.
• Select your desired EAP type (PEAP).
• Unselect the checkboxes for “Authenticate as computer” and “Authenticate as guest”.
• Click on the Properties button to configure your EAP type (PEAP).
• Select the checkbox for “Validate server certificate” (unless your Radius server is using a self-signed certificate).
• Unselect the checkbox for “Connect to these servers”.
• Click the Configure button.
• In the EAP MSCHAPv2 window, select or unselect the “Automatically use my Windows logon name and password” checkbox as appropriate (i.e. if you expect your EAP username and password to match your Windows username and password).
On Apr 23, 2004, at 2:30 PM, Clayton Dukes wrote:
Yeah, the dialog pops up, but it only has a username, not a password field -- kinda funky.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bob McCormick
Sent: Friday, April 23, 2004 3:25 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)
WinXP doesn't pop up a dialog box asking for your username and password?
On Apr 23, 2004, at 2:22 PM, Clayton Dukes wrote:
As far as I can tell, the username is getting accepted, but there's nowhere for me to put the user's password in. Does anyone know where the password gets set? I tried setting the password on my laptop thinking it may pull it from the windows account, but no dice.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bob McCormick
Sent: Friday, April 23, 2004 3:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)
I don't know much about the LDAP module, but it sure looks like it's not returning a password for the user.
Try putting a test user in the users file like this:
localpeap User-Password == "test"
See if you can authenticate as that user.
On Apr 23, 2004, at 2:03 PM, Clayton Dukes wrote:
That did the trick... I'm connecting now but getting an Auth failure. I see where I can set a different username in XP, but where do I set a password?
Here's my output:

Waking up in 4 seconds...
rad_recv: Access-Request packet from host 16.19.20.5:59342, id=99, length=147
        User-Name = "cdukes"
        Framed-MTU = 1400
        Called-Station-Id = "000f.8f76.2e20"
        Calling-Station-Id = "0006.25a9.8594"
        Message-Authenticator = 0x9fe1634ba1f815346a56cf48a7dd3d59
        EAP-Message = 0x02010014016364756b65733a6931323639753131
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 263
        Service-Type = Framed-User
        NAS-IP-Address = 10.100.10.10
        NAS-Identifier = "ap-noc"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 35
  modcall[authorize]: module "preprocess" returns ok for request 35
  rlm_eap: EAP packet type response id 1 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 35
    rlm_realm: No '@' in User-Name = "cdukes", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 35
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched DEFAULT at 218
  modcall[authorize]: module "files" returns ok for request 35
modcall: group authorize returns updated for request 35
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 35
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 35
modcall: group Auth-Type returns invalid for request 35
auth: Failed to validate the user.
Delaying request 35 for 1 seconds
Finished request 35
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 99 to 16.19.20.5:59342
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 34 ID 98 with timestamp 4089758b
Waking up in 3 seconds...

TIA!

Regards,
Clayton Dukes
CCNA, CCDA, CCNP, CCDP
Sr. Network Engineer
E Solutions Corp.
http://www.esnet.com
813.301.2620 (o)
813.545.7373 (c)
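As an added example (not code from this thread or from FreeRADIUS), a small Python parser for radiusd debug output like the one above: it decodes the RADIUS EAP-Message attribute into its EAP header and Identity, and pulls out the Auth-Type, the module that returned invalid and that module's last diagnostic line, so the missing User-Password that Bob points at is surfaced directly. The sample log lines are constructed from the output quoted above, re-wrapped one per line.

```python
import re
# Constructed sample: the radiusd -X lines quoted in this thread, re-wrapped one per line
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 16.19.20.5:59342, id=99, length=147
        User-Name = "cdukes"
        EAP-Message = 0x02010014016364756b65733a6931323639753131
        NAS-Identifier = "ap-noc"
  rad_check_password:  Found Auth-Type LDAP
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "ldap" returns invalid for request 35
Sending Access-Reject of id 99 to 16.19.20.5:59342
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP", 26: "MS-CHAPv2"}

def decode_eap_message(hexstr):
    """Decode the EAP packet inside a RADIUS EAP-Message attribute (RFC 3748 header)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte and type-data
        pkt["type"] = EAP_TYPES.get(data[4], data[4])
        if data[4] == 1:  # EAP-Identity: the remaining bytes are the identity string
            pkt["identity"] = data[5:].decode("ascii", "replace")
    return pkt

ATTR_RE = re.compile(r'^\s*([\w-]+) = (?:"([^"]*)"|(\S+))\s*$', re.M)
FAIL_RE = re.compile(r'module "(\w+)" returns (?:invalid|reject|fail) for request (\d+)')

def diagnose(log):
    """Pull out who was authenticating, how, and which module rejected them and why."""
    attrs = {m[1]: m[2] if m[2] is not None else m[3] for m in ATTR_RE.finditer(log)}
    report = {"user": attrs.get("User-Name"), "nas": attrs.get("NAS-Identifier")}
    if "EAP-Message" in attrs:
        report["eap"] = decode_eap_message(attrs["EAP-Message"])
    m = re.search(r"Found Auth-Type (\S+)", log)
    report["auth_type"] = m.group(1) if m else None
    fail = FAIL_RE.search(log)
    report["failed_module"] = fail.group(1) if fail else None
    # the failing module's own last rlm_<name>: line is normally the reason
    if fail:
        reasons = re.findall(rf"^\s*rlm_{fail.group(1)}: (.*)$", log, re.M)
        report["reason"] = reasons[-1] if reasons else None
    report["rejected"] = "Sending Access-Reject" in log
    return report
```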
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bob McCormick
Sent: Friday, April 23, 2004 2:26 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)
Here's a config template I use for Cisco 1120 AP's. Try this and see if it works for you.
!#########################################
! Basic config template for Cisco IOS Access Points
! 4/20/2004 - BDM - I've tested it with 1120's but should work with 1200's
!#########################################
!
!
!###############################
! Remove some junk from the default config that we don't want/need
!##################################
no ip dhcp excluded-address 10.0.0.1 10.0.0.10
no ip dhcp pool local-default-pool
no aaa group server radius rad_mac
no aaa group server radius rad_acct
no aaa group server radius rad_admin
no aaa group server tacacs+ tac_admin
no aaa group server radius rad_pmip
no aaa group server radius dummy
no aaa authentication login mac_methods local
no aaa authorization ipmobile default group rad_pmip
no ip http server
no ip http help-path
!
!
!###########################
! AAA config for EAP authentication and some radius accounting
!#############################
aaa new-model
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
aaa group server radius rad_eap
 server <ipaddress> auth-port 1812 acct-port 1813
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ! ##### Require wep128 encryption
 encryption mode ciphers wep128
 !
 ! ##### rotate broadcast wep key every 10 minutes
 broadcast-key change 600
 !
 ! ##### Create an SSID named "wifi"
 ! ##### Require EAP authentication
 ! ##### broadcast the SSID
 ssid wifi
    authentication open eap eap_methods
    guest-mode
 !
 ! ###### set the data rates supported and/or required by the AP
 ! ###### These are the rates recommended by Cisco for best throughput
 ! ###### for supporting both 802.11b and 802.11g
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 !
 rts threshold 2312
 station-role root
 no cdp enable
 !
 ! ###### Tell the AP to honor the Session-Timeout returned by the Radius server
 dot1x reauth-period server
 !
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address <ip address> <subnetmask>
!
ip tacacs source-interface BVI1
ip radius source-interface BVI1
radius-server host <ipaddress> auth-port 1812 acct-port 1813 key <key>
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
On Apr 23, 2004, at 1:15 PM, Clayton Dukes wrote:
I can see from searching the mailing list that this has been asked many times, but what I can't seem to locate are config examples or a good howto on setting everything up.

I have the radius server set up -- and it appears to work on, but I am not sure what I am lacking/doing wrong on the AP.

I have followed the instructions from the following URL: http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

It's a very good guide -- although outdated, I was still able to get the radius and client side configured.

What I see now are no requests from the AP to the radius server when I boot up the laptop. The laptop is not able to get to the AP either.

I also have LDAP auth turned on; when I telnet to the AP the LDAP piece communicates fine with the radius server, so I know the comms are ok.

Does anyone have an example 1100AP config that I can use?

Regards,
Clayton Dukes
CCNA, CCDA, CCNP, CCDP
Sr. Network Engineer
E Solutions Corp.
http://www.esnet.com
813.301.2620 (o)
813.545.7373 (c)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

