James,

We have gotten LEAP to work with Cisco access points. My last posting on the subject might help if you haven't gotten there yet...

http://lists.freeradius.org/pipermail/freeradius-users/2004-August/035601.html

However, we have not been able to get LEAP for Cisco's WDS worked out. All of the access points in the group authenticate successfully, but the WLSE does not. I've looked carefully at the debug output on freeradius as well as the debug output on the master Access Point. Freeradius debug shows that most of the EAP transaction takes place normally. The initial Access-Request, the Identity challenge, the Access-Request response to that, and the new Access-Challenge from radiusd are all just fine. But... the supplicant (WLSE) does NOT answer that final Access-Challenge... at all. Freeradius debug shows no indication of error or mis-configuration.

Following this, I scrutinized the radius debug output on the master Access Point. In one test, the AP pointed to the freeradius server. In a second test, the AP pointed to a cisco ACS server (on another AP). Comparing the debug output from these two tests revealed only a small (but significant) difference.

The ACS server and freeradius return nearly identical attributes. The first difference is that in the first Access-Challenge, ACS returns Session-Timeout integer of value 10. Freeradius does not return this attribute by default. I'll have it return that attribute in the next test. I doubt that is the problem, but you never know.

More significant is the value of State in each Access-Challenge.
The ACS server sends a State with 48 octets of data, like this...

3C CE 0B C2 1F C4 EC 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
4A 8B 02 C7 5F 73 30 72 79 4C BE 81 58 77 08 FC

Freeradius sends a State with 16 octets of data, like this...

08 69 18 A9 AF 56 71 B1 2C E9 A9 2A 35 CA D9 94

The RFC on this attribute (http://www.freeradius.org/rfc/rfc2865.html#State) says the value is application specific, and I'm not sure which module produces it, how to decode it, etc. But it seems clear to me that this is the fly that choked the horse (Cisco's WLSE leap/eap/radius client being the horse).

Can someone who understands the nuances of this State value please help?

 freeradius-1.0.0
 Red Hat Enterprise Linux AS release 3 (Taroon Update 2)
 openssl-0.9.7a-33.4.i686.rpm
 openldap-2.2.13  (on localhost)

Thanks,

Coates Carter
University of Richmond
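The State comparison above can be done mechanically rather than by eyeballing AP debug output. What follows is an added example, not code from the post or from FreeRADIUS: a small RFC 2865 attribute parser run over two constructed Access-Challenge packets, one shaped like the ACS reply described above (48-octet State plus Session-Timeout = 10) and one shaped like the FreeRADIUS reply (16-octet State, no Session-Timeout). The authenticator, the LEAP EAP-Request payload and the padding inside the ACS-style State are placeholders chosen for the example; only the lengths and the Session-Timeout value follow the post. State is opaque to the NAS and supplicant, so the summary reports its presence, length and hex, and does not try to decode it.

```python
"""Parse RADIUS packets (RFC 2865 framing) and pull out the attributes that
matter when comparing two servers' Access-Challenge replies in an EAP/LEAP
exchange: State (24), Session-Timeout (27) and EAP-Message (79).

The sample packets at the bottom are constructed for this example, not
captures; the State lengths (48 and 16 octets) and Session-Timeout (10)
match what the post reports for ACS and FreeRADIUS respectively.
"""
import struct
from typing import Dict, List, Tuple

ACCESS_CHALLENGE = 11
ATTR_STATE = 24
ATTR_SESSION_TIMEOUT = 27
ATTR_EAP_MESSAGE = 79

Attr = Tuple[int, bytes]


def build_radius(code: int, ident: int, authenticator: bytes, attrs: List[Attr]) -> bytes:
    """Serialise a RADIUS packet. Each attribute is Type(1) Length(1) Value(<=253)."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    body = b""
    for atype, value in attrs:
        if not 0 <= atype <= 255 or len(value) > 253:
            raise ValueError("attribute %d out of range or too long" % atype)
        body += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius(pkt: bytes) -> Tuple[int, int, bytes, List[Attr]]:
    """Parse a RADIUS packet into (code, identifier, authenticator, attributes).

    Length fields are validated so a short or malformed packet raises instead of
    being silently read past its end.
    """
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS Length field %d" % length)
    attrs: List[Attr] = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def challenge_summary(pkt: bytes) -> Dict[str, object]:
    """Summarise what a LEAP client will see in an Access-Challenge."""
    code, ident, _auth, attrs = parse_radius(pkt)
    states = [v for t, v in attrs if t == ATTR_STATE]
    timeouts = [struct.unpack("!I", v)[0] for t, v in attrs
                if t == ATTR_SESSION_TIMEOUT and len(v) == 4]
    # EAP-Message may be split over several attributes; they are concatenated
    # in order to rebuild the EAP packet (RFC 3579 section 3.1).
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    return {
        "code": code,
        "identifier": ident,
        "state_len": len(states[0]) if states else None,
        "state_hex": states[0].hex() if states else None,
        "session_timeout": timeouts[0] if timeouts else None,
        "eap_len": len(eap),
    }


# --- constructed sample packets (placeholders, not captures from the post) ---
AUTHENTICATOR = bytes(range(16))
# EAP-Request, id 2, type 17 (LEAP), version 1, count 8, 8-octet placeholder challenge
EAP_LEAP_REQUEST = struct.pack("!BBH", 1, 2, 16) + bytes([17, 1, 0, 8]) + b"\xaa" * 8

# 48 octets, padded with zeros in the middle to match the ACS length in the post
ACS_STATE = (bytes.fromhex("3cce0bc21fc4ec") + b"\x00" * 25
             + bytes.fromhex("4a8b02c75f733072794cbe81587708fc"))
# 16 octets, the size FreeRADIUS is reported to send
FREERADIUS_STATE = bytes.fromhex("086918a9af5671b12ce9a92a35cad994")

ACS_CHALLENGE = build_radius(ACCESS_CHALLENGE, 7, AUTHENTICATOR, [
    (ATTR_SESSION_TIMEOUT, struct.pack("!I", 10)),
    (ATTR_EAP_MESSAGE, EAP_LEAP_REQUEST),
    (ATTR_STATE, ACS_STATE),
])
FREERADIUS_CHALLENGE = build_radius(ACCESS_CHALLENGE, 7, AUTHENTICATOR, [
    (ATTR_EAP_MESSAGE, EAP_LEAP_REQUEST),
    (ATTR_STATE, FREERADIUS_STATE),
])

if __name__ == "__main__":
    for name, pkt in (("ACS", ACS_CHALLENGE), ("FreeRADIUS", FREERADIUS_CHALLENGE)):
        print(name, challenge_summary(pkt))
```

To compare real servers, replace the two constructed packets with the UDP payloads of the Access-Challenge from each server (a packet capture on the RADIUS port is enough); the summary then shows directly whether State length or Session-Timeout is the only thing that differs before the supplicant goes quiet.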
.......................................................................................



"James D. Munroe" <[EMAIL PROTECTED]> wrote:
> Has anyone tried or successfully been able to get Cisco-Leap to work
> using FreeRadius?

  Lots of people.  That's why the feature is there.  It's been used
for over a year now.

  If you can't get LEAP to work, I suggest running the server in
debugging mode, and reading the FAQ about statements like "it doesn't
work" on this list.

  LEAP works.  If it doesn't work in your setup, debug mode will tell
you why.

  Alan DeKok.


......

James D. Munroe   [EMAIL PROTECTED]
 Fri, 25 Jun 2004 17:32:22 -0300 (ADT)

Hello,

Has anyone tried or successfully been able to get
Cisco-Leap to work using FreeRadius?

Components:
- Cisco AIR-AP1230B-A-K9 Access Points running IOS 12.2.15
- Freeradius 0.9.3 installed from the Redhat ES 3.0 RPM, running on a Redhat ES 3.0 Server


If so, would it be possible to get sanitized copies of your Freeradius configuration files (radiusd.conf, users, clients.conf, etc...)? Authentication to the AP itself using radius works perfectly, have even setup EAP-TLS and it works perfectly!! But leap is no good...

It's not a configuration issue on the Access Points themselves. Leap works fine when used against Cisco ACS (v3.2.3). However, for security reasons and cost of course we would like to use Freeradius for outside hosts rather than expose our internal ACS server.

Also, I have been unable to get the WDS service working between the AP's and Cisco's WLSE. I'm not surprised since it uses Leap. It does work though with CiscoACS...but Freeradius is a no go. :-(

Any help would be greatly appreciated!!

Thanks,
Jim


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html