> James,
> 
> We have gotten LEAP to work with Cisco access points.  My last posting  
> on the subject might help if you haven't gotten there yet...
> 

> 
> However, we have not been able to get LEAP for Cisco's WDS worked out.   
> All of the access points in the group authenticate successfully, but  
> the WLSE does not. 
>
Yes, WLSE is not running exactly like an access point :-((
Comparing the answer of the Cisco RADIUS server ACS, which authenticates
WLSE and access points, with freeradius, we can see that ACS doesn't
increment the EAP ID as said in doc/rfc/leap.txt :
---------------------------------------------------------
 4. RS->AP: Access-Challenge/EAP Success (with EAP id++)
   + State (may be different than the state sent in <2>)
---------------------------------------------------------
So with this first patch in freeradius-1.0.0/src/modules/rlm_eap/types/rlm_eap_leap :
-------------------------------------------------------------------------------
--- rlm_eap_leap.c.FCS  2004-08-16 18:29:23.000000000 +0200
+++ rlm_eap_leap.c      2004-08-16 18:34:25.000000000 +0200
@@ -147,7 +147,10 @@
                /*
                 *      Do this only for Success.
                 */
-               handler->eap_ds->request->id = handler->eap_ds->response->id + 1;
+                        /* RT   Oops WLSE don't like CISCO LEAP standard....
+               handler->eap_ds->request->id = handler->eap_ds->response->id + 1; */
+
+               handler->eap_ds->request->id = handler->eap_ds->response->id ;
                handler->eap_ds->set_request_id = 1;
 
                /*
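Review bot: The replacement assignment `request->id = response->id` applies to every client that reaches this Success branch, not only the WLSE, so access points that follow step 4 of doc/rfc/leap.txt (id++) get the changed identifier as well. Gate the non-incrementing behaviour on a configuration flag or a per-client check, and delete the commented-out original assignment instead of leaving it in the source.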
-------------------------------------------------------------------------------

The WLSE accepts the response of freeradius and sends an Access-Request/EAP
Request/LEAP

But in stage 6 the WLSE does not accept the SUCCESS response of RS with the
normal id++,
so I made a second patch of eap.c in freeradius-1.0.0/src/modules/rlm_eap :
-------------------------------------------------------------------------------
--- eap.c.FCS   2004-08-16 18:25:05.000000000 +0200
+++ eap.c       2004-08-16 18:28:47.000000000 +0200
@@ -393,6 +393,16 @@
 
        hdr->code = (reply->code & 0xFF);
        hdr->id = (reply->id & 0xFF);
+       
+       /* RT  Oops WLSE don't like CISCO LEAP Standard ... so we make as ACS do 
.... */
+       if((reply->code == PW_EAP_RESPONSE) &&
+           (reply->type.type == PW_EAP_LEAP) &&
+          (reply->type.length == 30)) { hdr->id -= 1 ;}  
+
+DEBUG2("  rlm_eap: RT Modif EAP-Type = %d EAP-LENGTH = %d",
+                      reply->type.type,reply->type.length);
+        /* END MODIF RT */
+                              
        total_length = htons(total_length);
        memcpy(hdr->length, &total_length, sizeof(uint16_t));
 
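Review bot: The added `if` selects the packet to modify with the bare literal `reply->type.length == 30` and then runs `hdr->id -= 1` with no guard, so every LEAP response of that length is altered for every client, and an id of 0 underflows. Name the constant, comment which LEAP message it identifies, and restrict the adjustment to the WLSE client. The `DEBUG2` call sits outside the `if`, so it logs for every EAP packet; move it inside the block.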
-------------------------------------------------------------------------------

Since I have freeradius working with thousands of users with many protocols,
I made a rogue_radius with these 2 bad patches listening on port 1645 only for
Cisco WDS !!!



   +--------------------------------------+
   |     ???                              |
   |    {O-O}      Richard Timsit         |
   |      ^_       SIC STI                |
   |    / T \_     EPFL Lausanne          |
   |   '` I   "    1015 Ecublens,SUISSE   |
   |      M        (021) 693 22 35        |
   |     | |       [EMAIL PROTECTED] |
   |     I I                              |
   +--------------------------------------+
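
One way to repeat the ACS versus FreeRADIUS comparison described in this message on captured EAP packets, as an added example that is not part of the original post or of FreeRADIUS: it parses the EAP header and reports whether a server packet reuses the identifier of the packet it answers or uses id+1 (modulo 256). The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* EAP codes and header layout per RFC 3748; type 17 is LEAP. */
enum { EAP_REQUEST = 1, EAP_RESPONSE = 2, EAP_SUCCESS = 3, EAP_FAILURE = 4 };
enum id_rel { ID_SAME, ID_INCREMENTED, ID_OTHER, ID_MALFORMED };
struct eap_hdr { uint8_t code, id, type; uint16_t length; };

/* Parse and bounds-check one EAP packet header; returns 0 on success. */
static int eap_parse(const uint8_t *buf, size_t len, struct eap_hdr *h)
{
    if (len < 4) return -1;                       /* code, id, 2-byte length */
    h->code = buf[0]; h->id = buf[1];
    h->length = (uint16_t)((buf[2] << 8) | buf[3]);
    if (h->code < EAP_REQUEST || h->code > EAP_FAILURE) return -1;
    if (h->length < 4 || h->length > len) return -1;
    h->type = 0;                                  /* Success/Failure carry no type */
    if (h->code == EAP_REQUEST || h->code == EAP_RESPONSE) {
        if (h->length < 5) return -1;
        h->type = buf[4];
    }
    return 0;
}

/* How does the server packet's id relate to the client packet it answers? */
static enum id_rel eap_id_relation(const uint8_t *cli, size_t clen,
                                   const uint8_t *srv, size_t slen)
{
    struct eap_hdr c, s;
    if (eap_parse(cli, clen, &c) || eap_parse(srv, slen, &s)) return ID_MALFORMED;
    if (s.id == c.id) return ID_SAME;                       /* id reused */
    if (s.id == (uint8_t)(c.id + 1)) return ID_INCREMENTED; /* id++, wraps at 255 */
    return ID_OTHER;
}

/* Constructed sample packets (not taken from a real capture). */
static const uint8_t cli_resp[]  = { 0x02, 0xFF, 0x00, 0x05, 0x11 }; /* Response, id 255, LEAP */
static const uint8_t srv_incr[]  = { 0x03, 0x00, 0x00, 0x04 };       /* Success, id 0 */
static const uint8_t srv_same[]  = { 0x03, 0xFF, 0x00, 0x04 };       /* Success, id 255 */
static const uint8_t srv_trunc[] = { 0x03, 0x00, 0x00 };             /* cut short */

int main(void)
{
    static const char *name[] = { "same", "incremented", "other", "malformed" };
    printf("%s\n", name[eap_id_relation(cli_resp, sizeof cli_resp, srv_incr, sizeof srv_incr)]);
    printf("%s\n", name[eap_id_relation(cli_resp, sizeof cli_resp, srv_same, sizeof srv_same)]);
    printf("%s\n", name[eap_id_relation(cli_resp, sizeof cli_resp, srv_trunc, sizeof srv_trunc)]);
    return 0;
}
```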


