Richard,
Thanks for that input, it sounds very straightforward to me. I'll try your patches on Tuesday (Monday is a holiday here). Have you brought this up with Cisco? If not, I will open a case next week. I'd like to know whether Cisco's LEAP/EAP developers intended for the ID to not increment, or whether they've made a mistake against their own standard.
I'd like to use the same FreeRADIUS server for WLSE/APs as for other non-LEAP clients, such as TLS/PEAP. Since your patch to rlm_eap.c should only kick in when reply->type.type == PW_EAP_LEAP, there should be no problem, wouldn't you say?
Thanks again,
Coates Carter, University of Richmond
On Sep 1, 2004, at 6:04 AM, Richard Timsit wrote:
James,
We have gotten LEAP to work with Cisco access points. My last posting on the subject might help if you haven't gotten there yet...
Yes, WLSE is not running exactly like an access point :-((
However, we have not been able to get LEAP for Cisco's WDS worked out. All of the access points in the group authenticate successfully, but the WLSE does not.
Comparing the answers of the Cisco ACS RADIUS server, which authenticates the WLSE and the access points, with FreeRADIUS, we can see that ACS doesn't increment the EAP ID as said in doc/rfc/leap.txt:
---------------------------------------------------------
4. RS->AP: Access-Challenge/EAP Success (with EAP id++)
   + State (may be different than the state sent in <2>)
---------------------------------------------------------
So with this first patch in freeradius-1.0.0/src/modules/rlm_eap/types/rlm_eap_leap:
-------------------------------------------------------------------------------
--- rlm_eap_leap.c.FCS 2004-08-16 18:29:23.000000000 +0200
+++ rlm_eap_leap.c 2004-08-16 18:34:25.000000000 +0200
@@ -147,7 +147,10 @@
/*
* Do this only for Success.
*/
- handler->eap_ds->request->id = handler->eap_ds->response->id + 1;
+ /* RT Oops WLSE don't like CISCO LEAP standard....
+ handler->eap_ds->request->id = handler->eap_ds->response->id + 1; */
+
+ handler->eap_ds->request->id = handler->eap_ds->response->id ;
handler->eap_ds->set_request_id = 1;
/*
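Review bot: the replacement line `handler->eap_ds->request->id = handler->eap_ds->response->id ;` drops the id++ for every LEAP Success that rlm_eap_leap emits, not only for the WLSE, so access points and supplicants that follow doc/rfc/leap.txt step 4 (EAP id++) now get a Success whose id equals their last response id and may treat it as a retransmission. Make the behaviour selectable through a module configuration option (or keyed on the client) rather than changing the default for everyone, delete the commented-out original assignment instead of leaving it as dead code, and drop the stray space before the semicolon to match the surrounding style.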
-------------------------------------------------------------------------------
The WLSE accepts the response of FreeRADIUS and sends an Access-Request/EAP Request/LEAP.
But in stage 6 the WLSE does not accept the SUCCESS response of RS if the normal id++ is applied, so I made a second patch to eap.c in freeradius-1.0.0/src/modules/rlm_eap:
-------------------------------------------------------------------------------
--- eap.c.FCS 2004-08-16 18:25:05.000000000 +0200
+++ eap.c 2004-08-16 18:28:47.000000000 +0200
@@ -393,6 +393,16 @@
hdr->code = (reply->code & 0xFF);
hdr->id = (reply->id & 0xFF);
+
+ /* RT Oops WLSE don't like CISCO LEAP Standard ... so we make as ACS do
.... */
+ if((reply->code == PW_EAP_RESPONSE) &&
+ (reply->type.type == PW_EAP_LEAP) &&
+ (reply->type.length == 30)) { hdr->id -= 1 ;}
+
+DEBUG2(" rlm_eap: RT Modif EAP-Type = %d EAP-LENGTH = %d",
+ reply->type.type,reply->type.length);
+ /* END MODIF RT */
+
total_length = htons(total_length);
memcpy(hdr->length, &total_length, sizeof(uint16_t));
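Review bot: the condition `(reply->type.length == 30)` relies on a magic number to recognise the LEAP message whose id must not advance; give it a named constant with a comment stating which LEAP stage it matches, since any other EAP-Response of that length would also get its id decremented. `hdr->id -= 1 ;` operates on a value that the line above masks to 8 bits, so a reply id of 0 wraps to 255 and should be guarded before subtracting. The `DEBUG2(...)` call is outside the if block and therefore fires for every EAP packet eap.c builds, LEAP or not; move it inside the block, and remove the `/* END MODIF RT */` marker and the added blank `+` lines before this is merged.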
-------------------------------------------------------------------------------
Since I have FreeRADIUS working with thousands of users with many protocols, I made a rogue_radius with these 2 bad patches listening on port 1645 only for Cisco WDS!!!
Richard Timsit
SIC STI, EPFL Lausanne
1015 Ecublens, Switzerland
(021) 693 22 35
[EMAIL PROTECTED]
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html