I think you haven't put the NAS IP address in clients.conf.
----- Original Message -----
Sent: Monday, August 08, 2005 22:44
Subject: Re: Pb with EAP/MD5
Thank you Zoltan, I made some modifications but nothing changed. When I tested the configuration with radping on the supplicant, it worked fine. But with my md5 configuration, nothing occurs at the radius server (no packets sent, no logs).
I answer you at each point, and give the configurations on the client.
Zoltan A. Ori wrote:
On Monday 08 August 2005 03:54, Rafael DiazMaurin wrote:
Hello,
Can someone help me?
I use : freeradius 1.0.4, and a switch CISCO 2950
I'm trying to configure EAP/MD5, but the client can't show the window of
login/password, it's connected to the network without asking for the
login/password, and the freeradius daemon is still :
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
A part of the log of the freeradius :
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
Module: Instantiated eap (eap)
The Cisco 2950 is the client (or NAS). Is it configured?
Yes it's configured:
IOS version: 12.1(22)EA4
General configuration:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host IP-Adress auth-port 1812 acct-port 1813 key XXX
radius-server retransmit 3
Here is the configuration of the port where the Supplicant (XP SP 2) is connected:
interface FastEthernet0/2
 description supplicant
 switchport access vlan XXX
 switchport mode access
 duplex full
 dot1x port-control auto
 dot1x timeout reauth-period 300
 dot1x reauthentication
 spanning-tree portfast
This switch is connected to another switch with a Trunk link, and another trunk link until the radius server. Here is the configuration of the port where the radius server is connected:
interface FastEthernet2/11
 description RadiusServer
 switchport access vlan 260
Do I need to configure the 2 last switches with dot1x authentication? I didn't configure anything on these switches, even the one where the radius server is plugged. I only configured the switch where the supplicant is connected.
XP is the supplicant. If the Cisco 2950 (client) doesn't require login, then
the supplicant will simply connect without any authentication dialog.
How can I make the connection of the supplicant with an authentication dialog?
The local tests are ok !
Then server is probably working just fine.
Here is the configurations I tested :
raddb/users :
test Auth-Type := EAP, User-Password == "test"
	Service-Type = Framed-User
Don't set the Auth-Type in users file.
I deleted it, but nothing changed.
On the client (windows XP sp2) I configure the 802.1x properties on Type
EAP : MD5-Challenge
That is the supplicant. Now, configure the client.
Zoltan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Rafael.
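The clients.conf point raised in the top reply, as an added example that is not part of the original thread: an offline check that a NAS source address is covered by a `client` entry. The sample file, its addresses and secrets, and the function names are constructed for illustration; hostname identifiers are skipped because resolving them needs DNS, and preferring the most specific entry is this example's own rule.

```python
import ipaddress
import re

# Constructed sample in clients.conf syntax; addresses and secrets are made up.
SAMPLE_CLIENTS_CONF = """
client 127.0.0.1 {
    secret    = testing123
    shortname = localhost
}
client 10.20.0.0/24 {   # management subnet of the access switches
    secret    = constructed-secret
    shortname = access-switches
}
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return [(network, attrs)] for client blocks keyed by an IP or CIDR."""
    text = re.sub(r"#.*", "", text)  # drop comments before matching blocks
    clients = []
    for ident, body in CLIENT_RE.findall(text):
        try:
            net = ipaddress.ip_network(ident, strict=False)
        except ValueError:
            continue  # hostname identifier: needs DNS, skipped offline
        clients.append((net, dict(ATTR_RE.findall(body))))
    return clients


def find_client(text, nas_ip):
    """Return the shortname of the most specific entry covering nas_ip, or None."""
    addr = ipaddress.ip_address(nas_ip)
    hits = [(net, attrs) for net, attrs in parse_clients(text) if addr in net]
    if not hits:
        return None
    net, attrs = max(hits, key=lambda hit: hit[0].prefixlen)
    return attrs.get("shortname", str(net))


if __name__ == "__main__":
    # 10.20.0.7 stands in for the switch; 192.0.2.50 is deliberately unlisted.
    for ip in ("10.20.0.7", "192.0.2.50"):
        print(ip, "->", find_client(SAMPLE_CLIENTS_CONF, ip) or "NOT LISTED")
```

The address to test is the one the switch uses as the source of its RADIUS packets, which on a multi-VLAN switch is not necessarily the address of the port facing the supplicant.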