On 2/13/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Senandung Mendonan wrote:
> > Problem: EAP Fails (Doesn't even get to TLS negotiation). In both
> > cases, we get perpetual "Access-Challenge" messages sent by
> > FreeRADIUS, at a very early stage — even before / during the initial
> > TLS negotiation in EAP.
>
> No... the NAS isn't seeing the response of the RADIUS server, so it
> re-sends the Access-Request, the server notices the duplicate request,
> and re-sends its response.
Yes, I believe so as well.

> Since the same IOS version seems to work for someone else, the problem
> is local to you. Please see the FAQ for what to do when the NAS never
> sees the response from the server.

Your phrase "NAS never sees the response" helped me focus on that problem
(previously I thought something was wrong with my config). Finally, after
hours of troubleshooting, the root cause was found: as Mr Alan DeKok
pointed out, it was the environment:-

1. For the Cisco Catalyst 2960: all it needed was another hard reset!
   Somehow one of the config lines (source port 1645…) didn't get
   activated until a hard reset.

2. For the Cisco Aironet 1200: something else (a router) was blocking the
   Access-Challenge packet from reaching port 1645 on the Aironet. Fixed
   the rules.

So now we get the following working as expected:-

1. Authenticating a user in the users file.

2. Authenticating a user in LDAP.

However, we are unable to get through one last hurdle:-

3. Authenticating a user in LDAP, then VLAN information passed back to
   the NAS via cisco-avpair settings in LDAP.

Somehow, when we add radiusReplyItem containing the desired cisco-avpairs,
we get back the same Access-Challenge loop at the early EAP stage. Here
are the debug outputs for comparison:-

1. For LDAP entry 'testuser', as follows:-

dn: uid=testuser,ou=People,dc=company,dc=net
sambaPrimaryGroupSID: S-2-3-8-1040
sambaAcctFlags: [U ]
shadowLastChange: 13525
sambaPwdLastSet: 1168566854
sambaLMPassword: 94918E8B0385E0A9AAD3B435B51404EE
sambaPwdCanChange: 1168566854
sambaNTPassword: 25AF711D2C13E00B6AB7DD4DE11B7136
cn: Company Test User
mailRoutingAddress: [EMAIL PROTECTED]
uidNumber: 1003
gecos: Company Test User
mail: [EMAIL PROTECTED]
krbName: [EMAIL PROTECTED]
uid: testuser
homeDirectory: /home/testuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: top
objectClass: kerberosSecurityObject
objectClass: radiusprofile
objectClass: sambaSamAccount
objectClass: inetOrgPerson
mailHost: mail.company.net
gidNumber: 20
givenName: Company Test
sn: User
loginShell: /bin/sh
radiusReplyItem: cisco-avpair += "tunnel-type=VLAN"
radiusReplyItem: cisco-avpair += "tunnel-medium-type=802 media"
radiusReplyItem: cisco-avpair += "tunnel-private-group-ID=110"
userPassword: mangkuk
sambaSID: S-1-5-21-2238693525-531040028-2956884036

Authentication fails with an Access-Challenge loop in EAP (at rlm_tls,
similar to what I was seeing before), as shown here:-

http://absolute-p.ath.cx/Debug/freeradius-1.1.4-cat2960-with-ldap.txt

However, as soon as I remove all radiusReplyItem attributes from the same
entry, the authentication succeeds, and I get connected.

Any help is welcome — thanks.

--
--mendonan
"Yang mimpikan secangkir kopi panas dengan selimut.."
("Dreaming of a cup of hot coffee, and a blanket..")

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
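The entry above hands the VLAN to the switch as three cisco-avpair strings. The attributes an 802.1X switch looks for under RFC 3580 are the RFC 2868 tunnel attributes Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-Id = "110". The Python below is an added example, not code from this thread or from FreeRADIUS: it encodes that trio as it appears on the wire in an Access-Accept, decodes it back (including the tag-octet rule of RFC 2868 that makes hand-built values easy to get wrong), and renders the equivalent FreeRADIUS users-file reply items using the names from dictionary.rfc2868. It does not claim to explain why the cisco-avpair entry above produces an Access-Challenge loop; the linked debug output is what would answer that. The sample byte strings in the usage note are constructed for illustration.

```python
"""Added example (not from the thread): the RFC 3580 VLAN-assignment trio
as RFC 2868 tagged attributes inside a RADIUS Access-Accept.

Each of the three attributes is "tagged": the first octet of the value is a
tag 0x01..0x1F that groups attributes describing one tunnel, or 0x00 when
unused.  For the string-valued Tunnel-Private-Group-Id a first octet above
0x1F is not a tag but the first character of the string (RFC 2868, 3.6).
"""

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # VALUE Tunnel-Type VLAN 13
TUNNEL_MEDIUM_IEEE_802 = 6     # VALUE Tunnel-Medium-Type IEEE-802 6
TAGGED_INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}


def encode_tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    """Type | Length | Tag | 3-octet big-endian integer (RFC 2868, 3.1/3.2)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integers are only 24 bits wide")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    """Type | Length | Tag | String (RFC 2868, 3.6)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")
    payload = bytes([tag]) + text.encode("ascii")
    if len(payload) > 253:
        raise ValueError("value too long for one RADIUS attribute")
    return bytes([attr_type, 2 + len(payload)]) + payload


def vlan_assignment(vlan_id: int, tag: int = 0) -> bytes:
    """Attribute block a RADIUS server adds to an Access-Accept for VLAN vlan_id."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_attributes(buf: bytes) -> list:
    """Walk a RADIUS attribute block; return (type, tag, value) for the tunnel
    attributes and (type, None, raw_bytes) for anything else."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length")   # never trust the length octet
        value = buf[pos + 2:pos + length]
        pos += length
        if attr_type in TAGGED_INTEGER_ATTRS:
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 octets")
            out.append((attr_type, value[0], int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:             # real tag octet present
                out.append((attr_type, value[0], value[1:].decode("ascii")))
            else:                                      # no tag: whole value is the string
                out.append((attr_type, 0, value.decode("ascii")))
        else:
            out.append((attr_type, None, value))
    return out


def assigned_vlan(buf: bytes):
    """VLAN ID carried by the block, or None if the trio is incomplete or
    inconsistent within a tag group, in which case no VLAN can be assigned."""
    by_tag = {}
    for attr_type, tag, value in decode_attributes(buf):
        if tag is not None:
            by_tag.setdefault(tag, {})[attr_type] = value
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


def users_file_reply(vlan_id: int) -> str:
    """The same trio as FreeRADIUS `users` file reply items."""
    return ('\tTunnel-Type = VLAN,\n'
            '\tTunnel-Medium-Type = IEEE-802,\n'
            '\tTunnel-Private-Group-Id = "%d"' % vlan_id)


if __name__ == "__main__":
    block = vlan_assignment(110)
    print(block.hex())                  # 40060000000d 410600000006 510600313130
    print(decode_attributes(block))
    print("VLAN:", assigned_vlan(block))
    print(users_file_reply(110))
```

With tag 0x00 the three attributes for VLAN 110 come out as `40 06 00 00 00 0d`, `41 06 00 00 00 06` and `51 06 00 31 31 30`. The decoder also accepts a Tunnel-Private-Group-Id sent without its tag octet (`51 05 31 31 30`, a constructed sample) because `"1"` is 0x31, above the 0x1F tag range; a Tunnel-Private-Group-Id on its own, or a trio whose tags do not match, yields no VLAN.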