Re: 802.1x problems

2009-01-15 Thread tnt
> I am having some issues with setting up 802.1x using
> freeradius-server-2.1.1-2.el5. I have 3 SSIDs setup. One of them is
> doing Mac Auth against a file. One is using ldap auth and the other is
> setup to use 802.1x. Mac auth and ldap auth works great so I know my
> ldap config in radius should be setup correctly. It looks like the
> authorize part of 802.1x works but it fails during the authenticate
> part. Does anyone see what I have messed up? I am sure it is something
> simple that I am overlooking. I am using windows xp sp3 to try to
> connect to this network. My wireless network is all Cisco LWAPP AP's
> connecting to Cisco WLAN controllers and we use Cisco WCS to manage
> all of these devices. I am trying to setup a secure network using wpa
> and wpa2 with 802.1x using eap-peap.
>
> The message
>
> 'WARNING: No known good password was found in LDAP.  Are you sure that the
> user is configured correctly?'
>
> shows up also on the non-802.1x ldap auth wlan that works. Let me know
> if more detail is needed.


Where is his password supposed to be? Ldap auth can't work with mschap,
so you need to send the password to freeradius. You need to enable ldap
instances in inner-tunnel virtual server (that will be doing mschap
auth).

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 802.1x problems

2009-01-15 Thread Keith Ledford
On Thursday, January 15, 2009 at 20:36:00, t...@kalik.net wrote:
> Where is his password supposed to be? Ldap auth can't work with mschap,
> so you need to send the password to freeradius. You need to enable ldap
> instances in inner-tunnel virtual server (that will be doing mschap
> auth).

The passwords are in the ldap server (Novell). I don't understand what
you mean by 

so you need to send the password to freeradius

Can you either explain or point me to the proper doc? If ldap auth
can't work with mschap what does everyone do to work with standard
windows clients?

I did enable ldap in the inner-tunnel config file. I did miss that
before. Thanks!



-- 
Keith Ledford kledford AT uga DOT edu
Network Administrator
EITS Network Engineering
706.542.0723 phone


Re: 802.1x problems

2009-01-15 Thread tnt
> The passwords are in the ldap server (Novell). I don't understand what
> you mean by
>
> so you need to send the password to freeradius


It should be made available in userPassword attribute. Or as NT hash in
ntPassword or sambaNtPassword.

> Can you either explain or point me to the proper doc? If ldap auth
> can't work with mschap what does everyone do to work with standard
> windows clients?

Read comments above set_auth_type in ldap module configuration file
(raddb/modules/ldap). People make the passwords available to radius.
Your debug shows no attributes being passed from ldap to radius (check
or reply).

Ivan Kalik
Kalik Informatika ISP
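
Added example (not part of the thread and not FreeRADIUS code): a Python check of whether the attributes an LDAP lookup returns can back PEAP/MS-CHAPv2, which needs the cleartext password or its NT hash rather than a bind-only check or a one-way hash. The function name, the entry layout (attribute name mapped to a list of string values) and all sample values are assumptions constructed for illustration; userPassword, ntPassword and sambaNtPassword are the attributes named above.

```python
import re

# LDAP attributes named in the thread that can carry MS-CHAP-usable material.
NT_ATTRS = ("ntpassword", "sambantpassword")
NT_HASH = re.compile(r"^(0x)?[0-9a-fA-F]{32}$")   # MD4 digest as 32 hex chars
SCHEME = re.compile(r"^\{([A-Za-z0-9_-]+)\}")      # e.g. {SSHA}, {CRYPT}
CLEAR_SCHEMES = {"CLEAR", "CLEARTEXT"}


def mschap_credential(entry):
    """Decide whether an LDAP entry (attr -> list of str) can back MS-CHAPv2.

    Returns (usable, detail): detail is the RADIUS check attribute the value
    would populate, or the reason the entry cannot be used.
    """
    attrs = {name.lower(): values for name, values in entry.items()}

    # An NT hash is enough: MS-CHAP is computed from it directly.
    for name in NT_ATTRS:
        for value in attrs.get(name, []):
            if NT_HASH.match(value.strip()):
                return True, "NT-Password"

    # userPassword only helps if it is readable and not a one-way hash.
    passwords = [v for v in attrs.get("userpassword", []) if v]
    for value in passwords:
        m = SCHEME.match(value)
        if m is None or m.group(1).upper() in CLEAR_SCHEMES:
            return True, "Cleartext-Password"

    if passwords:
        schemes = sorted({SCHEME.match(v).group(1).upper() for v in passwords})
        return False, "one-way hash only: " + ",".join(schemes)
    # Matches the symptom in the thread: nothing passed from LDAP to RADIUS.
    return False, "no password attribute returned"


# Constructed sample entries (not taken from any real directory).
SAMPLES = {
    "nothing readable": {"uid": ["alice"]},
    "salted hash": {"uid": ["bob"], "userPassword": ["{SSHA}Q29uc3RydWN0ZWQ="]},
    "cleartext": {"uid": ["carol"], "userPassword": ["s3cret-sample"]},
    "nt hash": {"uid": ["dave"],
                "sambaNTPassword": ["8846F7EAEE8FB117AD06BDD830B7586C"]},
}

if __name__ == "__main__":
    for label, entry in SAMPLES.items():
        print(label, "->", mschap_credential(entry))
```

An entry in the first state can still pass a PAP login through an LDAP bind, which is consistent with the LDAP-auth SSID working while the PEAP one fails.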



RE: 802.1x problems

2009-01-15 Thread Danner, Mearl
The passwords need to be extracted from eDirectory and passed to
freeradius.


This guide is old - I haven't seen what needs to be done with the
freeradius config, but it will tell you what you need to do on the
Novell end.

http://freeradius.org/doc/radiusadmin.pdf

Mearl



RE: 802.1x problems

2009-01-15 Thread tnt
There are comments about eDirectory in ldap module configuration file.
You might need to rebuild the server.

Ivan Kalik
Kalik Informatika ISP

