Re: 802.1x problems
> I am having some issues with setting up 802.1x using freeradius-server-2.1.1-2.el5. I have 3 SSIDs set up. One of them is doing Mac Auth against a file. One is using ldap auth and the other is set up to use 802.1x. Mac auth and ldap auth work great so I know my ldap config in radius should be set up correctly. It looks like the authorize part of 802.1x works but it fails during the authenticate part. Does anyone see what I have messed up? I am sure it is something simple that I am overlooking.
>
> I am using Windows XP SP3 to try to connect to this network. My wireless network is all Cisco LWAPP APs connecting to Cisco WLAN controllers and we use Cisco WCS to manage all of these devices. I am trying to set up a secure network using wpa and wpa2 with 802.1x using eap-peap.
>
> The message 'WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?' shows up also on the non-802.1x ldap auth wlan that works. Let me know if more detail is needed.

Where is his password supposed to be? Ldap auth can't work with mschap, so you need to send the password to freeradius. You need to enable ldap instances in inner-tunnel virtual server (that will be doing mschap auth).

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 802.1x problems
On Thursday, January 15, 2009 at 20:36:00, t...@kalik.net wrote:

> Where is his password supposed to be? Ldap auth can't work with mschap, so you need to send the password to freeradius. You need to enable ldap instances in inner-tunnel virtual server (that will be doing mschap auth).

The passwords are in the ldap server (Novell). I don't understand what you mean by "so you need to send the password to freeradius". Can you either explain or point me to the proper doc? If ldap auth can't work with mschap, what does everyone do to work with standard Windows clients?

I did enable ldap in the inner-tunnel config file. I did miss that before. Thanks!

--
Keith Ledford
kledford AT uga DOT edu
Network Administrator
EITS Network Engineering
706.542.0723 phone
Re: 802.1x problems
> The passwords are in the ldap server (Novell). I don't understand what you mean by "so you need to send the password to freeradius".

It should be made available in userPassword attribute. Or as NT hash in ntPassword or sambaNtPassword.

> Can you either explain or point me to the proper doc? If ldap auth can't work with mschap, what does everyone do to work with standard Windows clients?

Read comments above set_auth_type in ldap module configuration file (raddb/modules/ldap). People make the passwords available to radius. Your debug shows no attributes being passed from ldap to radius (check or reply).

Ivan Kalik
Kalik Informatika ISP
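Added example, not part of the thread and not FreeRADIUS code: MS-CHAPv2, the inner method of PEAP, can only be verified by a server that holds the cleartext password or its NT hash, so this Python sketch checks which attributes of an LDAP entry can back such a login. The helper names and the sample entries are hypothetical and constructed for illustration.

```python
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable."""
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + bytes((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19), 0
            elif i < 32:
                f, k = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4
                s, t = (3, 5, 9, 13), 0x5A827999
            else:
                f, k, s, t = b ^ c ^ d, r3[i - 32], (3, 9, 11, 15), 0x6ED9EBA1
            a, b, c, d = d, rol((a + f + x[k] + t) & 0xFFFFFFFF, s[i % 4]), b, c
        h = [(p + q) & 0xFFFFFFFF for p, q in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex().upper()  # MD4 of UTF-16LE

def mschap_credential(entry: dict):
    """Hypothetical helper: (nt_hash_or_None, reason) for one LDAP entry."""
    for attr in ("sambaNtPassword", "ntPassword"):
        value = entry.get(attr, "")
        if len(value) == 32 and all(ch in "0123456789abcdefABCDEF" for ch in value):
            return value.upper(), "NT hash in " + attr
    pw = entry.get("userPassword")
    if pw is None:
        return None, "no password attribute returned to RADIUS"
    if pw.startswith("{") and "}" in pw:
        scheme, _, pw = pw[1:].partition("}")
        if scheme.lower() not in ("clear", "cleartext"):
            return None, "{" + scheme + "} is a one-way hash, usable for PAP only"
    return nt_hash(pw), "cleartext userPassword"

# Constructed sample entries, not taken from the thread.
SAMPLES = {
    "bind-only": {"uid": "alice"},
    "ssha": {"uid": "bob", "userPassword": "{SSHA}c2FtcGxlLW9ubHk="},
    "cleartext": {"uid": "carol", "userPassword": "password"},
    "nt-hash": {"uid": "dave", "sambaNtPassword": "8846f7eaee8fb117ad06bdd830b7586c"},
}
RESULTS = {name: mschap_credential(e) for name, e in SAMPLES.items()}
```

Only the entries that yield an NT hash can back a PEAP/MS-CHAPv2 login; the bind-only entry corresponds to a lookup that passes no password attribute from LDAP to RADIUS.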
RE: 802.1x problems
The passwords need to be extracted from eDirectory and passed to freeradius. This guide is old - I haven't seen what needs to be done with the freeradius config, but it will tell you what you need to do on the Novell end.

http://freeradius.org/doc/radiusadmin.pdf

Mearl
RE: 802.1x problems
There are comments about eDirectory in ldap module configuration file. You might need to rebuild the server.

Ivan Kalik
Kalik Informatika ISP