RE: Is there some kind of trick to make Cisco LEAP work???
Hi,
iam actual need to setup some APs including WLSE (havn´t recived them by
now) and some WDS APs. Auth should be EAP/PEAP...
Reading this thread it leads me to the conclusion that
a) the WLSE is sending Radius requests (well dont know what there are for) ?
b) that this dosn´t work becausw WLSE is brocken ?
Is that still right or have you got it working ?
Regards
Holger Steppke
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of James Munroe
Sent: Sunday, September 26, 2004 5:05 PM
To: [EMAIL PROTECTED]
Subject: RE: Is there some kind of trick to make Cisco LEAP work???
Hello Folks,
All I can say is WOW! Too be quite honest I had given
up on making FreeRadius work with Cisco's WDS and WLSE. In
my particular situation we also had a licensed Cisco ACS 3.x
(now 3.3) server however, we weren't particularly happy about
exposing it to an untrusted Wi-fi network considering it also
provides authentication services to the rest of our network
resources. That's were I saw FreeRadius as an excellent fit.
To update my original post I had gotten LEAP to work
with clients (after the fact). My problem was I fooled with
trying to get WDS LEAP functioning with a WLSE to the point
that I could no longer see the forest for the trees. Hence
I jumped to the conclusion that LEAP support was just screwed
in FreeRadius! :-( After a fresh configuration from the AP's
up to FreeRadius I had gotten LEAP to work for authenticating users.
I would like to thank everyone for their efforts,
especially Richard Timsit his diagnostic efforts and posting
of the necessary patches. FreeRadius is an excellent product
that in my opinion rivals any commercial package available
today (a webmin module for a GUI might be a nice addition
;-)). Now, it's back to the RD cycle for me to test
WDS-WLSE LEAP functionality again.
Thank You All for your help, insight, and time!
Jim
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Richard Timsit
Sent: Tuesday, September 07, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: Re: Is there some kind of trick to make Cisco LEAP work???
Richard,
Thanks for that input, it sounds very straightforward to
me. I'll try
your patches on Tuesday (Monday is a holiday here). Have
you brought
this up with Cisco? If not, I will open a case next week.
I'd like
to know whether Cisco's leap/eap developers intended for
the ID to not
increment-- or whether they've made a mistake against their own
standard.
Ok, nice if you open a case to Cisco. Their leap-software of
WLSE is buggy,
(not the same as their access points) :-)
I'd like to use the same freeradius server for WLSE/APs as
for other
non-LEAP clients, such as TLS/PEAP. Since your patch to rlm_eap.c
should only kick in when reply-type.type == PW_EAP_LEAP, there
should be no problem, wouldn't you say?
Ok, if you have only non-LEAP clients. But you need to path
every new relese
of freeradius you need...
Bests regards.
+--+
| ??? |
|{O-O} Richard Timsit |
| ^_ SIC STI|
|/ T \_ EPFL Lausanne |
| '` I 1015 Ecublens,SUISSE |
| M(021) 693 22 35|
| | | [EMAIL PROTECTED] |
| I I |
+--+
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is there some kind of trick to make Cisco LEAP work???
James,
We have gotten LEAP to work with Cisco access points. My last posting
on the subject might help if you haven't gotten there yet...
However, we have not been able to get LEAP for Cisco's WDS worked out.
All of the access points in the group authenticate successfully, but
the WLSE does not.
Yes, WLSE is not running exatly like an access point :-((
Comparing the answer of Cisco server radius ACS who authenticate
WLSE and access points, with freeradius, we can see that ACS don't
increment the EAP ID as said in doc/rfc/leap.txt :
-
4. RS-AP: Access-Challenge/EAP Success (with EAP id++)
+ State (may be different than the satate send in 2)
-
So with this first patch in
freeradius-1.0.0/src/modules/rlm_eap/types/rlm_eap_
leap :
---
--
--- rlm_eap_leap.c.FCS 2004-08-16 18:29:23.0 +0200
+++ rlm_eap_leap.c 2004-08-16 18:34:25.0 +0200
@@ -147,7 +147,10 @@
/*
* Do this only for Success.
*/
- handler-eap_ds-request-id =
handler-eap_ds-response-id
+ 1;
+/* RT Oops WLSE don't like CISCO LEAP
standard
+ handler-eap_ds-request-id =
handler-eap_ds-response-id
++ 1; */
+
+ handler-eap_ds-request-id =
handler-eap_ds-response-id ;
handler-eap_ds-set_request_id = 1;
/*
---
The WLSE accept the response of freeradius and send an Access-Request/EAP
Request/LEAP
But in stage 6 the WLSE does not accept the SUCCESS response of RS if the
normal id++
so i made a second patch of eap.c in freeradius-1.0.0/src/modules/rlm_eap
:
---
--- eap.c.FCS 2004-08-16 18:25:05.0 +0200
+++ eap.c 2004-08-16 18:28:47.0 +0200
@@ -393,6 +393,16 @@
hdr-code = (reply-code 0xFF);
hdr-id = (reply-id 0xFF);
+
+ /* RT Oops WLSE don't like CISCO LEAP Standard ... so we make as
ACS
+do
*/
+ if((reply-code == PW_EAP_RESPONSE)
+ (reply-type.type == PW_EAP_LEAP)
+ (reply-type.length == 30)) { hdr-id -= 1 ;}
+
+DEBUG2( rlm_eap: RT Modif EAP-Type = %d EAP-LENGTH = %d,
+ reply-type.type,reply-type.length);
+/* END MODIF RT */
+
total_length = htons(total_length);
memcpy(hdr-length, total_length, sizeof(uint16_t));
---
Since i have freeradius working with thousands of users with many
protocols,
i made a rogue_radius with this 2 bad patchs listening on port 1645 only
for
Cisco WDS !!!
Richard,
I have been trying to get my WLSE working with FreeRadius for a very long
time, untill I finally stumbled onto your post.
I have applied the patches you provided to freeradius 1.0.1 and I am
definetly getting further along then I used to with WLSE authenticating to
the WDS enabled AP, however it's not getting to the final SECURITY KEYS
SETUP state. I can only get it to go as far as AUTHENTICATED state when
I execute sh wlccp wnm status on the AP. I am able to get this working
using built in radius server on the Access point, but no luck with
Freeradius (I wish Cisco would follow a standard protocol)
Do you have any suggestions?
Here is the output from the freeradius when WLSE attemps to authenticate.
(I appologize for the long email)
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
RE: Is there some kind of trick to make Cisco LEAP work???
Hello Folks,
All I can say is WOW! Too be quite honest I had given up on making
FreeRadius work with Cisco's WDS and WLSE. In my particular situation we
also had a licensed Cisco ACS 3.x (now 3.3) server however, we weren't
particularly happy about exposing it to an untrusted Wi-fi network
considering it also provides authentication services to the rest of our
network resources. That's were I saw FreeRadius as an excellent fit.
To update my original post I had gotten LEAP to work with clients
(after the fact). My problem was I fooled with trying to get WDS LEAP
functioning with a WLSE to the point that I could no longer see the forest
for the trees. Hence I jumped to the conclusion that LEAP support was just
screwed in FreeRadius! :-( After a fresh configuration from the AP's up to
FreeRadius I had gotten LEAP to work for authenticating users.
I would like to thank everyone for their efforts, especially Richard
Timsit his diagnostic efforts and posting of the necessary patches.
FreeRadius is an excellent product that in my opinion rivals any commercial
package available today (a webmin module for a GUI might be a nice addition
;-)). Now, it's back to the RD cycle for me to test WDS-WLSE LEAP
functionality again.
Thank You All for your help, insight, and time!
Jim
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard
Timsit
Sent: Tuesday, September 07, 2004 11:54 AM
To: [EMAIL PROTECTED]
Subject: Re: Is there some kind of trick to make Cisco LEAP work???
Richard,
Thanks for that input, it sounds very straightforward to me. I'll try
your patches on Tuesday (Monday is a holiday here). Have you brought
this up with Cisco? If not, I will open a case next week. I'd like
to know whether Cisco's leap/eap developers intended for the ID to not
increment-- or whether they've made a mistake against their own
standard.
Ok, nice if you open a case to Cisco. Their leap-software of WLSE is buggy,
(not the same as their access points) :-)
I'd like to use the same freeradius server for WLSE/APs as for other
non-LEAP clients, such as TLS/PEAP. Since your patch to rlm_eap.c
should only kick in when reply-type.type == PW_EAP_LEAP, there
should be no problem, wouldn't you say?
Ok, if you have only non-LEAP clients. But you need to path every new relese
of freeradius you need...
Bests regards.
+--+
| ??? |
|{O-O} Richard Timsit |
| ^_ SIC STI|
|/ T \_ EPFL Lausanne |
| '` I 1015 Ecublens,SUISSE |
| M(021) 693 22 35|
| | | [EMAIL PROTECTED] |
| I I |
+--+
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is there some kind of trick to make Cisco LEAP work???
Richard,
Thanks for that input, it sounds very straightforward to me. I'll try
your patches on Tuesday (Monday is a holiday here). Have you brought
this up with Cisco? If not, I will open a case next week. I'd like to
know whether Cisco's leap/eap developers intended for the ID to not
increment-- or whether they've made a mistake against their own
standard.
I'd like to use the same freeradius server for WLSE/APs as for other
non-LEAP clients, such as TLS/PEAP. Since your patch to rlm_eap.c
should only kick in when reply-type.type == PW_EAP_LEAP, there should
be no problem, wouldn't you say?
Thanks again,
Coates Carter
University of Richmond
On Sep 1, 2004, at 6:04 AM, Richard Timsit wrote:
James,
We have gotten LEAP to work with Cisco access points. My last posting
on the subject might help if you haven't gotten there yet...
However, we have not been able to get LEAP for Cisco's WDS worked out.
All of the access points in the group authenticate successfully, but
the WLSE does not.
Yes, WLSE is not running exatly like an access point :-((
Comparing the answer of Cisco server radius ACS who authenticate
WLSE and access points, with freeradius, we can see that ACS don't
increment the EAP ID as said in doc/rfc/leap.txt :
-
4. RS-AP: Access-Challenge/EAP Success (with EAP id++)
+ State (may be different than the satate send in 2)
-
So with this first patch in
freeradius-1.0.0/src/modules/rlm_eap/types/rlm_eap_
leap :
---
--
--- rlm_eap_leap.c.FCS 2004-08-16 18:29:23.0 +0200
+++ rlm_eap_leap.c 2004-08-16 18:34:25.0 +0200
@@ -147,7 +147,10 @@
/*
* Do this only for Success.
*/
- handler-eap_ds-request-id = handler-eap_ds-response-id + 1;
+ /* RT Oops WLSE don't like CISCO LEAP standard
+ handler-eap_ds-request-id = handler-eap_ds-response-id + 1; */
+
+ handler-eap_ds-request-id = handler-eap_ds-response-id ;
handler-eap_ds-set_request_id = 1;
/*
---
The WLSE accept the response of freeradius and send an
Access-Request/EAP
Request/LEAP
But in stage 6 the WLSE does not accept the SUCCESS response of RS if
the
normal id++
so i made a second patch of eap.c in
freeradius-1.0.0/src/modules/rlm_eap :
---
--- eap.c.FCS 2004-08-16 18:25:05.0 +0200
+++ eap.c 2004-08-16 18:28:47.0 +0200
@@ -393,6 +393,16 @@
hdr-code = (reply-code 0xFF);
hdr-id = (reply-id 0xFF);
+
+ /* RT Oops WLSE don't like CISCO LEAP Standard ... so we make as ACS
do
*/
+ if((reply-code == PW_EAP_RESPONSE)
+ (reply-type.type == PW_EAP_LEAP)
+ (reply-type.length == 30)) { hdr-id -= 1 ;}
+
+DEBUG2( rlm_eap: RT Modif EAP-Type = %d EAP-LENGTH = %d,
+ reply-type.type,reply-type.length);
+/* END MODIF RT */
+
total_length = htons(total_length);
memcpy(hdr-length, total_length, sizeof(uint16_t));
---
Since i have freeradius working with thousands of users with many
protocols,
i made a rogue_radius with this 2 bad patchs listening on port 1645
only for
Cisco WDS !!!
+--+
| ??? |
|{O-O} Richard Timsit |
| ^_ SIC STI|
|/ T \_ EPFL Lausanne |
| '` I 1015 Ecublens,SUISSE |
| M(021) 693 22 35|
| | | [EMAIL PROTECTED] |
| I I |
+--+
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is there some kind of trick to make Cisco LEAP work???
James,
We have gotten LEAP to work with Cisco access points. My last posting
on the subject might help if you haven't gotten there yet...
However, we have not been able to get LEAP for Cisco's WDS worked out.
All of the access points in the group authenticate successfully, but
the WLSE does not.
Yes, WLSE is not running exatly like an access point :-((
Comparing the answer of Cisco server radius ACS who authenticate
WLSE and access points, with freeradius, we can see that ACS don't
increment the EAP ID as said in doc/rfc/leap.txt :
-
4. RS-AP: Access-Challenge/EAP Success (with EAP id++)
+ State (may be different than the satate send in 2)
-
So with this first patch in freeradius-1.0.0/src/modules/rlm_eap/types/rlm_eap_
leap :
---
--
--- rlm_eap_leap.c.FCS 2004-08-16 18:29:23.0 +0200
+++ rlm_eap_leap.c 2004-08-16 18:34:25.0 +0200
@@ -147,7 +147,10 @@
/*
* Do this only for Success.
*/
- handler-eap_ds-request-id = handler-eap_ds-response-id + 1;
+/* RT Oops WLSE don't like CISCO LEAP standard
+ handler-eap_ds-request-id = handler-eap_ds-response-id + 1; */
+
+ handler-eap_ds-request-id = handler-eap_ds-response-id ;
handler-eap_ds-set_request_id = 1;
/*
---
The WLSE accept the response of freeradius and send an Access-Request/EAP
Request/LEAP
But in stage 6 the WLSE does not accept the SUCCESS response of RS if the
normal id++
so i made a second patch of eap.c in freeradius-1.0.0/src/modules/rlm_eap :
---
--- eap.c.FCS 2004-08-16 18:25:05.0 +0200
+++ eap.c 2004-08-16 18:28:47.0 +0200
@@ -393,6 +393,16 @@
hdr-code = (reply-code 0xFF);
hdr-id = (reply-id 0xFF);
+
+ /* RT Oops WLSE don't like CISCO LEAP Standard ... so we make as ACS do
*/
+ if((reply-code == PW_EAP_RESPONSE)
+ (reply-type.type == PW_EAP_LEAP)
+ (reply-type.length == 30)) { hdr-id -= 1 ;}
+
+DEBUG2( rlm_eap: RT Modif EAP-Type = %d EAP-LENGTH = %d,
+ reply-type.type,reply-type.length);
+/* END MODIF RT */
+
total_length = htons(total_length);
memcpy(hdr-length, total_length, sizeof(uint16_t));
---
Since i have freeradius working with thousands of users with many protocols,
i made a rogue_radius with this 2 bad patchs listening on port 1645 only for
Cisco WDS !!!
+--+
| ??? |
|{O-O} Richard Timsit |
| ^_ SIC STI|
|/ T \_ EPFL Lausanne |
| '` I 1015 Ecublens,SUISSE |
| M(021) 693 22 35|
| | | [EMAIL PROTECTED] |
| I I |
+--+
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is there some kind of trick to make Cisco LEAP work???
James, We have gotten LEAP to work with Cisco access points. My last posting on the subject might help if you haven't gotten there yet... http://lists.freeradius.org/pipermail/freeradius-users/2004-August/ 035601.html However, we have not been able to get LEAP for Cisco's WDS worked out. All of the access points in the group authenticate successfully, but the WLSE does not. I've looked carefully at the debug output on freeradius as well as the debug output on the master Access Point. Freeradius debug shows that most of the EAP transaction takes place normally. The initial Access-Request, the Identity challenge, the Access-Request response to that, and the new Access-Challenge from radiusd are all just fine. But... the supplicant (WLSE) does NOT answer that final Access-Challenge... at all. Freeradius debug shows no indication of error or mis-configuration. Following this, I scrutinized the radius debug output on the master Access Point. In one test, the AP pointed to the freeradius server. In a second test, the AP pointed to a cisco ACS server (on another AP). Comparing the debug output from these two tests revealed only a small (but significant) difference. The ACS server and freeradius return nearly identical attributes. The first difference is that in the first Access-Challenge, ACS returns Session-Timeout integer of value 10. Freeradius does not return this attribute by default. I'll have it return that attribute in the next test. I doubt that is the problem, but you never know. More significant is the value of State in each Access-Challenge. The ACS server sends a State with 48 octets of data, like this... 3C CE 0B C2 1F C4 EC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 8B 02 C7 5F 73 30 72 79 4C BE 81 58 77 08 FC Freeradius sends a State with 16 octets of data, like this... 08 69 18 A9 AF 56 71 B1 2C E9 A9 2A 35 CA D9 94 The RFC on this attribute ( http://www.freeradius.org/rfc/rfc2865.html#State ) says the value is application specific, and I'm not sure which module produces it, how to decode it, etc. But it seems clear to me that this is the fly that choked the horse (Cisco's WLSE leap/eap/radius client being the horse). Can someone who understands the nuances of this State value please help? freeradius-1.0.0 Red Hat Enterprise Linux AS release 3 (Taroon Update 2) openssl-0.9.7a-33.4.i686.rpm openldap-2.2.13 (on localhost) Thanks, Coates Carter University of Richmond ... James D. Munroe [EMAIL PROTECTED] wrote: Has anyone tried or successfully been able to get Cisco-Leap to work using FreeRadius? Lots of people. That's why the feature is there. It's been used for over a year now. If you can't get LEAP to work, I suggest running the server in debugging mode, and reading the FAQ about statements like it doesn't work on this list. LEAP works. If it doesn't work in your setup, debug mode will tell you why. Alan DeKok. .. James D. Munroe [EMAIL PROTECTED] Fri, 25 Jun 2004 17:32:22 -0300 (ADT) Hello, Has anyone tried or successfully been able to get Cisco-Leap to work using FreeRadius? Components: - Cisco AIR-AP1230B-A-K9 Access Points running IOS 12.2.15 Freeradius 0.9.3 installed from the Redhat ES 3.0 RPM, running on a Redhat ES 3.0 Server If so, would it be possible to get sanitized copies of your Freeradius configuration files (radiusd.conf, users, clients.conf, etc...)? Authenication to the AP itself using radius works prefect, have even setup EAP-TLS and it works prefect!! But leap is a no good... It's not a configuration issue on the Access Points themselves. Leap works fine when used against Cisco ACS (v3.2.3). However, for security reasons and cost of course we would like to use Freeradius for outside hosts rather than expose our internal ACS server. Also, I have been unable to get the WDS service working between the AP's and Cisco's WLSE.=A0 I'm not surprised since it uses Leap. It does work though with CiscoACS...but Freeradius is a no go. :-( Any help would be greatly appreciated!! Thanks, Jim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is there some kind of trick to make Cisco LEAP work???
Coates Carter [EMAIL PROTECTED] wrote: The ACS server and freeradius return nearly identical attributes. The first difference is that in the first Access-Challenge, ACS returns Session-Timeout integer of value 10. Freeradius does not return this attribute by default. I'll have it return that attribute in the next test. I doubt that is the problem, but you never know. I'm not sure what else it would be. More significant is the value of State in each Access-Challenge. The ACS server sends a State with 48 octets of data, like this... 3C CE 0B C2 1F C4 EC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4A 8B 02 C7 5F 73 30 72 79 4C BE 81 58 77 08 FC Freeradius sends a State with 16 octets of data, like this... 08 69 18 A9 AF 56 71 B1 2C E9 A9 2A 35 CA D9 94 That shouldn't matter. The State attribute is defined to be opaque nonsense, so far as the NAS is concerned. The RFC on this attribute ( http://www.freeradius.org/rfc/rfc2865.html#State ) says the value is application specific, and I'm not sure which module produces it, how to decode it, etc. But it seems clear to me that this is the fly that choked the horse (Cisco's WLSE leap/eap/radius client being the horse). The state is meaningless, other than a series of bytes which the server interprets. It's implementation-specific, and the NAS thinks it means anything. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is there some kind of trick to make Cisco LEAP work???
James D. Munroe [EMAIL PROTECTED] wrote: Has anyone tried or successfully been able to get Cisco-Leap to work using FreeRadius? Lots of people. That's why the feature is there. It's been used for over a year now. If you can't get LEAP to work, I suggest running the server in debugging mode, and reading the FAQ about statements like it doesn't work on this list. LEAP works. If it doesn't work in your setup, debug mode will tell you why. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
