help-gnu-radius

[Help-gnu-radius] Cisco Aironet 1100 & Gnu Radius


From: Mikael Syska
Subject: [Help-gnu-radius] Cisco Aironet 1100 & Gnu Radius
Date: Wed, 26 Mar 2008 00:35:59 +0100

Hi,

I'm having problems getting my AP to authenticate against my RADIUS server. Below is
various information.

Windows client: (I'm trying to translate from the Danish)
WPA-Enterprise
Encryption: TKIP
Authentication method: PEAP (the other ones are chip or certificate)
Don't validate server certificate
EAP-MSCHAP v2 (Do not use Windows logon name and password)
Under that there are 3 check boxes, all turned off ....

So ... Windows says this configuration is right and I get to type the
username and password ... but it never gets to the RADIUS box, as you
can see from the log files below ....

If you need more information, I will happily supply it .... as I'm
really lost here ... don't know if GNU Radius is even able to do it
... only time will tell, but I sure hope so :-)

Best regards
Mikael Syska

----------------------

Here is some debug information:
Debug from the Cisco AP:
Mar 25 22:54:16.617: RADIUS/ENCODE(000000A1):Orig. component type = DOT11
Mar 25 22:54:16.617: RADIUS:  AAA Unsupported Attr: ssid              [263] 3
Mar 25 22:54:16.617: RADIUS:   6F
         [o]
Mar 25 22:54:16.617: RADIUS:  AAA Unsupported Attr: location-name     [530] 4
Mar 25 22:54:16.617: RADIUS:   4F 45
         [OE]
Mar 25 22:54:16.618: RADIUS:  AAA Unsupported Attr: interface         [156] 3
Mar 25 22:54:16.618: RADIUS:   34
         [4]
Mar 25 22:54:16.618: RADIUS(000000A1): Storing nasport 412 in rad_db
Mar 25 22:54:16.618: RADIUS(000000A1): Config NAS IP: 172.17.4.30
Mar 25 22:54:16.619: RADIUS/ENCODE(000000A1): acct_session_id: 161
Mar 25 22:54:16.619: RADIUS(000000A1): Config NAS IP: 172.17.4.30
Mar 25 22:54:16.619: RADIUS(000000A1): sending
Mar 25 22:54:16.619: RADIUS(000000A1): Send Access-Request to
172.17.4.1:1812 id 1645/31, len 121
Mar 25 22:54:16.619: RADIUS:  authenticator 63 B4 AE 27 0B BF 68 D1 -
8E C2 A9 74 03 17 D7 38
Mar 25 22:54:16.619: RADIUS:  User-Name           [1]   5   "rrr"
Mar 25 22:54:16.620: RADIUS:  Framed-MTU          [12]  6   1400
Mar 25 22:54:16.620: RADIUS:  Called-Station-Id   [30]  16  "001e.be8e.03e0"
Mar 25 22:54:16.620: RADIUS:  Calling-Station-Id  [31]  16  "001b.77d2.b10c"
Mar 25 22:54:16.620: RADIUS:  Service-Type        [6]   6   Login
               [1]
Mar 25 22:54:16.620: RADIUS:  Message-Authenticato[80]  18  *
Mar 25 22:54:16.621: RADIUS:  EAP-Message         [79]  10
Mar 25 22:54:16.621: RADIUS:   02 02 00 08 01 72 72 72
         [?????rrr]
Mar 25 22:54:16.621: RADIUS:  NAS-Port-Type       [61]  6   802.11
wireless           [19]
Mar 25 22:54:16.621: RADIUS:  NAS-Port            [5]   6   412
Mar 25 22:54:16.621: RADIUS:  NAS-IP-Address      [4]   6
172.17.4.30
Mar 25 22:54:16.621: RADIUS:  Nas-Identifier      [32]  6   "ap30"
Mar 25 22:54:16.624: RADIUS: Received from id 1645/31 172.17.4.1:1812,
Access-Reject, len 39
Mar 25 22:54:16.624: RADIUS:  authenticator 4C 71 B8 6A A3 15 51 B7 -
B5 4A 93 69 64 84 49 1C
Mar 25 22:54:16.624: RADIUS:  Reply-Message       [18]  19
Mar 25 22:54:16.625: RADIUS:   0D 0A 41 63 63 65 73 73 20 64 65 6E 69
65 64 0D  [??Access denied?]
Mar 25 22:54:16.625: RADIUS:   0A
         [?]
Mar 25 22:54:16.625: RADIUS(000000A1): Received from id 1645/31

Debug from the GNU Radius server:
Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
/usr/local/etc/raddb/users:14; hints:4
Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
/usr/local/etc/raddb/users:14; hints:4
Mar 25 23:28:31 [8658]: (Access-Request 172.17.4.30 30 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
Mar 25 23:28:31 [8658]: (Access-Request 172.17.4.30 30 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
/usr/local/etc/raddb/users:14; hints:4
Mar 25 23:54:08 [8658]: (Access-Request 172.17.4.30 31 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
Mar 25 23:54:08 [8658]: (Access-Request 172.17.4.30 31 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
/usr/local/etc/raddb/users:14; hints:4
Mar 26 00:08:40 [8658]: (Access-Request 172.17.4.30 32 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
Mar 26 00:08:40 [8658]: (Access-Request 172.17.4.30 32 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
/usr/local/etc/raddb/users:14; hints:4
Mar 26 00:09:36 [8658]: (Access-Request 172.17.4.30 33 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
Mar 26 00:09:36 [8658]: (Access-Request 172.17.4.30 33 "rrr"
CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
/usr/local/etc/raddb/users:14; hints:4

Cisco config.txt:
!
! Last configuration change at 23:25:11 +0100 Tue Mar 25 2008 by Cisco
! NVRAM config last updated at 23:25:11 +0100 Tue Mar 25 2008 by Cisco
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap30
!
no logging console
enable secret 5 $1$2jwC$NHe..OkEaUL4fxHY22NDe0
!
clock timezone +0100 1
ip subnet-zero
ip domain name foo.tld
ip name-server 172.17.4.1
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 172.17.4.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid oma
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   guest-mode
!
!
!
username Cisco privilege 15 password 7 0005170B0D555B51
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid oma
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0
basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 172.17.4.30 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.17.4.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
logging facility auth
logging 172.17.4.20
access-list 111 permit tcp any any neq telnet
snmp-server view dot11view ieee802dot11 included
snmp-server community public view dot11view RO
snmp-server location OEST
snmp-server contact address@hidden
snmp-server chassis-id ap30
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.17.4.1 auth-port 1812 acct-port 1813 key 7
135647415A5F567978
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
 access-class 111 in
line vty 0 4
 access-class 111 in
!
sntp server 83.221.136.68
sntp broadcast client
end

config from the RADIUS server:
# For detailed description, run:
#       info Radius config

# usedbm no;

option {
        # source-ip 172.17.4.1;
        max-requests 1024;
        resolve no;
};

logging {
        prefix-hook "default_log_prefix";
        channel default {
                file "radius.log";
                print-category yes;
                print-level yes;
        };
        channel info {
                file "radius.info";
                print-pid yes;
        };
        channel debug {
                file "radius.debug";
        };
        category auth {
                level high;
                print-auth yes;
                print-failed-pass yes;
        };
        category info {
                channel info;
        };
        category =debug {
                channel debug;
        };
        category * {
                channel default;
        };
};

auth {
        #listen 172.17.4.1;
        #port 1645;
        trace-rules yes;
        max-requests 127;
        request-cleanup-delay 2;
        detail yes;
        # detail-file-name "=nas_name(request_source_ip()) + \"/detail.auth\"";
        strip-names yes;
        # checkrad-assume-logged yes;
};

acct {
        max-requests 127;
        request-cleanup-delay 2;
        detail-file-name "=nas_name(request_source_ip()) + \"/detail\"";
};

rewrite {
        load "checknas.rw";
        load "log-hook.rw";
        load "nas-ip.rw";
};

# snmp {
#       listen no;
# };

users file from GNU Radius:
# For detailed description, run:
#       info Radius users


## The following entry is supposed to be used with authentication probe
## control. Please read `info --node 'Auth Probing' radius' for the detailed
## description of it
DEFAULT Group = "*LOCKED_ACCOUNT*",
                Auth-Type = Reject
        Reply-Message = "Your account is currently locked.\n\
Please, contact your system administrator\n"


## Default entry.
DEFAULT Auth-Type = Crypt-Local,
                         Password-Location = SQL,
                Simultaneous-Use = 1
        Service-Type = Framed-User,
                Framed-Protocol = PPP

sqlserver from the RADIUS server:
I only changed a few things, like:
doauth yes;
and user, pass, host, database so it can auth; the rest is default.
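As an added example (not part of the original post or of GNU Radius), the script below decodes the EAP-Message attribute bytes the AP debug printed (`02 02 00 08 01 72 72 72`, RADIUS attribute 79) according to RFC 3748, and parses the GNU Radius auth log lines from the post (joined back onto one line each, as the log writes them) to group each reject by request id with the password the server saw and the rule trace it logged. The `SAMPLE_LOG` text, the log regexes and the helper names are constructed for this example. The point it makes visible: the request did reach 172.17.4.1 and was answered with an Access-Reject, and what it carried was an EAP Response/Identity for "rrr" with no User-Password attribute, which is consistent with the server logging an empty password (`[rrr/]`) when the matching users entry (`users:14`, the Crypt-Local DEFAULT) tried a plain password check.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3748 EAP codes and a few method types (standard values, not from the post).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             25: "PEAP", 26: "MS-CHAPv2"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type byte
    data: bytes


def parse_eap(raw: bytes) -> EapPacket:
    """Decode one EAP packet (the payload carried in RADIUS attribute 79, EAP-Message)."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} disagrees with {len(raw)} bytes present")
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP Code {code}")
    if code in (1, 2):          # Request/Response: a Type byte follows the header
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        return EapPacket(code, ident, length, raw[4], raw[5:])
    return EapPacket(code, ident, length, None, raw[4:])


def describe_eap(pkt: EapPacket) -> str:
    """Human-readable one-liner for an EAP packet."""
    kind = EAP_CODES[pkt.code]
    if pkt.eap_type is None:
        return f"EAP {kind} id={pkt.identifier}"
    tname = EAP_TYPES.get(pkt.eap_type, f"type {pkt.eap_type}")
    if pkt.eap_type == 1:       # Identity: the data is the peer's identity string
        return f"EAP {kind}/{tname} id={pkt.identifier} identity={pkt.data.decode('utf-8', 'replace')!r}"
    return f"EAP {kind}/{tname} id={pkt.identifier} {len(pkt.data)} data bytes"


# The EAP-Message bytes exactly as the AP debug printed them.
AP_EAP_MESSAGE_HEX = "02 02 00 08 01 72 72 72"

# GNU Radius auth log line (regex constructed for this example; the post shows the
# lines wrapped, the log itself writes one line per event).
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \[(?P<pid>\d+)\]: '
    r'\(Access-Request (?P<nas>[\d.]+) (?P<id>\d+) "(?P<user>[^"]*)"'
    r'(?: CLID=(?P<clid>[^\s)]+))?(?: CSID=(?P<csid>[^\s)]+))?\): (?P<msg>.*)$'
)
# "[user/password]" is what print-failed-pass yes appends to a Login incorrect line.
LOGIN_INCORRECT_RE = re.compile(r'^Login incorrect \[(?P<user>[^/\]]*)/(?P<passwd>[^\]]*)\]$')
RULE_TRACE_RE = re.compile(r'^rule trace: (?P<trace>.*)$')

# Constructed sample: the first two requests from the post, each joined onto one line.
SAMPLE_LOG = """\
Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
"""


def summarize_rejects(log_text: str) -> dict:
    """Group 'Login incorrect' events by (NAS, request id) and attach the rule trace,
    so each reject shows which users-file entry handled it and what password
    (possibly none) the server saw."""
    events = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m["nas"], int(m["id"]))
        ev = events.setdefault(key, {"user": m["user"], "clid": m["clid"], "csid": m["csid"]})
        li = LOGIN_INCORRECT_RE.match(m["msg"])
        if li:
            ev["password_seen"] = li["passwd"]   # "" means the request carried no password
        rt = RULE_TRACE_RE.match(m["msg"])
        if rt:
            ev["rule_trace"] = rt["trace"]
    return events


def main() -> None:
    print(describe_eap(parse_eap(bytes.fromhex(AP_EAP_MESSAGE_HEX))))
    for (nas, rid), ev in summarize_rejects(SAMPLE_LOG).items():
        print(f"NAS {nas} id {rid}: user={ev['user']!r} CLID={ev['clid']} "
              f"password_seen={ev.get('password_seen')!r} trace={ev.get('rule_trace')}")


if __name__ == "__main__":
    main()
```

Running it prints `EAP Response/Identity id=2 identity='rrr'` for the AP's EAP-Message and, for each request id, `password_seen=''` next to the `users:14` rule trace. An EAP Response/Identity is only the opening of a PEAP conversation: to continue it the server has to reply with an Access-Challenge carrying an EAP Request, so a users entry that does nothing but a Crypt-Local password check can only reject it.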



