
Re: [Help-gnu-radius] Cisco Aironet 1100 & Gnu Radius


From: Mikael Syska
Subject: Re: [Help-gnu-radius] Cisco Aironet 1100 & Gnu Radius
Date: Mon, 31 Mar 2008 22:01:39 +0200

I don't know if it's a GNU Radius problem ... but I changed to
"Freeradius" and all seems to work atm ....

What also made me change was when I read it hasn't been updated for 2
years ... so I also thought it might be a Vista problem ...

// oUT

On Wed, Mar 26, 2008 at 10:23 PM, Martin Laflamme
<address@hidden> wrote:
> Hi Mikael,
>
>  I've had a similar issue before with straightforward PPPoE authentication.
>
>  Login incorrect [rrr/]
>
>  Some users would log in and I would see something like you're seeing
>  above.  I'd get them to retype their username and everything would be
>  fine.
>
>  I'm not sure if gnu-radius chomps the username (removes any carriage
>  returns or spaces from usernames) but it almost looks like that was the
>  issue.
>
>  Anyways... it's an idea.
>
>  Martin
>
>
>
>
>  > Hi,
>  >
>  > I'm having problems getting my AP to auth with my RADIUS. Below is various
>  > information.
>  >
>  > Windows client: ( I'm trying to translate the Danish )
>  > WPA-Enterprise
>  > Encryption: TKIP
>  > Authentication method: PEAP ( the other ones are chip or certificate )
>  > Don't validate server certificate
>  > EAP-MSCHAP v2 ( Do not use windows logon name and password )
>  > Under there are 3 check boxes all turned off ....
>  >
>  > So ... Windows says this configuration is right and I get to type the
>  > username and password ...  but it never gets to the RADIUS box, as you
>  > can see from the log files below ....
>  >
>  > If you need more information, I will happily supply it .... as I'm
>  > really lost here ... don't know if GNU Radius is even able to do it
>  > ... only time will tell, but I sure hope so :-)
>  >
>  > best regards
>  > Mikael Syska
>  >
>  > ----------------------
>  >
>  > Here are some debug information:
>  > Debug from the Cisco AP:
>  > Mar 25 22:54:16.617: RADIUS/ENCODE(000000A1):Orig. component type = DOT11
>  > Mar 25 22:54:16.617: RADIUS:  AAA Unsupported Attr: ssid
>  > [263] 3
>  > Mar 25 22:54:16.617: RADIUS:   6F
>  >          [o]
>  > Mar 25 22:54:16.617: RADIUS:  AAA Unsupported Attr: location-name
>  > [530] 4
>  > Mar 25 22:54:16.617: RADIUS:   4F 45
>  >          [OE]
>  > Mar 25 22:54:16.618: RADIUS:  AAA Unsupported Attr: interface
>  > [156] 3
>  > Mar 25 22:54:16.618: RADIUS:   34
>  >          [4]
>  > Mar 25 22:54:16.618: RADIUS(000000A1): Storing nasport 412 in rad_db
>  > Mar 25 22:54:16.618: RADIUS(000000A1): Config NAS IP: 172.17.4.30
>  > Mar 25 22:54:16.619: RADIUS/ENCODE(000000A1): acct_session_id: 161
>  > Mar 25 22:54:16.619: RADIUS(000000A1): Config NAS IP: 172.17.4.30
>  > Mar 25 22:54:16.619: RADIUS(000000A1): sending
>  > Mar 25 22:54:16.619: RADIUS(000000A1): Send Access-Request to
>  > 172.17.4.1:1812 id 1645/31, len 121
>  > Mar 25 22:54:16.619: RADIUS:  authenticator 63 B4 AE 27 0B BF 68 D1 -
>  > 8E C2 A9 74 03 17 D7 38
>  > Mar 25 22:54:16.619: RADIUS:  User-Name           [1]   5   "rrr"
>  > Mar 25 22:54:16.620: RADIUS:  Framed-MTU          [12]  6   1400
>  > Mar 25 22:54:16.620: RADIUS:  Called-Station-Id   [30]  16
>  > "001e.be8e.03e0"
>  > Mar 25 22:54:16.620: RADIUS:  Calling-Station-Id  [31]  16
>  > "001b.77d2.b10c"
>  > Mar 25 22:54:16.620: RADIUS:  Service-Type        [6]   6   Login
>  >                [1]
>  > Mar 25 22:54:16.620: RADIUS:  Message-Authenticato[80]  18  *
>  > Mar 25 22:54:16.621: RADIUS:  EAP-Message         [79]  10
>  > Mar 25 22:54:16.621: RADIUS:   02 02 00 08 01 72 72 72
>  >          [?????rrr]
>  > Mar 25 22:54:16.621: RADIUS:  NAS-Port-Type       [61]  6   802.11
>  > wireless           [19]
>  > Mar 25 22:54:16.621: RADIUS:  NAS-Port            [5]   6   412
>  > Mar 25 22:54:16.621: RADIUS:  NAS-IP-Address      [4]   6
>  > 172.17.4.30
>  > Mar 25 22:54:16.621: RADIUS:  Nas-Identifier      [32]  6   "ap30"
>  > Mar 25 22:54:16.624: RADIUS: Received from id 1645/31 172.17.4.1:1812,
>  > Access-Reject, len 39
>  > Mar 25 22:54:16.624: RADIUS:  authenticator 4C 71 B8 6A A3 15 51 B7 -
>  > B5 4A 93 69 64 84 49 1C
>  > Mar 25 22:54:16.624: RADIUS:  Reply-Message       [18]  19
>  > Mar 25 22:54:16.625: RADIUS:   0D 0A 41 63 63 65 73 73 20 64 65 6E 69
>  > 65 64 0D  [??Access denied?]
>  > Mar 25 22:54:16.625: RADIUS:   0A
>  >          [?]
>  > Mar 25 22:54:16.625: RADIUS(000000A1): Received from id 1645/31
>  >
>  > Debug from the GNU Radius server:
>  > Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
>  > Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
>  > /usr/local/etc/raddb/users:14; hints:4
>  > Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
>  > Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
>  > /usr/local/etc/raddb/users:14; hints:4
>  > Mar 25 23:28:31 [8658]: (Access-Request 172.17.4.30 30 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
>  > Mar 25 23:28:31 [8658]: (Access-Request 172.17.4.30 30 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
>  > /usr/local/etc/raddb/users:14; hints:4
>  > Mar 25 23:54:08 [8658]: (Access-Request 172.17.4.30 31 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
>  > Mar 25 23:54:08 [8658]: (Access-Request 172.17.4.30 31 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
>  > /usr/local/etc/raddb/users:14; hints:4
>  > Mar 26 00:08:40 [8658]: (Access-Request 172.17.4.30 32 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
>  > Mar 26 00:08:40 [8658]: (Access-Request 172.17.4.30 32 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
>  > /usr/local/etc/raddb/users:14; hints:4
>  > Mar 26 00:09:36 [8658]: (Access-Request 172.17.4.30 33 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
>  > Mar 26 00:09:36 [8658]: (Access-Request 172.17.4.30 33 "rrr"
>  > CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace:
>  > /usr/local/etc/raddb/users:14; hints:4
>  >
>  > Cisco config.txt:
>  > !
>  > ! Last configuration change at 23:25:11 +0100 Tue Mar 25 2008 by Cisco
>  > ! NVRAM config last updated at 23:25:11 +0100 Tue Mar 25 2008 by Cisco
>  > !
>  > version 12.3
>  > no service pad
>  > service timestamps debug datetime msec
>  > service timestamps log datetime msec
>  > service password-encryption
>  > !
>  > hostname ap30
>  > !
>  > no logging console
>  > enable secret 5 $1$2jwC$NHe..OkEaUL4fxHY22NDe0
>  > !
>  > clock timezone +0100 1
>  > ip subnet-zero
>  > ip domain name foo.tld
>  > ip name-server 172.17.4.1
>  > !
>  > !
>  > aaa new-model
>  > !
>  > !
>  > aaa group server radius rad_eap
>  >  server 172.17.4.1 auth-port 1812 acct-port 1813
>  > !
>  > aaa group server radius rad_mac
>  > !
>  > aaa group server radius rad_acct
>  > !
>  > aaa group server radius rad_admin
>  > !
>  > aaa group server tacacs+ tac_admin
>  > !
>  > aaa group server radius rad_pmip
>  > !
>  > aaa group server radius dummy
>  > !
>  > aaa authentication login eap_methods group rad_eap
>  > aaa authentication login mac_methods local
>  > aaa authorization exec default local
>  > aaa accounting network acct_methods start-stop group rad_acct
>  > aaa session-id common
>  > !
>  > dot11 ssid oma
>  >    authentication open eap eap_methods
>  >    authentication network-eap eap_methods
>  >    authentication key-management wpa
>  >    guest-mode
>  > !
>  > !
>  > !
>  > username Cisco privilege 15 password 7 0005170B0D555B51
>  > !
>  > bridge irb
>  > !
>  > !
>  > interface Dot11Radio0
>  >  no ip address
>  >  no ip route-cache
>  >  !
>  >  encryption mode ciphers tkip
>  >  !
>  >  ssid oma
>  >  !
>  >  speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0
>  > basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
>  >  station-role root
>  >  bridge-group 1
>  >  bridge-group 1 subscriber-loop-control
>  >  bridge-group 1 block-unknown-source
>  >  no bridge-group 1 source-learning
>  >  no bridge-group 1 unicast-flooding
>  >  bridge-group 1 spanning-disabled
>  > !
>  > interface FastEthernet0
>  >  no ip address
>  >  no ip route-cache
>  >  duplex auto
>  >  speed auto
>  >  bridge-group 1
>  >  no bridge-group 1 source-learning
>  >  bridge-group 1 spanning-disabled
>  > !
>  > interface BVI1
>  >  ip address 172.17.4.30 255.255.255.0
>  >  no ip route-cache
>  > !
>  > ip default-gateway 172.17.4.1
>  > ip http server
>  > no ip http secure-server
>  > ip http help-path
>  > http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
>  > ip radius source-interface BVI1
>  > !
>  > logging facility auth
>  > logging 172.17.4.20
>  > access-list 111 permit tcp any any neq telnet
>  > snmp-server view dot11view ieee802dot11 included
>  > snmp-server community public view dot11view RO
>  > snmp-server location OEST
>  > snmp-server contact address@hidden
>  > snmp-server chassis-id ap30
>  > radius-server attribute 32 include-in-access-req format %h
>  > radius-server host 172.17.4.1 auth-port 1812 acct-port 1813 key 7
>  > 135647415A5F567978
>  > radius-server vsa send accounting
>  > bridge 1 route ip
>  > !
>  > !
>  > !
>  > line con 0
>  >  access-class 111 in
>  > line vty 0 4
>  >  access-class 111 in
>  > !
>  > sntp server 83.221.136.68
>  > sntp broadcast client
>  > end
>  >
>  > config from the radius server:
>  > # For detailed description, run:
>  > #       info Radius config
>  >
>  > # usedbm no;
>  >
>  > option {
>  >         # source-ip 172.17.4.1;
>  >         max-requests 1024;
>  >         resolve no;
>  > };
>  >
>  > logging {
>  >         prefix-hook "default_log_prefix";
>  >         channel default {
>  >                 file "radius.log";
>  >                 print-category yes;
>  >                 print-level yes;
>  >         };
>  >         channel info {
>  >                 file "radius.info";
>  >                 print-pid yes;
>  >         };
>  >         channel debug {
>  >                 file "radius.debug";
>  >         };
>  >         category auth {
>  >                 level high;
>  >                 print-auth yes;
>  >                 print-failed-pass yes;
>  >         };
>  >         category info {
>  >                 channel info;
>  >         };
>  >         category =debug {
>  >                 channel debug;
>  >         };
>  >         category * {
>  >                 channel default;
>  >         };
>  > };
>  >
>  > auth {
>  >         #listen 172.17.4.1;
>  >         #port 1645;
>  >         trace-rules yes;
>  >         max-requests 127;
>  >         request-cleanup-delay 2;
>  >         detail yes;
>  >         # detail-file-name "=nas_name(request_source_ip()) +
>  > \"/detail.auth\"";
>  >         strip-names yes;
>  >         # checkrad-assume-logged yes;
>  > };
>  >
>  > acct {
>  >         max-requests 127;
>  >         request-cleanup-delay 2;
>  >         detail-file-name "=nas_name(request_source_ip()) + \"/detail\"";
>  > };
>  >
>  > rewrite {
>  >         load "checknas.rw";
>  >         load "log-hook.rw";
>  >         load "nas-ip.rw";
>  > };
>  >
>  > # snmp {
>  > #       listen no;
>  > # };
>  >
>  > users from the Gnu Radius:
>  > # For detailed description, run:
>  > #       info Radius users
>  >
>  >
>  > ## The following entry is supposed to be used with authentication probe
>  > ## control. Please read `info --node 'Auth Probing' radius' for the detailed
>  > ## description of it
>  > DEFAULT Group = "*LOCKED_ACCOUNT*",
>  >                 Auth-Type = Reject
>  >         Reply-Message = "Your account is currently locked.\n\
>  > Please, contact your system administrator\n"
>  >
>  >
>  > ## Default entry.
>  > DEFAULT Auth-Type = Crypt-Local,
>  >                          Password-Location = SQL,
>  >                 Simultaneous-Use = 1
>  >         Service-Type = Framed-User,
>  >                 Framed-Protocol = PPP
>  >
>  > sqlserver from the radius server:
>  > Only changed a few things, like:
>  > doauth yes;
>  > user,pass,host,database so it can Auth, rest is default.
>  >
>  >
>  > _______________________________________________
>  > Help-gnu-radius mailing list
>  > address@hidden
>  > http://lists.gnu.org/mailman/listinfo/help-gnu-radius
>  >
>
>
>  --
>  Senior Network Security Analyst
>  CISSP, FCNSP, CCNP, CCDP, RCAS, CCAI
>  address@hidden
>  tel. 613.728.5504
>  cell. 613-295-5504
>
>  Marketbridge Technologies, Inc.
>  1066 Somerset St. West, Suite B-101
>  Ottawa, ON, K1Y 4T3
>
>
>
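As an added example (not code from the thread, from Cisco or from GNU Radius), the snippet below decodes the attributes that the Cisco debug shows in the failing Access-Request and makes the two questions in the thread checkable: whether the request carries a User-Password at all (the debug lists none, only an EAP-Message) and whether the User-Name has the stray whitespace Martin suspected. The Message-Authenticator bytes are a constructed placeholder; the other values are the ones printed in the debug.

```python
# Added example: decode the RADIUS attributes seen in the Cisco debug above.
import struct

USER_NAME, USER_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 79, 80
EAP_TYPE_IDENTITY = 1

def attr(atype, value):
    """RFC 2865 attribute TLV: Type(1) Length(1, header included) Value."""
    return bytes([atype, len(value) + 2]) + value

# Constructed from the debug: User-Name "rrr" (len 5), EAP-Message
# 02 02 00 08 01 72 72 72 (len 10), Message-Authenticator (len 18, placeholder).
SAMPLE_ATTRS = (
    attr(USER_NAME, b"rrr")
    + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    + attr(EAP_MESSAGE, bytes.fromhex("02020008 01727272"))
)

def parse_attrs(blob):
    """Walk the TLV list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out

def decode_eap(msg):
    """EAP header (RFC 3748): Code, Identifier, Length, then Type and data."""
    code, ident, length = struct.unpack("!BBH", msg[:4])
    if length != len(msg):
        raise ValueError("EAP length field disagrees with attribute length")
    return {"code": code, "id": ident, "type": msg[4], "data": msg[5:]}

def explain(blob):
    """What a password-based rule can and cannot decide from this request."""
    attrs = dict(parse_attrs(blob))  # one value per attribute type here
    eap = decode_eap(attrs[EAP_MESSAGE]) if EAP_MESSAGE in attrs else None
    name = attrs.get(USER_NAME, b"").decode()
    return {
        "user_name": name,
        # Martin's theory: a name carrying CR/LF or spaces never matches
        "name_has_stray_whitespace": name != name.strip(),
        # No User-Password means a Crypt-Local/SQL rule has nothing to check
        "has_user_password": USER_PASSWORD in attrs,
        # EAP Identity response: only an EAP-aware server can continue from here
        "eap_identity": eap["data"].decode()
        if eap and eap["type"] == EAP_TYPE_IDENTITY else None,
    }
```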