WLC WPA2-Enterprise using FreeRadius: Starting point?

nellson (Level 1)

I have a WLC 2106 with two APs connected, but have not set up any authentication. I don't have CSACS at my disposal, so I thought I would try FreeRadius on my Linux server. I am looking for user/password auth, and for now I would expect to have those accounts local to the FreeRadius engine (baby steps before I try PAM/LDAP/AD/certs).

I have seen a number of posts asking final-step questions. I was looking for more of a where-to-begin how-to.

I have read the docs on FreeRadius, and believe I have the method worked out on how to make a small change, run in debug mode to observe my change, and verify it, so that I don't spend too much time pulling out my hair. I am fairly adept at CSACS 5.3, but it hides the magic of RADIUS from me.

Would anyone be able to point me to a starting place?

Nick

4 Replies

Scott Fella (Hall of Fame)

I don't know FreeRadius, but can you stand up a Microsoft radius server?

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Hi Scott,

I appear to have fallen into some dumb luck. I followed the initial test of adding a "testing" user with nothing more than "password" for a password, and ran the simple radtest command to ensure my radiusd was functional. That passed. So I added in clients.conf a simple entry each for my WLC, my 2950 switch and my 1841 router, so I would have test NASes.

I added the RADIUS server in the WLC, and noticed that the management GUI was already set to use RADIUS then LOCAL as its method... hrmm... OK, so I logged out and back in, but used the testing user. It worked! Well, OK, I half expected it to, but perhaps not to pass any of the AV pairs to set up proper menu permissions. But it was a baby step.

So I got bold. I tried using my iPhone to connect to one of the 16 SSIDs I made... (yes, I used all 16 to confuse my neighbors; I'm evil). Each of these was created by selecting NEW, giving only an SSID and then activating. It defaults to WPA2-Enterprise on the WLC for security.

What I saw on my iPhone was a username/password prompt, and when I entered "testing/password" it prompted me to accept an untrusted certificate (I viewed it, and it was the self-signed one from FreeRadius that it built when I first ran it). I accepted that cert, and poof, I am online with an IP address and surfing the web.

So I am not using a (trusted) PKI, and I am not using the multi-VLAN-per-SSID concept, so all those fancy AV pairs appear not to be required.

Well, this is awesome. I will now look at adding more than one VLAN (need to trunk a few things) and see if I can get VLAN selection based on login, like the other posts I have seen.

Then I will tackle the whole PKI mess of OpenCA and see if I can make this work without the cert warning on a commercial product like my iPhone/iPad. That will require something that is mutually trusted, ergo $$$...

But for my home project of teaching myself WLC, I am not quite as intimidated as I started out.

I used an SSID of ":-)", so you will see that in the RADIUS handshake.

For those FreeRadius types out there, this is what my server spit up:

Waking up in 4.8 seconds.

rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=13, length=222

        User-Name = "testing"

        Calling-Station-Id = "60-c5-47-45-43-0c"

        Called-Station-Id = "00-11-20-48-53-40::-)"

        NAS-Port = 8

        Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"

        NAS-IP-Address = 10.0.0.12

        NAS-Identifier = "Cisco_49:4b:40"

        Airespace-Wlan-Id = 15

        Service-Type = Framed-User

        Framed-MTU = 1300

        NAS-Port-Type = Wireless-802.11

        EAP-Message = 0x020500061900

        State = 0x73eb6eeb70ee77dbab4005972fb84a50

        Message-Authenticator = 0x7717ccd50e30babb3b4117330cc2533d

# Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "testing", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 5 length 6

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] Received TLS ACK

[peap] ACK handshake fragment handler

[peap] eaptls_verify returned 1

[peap] eaptls_process returned 13

[peap] EAPTLS_HANDLED

++[eap] returns handled

Sending Access-Challenge of id 13 to 10.0.0.12 port 32769

        EAP-Message = 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

        EAP-Message = 0x20619bda0b8797eb97029f4701006e73e15be5138ed5c1cbfb7b96ca975c4073a48c159ba60bed89ab8115b7607c0965745bd0e229b929bac6b81802ceb9ab9ebc8c8187a5942f062905d0ffe21933dc05945ddfaf9f0ad577e4ceda8991adc9ef87706a94838d7d238e8b5b75507baabefd1a65153e27542b5645f4c71bc0d23a9196b54de55e8eaa76decbd8a5143ac8e38679efe536ddf6edf880406a7dcdf8bf7237f9dc2face142b0ba99fd3d4018da77035d9a1ffee9fff0b388ab3a9171d9af973d19703a2dd72a3f95bdd1d78f0bf797069e40d8e1ed610321b2042a1d7c75b5be9eee80ceaec539ab8f11425b676eae25046479d1e606b086

        EAP-Message = 0x4a046de17f67e2ba30a0475079ae084d9116030100040e000000

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x73eb6eeb77ed77dbab4005972fb84a50

Finished request 11.

Going to the next request

Waking up in 4.8 seconds.

rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=14, length=360

        User-Name = "testing"

        Calling-Station-Id = "60-c5-47-45-43-0c"

        Called-Station-Id = "00-11-20-48-53-40::-)"

        NAS-Port = 8

        Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"

        NAS-IP-Address = 10.0.0.12

        NAS-Identifier = "Cisco_49:4b:40"

        Airespace-Wlan-Id = 15

        Service-Type = Framed-User

        Framed-MTU = 1300

        NAS-Port-Type = Wireless-802.11

        EAP-Message = 0x020600901980000000861603010046100000424104d0c3847c755edc97193c3a7fc45b23a0b4412d001c0cc70f6a6aedde1d2c2148555026fc757c7a2f60bb913a6d944dedc563b4622f80e116cf44541113f6673514030100010116030100301a6d058f6952ec064d990521cf81885feb03ccc7bc646630ea09be594d2e7b9a510a5869f38eb7d702827b1f60f0d386

        State = 0x73eb6eeb77ed77dbab4005972fb84a50

        Message-Authenticator = 0x7057aff4addd943bacd17a1d0acd83d6

# Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "testing", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 6 length 144

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

  TLS Length 134

[peap] Length Included

[peap] eaptls_verify returned 11

[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange 

[peap]     TLS_accept: SSLv3 read client key exchange A

[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] 

[peap] <<< TLS 1.0 Handshake [length 0010], Finished 

[peap]     TLS_accept: SSLv3 read finished A

[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] 

[peap]     TLS_accept: SSLv3 write change cipher spec A

[peap] >>> TLS 1.0 Handshake [length 0010], Finished 

[peap]     TLS_accept: SSLv3 write finished A

[peap]     TLS_accept: SSLv3 flush data

[peap]     (other): SSL negotiation finished successfully

SSL Connection Established

[peap] eaptls_process returned 13

[peap] EAPTLS_HANDLED

++[eap] returns handled

Sending Access-Challenge of id 14 to 10.0.0.12 port 32769

        EAP-Message = 0x01070041190014030100010116030100306159a51cb9e95e598443a58c28905f5b3401a36f6ade329c00e73237b55c8ad68be30867396f9018af88f4204d5f9054

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x73eb6eeb76ec77dbab4005972fb84a50

Finished request 12.

Going to the next request

Waking up in 4.7 seconds.

rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=15, length=222

        User-Name = "testing"

        Calling-Station-Id = "60-c5-47-45-43-0c"

        Called-Station-Id = "00-11-20-48-53-40::-)"

        NAS-Port = 8

        Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"

        NAS-IP-Address = 10.0.0.12

        NAS-Identifier = "Cisco_49:4b:40"

        Airespace-Wlan-Id = 15

        Service-Type = Framed-User

        Framed-MTU = 1300

        NAS-Port-Type = Wireless-802.11

        EAP-Message = 0x020700061900

        State = 0x73eb6eeb76ec77dbab4005972fb84a50

        Message-Authenticator = 0x68a0a32665a682a8105a90ce8170ba0f

# Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "testing", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 7 length 6

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] Received TLS ACK

[peap] ACK handshake is finished

[peap] eaptls_verify returned 3

[peap] eaptls_process returned 3

[peap] EAPTLS_SUCCESS

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state TUNNEL ESTABLISHED

++[eap] returns handled

Sending Access-Challenge of id 15 to 10.0.0.12 port 32769

        EAP-Message = 0x0108002b1900170301002005753ba468b77ec20a43c1fb1ec19fea10a4f79c5932ef40d71b95fb93ab2d83

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x73eb6eeb75e377dbab4005972fb84a50

Finished request 13.

Going to the next request

Waking up in 3.2 seconds.

rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=16, length=259

        User-Name = "testing"

        Calling-Station-Id = "60-c5-47-45-43-0c"

        Called-Station-Id = "00-11-20-48-53-40::-)"

        NAS-Port = 8

        Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"

        NAS-IP-Address = 10.0.0.12

        NAS-Identifier = "Cisco_49:4b:40"

        Airespace-Wlan-Id = 15

        Service-Type = Framed-User

        Framed-MTU = 1300

        NAS-Port-Type = Wireless-802.11

        EAP-Message = 0x0208002b19001703010020422f8e62a8c3ece30b1359799e342131b09c4987db5750785545bf70fe4c0f18

        State = 0x73eb6eeb75e377dbab4005972fb84a50

        Message-Authenticator = 0xc680d244328d414f86cb2915466a5c70

# Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "testing", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 8 length 43

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7

[peap] Done initial handshake

[peap] eaptls_process returned 7

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state WAITING FOR INNER IDENTITY

[peap] Identity - testing

[peap] Got inner identity 'testing'

[peap] Setting default EAP type for tunneled EAP session.

[peap] Got tunneled request

        EAP-Message = 0x0208000c0174657374696e67

server  {

[peap] Setting User-Name to testing

Sending tunneled request

        EAP-Message = 0x0208000c0174657374696e67

        FreeRADIUS-Proxied-To = 127.0.0.1

        User-Name = "testing"

server inner-tunnel {

# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel

+- entering group authorize {...}

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "testing", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

++[control] returns noop

[eap] EAP packet type response id 8 length 12

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

[files] users: Matched entry testing at line 60

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/inner-tunnel

+- entering group authenticate {...}

[eap] EAP Identity

[eap] processing type mschapv2

rlm_eap_mschapv2: Issuing Challenge

++[eap] returns handled

} # server inner-tunnel

[peap] Got tunneled reply code 11

        EAP-Message = 0x010900211a0109001c10aca9799efad64499b615ffdc2f5165ae74657374696e67

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x18902df81899370636c4e7e5690d28c9

[peap] Got tunneled reply RADIUS code 11

        EAP-Message = 0x010900211a0109001c10aca9799efad64499b615ffdc2f5165ae74657374696e67

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x18902df81899370636c4e7e5690d28c9

[peap] Got tunneled Access-Challenge

++[eap] returns handled

Sending Access-Challenge of id 16 to 10.0.0.12 port 32769

        EAP-Message = 0x0109004b1900170301004021ce4449a2c6588c45533dc57939b60bef1717316ccf3ab5f2af9398f147abd4d75c6cbd5a69641ff2d2a164bfd6d565efe962801d03295a2b12a56727b91c8a

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x73eb6eeb74e277dbab4005972fb84a50

Finished request 14.

Going to the next request

Waking up in 3.1 seconds.

rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=17, length=323

        User-Name = "testing"

        Calling-Station-Id = "60-c5-47-45-43-0c"

        Called-Station-Id = "00-11-20-48-53-40::-)"

        NAS-Port = 8

        Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"

        NAS-IP-Address = 10.0.0.12

        NAS-Identifier = "Cisco_49:4b:40"

        Airespace-Wlan-Id = 15

        Service-Type = Framed-User

        Framed-MTU = 1300

        NAS-Port-Type = Wireless-802.11

        EAP-Message = 0x0209006b19001703010060e7318f96f70b28e945688da1bfd5b61c3ad00c1ba1246c3649258de8c95bb4f855fe652bc4db91999108f5434d61d86529111c29fb48e2cf9764b815bff073f2e3acab087b281b037d26d91f3b6a8390fe0ec2fb5d8a722dab3b7fcd11044687

        State = 0x73eb6eeb74e277dbab4005972fb84a50

        Message-Authenticator = 0x02bab4b58f5e310f02f9b2ebe13e0f05

# Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "testing", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 9 length 107

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7

[peap] Done initial handshake

[peap] eaptls_process returned 7

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state phase2

[peap] EAP type mschapv2

[peap] Got tunneled request

        EAP-Message = 0x020900421a0209003d319990ea2bed6e5013e9dbc121d5a69d41000000000000000075d3c40b381619618f977e958672926c2d56ac79c98ecd370074657374696e67

server  {

[peap] Setting User-Name to testing

Sending tunneled request

        EAP-Message = 0x020900421a0209003d319990ea2bed6e5013e9dbc121d5a69d41000000000000000075d3c40b381619618f977e958672926c2d56ac79c98ecd370074657374696e67

        FreeRADIUS-Proxied-To = 127.0.0.1

        User-Name = "testing"

        State = 0x18902df81899370636c4e7e5690d28c9

server inner-tunnel {

# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel

+- entering group authorize {...}

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "testing", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

++[control] returns noop

[eap] EAP packet type response id 9 length 66

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

[files] users: Matched entry testing at line 60

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/inner-tunnel

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/mschapv2

[eap] processing type mschapv2

[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel

[mschapv2] +- entering group MS-CHAP {...}

[mschap] Creating challenge hash with username: testing

[mschap] Client is using MS-CHAPv2 for testing, we need NT-Password

[mschap] adding MS-CHAPv2 MPPE keys

++[mschap] returns ok

MSCHAP Success

++[eap] returns handled

} # server inner-tunnel

[peap] Got tunneled reply code 11

        EAP-Message = 0x010a00331a0309002e533d41323041303437443538414334313144373441433641363143363143383038363542334346463242

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x18902df8199a370636c4e7e5690d28c9

[peap] Got tunneled reply RADIUS code 11

        EAP-Message = 0x010a00331a0309002e533d41323041303437443538414334313144373441433641363143363143383038363542334346463242

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x18902df8199a370636c4e7e5690d28c9

[peap] Got tunneled Access-Challenge

++[eap] returns handled

Sending Access-Challenge of id 17 to 10.0.0.12 port 32769

        EAP-Message = 0x010a005b190017030100504fb5fcd04762cc15914b6d4af35311ba331de931aff368ca3c34138c7f03f02b068bbe134bb83999b6716bb64bc5adb24a95c01e8b61523831e0ab1d0081ed1e2d5342c3d57c379171cb0a86d118cb29

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x73eb6eeb7be177dbab4005972fb84a50

Finished request 15.

Going to the next request

Waking up in 3.1 seconds.

rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=18, length=259

        User-Name = "testing"

        Calling-Station-Id = "60-c5-47-45-43-0c"

        Called-Station-Id = "00-11-20-48-53-40::-)"

        NAS-Port = 8

        Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"

        NAS-IP-Address = 10.0.0.12

        NAS-Identifier = "Cisco_49:4b:40"

        Airespace-Wlan-Id = 15

        Service-Type = Framed-User

        Framed-MTU = 1300

        NAS-Port-Type = Wireless-802.11

        EAP-Message = 0x020a002b19001703010020f8a1f8d0933ad89c64731181d33da06aeff9eb035879fa8a62abbbd07d75616c

        State = 0x73eb6eeb7be177dbab4005972fb84a50

        Message-Authenticator = 0x7463a6818ee330c798e61dacb75b162c

# Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "testing", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 10 length 43

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7

[peap] Done initial handshake

[peap] eaptls_process returned 7

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state phase2

[peap] EAP type mschapv2

[peap] Got tunneled request

        EAP-Message = 0x020a00061a03

server  {

[peap] Setting User-Name to testing

Sending tunneled request

        EAP-Message = 0x020a00061a03

        FreeRADIUS-Proxied-To = 127.0.0.1

        User-Name = "testing"

        State = 0x18902df8199a370636c4e7e5690d28c9

server inner-tunnel {

# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel

+- entering group authorize {...}

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "testing", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

++[control] returns noop

[eap] EAP packet type response id 10 length 6

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

[files] users: Matched entry testing at line 60

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING: Auth-Type already set.  Not setting to PAP

++[pap] returns noop

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/inner-tunnel

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/mschapv2

[eap] processing type mschapv2

[eap] Freeing handler

++[eap] returns ok

  WARNING: Empty post-auth section.  Using default return values.

# Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel

} # server inner-tunnel

[peap] Got tunneled reply code 2

        MS-MPPE-Encryption-Policy = 0x00000001

        MS-MPPE-Encryption-Types = 0x00000006

        MS-MPPE-Send-Key = 0xd67428f2d8f04a7c7f48f820842baacf

        MS-MPPE-Recv-Key = 0xf30b0f96dc8a2ba868b144c4cfe5333e

        EAP-Message = 0x030a0004

        Message-Authenticator = 0x00000000000000000000000000000000

        User-Name = "testing"

[peap] Got tunneled reply RADIUS code 2

        MS-MPPE-Encryption-Policy = 0x00000001

        MS-MPPE-Encryption-Types = 0x00000006

        MS-MPPE-Send-Key = 0xd67428f2d8f04a7c7f48f820842baacf

        MS-MPPE-Recv-Key = 0xf30b0f96dc8a2ba868b144c4cfe5333e

        EAP-Message = 0x030a0004

        Message-Authenticator = 0x00000000000000000000000000000000

        User-Name = "testing"

[peap] Tunneled authentication was successful.

[peap] SUCCESS

++[eap] returns handled

Sending Access-Challenge of id 18 to 10.0.0.12 port 32769

        EAP-Message = 0x010b002b19001703010020a741d9ceb2c84aae144d08ee11b1aa9c8f7bdedc44c3036131bf62b981ea27dd

        Message-Authenticator = 0x00000000000000000000000000000000

        State = 0x73eb6eeb7ae077dbab4005972fb84a50

Finished request 16.

Going to the next request

Waking up in 3.1 seconds.

rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=19, length=259

        User-Name = "testing"

        Calling-Station-Id = "60-c5-47-45-43-0c"

        Called-Station-Id = "00-11-20-48-53-40::-)"

        NAS-Port = 8

        Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"

        NAS-IP-Address = 10.0.0.12

        NAS-Identifier = "Cisco_49:4b:40"

        Airespace-Wlan-Id = 15

        Service-Type = Framed-User

        Framed-MTU = 1300

        NAS-Port-Type = Wireless-802.11

        EAP-Message = 0x020b002b1900170301002023b9b430c65678f3ab95d0d06293c0995690f88114516f64eeb410b632b8d548

        State = 0x73eb6eeb7ae077dbab4005972fb84a50

        Message-Authenticator = 0x0a56d0c11f179ad0e657387c2aef95dc

# Executing section authorize from file /etc/raddb/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "testing", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 11 length 43

[eap] Continuing tunnel setup.

++[eap] returns ok

Found Auth-Type = EAP

# Executing group from file /etc/raddb/sites-enabled/default

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/peap

[eap] processing type peap

[peap] processing EAP-TLS

[peap] eaptls_verify returned 7

[peap] Done initial handshake

[peap] eaptls_process returned 7

[peap] EAPTLS_OK

[peap] Session established.  Decoding tunneled attributes.

[peap] Peap state send tlv success

[peap] Received EAP-TLV response.

[peap] Success

[eap] Freeing handler

++[eap] returns ok

# Executing section post-auth from file /etc/raddb/sites-enabled/default

+- entering group post-auth {...}

++[exec] returns noop

Sending Access-Accept of id 19 to 10.0.0.12 port 32769

        MS-MPPE-Recv-Key = 0x72b108b845fb9d5769b49058156b1725ef003e3ba7c81d4b632d0a496c3ea920

        MS-MPPE-Send-Key = 0xe0a06ae4249976a28dd0da48338d722d11745099a0bb3d3ec752284952dfa6ad

        EAP-Message = 0x030b0004

        Message-Authenticator = 0x00000000000000000000000000000000

        User-Name = "testing"

Finished request 17.

Going to the next request
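As an added example (not from the post, and not FreeRADIUS's own code), the Python script below reads `radiusd -X` output of the kind shown above and summarises each packet id: the user, the client MAC, the SSID (the WLC packs the SSID after the AP MAC in Called-Station-Id, which is why ":-)" shows up in the handshake), the PEAP state and inner EAP type the request reached, and what the server replied. It also audits the final Access-Accept for two things the post touches on: the MS-MPPE keys the WLC needs to derive the WPA2 PMK, and the Tunnel-* attributes that would be needed for the per-SSID VLAN assignment the poster has not configured yet. The sample log is a constructed, trimmed copy of the post's output; the function names and the audit rules are my own.

```python
"""Summarise FreeRADIUS 2.x `radiusd -X` output for a PEAP/MSCHAPv2 WLC login."""
import re

# Constructed sample: two of the requests from the post, trimmed to the lines used here.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=16, length=259
        User-Name = "testing"
        Calling-Station-Id = "60-c5-47-45-43-0c"
        Called-Station-Id = "00-11-20-48-53-40::-)"
        NAS-IP-Address = 10.0.0.12
        Airespace-Wlan-Id = 15
        NAS-Port-Type = Wireless-802.11
# Executing section authorize from file /etc/raddb/sites-enabled/default
[eap] processing type peap
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Got inner identity 'testing'
[eap] processing type mschapv2
Sending Access-Challenge of id 16 to 10.0.0.12 port 32769
        EAP-Message = 0x0109004b1900
        State = 0x73eb6eeb74e277dbab4005972fb84a50
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=19, length=259
        User-Name = "testing"
        Calling-Station-Id = "60-c5-47-45-43-0c"
        Called-Station-Id = "00-11-20-48-53-40::-)"
        NAS-IP-Address = 10.0.0.12
        Airespace-Wlan-Id = 15
        NAS-Port-Type = Wireless-802.11
# Executing section authorize from file /etc/raddb/sites-enabled/default
[eap] processing type peap
[peap] Peap state send tlv success
[peap] Success
Sending Access-Accept of id 19 to 10.0.0.12 port 32769
        MS-MPPE-Recv-Key = 0x72b108b845fb9d5769b49058156b1725ef003e3ba7c81d4b632d0a496c3ea920
        MS-MPPE-Send-Key = 0xe0a06ae4249976a28dd0da48338d722d11745099a0bb3d3ec752284952dfa6ad
        EAP-Message = 0x030b0004
        User-Name = "testing"
"""

RECV_RE = re.compile(r'^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)')
SEND_RE = re.compile(r'^Sending (\S+) of id (\d+) to ')
ATTR_RE = re.compile(r'^\s+([\w-]+) = (.*)$')
STATE_RE = re.compile(r'^\[peap\] Peap state (.+)$')
TYPE_RE = re.compile(r'^\[eap\] processing type (\w+)$')
IDENT_RE = re.compile(r"^\[peap\] Got inner identity '(.*)'$")


def parse_debug_log(text):
    """Split radiusd -X output into one record per RADIUS packet id."""
    records, cur, target = [], None, None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            cur = {"id": int(m.group(3)), "nas": m.group(2), "request": {},
                   "reply": None, "reply_attrs": {}, "peap_states": [],
                   "eap_types": [], "inner_identity": None}
            records.append(cur)
            target = cur["request"]  # indented lines now belong to the request
            continue
        if cur is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            if target is not None:  # tunneled-attribute dumps (target None) are skipped
                target[m.group(1)] = m.group(2).strip('"')
            continue
        if target is cur["request"]:  # first non-attribute line closes the request block
            target = None
        m = SEND_RE.match(line)
        if m:
            cur["reply"] = m.group(1)
            target = cur["reply_attrs"]
            continue
        for regex, key in ((STATE_RE, "peap_states"), (TYPE_RE, "eap_types")):
            m = regex.match(line)
            if m:
                cur[key].append(m.group(1))
        m = IDENT_RE.match(line)
        if m:
            cur["inner_identity"] = m.group(1)
    return records


def ssid_from_called_station(value):
    """The WLC sends Called-Station-Id as <AP MAC>:<SSID>; the MAC part is 17 characters."""
    return value[18:] if len(value) > 18 and value[17] == ":" else ""


def summarise(records):
    """One flat row per packet id, as an operator would want to read it."""
    rows = []
    for r in records:
        req = r["request"]
        inner = [t for t in r["eap_types"] if t != "peap"]
        rows.append({
            "id": r["id"],
            "user": req.get("User-Name"),
            "client_mac": req.get("Calling-Station-Id"),
            "ssid": ssid_from_called_station(req.get("Called-Station-Id", "")),
            "wlan_id": req.get("Airespace-Wlan-Id"),
            "peap_state": r["peap_states"][-1] if r["peap_states"] else None,
            "inner_type": inner[-1] if inner else None,
            "reply": r["reply"],
        })
    return rows


def audit_accept(record):
    """Checks on a final Access-Accept that matter for a WPA2-Enterprise WLAN."""
    findings = []
    if record["reply"] != "Access-Accept":
        return findings
    reply = record["reply_attrs"]
    # The WLC derives the WPA2 PMK from the MS-MPPE keys; without them 802.11 key exchange fails.
    if not ("MS-MPPE-Send-Key" in reply and "MS-MPPE-Recv-Key" in reply):
        findings.append("MS-MPPE keys missing: WLC cannot derive the PMK for this client")
    # Dynamic VLAN needs Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id
    # (and AAA Override enabled on the WLAN); otherwise the client gets the WLAN's default VLAN.
    if "Tunnel-Private-Group-Id" not in reply:
        findings.append("no Tunnel-Private-Group-Id: client lands on the WLAN's default VLAN")
    return findings


if __name__ == "__main__":
    recs = parse_debug_log(SAMPLE_LOG)
    for row in summarise(recs):
        print(row)
    for rec in recs:
        for finding in audit_accept(rec):
            print("id=%d: %s" % (rec["id"], finding))
```

Run it against a saved copy of the real debug output (`radiusd -X > debug.log`, then feed the file to `parse_debug_log`) to get one line per packet instead of the hundreds of lines the server prints; the audit on the last record tells you straight away whether the Access-Accept is usable by the WLC and whether any VLAN override was actually sent.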

Scott Fella (Hall of Fame)

Well, glad you figured it out. One other thing: the more SSIDs you create, the more RF noise you make for yourself. I run two SSIDs at home... It is best practice to limit it to 4 or less. Less is better.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Oh, of course, if I was running this for full-time home use, I would be using much less. The overload of SSIDs was just to be silly (spelled out a Burma-Shave-like road sign ad with it). I will continue until I have tried a 16-VLAN system, and I have been told that to watch the power level function work I ideally need 4 APs, so I will do that as well. But in two months, after I have this stuff down, I will pare it back to two APs, and maybe 2 SSIDs going forward.

I'll collect the configs I used and post them as I go, for those who want to go FreeRadius.

Nick
