03-03-2013 10:25 AM - edited 07-03-2021 11:39 PM
I have a WLC 2106 with two APs connected, but have not set up any authentication. I don't have CSACS at my disposal, so I thought I would try FreeRADIUS on my Linux server. I am looking for user/password auth, and for now I would expect to have those accounts local to the FreeRADIUS engine (baby steps before I try PAM/LDAP/AD/certs).
I have seen a number of posts asking final-step questions. I was looking for more of a where-to-begin how-to.
I have read the docs on FreeRADIUS, and believe I have the method worked out: make a small change, run in debug mode to observe my change, and verify that I don't spend too much time pulling out my hair. I am fairly adept at CSACS 5.3, but it hides the magic of RADIUS from me.
Would anyone be able to point me to a starting place?
Nick
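Since the question is about seeing the RADIUS "magic" that a product like CSACS hides, here is the wire format that radtest, the WLC and radiusd all speak, as an added example that is not part of the original post or of FreeRADIUS. It is pure Python with no network code: a client builds an Access-Request the way radtest does, a server checks it against a dict standing in for the users file, and the client verifies the reply. The shared secret testing123 and the hypothetical user/password testing/password are assumptions for the demo, not values from the poster's configuration. Three computations do all the work: hiding User-Password with an MD5 keystream derived from the secret and the Request Authenticator (RFC 2865), the Message-Authenticator HMAC that RFC 3579 requires on EAP packets and that FreeRADIUS checks, and the Response Authenticator that lets the NAS tell a genuine reply from a forged one.

```python
import hashlib, hmac, os, struct

# RADIUS codes and the attribute types used here (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def _attr(atype, value):
    # Type (1 byte), Length (1 byte, counts the 2-byte header), Value
    return bytes([atype, 2 + len(value)]) + value


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR the zero-padded password with an MD5(secret||prev) keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret, request_auth, hidden):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(data):
    attrs, i = [], 0
    while i + 1 < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def _sign(secret, code, ident, authenticator, attrs):
    """Append Message-Authenticator (RFC 2869 5.14): HMAC-MD5 keyed with the shared
    secret over the whole packet, with the attribute's own 16 bytes zeroed."""
    body = _packet(code, ident, authenticator, attrs + _attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    return attrs + _attr(MESSAGE_AUTHENTICATOR, hmac.new(secret, body, hashlib.md5).digest())


def verify_message_authenticator(secret, packet, request_auth=None):
    # For a reply the HMAC was computed with the *request* authenticator in the header.
    auth, data, i = request_auth or packet[4:20], packet[20:], 0
    while i + 1 < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = data[:i + 2] + bytes(16) + data[i + 18:]
            expected = hmac.new(secret, packet[:4] + auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, data[i + 2:i + 18])
        i += alen
    return False  # no Message-Authenticator at all: treat as unauthenticated


def build_access_request(secret, ident, username, password, nas_ip, request_auth=None):
    """What radtest sends; the Request Authenticator must be a fresh random nonce."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username)
    attrs += _attr(USER_PASSWORD, hide_password(secret, request_auth, password))
    attrs += _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs = _sign(secret, ACCESS_REQUEST, ident, request_auth, attrs)
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def build_response(secret, code, request, attrs=b""):
    """Response Authenticator (RFC 2865 3) = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = _sign(secret, code, ident, request_auth, attrs)
    response_auth = hashlib.md5(_packet(code, ident, request_auth, attrs) + secret).digest()
    return _packet(code, ident, response_auth, attrs)


def verify_response(secret, request, response):
    """Client side: only a holder of the secret can have answered *this* request."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return (response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
            and verify_message_authenticator(secret, response, request[4:20]))


def handle_access_request(secret, users, packet):
    """Server side of what radtest exercises; `users` is a dict standing in for the users file."""
    if packet[0] != ACCESS_REQUEST or not verify_message_authenticator(secret, packet):
        return None  # bad or missing HMAC: drop silently, as radiusd does
    attrs = dict(parse_attrs(packet[20:]))
    password = reveal_password(secret, packet[4:20], attrs.get(USER_PASSWORD, b""))
    username = attrs.get(USER_NAME, b"")
    ok = username in users and hmac.compare_digest(users[username], password)
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, packet)


def demo(secret=b"testing123", users=None):
    """radtest testing password <server> 0 testing123, minus the network round trip (assumed values)."""
    users = {b"testing": b"password"} if users is None else users
    request = build_access_request(secret, 13, b"testing", b"password", "10.0.0.12")
    response = handle_access_request(secret, users, request)
    return response[0], verify_response(secret, request, response)
```

A wrong secret on either side does not produce an Access-Reject; the request is dropped, which is what a radtest that simply times out usually means. In a radiusd -X trace the Message-Authenticator on the "Sending" lines prints as all zeros because the HMAC is filled in when the reply is encoded, after the debug print, so that is not a sign of a broken configuration.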
03-03-2013 11:40 AM
I don't know FreeRADIUS, but can you stand up a Microsoft RADIUS server?
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered".
03-03-2013 02:08 PM
Hi Scott,
I appear to have fallen into some dumb luck. I followed the initial test of adding a "testing" user with nothing more than "password" for a password, and ran the simple radtest command to ensure my radiusd was functional. That passed. So I added to clients.conf a simple entry each for my WLC, my 2950 switch and my 1841 router, so I would have test NASes.
I added the RADIUS server in the WLC, and noticed that the management GUI was already set to use RADIUS then LOCAL as its method... hrmm... OK, so I logged out and back in, but used the testing user. It worked! Well, OK, I half expected it to, but perhaps not to pass any of the AV pairs to set up proper menu permissions. But it was a baby step.
So I got bold. I tried using my iPhone to connect to one of the 16 SSIDs I made... (yes, I used all 16 to confuse my neighbors, I'm evil). Each of these was done by selecting NEW, giving only an SSID and then activating. It defaults to WPA2-Enterprise on the WLC for security.
What I saw on my iPhone was a username/password prompt, and when I entered "testing/password" it prompted me to accept an untrusted certificate (I viewed it, and it was the self-signed one from FreeRADIUS that it built when I first ran it). I accepted that cert, and poof, I am online with an IP address and surfing the web.
So I am not using a PKI (that's trusted), I am not using the multi-VLAN concept per SSID, so all those fancy AV pairs appear not to be required.
Well, this is awesome. I will now look at adding more than one VLAN (need to trunk a few things) and see if I can get VLAN selection based on login like the other posts I have seen.
Then I will tackle the whole PKI mess of OpenCA and see if I can make this work without the cert warning on a commercial product like my iPhone/iPad. That will require something that is mutually trusted, ergo $$$...
But for my home project of teaching myself WLC, I am not quite as intimidated as I started out.
I used an SSID of ":-)", so you will see that in the RADIUS handshake.
For those FreeRADIUS types out there, this is what my server spit up:
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=13, length=222
User-Name = "testing"
Calling-Station-Id = "60-c5-47-45-43-0c"
Called-Station-Id = "00-11-20-48-53-40::-)"
NAS-Port = 8
Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"
NAS-IP-Address = 10.0.0.12
NAS-Identifier = "Cisco_49:4b:40"
Airespace-Wlan-Id = 15
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
State = 0x73eb6eeb70ee77dbab4005972fb84a50
Message-Authenticator = 0x7717ccd50e30babb3b4117330cc2533d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 13 to 10.0.0.12 port 32769
EAP-Message = [fragment omitted]
EAP-Message = [fragment omitted]
EAP-Message = 0x4a046de17f67e2ba30a0475079ae084d9116030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x73eb6eeb77ed77dbab4005972fb84a50
Finished request 11.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=14, length=360
User-Name = "testing"
Calling-Station-Id = "60-c5-47-45-43-0c"
Called-Station-Id = "00-11-20-48-53-40::-)"
NAS-Port = 8
Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"
NAS-IP-Address = 10.0.0.12
NAS-Identifier = "Cisco_49:4b:40"
Airespace-Wlan-Id = 15
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600901980000000861603010046100000424104d0c3847c755edc97193c3a7fc45b23a0b4412d001c0cc70f6a6aedde1d2c2148555026fc757c7a2f60bb913a6d944dedc563b4622f80e116cf44541113f6673514030100010116030100301a6d058f6952ec064d990521cf81885feb03ccc7bc646630ea09be594d2e7b9a510a5869f38eb7d702827b1f60f0d386
State = 0x73eb6eeb77ed77dbab4005972fb84a50
Message-Authenticator = 0x7057aff4addd943bacd17a1d0acd83d6
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 134
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 14 to 10.0.0.12 port 32769
EAP-Message = 0x01070041190014030100010116030100306159a51cb9e95e598443a58c28905f5b3401a36f6ade329c00e73237b55c8ad68be30867396f9018af88f4204d5f9054
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x73eb6eeb76ec77dbab4005972fb84a50
Finished request 12.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=15, length=222
User-Name = "testing"
Calling-Station-Id = "60-c5-47-45-43-0c"
Called-Station-Id = "00-11-20-48-53-40::-)"
NAS-Port = 8
Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"
NAS-IP-Address = 10.0.0.12
NAS-Identifier = "Cisco_49:4b:40"
Airespace-Wlan-Id = 15
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020700061900
State = 0x73eb6eeb76ec77dbab4005972fb84a50
Message-Authenticator = 0x68a0a32665a682a8105a90ce8170ba0f
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 15 to 10.0.0.12 port 32769
EAP-Message = 0x0108002b1900170301002005753ba468b77ec20a43c1fb1ec19fea10a4f79c5932ef40d71b95fb93ab2d83
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x73eb6eeb75e377dbab4005972fb84a50
Finished request 13.
Going to the next request
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=16, length=259
User-Name = "testing"
Calling-Station-Id = "60-c5-47-45-43-0c"
Called-Station-Id = "00-11-20-48-53-40::-)"
NAS-Port = 8
Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"
NAS-IP-Address = 10.0.0.12
NAS-Identifier = "Cisco_49:4b:40"
Airespace-Wlan-Id = 15
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0208002b19001703010020422f8e62a8c3ece30b1359799e342131b09c4987db5750785545bf70fe4c0f18
State = 0x73eb6eeb75e377dbab4005972fb84a50
Message-Authenticator = 0xc680d244328d414f86cb2915466a5c70
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - testing
[peap] Got inner identity 'testing'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x0208000c0174657374696e67
server {
[peap] Setting User-Name to testing
Sending tunneled request
EAP-Message = 0x0208000c0174657374696e67
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testing"
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testing at line 60
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010900211a0109001c10aca9799efad64499b615ffdc2f5165ae74657374696e67
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x18902df81899370636c4e7e5690d28c9
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010900211a0109001c10aca9799efad64499b615ffdc2f5165ae74657374696e67
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x18902df81899370636c4e7e5690d28c9
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 16 to 10.0.0.12 port 32769
EAP-Message = 0x0109004b1900170301004021ce4449a2c6588c45533dc57939b60bef1717316ccf3ab5f2af9398f147abd4d75c6cbd5a69641ff2d2a164bfd6d565efe962801d03295a2b12a56727b91c8a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x73eb6eeb74e277dbab4005972fb84a50
Finished request 14.
Going to the next request
Waking up in 3.1 seconds.
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=17, length=323
User-Name = "testing"
Calling-Station-Id = "60-c5-47-45-43-0c"
Called-Station-Id = "00-11-20-48-53-40::-)"
NAS-Port = 8
Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"
NAS-IP-Address = 10.0.0.12
NAS-Identifier = "Cisco_49:4b:40"
Airespace-Wlan-Id = 15
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0209006b19001703010060e7318f96f70b28e945688da1bfd5b61c3ad00c1ba1246c3649258de8c95bb4f855fe652bc4db91999108f5434d61d86529111c29fb48e2cf9764b815bff073f2e3acab087b281b037d26d91f3b6a8390fe0ec2fb5d8a722dab3b7fcd11044687
State = 0x73eb6eeb74e277dbab4005972fb84a50
Message-Authenticator = 0x02bab4b58f5e310f02f9b2ebe13e0f05
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020900421a0209003d319990ea2bed6e5013e9dbc121d5a69d41000000000000000075d3c40b381619618f977e958672926c2d56ac79c98ecd370074657374696e67
server {
[peap] Setting User-Name to testing
Sending tunneled request
EAP-Message = 0x020900421a0209003d319990ea2bed6e5013e9dbc121d5a69d41000000000000000075d3c40b381619618f977e958672926c2d56ac79c98ecd370074657374696e67
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testing"
State = 0x18902df81899370636c4e7e5690d28c9
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testing at line 60
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: testing
[mschap] Client is using MS-CHAPv2 for testing, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010a00331a0309002e533d41323041303437443538414334313144373441433641363143363143383038363542334346463242
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x18902df8199a370636c4e7e5690d28c9
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010a00331a0309002e533d41323041303437443538414334313144373441433641363143363143383038363542334346463242
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x18902df8199a370636c4e7e5690d28c9
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 17 to 10.0.0.12 port 32769
EAP-Message = 0x010a005b190017030100504fb5fcd04762cc15914b6d4af35311ba331de931aff368ca3c34138c7f03f02b068bbe134bb83999b6716bb64bc5adb24a95c01e8b61523831e0ab1d0081ed1e2d5342c3d57c379171cb0a86d118cb29
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x73eb6eeb7be177dbab4005972fb84a50
Finished request 15.
Going to the next request
Waking up in 3.1 seconds.
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=18, length=259
User-Name = "testing"
Calling-Station-Id = "60-c5-47-45-43-0c"
Called-Station-Id = "00-11-20-48-53-40::-)"
NAS-Port = 8
Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"
NAS-IP-Address = 10.0.0.12
NAS-Identifier = "Cisco_49:4b:40"
Airespace-Wlan-Id = 15
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020a002b19001703010020f8a1f8d0933ad89c64731181d33da06aeff9eb035879fa8a62abbbd07d75616c
State = 0x73eb6eeb7be177dbab4005972fb84a50
Message-Authenticator = 0x7463a6818ee330c798e61dacb75b162c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x020a00061a03
server {
[peap] Setting User-Name to testing
Sending tunneled request
EAP-Message = 0x020a00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "testing"
State = 0x18902df8199a370636c4e7e5690d28c9
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testing at line 60
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
WARNING: Empty post-auth section. Using default return values.
# Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xd67428f2d8f04a7c7f48f820842baacf
MS-MPPE-Recv-Key = 0xf30b0f96dc8a2ba868b144c4cfe5333e
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testing"
[peap] Got tunneled reply RADIUS code 2
MS-MPPE-Encryption-Policy = 0x00000001
MS-MPPE-Encryption-Types = 0x00000006
MS-MPPE-Send-Key = 0xd67428f2d8f04a7c7f48f820842baacf
MS-MPPE-Recv-Key = 0xf30b0f96dc8a2ba868b144c4cfe5333e
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testing"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 18 to 10.0.0.12 port 32769
EAP-Message = 0x010b002b19001703010020a741d9ceb2c84aae144d08ee11b1aa9c8f7bdedc44c3036131bf62b981ea27dd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x73eb6eeb7ae077dbab4005972fb84a50
Finished request 16.
Going to the next request
Waking up in 3.1 seconds.
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=19, length=259
User-Name = "testing"
Calling-Station-Id = "60-c5-47-45-43-0c"
Called-Station-Id = "00-11-20-48-53-40::-)"
NAS-Port = 8
Cisco-AVPair = "audit-session-id=0c00000a000000005cc43351"
NAS-IP-Address = 10.0.0.12
NAS-Identifier = "Cisco_49:4b:40"
Airespace-Wlan-Id = 15
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b002b1900170301002023b9b430c65678f3ab95d0d06293c0995690f88114516f64eeb410b632b8d548
State = 0x73eb6eeb7ae077dbab4005972fb84a50
Message-Authenticator = 0x0a56d0c11f179ad0e657387c2aef95dc
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 19 to 10.0.0.12 port 32769
MS-MPPE-Recv-Key = 0x72b108b845fb9d5769b49058156b1725ef003e3ba7c81d4b632d0a496c3ea920
MS-MPPE-Send-Key = 0xe0a06ae4249976a28dd0da48338d722d11745099a0bb3d3ec752284952dfa6ad
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "testing"
Finished request 17.
Going to the next request
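As an added example (not from the original post), here is a small parser for the radiusd -X output above that turns the PEAP exchange into a few facts worth checking before calling the setup done: the inner identity and method, whether the inner-tunnel server reported success, how many Access-Challenge round trips it took, and whether the final Access-Accept carries the MS-MPPE keys the WLC needs to derive the pairwise master key. The sample is a trimmed excerpt of the trace posted above (requests 16, 18 and 19, most module lines dropped), constructed for the example. The two findings it reports are the two things in this trace a practitioner would want to chase: the real username is sent as the outer identity in the clear, and the inner method is MSCHAPv2, which is only as safe as the client's check of the server certificate, the check the iPhone was asked to waive.

```python
import re

# Constructed input: a trimmed excerpt of the radiusd -X output posted above (requests
# 16, 18 and 19 only, with most module lines left out).
SAMPLE = """\
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=16, length=259
User-Name = "testing"
Calling-Station-Id = "60-c5-47-45-43-0c"
Called-Station-Id = "00-11-20-48-53-40::-)"
NAS-IP-Address = 10.0.0.12
[eap] processing type peap
[peap] Got inner identity 'testing'
server {
server inner-tunnel {
[eap] processing type mschapv2
} # server inner-tunnel
Sending Access-Challenge of id 16 to 10.0.0.12 port 32769
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=18, length=259
User-Name = "testing"
Calling-Station-Id = "60-c5-47-45-43-0c"
NAS-IP-Address = 10.0.0.12
server {
server inner-tunnel {
[eap] processing type mschapv2
} # server inner-tunnel
[peap] Tunneled authentication was successful.
Sending Access-Challenge of id 18 to 10.0.0.12 port 32769
rad_recv: Access-Request packet from host 10.0.0.12 port 32769, id=19, length=259
User-Name = "testing"
Calling-Station-Id = "60-c5-47-45-43-0c"
NAS-IP-Address = 10.0.0.12
Sending Access-Accept of id 19 to 10.0.0.12 port 32769
MS-MPPE-Recv-Key = 0x72b108b845fb9d5769b49058156b1725ef003e3ba7c81d4b632d0a496c3ea920
MS-MPPE-Send-Key = 0xe0a06ae4249976a28dd0da48338d722d11745099a0bb3d3ec752284952dfa6ad
User-Name = "testing"
"""

RAD_RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
SENDING = re.compile(r"^Sending (\S+) of id (\d+) to ")
ATTR = re.compile(r'^([\w-]+) = "?([^"]*)"?$')


def parse_debug(text):
    """One record per RADIUS request: outer attributes, reply code and attributes, inner-tunnel facts."""
    requests, cur, in_tunnel = [], None, False
    for line in text.splitlines():
        line = line.strip()
        m = RAD_RECV.match(line)
        if m:
            cur = {"id": int(m.group(3)), "outer": {}, "reply": None, "reply_attrs": {}, "inner": {}}
            requests.append(cur)
            in_tunnel = False
            continue
        if cur is None:
            continue
        m = SENDING.match(line)
        if m:
            cur["reply"], in_tunnel = m.group(1), False
        elif line == "server {":
            in_tunnel = True  # until "Sending", attribute lines belong to the decrypted inner EAP
        elif line.startswith("[peap] Got inner identity '"):
            cur["inner"]["identity"] = line.split("'")[1]
        elif line == "[peap] Tunneled authentication was successful.":
            cur["inner"]["success"] = True
        elif in_tunnel and " processing type " in line:
            cur["inner"]["method"] = line.rsplit(" ", 1)[1]
        elif not in_tunnel and (m := ATTR.match(line)):
            (cur["reply_attrs"] if cur["reply"] else cur["outer"])[m.group(1)] = m.group(2)
    return requests


def summarize(requests):
    """Collapse the exchange into the handful of facts you would otherwise check by eye."""
    final = requests[-1]

    def first(key):
        return next((r["inner"][key] for r in requests if key in r["inner"]), None)

    return {
        "outer_identity": requests[0]["outer"].get("User-Name"),
        "inner_identity": first("identity"),
        "inner_method": first("method"),
        "inner_success": first("success") is True,
        "challenges": sum(r["reply"] == "Access-Challenge" for r in requests),
        "final_reply": final["reply"],
        "mppe_keys": {"MS-MPPE-Send-Key", "MS-MPPE-Recv-Key"} <= set(final["reply_attrs"]),
    }


def check_session(s):
    """Findings a practitioner should look at before calling the setup done."""
    findings = []
    if s["final_reply"] == "Access-Accept" and not s["inner_success"]:
        findings.append("Access-Accept without a successful inner authentication")
    if s["final_reply"] == "Access-Accept" and not s["mppe_keys"]:
        findings.append("Access-Accept carries no MS-MPPE keys; the WLC cannot derive the PMK")
    if s["outer_identity"] and s["outer_identity"] == s["inner_identity"]:
        findings.append("outer identity equals inner identity: the real username travels outside the TLS tunnel")
    if s["inner_method"] == "mschapv2":
        findings.append("inner method is MSCHAPv2: only as strong as the client's check of the server certificate")
    return findings
```

Most supplicants can be told to send an anonymous outer identity; FreeRADIUS already takes the real User-Name from inside the tunnel, as the "Setting User-Name to testing" lines in the trace show, so nothing changes on the server side. The all-zero Message-Authenticator on the "Sending" lines is expected: radiusd prints the reply before it computes the HMAC.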
03-03-2013 05:40 PM
Well, glad you figured it out. One other thing: the more SSIDs you create, the more RF noise you make for yourself. I run two SSIDs at home... It is best practice to limit it to 4 or less. Less is better.
Sent from Cisco Technical Support iPhone App
03-03-2013 07:21 PM
Oh, of course if I was running this for full-time home use, I would be using much less. The overload of SSIDs was just to be silly (spelled out a Burma-Shave-like road sign ad with it). I will continue until I have tried a 16-VLAN system, and I have been told that to watch the power level function work I need 4 APs ideally, so I will do that as well. But in two months, after I have this stuff down, I will pare it back to two APs, and maybe 2 SSIDs going forward.
I'll collect the configs I used and post them as I go, for those that want to go FreeRADIUS.
Nick