help-gnu-radius

Re: [Help-gnu-radius] Cisco Aironet 1100 & Gnu Radius


From: Martin Laflamme
Subject: Re: [Help-gnu-radius] Cisco Aironet 1100 & Gnu Radius
Date: Wed, 26 Mar 2008 16:23:35 -0400 (EDT)
User-agent: SquirrelMail/1.4.8

Hi Mikael,

I've had a similar issue before with straightforward PPPoE authentication.

Login incorrect [rrr/]

Some users would log in and I would see something like you're seeing
above.  I'd get them to retype their username and everything would be
fine.

I'm not sure if gnu-radius chomps the username (remove any carriage
returns or spaces from usernames) but it almost looks like that was the
issue.

Anyways... it's an idea.

Martin


> Hi,
>
> I'm having problems getting my AP to auth with my radius. Below is various
> information.
>
> Windows client: ( I'm trying to translate the danish )
> WPA-Enterprise
> Encryption: TKIP
> Authentication method: PEAP ( the other ones are chip or certificate )
> Don't validate server certificate
> EAP-MSCHAP v2 ( Do not use windows logon name and password )
> Under there are 3 check boxes all turned off ....
>
> So ... windows says this configuration is right and I get to type the
> username and password ...  but it never gets to the RADIUS box, as you
> can see from the log files below ....
>
> If you need more information, I will happily supply it .... as I'm
> really lost here ... don't know if GNU Radius is even able to do it
> ... only time will tell, but I sure hope so :-)
>
> best regards
> Mikael Syska
>
> ----------------------
>
> Here is some debug information:
> Debug from the Cisco AP:
> Mar 25 22:54:16.617: RADIUS/ENCODE(000000A1):Orig. component type = DOT11
> Mar 25 22:54:16.617: RADIUS:  AAA Unsupported Attr: ssid [263] 3
> Mar 25 22:54:16.617: RADIUS:   6F  [o]
> Mar 25 22:54:16.617: RADIUS:  AAA Unsupported Attr: location-name [530] 4
> Mar 25 22:54:16.617: RADIUS:   4F 45  [OE]
> Mar 25 22:54:16.618: RADIUS:  AAA Unsupported Attr: interface [156] 3
> Mar 25 22:54:16.618: RADIUS:   34  [4]
> Mar 25 22:54:16.618: RADIUS(000000A1): Storing nasport 412 in rad_db
> Mar 25 22:54:16.618: RADIUS(000000A1): Config NAS IP: 172.17.4.30
> Mar 25 22:54:16.619: RADIUS/ENCODE(000000A1): acct_session_id: 161
> Mar 25 22:54:16.619: RADIUS(000000A1): Config NAS IP: 172.17.4.30
> Mar 25 22:54:16.619: RADIUS(000000A1): sending
> Mar 25 22:54:16.619: RADIUS(000000A1): Send Access-Request to 172.17.4.1:1812 id 1645/31, len 121
> Mar 25 22:54:16.619: RADIUS:  authenticator 63 B4 AE 27 0B BF 68 D1 - 8E C2 A9 74 03 17 D7 38
> Mar 25 22:54:16.619: RADIUS:  User-Name           [1]   5   "rrr"
> Mar 25 22:54:16.620: RADIUS:  Framed-MTU          [12]  6   1400
> Mar 25 22:54:16.620: RADIUS:  Called-Station-Id   [30]  16  "001e.be8e.03e0"
> Mar 25 22:54:16.620: RADIUS:  Calling-Station-Id  [31]  16  "001b.77d2.b10c"
> Mar 25 22:54:16.620: RADIUS:  Service-Type        [6]   6   Login                     [1]
> Mar 25 22:54:16.620: RADIUS:  Message-Authenticato[80]  18  *
> Mar 25 22:54:16.621: RADIUS:  EAP-Message         [79]  10
> Mar 25 22:54:16.621: RADIUS:   02 02 00 08 01 72 72 72  [?????rrr]
> Mar 25 22:54:16.621: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
> Mar 25 22:54:16.621: RADIUS:  NAS-Port            [5]   6   412
> Mar 25 22:54:16.621: RADIUS:  NAS-IP-Address      [4]   6   172.17.4.30
> Mar 25 22:54:16.621: RADIUS:  Nas-Identifier      [32]  6   "ap30"
> Mar 25 22:54:16.624: RADIUS: Received from id 1645/31 172.17.4.1:1812, Access-Reject, len 39
> Mar 25 22:54:16.624: RADIUS:  authenticator 4C 71 B8 6A A3 15 51 B7 - B5 4A 93 69 64 84 49 1C
> Mar 25 22:54:16.624: RADIUS:  Reply-Message       [18]  19
> Mar 25 22:54:16.625: RADIUS:   0D 0A 41 63 63 65 73 73 20 64 65 6E 69 65 64 0D  [??Access denied?]
> Mar 25 22:54:16.625: RADIUS:   0A  [?]
> Mar 25 22:54:16.625: RADIUS(000000A1): Received from id 1645/31
>
> Debug from the GNU Radius server:
> Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 25 23:23:19 [8658]: (Access-Request 172.17.4.30 28 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 25 23:27:54 [8658]: (Access-Request 172.17.4.30 29 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> Mar 25 23:28:31 [8658]: (Access-Request 172.17.4.30 30 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 25 23:28:31 [8658]: (Access-Request 172.17.4.30 30 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> Mar 25 23:54:08 [8658]: (Access-Request 172.17.4.30 31 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 25 23:54:08 [8658]: (Access-Request 172.17.4.30 31 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> Mar 26 00:08:40 [8658]: (Access-Request 172.17.4.30 32 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 26 00:08:40 [8658]: (Access-Request 172.17.4.30 32 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
> Mar 26 00:09:36 [8658]: (Access-Request 172.17.4.30 33 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): Login incorrect [rrr/]
> Mar 26 00:09:36 [8658]: (Access-Request 172.17.4.30 33 "rrr" CLID=001b.77d2.b10c CSID=001e.be8e.03e0): rule trace: /usr/local/etc/raddb/users:14; hints:4
>
> Cisco config.txt:
> !
> ! Last configuration change at 23:25:11 +0100 Tue Mar 25 2008 by Cisco
> ! NVRAM config last updated at 23:25:11 +0100 Tue Mar 25 2008 by Cisco
> !
> version 12.3
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname ap30
> !
> no logging console
> enable secret 5 $1$2jwC$NHe..OkEaUL4fxHY22NDe0
> !
> clock timezone +0100 1
> ip subnet-zero
> ip domain name foo.tld
> ip name-server 172.17.4.1
> !
> !
> aaa new-model
> !
> !
> aaa group server radius rad_eap
>  server 172.17.4.1 auth-port 1812 acct-port 1813
> !
> aaa group server radius rad_mac
> !
> aaa group server radius rad_acct
> !
> aaa group server radius rad_admin
> !
> aaa group server tacacs+ tac_admin
> !
> aaa group server radius rad_pmip
> !
> aaa group server radius dummy
> !
> aaa authentication login eap_methods group rad_eap
> aaa authentication login mac_methods local
> aaa authorization exec default local
> aaa accounting network acct_methods start-stop group rad_acct
> aaa session-id common
> !
> dot11 ssid oma
>    authentication open eap eap_methods
>    authentication network-eap eap_methods
>    authentication key-management wpa
>    guest-mode
> !
> !
> !
> username Cisco privilege 15 password 7 0005170B0D555B51
> !
> bridge irb
> !
> !
> interface Dot11Radio0
>  no ip address
>  no ip route-cache
>  !
>  encryption mode ciphers tkip
>  !
>  ssid oma
>  !
>  speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
>  station-role root
>  bridge-group 1
>  bridge-group 1 subscriber-loop-control
>  bridge-group 1 block-unknown-source
>  no bridge-group 1 source-learning
>  no bridge-group 1 unicast-flooding
>  bridge-group 1 spanning-disabled
> !
> interface FastEthernet0
>  no ip address
>  no ip route-cache
>  duplex auto
>  speed auto
>  bridge-group 1
>  no bridge-group 1 source-learning
>  bridge-group 1 spanning-disabled
> !
> interface BVI1
>  ip address 172.17.4.30 255.255.255.0
>  no ip route-cache
> !
> ip default-gateway 172.17.4.1
> ip http server
> no ip http secure-server
> ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
> ip radius source-interface BVI1
> !
> logging facility auth
> logging 172.17.4.20
> access-list 111 permit tcp any any neq telnet
> snmp-server view dot11view ieee802dot11 included
> snmp-server community public view dot11view RO
> snmp-server location OEST
> snmp-server contact address@hidden
> snmp-server chassis-id ap30
> radius-server attribute 32 include-in-access-req format %h
> radius-server host 172.17.4.1 auth-port 1812 acct-port 1813 key 7 135647415A5F567978
> radius-server vsa send accounting
> bridge 1 route ip
> !
> !
> !
> line con 0
>  access-class 111 in
> line vty 0 4
>  access-class 111 in
> !
> sntp server 83.221.136.68
> sntp broadcast client
> end
>
> config from the radius server:
> # For detailed description, run:
> #       info Radius config
>
> # usedbm no;
>
> option {
>         # source-ip 172.17.4.1;
>         max-requests 1024;
>         resolve no;
> };
>
> logging {
>         prefix-hook "default_log_prefix";
>         channel default {
>                 file "radius.log";
>                 print-category yes;
>                 print-level yes;
>         };
>         channel info {
>                 file "radius.info";
>                 print-pid yes;
>         };
>         channel debug {
>                 file "radius.debug";
>         };
>         category auth {
>                 level high;
>                 print-auth yes;
>                 print-failed-pass yes;
>         };
>         category info {
>                 channel info;
>         };
>         category =debug {
>                 channel debug;
>         };
>         category * {
>                 channel default;
>         };
> };
>
> auth {
>         #listen 172.17.4.1;
>         #port 1645;
>         trace-rules yes;
>         max-requests 127;
>         request-cleanup-delay 2;
>         detail yes;
>         # detail-file-name "=nas_name(request_source_ip()) + \"/detail.auth\"";
>         strip-names yes;
>         # checkrad-assume-logged yes;
> };
>
> acct {
>         max-requests 127;
>         request-cleanup-delay 2;
>         detail-file-name "=nas_name(request_source_ip()) + \"/detail\"";
> };
>
> rewrite {
>         load "checknas.rw";
>         load "log-hook.rw";
>         load "nas-ip.rw";
> };
>
> # snmp {
> #       listen no;
> # };
>
> users from the Gnu Radius:
> # For detailed description, run:
> #       info Radius users
>
>
> ## The following entry is supposed to be used with authentication probe
> ## control. Please read `info --node 'Auth Probing' radius' for the detailed
> ## description of it
> DEFAULT Group = "*LOCKED_ACCOUNT*",
>                 Auth-Type = Reject
>         Reply-Message = "Your account is currently locked.\n\
> Please, contact your system administrator\n"
>
>
> ## Default entry.
> DEFAULT Auth-Type = Crypt-Local,
>                          Password-Location = SQL,
>                 Simultaneous-Use = 1
>         Service-Type = Framed-User,
>                 Framed-Protocol = PPP
>
> sqlserver from the radius server:
> Only changed a few things, like:
> doauth yes;
> user,pass,host,database so it can Auth, rest is default.
>
>
> _______________________________________________
> Help-gnu-radius mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/help-gnu-radius
>


-- 
Senior Network Security Analyst
CISSP, FCNSP, CCNP, CCDP, RCAS, CCAI
address@hidden
tel. 613.728.5504
cell. 613-295-5504

Marketbridge Technologies, Inc.
1066 Somerset St. West, Suite B-101
Ottawa, ON, K1Y 4T3
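A way to test Martin's chomp hypothesis against the dump itself, rather than by asking users to retype. This is an added example, not code from either poster or from GNU Radius or Cisco. The sample is constructed from the attribute lines of the AP's "debug radius" output quoted above (mail-wrapped values rejoined, ASCII echo lines dropped). The parser recovers each attribute's type, wire length and value, decodes the EAP-Message bytes as an EAP packet, and compares the User-Name length field with the printed string: the length field counts two header bytes plus the string, so any surplus would be bytes such as CR, LF or a space that the debug output does not show. It also reports whether a User-Password attribute is present at all; in the quoted request there is none, only an EAP-Message, which matches the empty field after the slash in GNU Radius's "Login incorrect [rrr/]" (user/password, since print-failed-pass is on). Attribute type numbers follow RFC 2865/2869 and EAP codes and types follow RFC 3748.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the attribute lines of the AP's "debug radius" output
# quoted in the thread, with mail-wrapped values rejoined and the ASCII
# echo lines dropped.
AP_DEBUG = """\
Mar 25 22:54:16.619: RADIUS:  User-Name           [1]   5   "rrr"
Mar 25 22:54:16.620: RADIUS:  Framed-MTU          [12]  6   1400
Mar 25 22:54:16.620: RADIUS:  Called-Station-Id   [30]  16  "001e.be8e.03e0"
Mar 25 22:54:16.620: RADIUS:  Calling-Station-Id  [31]  16  "001b.77d2.b10c"
Mar 25 22:54:16.620: RADIUS:  Service-Type        [6]   6   Login [1]
Mar 25 22:54:16.620: RADIUS:  Message-Authenticato[80]  18  *
Mar 25 22:54:16.621: RADIUS:  EAP-Message         [79]  10
Mar 25 22:54:16.621: RADIUS:   02 02 00 08 01 72 72 72
Mar 25 22:54:16.621: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless [19]
Mar 25 22:54:16.621: RADIUS:  NAS-Port            [5]   6   412
Mar 25 22:54:16.621: RADIUS:  NAS-IP-Address      [4]   6   172.17.4.30
Mar 25 22:54:16.621: RADIUS:  Nas-Identifier      [32]  6   "ap30"
"""

USER_NAME, USER_PASSWORD, EAP_MESSAGE = 1, 2, 79      # RADIUS attribute types
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 25: "PEAP", 26: "MS-CHAPv2"}

# "RADIUS:  Name [type] length value" -- the name may butt against the bracket
ATTR_RE = re.compile(r"RADIUS:\s+(\S+?)\s*\[(\d+)\]\s+(\d+)\s*(.*?)\s*$")
# A continuation line holding only hex bytes for the attribute printed above it
HEX_RE = re.compile(r"RADIUS:\s+((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})\s*$")


@dataclass
class RadiusAttr:
    name: str
    type_: int
    length: int       # wire length, the 2 header bytes included
    value: str        # printed value, surrounding quotes removed
    raw: bytes = b""  # bytes from hex continuation lines, if any


def parse_debug(text: str) -> List[RadiusAttr]:
    """Turn the per-attribute lines of Cisco 'debug radius' output into objects."""
    attrs: List[RadiusAttr] = []
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            value = m.group(4)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            attrs.append(RadiusAttr(m.group(1), int(m.group(2)), int(m.group(3)), value))
            continue
        h = HEX_RE.search(line)
        if h and attrs:  # hex dump belongs to the attribute printed just above
            attrs[-1].raw += bytes.fromhex(h.group(1).replace(" ", ""))
    return attrs


def decode_eap(raw: bytes) -> Dict[str, object]:
    """Decode an EAP header (code, id, length) and, for Request/Response, its type."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    out: Dict[str, object] = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        out["type"] = EAP_TYPES.get(raw[4], raw[4])
        out["data"] = raw[5:]
    return out


def chomp_username(name: str) -> Tuple[str, bool]:
    """Martin's hypothesis: strip trailing CR/LF/space and report whether anything went."""
    cleaned = name.rstrip(" \t\r\n")
    return cleaned, cleaned != name


def diagnose(attrs: List[RadiusAttr]) -> Dict[str, object]:
    """Summarise what the Access-Request actually carried."""
    by_type = {a.type_: a for a in attrs}
    report: Dict[str, object] = {"user_name": None, "hidden_trailing_bytes": None,
                                 "has_user_password": USER_PASSWORD in by_type,
                                 "eap": None, "eap_bytes_complete": None}
    user = by_type.get(USER_NAME)
    if user:
        cleaned, _ = chomp_username(user.value)
        report["user_name"] = cleaned
        # Surplus of the length field over the printed text = bytes the debug hid
        report["hidden_trailing_bytes"] = (user.length - 2) - len(user.value.encode())
    eap = by_type.get(EAP_MESSAGE)
    if eap and eap.raw:
        report["eap_bytes_complete"] = len(eap.raw) == eap.length - 2
        report["eap"] = decode_eap(eap.raw)
    return report


if __name__ == "__main__":
    for key, val in diagnose(parse_debug(AP_DEBUG)).items():
        print(f"{key}: {val}")
```

On the quoted dump this reports user_name "rrr" with zero hidden trailing bytes, has_user_password False, and an EAP Response/Identity (id 2, length 8) whose data is "rrr". In other words the supplicant is sending an EAP identity, not a password, which is the first thing to confirm before looking at the users file or the SQL password lookup.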





