FreeRADIUS & AP1142n
I have set up an LDAP-backed FreeRADIUS server for use with a couple of AP1142n APs.
I set a shared secret and configured the AP to authenticate against FreeRADIUS.
The installation should use usernames and passwords, no client certificate.
An Ubuntu client that I set up as a test can authenticate just fine.
However, when I try to authenticate through the AP I get the following in the RADIUS logs:
17:08:50  --> verify error:num=20:unable to get local issuer certificate
17:08:50  TLS Alert write:fatal:unknown CA
17:08:50  TLS_accept: error in SSLv3 read client certificate B
17:08:50  rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
17:08:50  SSL: SSL_read failed in a system call (-1), TLS session fails.
17:08:50  Login incorrect (unable to get local issuer certificate): [noel.bourke] (from client AP4 port 521 cli 00-26-BB-03-C5-09)
I tried adding the self-issued CA certificate to the AP, but it made no difference.
Can someone give me some guidance on this?
Which EAP method have you set?
This isn't an AP problem, it is a problem of the FreeRADIUS/client configuration.
FreeRADIUS offers a list of possible authentication methods and the client tries the one it is configured for. So if your Ubuntu client goes for EAP-TLS (which uses certificates), there is nothing anyone can do about it.
PEAP-MSCHAPv2 is your best bet. Check whether that is what both the client and FreeRADIUS are configured for.
Nicolas
Tags: Cisco Wireless
Similar Questions
-
Cisco AIR-AP1142N-A-K9 WPA2 wireless access point configuration problem
Hi people,
I am brand new to Cisco Wireless. I just bought a new Cisco AIR-AP1142N-A-K9 wireless access point and am trying to configure WPA2 for security reasons, but it is impossible to configure any security mode. So my AP is currently in no security / no encryption mode.
Could someone help and suggest what to do? I would appreciate getting all the documents so the security problem can be solved.
Regards
Sanjeev
OK great
-
SG300: can't assign a VLAN via 802.1X + FreeRADIUS
We recently got an SG300-10 and are trying to get dynamic VLAN assignment working via 802.1X and FreeRADIUS. We have got it to the point that the client connected to the SG300 authenticates correctly, i.e. I see this in "show dot1x users":
Port     Username         MAC Address        Auth Method  Auth Server  Session Time   VLAN
-------- ---------------- ------------------ -----------  -----------  -------------- ----
gi7      testuser         58:55:ca:24:19:d4  802.1X       Remote       00:04:39
However, the client does not seem to end up in the correct VLAN, or in any VLAN at all. If I change the port from "dot1x radius-attributes vlan static" to "dot1x radius-attributes vlan", then the client can't authenticate at all (which is expected, because it cannot retrieve the VLAN information).
The FreeRADIUS users file looks like this:
testuser Cleartext-Password := "testpassword"
    ##Tunnel-Tag = 0,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Type = VLAN,
    Tunnel-Private-Group-Id = "104"
And eap.conf has this line:
copy_request_to_tunnel = yes
Running config:
net055#show running-config
config-file-header
net055
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
default-vlan vlan 3333
exit
vlan database
vlan 1,100,104,111
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
hostname net055
line console
exec-timeout 30
exit
line ssh
exec-timeout 0
exit
encrypted radius-server host 172.16.200.57 key #REMOVED priority 10 usage dot1.x
radius-server host source-interface vlan 100
management access-list mlist2
permit ip-source 172.16.202.0 mask 255.255.255.0
permit ip-source 172.16.200.0 mask 255.255.255.0
exit
management access-class mlist2
logging buffered debugging
aaa authentication enable default enable none
aaa accounting dot1x start-stop group radius
enable password level 15 encrypted #REMOVED
no service password-recovery
no passwords complexity enable
passwords aging 0
username #REMOVED password encrypted #REMOVED privilege 15
username #REMOVED password encrypted #REMOVED privilege 15
ip ssh server
ip ssh password-auth
ip http timeout-policy 1800 https-only
no ip http server
tacacs-server timeout 10
clock timezone " " 0 minutes 0
clock source sntp
!
interface vlan 100
ip address 172.16.200.21 255.255.255.0
no ip address dhcp
!
interface vlan 104
name gen-0-Gnv-204.0
!
interface vlan 111
name guest-0-Gnv-10-66-61.0
dot1x guest-vlan
!
interface gigabitethernet1
switchport trunk allowed vlan add 100,104,111
!
interface gigabitethernet7
dot1x guest-vlan enable
dot1x reauthentication
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode general
switchport general allowed vlan add 104 untagged
no macro auto smartport
!
exit
ip default-gateway 172.16.200.1
Looks like there was a similar question here, but it seems to have never been resolved:
https://supportforums.Cisco.com/message/3336810#3336810
Hi all
I'm working with Colin and it ended up being a RADIUS problem, in the eap.conf file, in the peap section (authentication phase 1).
We need to enable copy_request_to_tunnel AND use_tunneled_reply:
peap {
    # The tunneled EAP session needs a default EAP type
    # which is separate from the one for the non-tunneled
    # EAP module. Inside of the PEAP tunnel, we recommend
    # using MS-CHAPv2, as that is the default type supported
    # by Windows clients.
    default_eap_type = mschapv2
    # The PEAP module also has these configuration items,
    # which are the same as for TTLS.
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
}
After that, we could see the VLAN ID for the test user in the reply attributes, sent once per response.
See you soon!
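The switch only ever sees the outer RADIUS packet, so it moves the port into a VLAN only if the outer Access-Accept carries the RFC 2868 triple Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-Id = "<vlan>". That is why use_tunneled_reply = yes matters: without it, the attributes returned for the inner (tunneled) MS-CHAPv2 authentication never reach the outer reply. The following Python is an added example, not code from this thread or from FreeRADIUS: it encodes that triple as raw RADIUS attributes and then parses a reply the way an authenticator would, returning no VLAN when the triple is incomplete or inconsistent. The attribute numbers come from RFC 2868; the sample values (VLAN 104, tags) are constructed.

```python
import struct

# RFC 2868 attribute numbers and enumerated values used for dynamic VLAN assignment
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802


def encode_attribute(attr_type, value):
    """Encode one RADIUS attribute as Type(1) | Length(1) | Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def vlan_reply_attributes(vlan_id, tag=0):
    """Build the three reply attributes an 802.1X authenticator expects for a
    dynamic VLAN. RFC 2868 reserves the first value byte as a tag (0 = untagged,
    1..31 = tag) that groups the three attributes together. Constructed example."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("vlan id must be 1..4094")

    def tagged_int(value):
        # tag byte followed by a 3-byte big-endian integer
        return bytes([tag]) + struct.pack("!I", value)[1:]

    return (
        encode_attribute(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        + encode_attribute(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
        + encode_attribute(TUNNEL_PRIVATE_GROUP_ID,
                           bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def parse_attributes(data):
    """Walk a RADIUS attribute list, rejecting truncated or zero-length entries."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def split_tag(value):
    """RFC 2868 tag handling: a leading byte in 0x00..0x1F is a tag; otherwise
    the attribute is untagged and the whole value is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(reply_attributes):
    """Return the VLAN id an authenticator would apply from an Access-Accept's
    attributes, or None when no complete and consistent tunnel triple is present."""
    groups = {}
    for attr_type, value in parse_attributes(reply_attributes):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[attr_type] = body
    for group in groups.values():
        if len(group) != 3:
            continue  # one of the three attributes is missing for this tag
        if int.from_bytes(group[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        try:
            vlan_id = int(group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue  # a VLAN name rather than an id; some switches map names, this does not
        if 1 <= vlan_id <= 4094:
            return vlan_id
    return None


if __name__ == "__main__":
    reply = vlan_reply_attributes(104)
    print("VLAN assigned from reply:", assigned_vlan(reply))   # 104
    print("VLAN from empty reply:", assigned_vlan(b""))        # None
```

A reply carrying only Tunnel-Private-Group-Id (the situation before use_tunneled_reply was enabled, when the inner reply never reached the outer packet) yields None, which matches the "no VLAN at all" symptom above.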
-
Hi all
I'm brand new to wireless and I would like to find out if the AIR-AP1142N-T-K9 is standalone or lightweight. I read some documents and they say that the 1140 series is autonomous, but nothing specific to the 1142N-T-K9. If it is standalone, can it be converted to lightweight, and which WLC series supports the converted AP?
Thank you.
Your product code says it is autonomous (aka standalone), but the best way to check is to console into the AP and look at the IOS image. If your IOS is "C1140-K9W8-M", then it is the controller-based IOS. If your IOS is "C1140-K9W7-M", then it is autonomous.
Conversion from autonomous IOS (aIOS) is quite easy. All you need to do is copy the "RRS" TAR file to the AP and boot from it.
-
AP1142N "AP not supported" error converting to LWAPP
Trying to upgrade a standalone AIR-AP1142N-E-K9 (C1140-K9W7-M software, version 12.4(21a)JA1) with the upgrade tool, but I get the error message "unsupported AP". The tool version is CiscoAironet-AP-to-LWAPP-Upgrade-Tool-v205.exe
Which LWAPP conversion is supported for the AP1142N and how can I convert it?
Thanks for any help.
Alexander
Here's another method:
Copy the LWAPP IOS (with the "RRs" prefix in the file name) to the AP and set it as the AP's boot image. Your AP can then join a WLC.
-
SSID not seen on the PC (AP1142N, 802.11n)
AP is AIR-AP1142N.
SSID & radio 1 configuration is as follows...
Enable the SSID on radio 0 -> I see the SSID (but at 72 Mbps..)
But shut down radio 0 and then activate radio 1 -> I do not see the SSID
802.11n configuration is open authentication, or WPA2 encryption with AES, on radio 1 (5 GHz)
Help, please
CONFIGURATION
!
dot11 ssid TestN2
   authentication open
   guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 ssid TestN2
 !
 antenna gain 0
 guard-interval long
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
end
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 ssid TestN2
 !
 no dfs band block
 channel width 40-above
 channel 5745
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 bridge-group 1 unicast-flooding
!
AP#show ip interface brief
Interface          IP-Address      OK? Method Status                Protocol
BVI1               192.168.1.108   YES DHCP   up                    up
Dot11Radio0        unassigned      YES NVRAM  administratively down down
Dot11Radio1        unassigned      YES TFTP   up                    up
GigabitEthernet0   unassigned      YES NVRAM  up                    up
Sounds stupid, but are you sure that the client device is capable of 5 GHz?
Nicolas
-
FreeRADIUS User-Password encoding
Hello
I'm trying to configure a RADIUS server to authenticate my users on a couple of routers.
Now, I did my initial configuration on an 1811 router and everything works correctly; moving to a 2801 production router I get into trouble. Trying our second production 2801 it works fine again. I'm breaking my head over what could be wrong, but can't find anything!
What I see in my FreeRADIUS output log:
rad_recv: Access-Request packet from host 10.1.1.25:1645, id=172, length=96
        User-Name = "sander"
        Reply-Message = "Password: "
        User-Password = "\204p\034\272\345\346K^\250s\346\200gN\035\250"
        NAS-Port = 194
        NAS-Port-Id = "tty194"
        NAS-Port-Type = Virtual
        Calling-Station-Id = "10.2.1.112"
        NAS-IP-Address = 10.1.1.25
rlm_sql (sql): Reserving sql socket id: 3
So the User-Password in the request is somehow encrypted by Cisco. The password is 'test' for now. If I connect via my two other Cisco routers, I see the password in plaintext in the FreeRADIUS log (as I expect).
Is there a reason why this one 2801 router is acting weird and putting a different User-Password encoding into the mix?
Both 2801s are running the same version of IOS.
Help, please!
Hello
Only the password is encrypted with RADIUS. I would say it's the key.
Kind regards
Vivek
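What the debug log prints is the User-Password after FreeRADIUS has tried to unhide it with the shared secret it holds for that client. RFC 2865 hides the password by XORing it with MD5(secret + Request Authenticator), chained per 16-byte block, so when the NAS and the server disagree on the secret the packet still arrives and parses fine, but the unhidden password comes out as random-looking bytes exactly like the string above. The following Python is an added example, not code from this thread or from FreeRADIUS: it implements the hiding and unhiding and adds a small triage check. The secret and the 16-byte Request Authenticator are constructed values; the garbled sample is the byte string from the log above, converted from its octal escapes.

```python
import hashlib
import string

# Sample values constructed for this example (the real ones are per NAS / per request)
SHARED_SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))   # the NAS picks 16 random bytes per request
# The User-Password printed in the log above, "\204p\034\272..." converted from octal escapes
LOG_USER_PASSWORD = b"\x84p\x1c\xba\xe5\xe6K^\xa8s\xe6\x80gN\x1d\xa8"


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 bytes, then XOR each
    block with b_i = MD5(secret + c_(i-1)), where c_0 is the Request Authenticator
    and c_i is the previous ciphertext block. Output length is the padded length."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block            # chaining: the next key depends on this ciphertext block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, i.e. what the server does. Strips the NUL padding
    (so a password that genuinely ends in NUL bytes would lose them)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    revealed = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        revealed += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return revealed.rstrip(b"\x00")


def looks_like_secret_mismatch(revealed):
    """Triage hint: a password unhidden with the wrong secret is effectively random
    bytes, so anything outside printable ASCII is suspicious. A genuine password
    could contain such bytes, so treat this as a hint, not proof."""
    printable = set(string.printable.encode("ascii"))
    return not revealed or any(b not in printable for b in revealed)


if __name__ == "__main__":
    on_wire = hide_password(b"test", SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("right secret :", reveal_password(on_wire, SHARED_SECRET, REQUEST_AUTHENTICATOR))
    wrong = reveal_password(on_wire, b"wrongsecret", REQUEST_AUTHENTICATOR)
    print("wrong secret :", wrong, "mismatch?", looks_like_secret_mismatch(wrong))
    print("log sample looks like a mismatch?", looks_like_secret_mismatch(LOG_USER_PASSWORD))
```

Because the hiding is keyed only by the shared secret and the per-request authenticator, the same router with the right secret in its radius-server host line would print "test" like the other two; the check above is a quick way to tell "wrong secret on one NAS" from "wrong password".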
-
How to mount an AP1142n above a suspended ceiling?
Hello
I would like to know which:
(1) LWAP adapter
(2) mounting hardware / brackets
have been used for deployments of LWAP 1142n above a suspended ceiling. Our installation will not work with the included T-rail mounting hardware and we are looking for alternate options for mounting above a suspended ceiling. The Cisco hardware guide mentions an adapter to use with an Erico Caddy 512 T-shaped bracket. Has anyone had experience with this option?
Thank you
James
I used the Erico 512 brackets in a brand new building that we built. For aesthetics, they didn't want the APs visible. Anyway, they are not as slick as the T-rail hooks that are included with the APs, but they do the job. Make sure you get the 512 that has an 8" height, which you can adjust so the AP does not hit the top of the ceiling tile.
Oberon Wireless also makes very nice enclosures for different AP models if you want something a bit nicer and easier to access with a lock and key.
-
AIR-AP1142N-E-K9 deployment options
Hello
I intend to buy two or three 1142N Aironets and would like to know if they support root bridge & access point, and non-root bridge & access point, modes simultaneously with different SSIDs.
So the plan is to create a wireless bridge between two 1142N Aironets plus one more SSID on each for wireless clients.
Is this possible?
Yes.
-
RADIUS server with no AirPort devices
Is there a way I can set up a RADIUS server by using the OS X Server application, rather than Terminal, without an AirPort, on El Capitan? Thank you
See if that helps.
Mavericks of OS X Server - setting up FreeRADIUS
-
WPA-EAP Enterprise Wifi dongle for OS X 10.11?
I've been looking for months for a Wifi dongle that supports WPA-EAP Enterprise on OS X 10.11. I ordered about 10 already, but most of them only support OS X 10.9 or lower. But I need 10.11. Those that work with OS X 10.11 only support WPA-PSK.
Any ideas? Any help?
(I know that my Mac supports WPA-EAP, but I need a stick to place it as close as possible to the access point of a public network, which I can't change; I can't use repeaters etc.)
I may be wrong since I have to confess I have only used WPA2-Enterprise once, but I think that EAP would be part of the 802.1X security suite. EAP stands for Extensible Authentication Protocol.
OS X has supported WPA2-Enterprise and 802.1X for a long time, and it doesn't always work. I believe that as long as the WiFi adapter supports WPA2 then it will also support WPA2-Enterprise and therefore 802.1X and EAP.
Note: WPA2-Enterprise and 802.1X also mean using a RADIUS authentication server. In theory it could be run on a Mac server, and in fact Apple's Server.app includes a copy of FreeRADIUS, even if you need to configure it manually.
I found the following https://eshop.macsales.com/item/Edimax/EW7711MAC/ which is listed as Mac, El Capitan, WPA2 and 802.1X compatible.
This adapter on the OWC website is listed as including El Capitan drivers, although the product page on the Edimax website lists only up to Yosemite.
(Update - I have now found an Edimax driver download page which lists El Capitan - see http://www.edimax.co.uk/edimax/download/download/data/edimax/global/download/for _home/wireless_adapters/wireless_adapter... )
This is why I feel that this adapter qualifies as Mac-compatible, El Capitan compatible and WPA-EAP compatible.
-
Hello
I would like to configure FreeRADIUS on my OS X El Capitan server. Someone gave me a couple of links on how to do this using Terminal.
But I saw this on the App Store:
http://servicemax.com.au/tips/admin-tool-RADIUS/
It seems simple enough. I tried it and I'm not able to make it work.
My question is: does anyone have this working? If yes, what are the step-by-step instructions on how to configure it?
I solved it by adding the wireless router as a 'network access server' and using a purchased SSL certificate.
-
PEAP, EAP/TLS, Portégé with WinXP SP2 Tablet Edition problem
We have: Cisco Aironet 350 with WPA-EAP; FreeRADIUS with EAP/TLS and PEAP; Portégé tablet PC with WinXP SP2 configuration.
This problem is described in http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
Perhaps to solve this problem we need a fix (http://support.microsoft.com/kb/885453/en-us), but Microsoft support said to contact the laptop manufacturer.
Can someone help me with this problem?
Hmmm, I'm not an expert in this area, but it seems that the MS OS update is necessary (I hope).
The preinstalled Windows operating system is a plain OEM version and generally all updates should be possible. However, if the MS guys told you to get in touch with the laptop manufacturer, you can contact the authorized Toshiba service partner in your country for details.
But I searched a bit on the net and found this site useful:
http://SearchNetworking.TechTarget.com/originalContent/0,289142,sid7_gci945257,00.html
1. 802.1X is based on communication between your router and a RADIUS authentication server. If you use WEP, WPA or WPA2 with dynamic keys, the following 802.1X debugging tips may be useful:
a. re-enter the same RADIUS secret in your wireless router and the RADIUS server.
b. configure your RADIUS server to accept RADIUS requests from your router's IP address.
c. use ping to check router-to-server reachability.
d. watch the LAN packet counters to verify that RADIUS queries and answers are flowing.
e. use an analyzer like Ethereal to watch RADIUS success/failure messages on the Ethernet side.
f. for XP SP2, turn on Wzctrace.log by typing the command "netsh ras set tracing * enabled".
2. If RADIUS is flowing but access requests are rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) incompatibility or credential problem. This setting depends on the EAP type. For example, if your RADIUS server requires EAP-TLS, then select "Smart Card or other certificate" in your wireless network adapter's properties / Authentication panel. If your RADIUS server requires PEAP, then select "Protected EAP" on the adapter. If your RADIUS server requires EAP-TTLS, then you will need a third-party wireless client like AEGIS or Odyssey.
Make sure that the specific EAP properties match between your adapter and the server, including the trusted root CA certificate, the server domain name (optional, but it must match when specified) and the client authentication method (EAP-MSCHAPv2, EAP-GTC). When using PEAP, use the "Configure" panel for CHAP to prevent Windows from automatically re-using your Windows logon credentials.
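Tips (a), (d) and (e) above, like the "which EAP method have you set?" question in the first thread on this page, come down to reading what is actually on the wire between the NAS and the server. The following Python is an added example, not part of any post here: it parses RADIUS packets (RFC 2865 header plus attribute list), checks a reply's Response Authenticator against the shared secret (a failure here is the symptom of tip (a), a secret that differs between NAS and server), and reassembles EAP-Message attributes (RFC 3579) to report the EAP method in use, which is how an EAP-TLS attempt is told apart from PEAP in a capture. The packets, the Request Authenticator and the secret are constructed sample values; a real EAP exchange also carries a Message-Authenticator attribute that this example does not check.

```python
import hashlib
import hmac
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def encode_attributes(attrs):
    """Serialize [(type, value), ...] as Type(1) | Length(1) | Value entries."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def build_request(ident, attrs, request_auth):
    """Access-Request: header followed by the NAS-chosen 16-byte Request Authenticator."""
    body = encode_attributes(attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body


def build_reply(code, ident, attrs, request_auth, secret):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_packet(data):
    """Return (code, id, authenticator, [(type, value), ...]); rejects inconsistent lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field inconsistent with packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs


def reply_is_authentic(reply, request_auth, secret):
    """True only if the reply was produced with the same shared secret the client holds."""
    _, _, response_auth, _ = parse_packet(reply)
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def eap_method(attrs):
    """Reassemble EAP-Message fragments and name the EAP code and, for Request/Response, the type."""
    eap = b"".join(value for attr_type, value in attrs if attr_type == ATTR_EAP_MESSAGE)
    if len(eap) < 4:
        return None
    code, _, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length does not match reassembled data")
    code_name = EAP_CODES.get(code, f"code {code}")
    if code in (1, 2) and len(eap) >= 5:          # Request/Response carry a Type byte
        return code_name, EAP_TYPES.get(eap[4], f"type {eap[4]}")
    return code_name, None


def triage_reply(reply, request_auth, secret):
    """One-line summary of a server reply: what it is, whether the secret matches, which EAP step."""
    code, ident, _, attrs = parse_packet(reply)
    return {
        "code": RADIUS_CODES.get(code, f"code {code}"),
        "id": ident,
        "authentic": reply_is_authentic(reply, request_auth, secret),
        "eap": eap_method(attrs),
    }


# Constructed sample exchange (not captured traffic)
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
# Supplicant answering with an EAP-TLS Response (EAP code 2, type 13, flags 0x00)
SAMPLE_REQUEST = build_request(7, [(ATTR_USER_NAME, b"noel"),
                                   (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x06\x0d\x00")], REQUEST_AUTH)
# Server offering PEAP instead: EAP Request (code 1) of type 25 with the Start flag (0x20)
SAMPLE_REPLY = build_reply(11, 7, [(ATTR_EAP_MESSAGE, b"\x01\x02\x00\x06\x19\x20")],
                           REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print("supplicant sent :", eap_method(parse_packet(SAMPLE_REQUEST)[3]))
    print("server replied  :", triage_reply(SAMPLE_REPLY, REQUEST_AUTH, SECRET))
    print("with wrong secret, authentic =", triage_reply(SAMPLE_REPLY, REQUEST_AUTH, b"wrong")["authentic"])
```

In the constructed exchange the supplicant is talking EAP-TLS while the server pushes PEAP, the mismatch described in tip 2; with a wrong secret the same reply parses fine but fails the authenticator check, which is what a NAS sees (and silently drops) when the secrets differ.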
-
Dell PowerConnect 5448, Windows Server 2008 R2
Hello from France,
One of my projects for a client is to create secure authentication via 802.1X. I chose to use FreeRADIUS.
But the customer would not integrate a Linux solution.
So I went to Microsoft Windows Server 2008 R2 and NPS. I've implemented two solutions.
First, NAP. That solution works without any problem.
But the second setup, authentication of the Dell PowerConnect device via Active Directory, does not work. I have found and tried many HOWTOs on the web, but none are compatible with my device.
Has someone deployed this solution with Microsoft NAP? Is there a Dell CEP which would solve it?
Thanks for your help
Theo
I'm looking for information here, and I don't see anything that could change the configuration of the switch. Everything works fine until we add the Windows RADIUS into the mix. With Wireshark you can even see the request being made to the server, but then the server never sends a packet back to authenticate the user, and the switch times out the authentication and marks it as rejected.
-
Setup
Cisco Catalyst 2960-S running 15.0.2-SE8
FreeRADIUS on CentOS 6.4 as the RADIUS server
Client (supplicant) running Windows 7
When the Windows client is connected to the port (port 12 in my setup) with 802.1X authentication active on the switch, Wireshark shows that the Catalyst sends an EAP Request and the client responds with an EAP Response. But it never makes the request to the RADIUS server. The RADIUS test utility 'test aaa group radius testuser password new-code' works.
Here is my running config. Any advice would be greatly appreciated.
mySwitch#show running-config
Building configuration...

Current configuration : 2094 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myswitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Z1z6$kqvVYRQdVRZ0h8aDTV5DR0
enable password
!
!
!
aaa new-model
!
!
aaa authentication dot1x group group radius
aaa accounting dot1x default start-stop group radius
!
!
!
aaa session-id common
switch 1 provision ws-c2960s-24ts-l
!
!
!
!
!
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 10.1.2.12 255.255.255.0
!
ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging host 10.1.2.1 transport tcp port 514
radius-server host 10.1.2.1 auth-port 1812 acct-port 1646 timeout 3 retransmit 3 key testing123
!
line con 0
line vty 0 4
 password password
line vty 5 15
 password password
!
end
Have you run Wireshark on the server, since the request comes from the switch? If so, did you make sure that there is a response from the server? For Windows Network Policy Server (I've never tried CentOS), you must ensure that the request matches a policy, which then authenticates or denies access. Usually it is a matter of attributes and the vendor.
Regarding the configuration, it seems a bit off in the AAA part. Try removing the
line "aaa authentication dot1x group group radius" and using this instead:
"aaa authentication dot1x default group radius". After the word dot1x you are supposed to provide the name of an authentication list, or the word default if you do not want to use a named list.