My Cisco access points, the RADIUS server, the LDAP directory and I.

Question · Networks · LAN, WAN, Wireless

Member: farenz

20.09.2012, updated 15:51, 9355 views, 8 comments

Hello admins,

I am in a similar situation to the following colleague: ( http://www.administrator.de/frage/Fehlende-Konfigurationsinformationen- ... )

We currently provide our roughly 200 employees with a WLAN that is available everywhere in the building by means of Cisco Aironet 1130 WLAN routers. The WLAN is encrypted with WPA2-PSK, so there is one common password, a so-called "shared secret", which means that in theory every one of the 200 employees may know the password. If an employee needs access to the WLAN, he has to ask the administration for the password.

Since the password is a "shared secret", it has to be changed every time an employee leaves, in order to prevent unauthorised access. Since granting access via a "shared secret" is insecure above a certain company size, especially as there is high staff turnover, the current method causes a very high amount of work.

In order to secure the WLAN better in the future and to avoid the high workload caused by constantly changing the WLAN password, I have been given the task of finding and implementing an alternative with an LDAP connection.


The LDAP server is given to me; as the RADIUS server I have installed a Debian Squeeze (6.0.5) and FreeRADIUS version 2.1.10 from the package repositories. As mentioned above, I have Cisco Aironet 1130 WLAN routers or access points available. I myself use Ubuntu 12.04.

From various guides from the depths of the Internet I have gathered that one should make the LDAP server known to the RADIUS server.


-- So here is my radiusd.conf from the RADIUS server.
#####################################################################
## radiusd.conf	-- FreeRADIUS server configuration file.
##
##	http://www.freeradius.org/
##	$Id$
##

######################################################################

#	Read "man radiusd" before editing this file.  See the section
#	titled DEBUGGING.  It outlines a method where you can quickly
#	obtain the configuration you want, without running into
#	trouble.

#	Run the server in debugging mode, and READ the output.

#		$ radiusd -X

#	We cannot emphasize this point strongly enough.  The vast
#	majority of problems can be solved by carefully reading the
#	debugging output, which includes warnings about common issues,
#	and suggestions for how they may be fixed.

#	There may be a lot of output, but look carefully for words like:
#	"warning", "error", "reject", or "failure".  The messages there
#	will usually be enough to guide you to a solution.

#	If you are going to ask a question on the mailing list, then
#	explain what you are trying to do, and include the output from
#	debugging mode (radiusd -X).  Failure to do so means that all
#	of the responses to your question will be people telling you
#	to "post the output of radiusd -X".

######################################################################

#  	The location of other config files and logfiles are declared
#  	in this file.

#  	Also general configuration for modules can be done in this
#  	file, it is exported through the API to modules that ask for
#  	it.

#	See "man radiusd.conf" for documentation on the format of this
#	file.  Note that the individual configuration items are NOT
#	documented in that "man" page.  They are only documented here,
#	in the comments.

#	As of 2.0.0, FreeRADIUS supports a simple processing language
#	in the "authorize", "authenticate", "accounting", etc. sections.
#	See "man unlang" for details.


prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct


#  name of the running server.  See also the "-n" command-line option.
name = freeradius

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

# Should likely be ${localstatedir}/lib/radiusd
db_dir = ${raddbdir}


# libdir: Where to find the rlm_* modules.

#   This should be automatically set at configuration time.

#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.

#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.

#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.

#   e.g. libdir = /usr/local/lib:/opt/package/lib

#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.

#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:

#	./configure --disable-shared
#	make
#	make install

libdir = /usr/lib/freeradius

#  pidfile: Where to place the PID of the RADIUS server.

#  The server may be signalled while it's running by using this
#  file.

#  This file is written when ONLY running in daemon mode.

#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`

pidfile = ${run_dir}/${name}.pid

#  chroot: directory where the server does "chroot".

#  The chroot is done very early in the process of starting the server.
#  After the chroot has been performed it switches to the "user" listed
#  below (which MUST be specified).  If "group" is specified, it switches
#  to that group, too.  Any other groups listed for the specified "user"
#  in "/etc/group" are also added as part of this process.

#  The current working directory (chdir / cd) is left *outside* of the
#  chroot until all of the modules have been initialized.  This allows
#  the "raddb" directory to be left outside of the chroot.  Once the
#  modules have been initialized, it does a "chdir" to ${logdir}.  This
#  means that it should be impossible to break out of the chroot.

#  If you are worried about security issues related to this use of chdir,
#  then simply ensure that the "raddb" directory is inside of the chroot,
#  and be sure to do "cd raddb" BEFORE starting the server.

#  If the server is statically linked, then the only files that have
#  to exist in the chroot are ${run_dir} and ${logdir}.  If you do the
#  "cd raddb" as discussed above, then the "raddb" directory has to be
#  inside of the chroot directory, too.

#chroot = /path/to/chroot/directory

# user/group: The name (or #number) of the user/group to run radiusd as.

#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root ( or have root privileges ) to start the server.

#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'radius'.

#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!

#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.

#  The server will also try to use "initgroups" to read /etc/groups.
#  It will join all groups where "user" is a member.  This can allow
#  for some finer-grained access controls.

user = freerad
group = freerad

#  max_request_time: The maximum time (in seconds) to handle a request.

#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.

#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.

#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.

#  Useful range of values: 5 to 120

max_request_time = 30

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.

#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.

#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.

#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)

#  Useful range of values: 2 to 10

cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.

#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.

#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.

#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.

#  Useful range of values: 256 to infinity

max_requests = 1024

#  listen: Make the server listen on a particular IP address, and send
#  replies out from that address. This directive is most useful for
#  hosts with multiple IP addresses on one interface.

#  If you want the server to listen on additional addresses, or on
#  additional ports, you can use multiple "listen" sections.

#  Each section makes the server listen for only one type of packet,
#  therefore authentication and accounting have to be configured in
#  different sections.

#  The server ignores all "listen" sections if you are using '-i' and '-p'
#  on the command line.

listen {
	#  Type of packets to listen for.
	#  Allowed values are:
	#	auth	listen for authentication packets
	#	acct	listen for accounting packets
	#	proxy   IP to use for sending proxied packets
	#	detail  Read from the detail file.  For examples, see
	#               raddb/sites-available/copy-acct-to-home-server
	#	status  listen for Status-Server packets.  For examples,
	#		see raddb/sites-available/status
	#	coa     listen for CoA-Request and Disconnect-Request
	#		packets.  For examples, see the file
	#		raddb/sites-available/coa-server

	type = auth

	#  Note: "type = proxy" lets you control the source IP used for
	#        proxying packets, with some limitations:

	#    * A proxy listener CANNOT be used in a virtual server section.
	#    * You should probably set "port = 0".
	#    * Any "clients" configuration will be ignored.

	#  See also proxy.conf, and the "src_ipaddr" configuration entry
	#  in the sample "home_server" section.  When you specify the
	#  source IP address for packets sent to a home server, the
	#  proxy listeners are automatically created.

	#  IP address on which to listen.
	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#       hostname    (radius.example.com)
	#       wildcard    (*)
	ipaddr = *

	#  OR, you can use an IPv6 address, but not both
	#  at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost

	#  Port on which to listen.
	#  Allowed values are:
	#	integer port number (1812)
	#	0 means "use /etc/services for the proper port"
	port = 0

	#  Some systems support binding to an interface, in addition
	#  to the IP address.  This feature isn't strictly necessary,
	#  but for sites with many IP addresses on one interface,
	#  it's useful to say "listen on all addresses for eth0".

	#  If your system does not support this feature, you will
	#  get an error if you try to use it.

#	interface = eth0

	#  Per-socket lists of clients.  This is a very useful feature.

	#  The name here is a reference to a section elsewhere in
	#  radiusd.conf, or clients.conf.  Having the name as
	#  a reference allows multiple sockets to use the same
	#  set of clients.

	#  If this configuration is used, then the global list of clients
	#  is IGNORED for this "listen" section.  Take care configuring
	#  this feature, to ensure you don't accidentally disable a
	#  client you need.

	#  See clients.conf for the configuration of "per_socket_clients".

#	clients = per_socket_clients
}


#  This second "listen" section is for listening on the accounting
#  port, too.

listen {
	ipaddr = *
#	ipv6addr = ::
	port = 0
	type = acct
#	interface = eth0
#	clients = per_socket_clients
}

#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).

#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.

#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.

#  allowed values: {no, yes}

hostname_lookups = no

#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.

#  allowed values: {no, yes}

allow_core_dumps = no

#  Regular expressions

#  These items are set at configure time.  If they're set to "yes",
#  then setting them to "no" turns off regular expression support.

#  If they're set to "no" at configure time, then setting them to "yes"
#  WILL NOT WORK.  It will give you an error.

regular_expressions	= yes
extended_expressions	= yes


#  Logging section.  The various "log_*" configuration items
#  will eventually be moved here.

log {

	#  Destination for log messages.  This can be one of:

	#	files - log to "file", as defined below.
	#	syslog - to syslog (see also the "syslog_facility", below.
	#	stdout - standard output
	#	stderr - standard error.

	#  The command-line option "-X" over-rides this option, and forces
	#  logging to go to stdout.

	destination = files


	#  The logging messages for the server are appended to the
	#  tail of this file if destination == "files"

	#  If the server is running in debugging mode, this file is
	#  NOT used.

	file = ${logdir}/radius.log


	#  If this configuration parameter is set, then log messages for
	#  a *request* go to this file, rather than to radius.log.

	#  i.e. This is a log file per request, once the server has accepted
	#  the request as being from a valid client.  Messages that are
	#  not associated with a request still go to radius.log.

	#  Not all log messages in the server core have been updated to use
	#  this new internal API.  As a result, some messages will still
	#  go to radius.log.  Please submit patches to fix this behavior.

	#  The file name is expanded dynamically.  You should ONLY use
	#  server-side attributes for the filename (e.g. things you control).
	#  Using this feature MAY also slow down the server substantially,
	#  especially if you do things like SQL calls as part of the
	#  expansion of the filename.

	#  The name of the log file should use attributes that don't change
	#  over the lifetime of a request, such as User-Name,
	#  Virtual-Server or Packet-Src-IP-Address.  Otherwise, the log
	#  messages will be distributed over multiple files.

	#  Logging can be enabled for an individual request by a special
	#  dynamic expansion macro:  %{debug: 1}, where the debug level
	#  for this request is set to '1' (or 2, 3, etc.).  e.g.

	#	...
	#	update control {
	#	       Tmp-String-0 = "%{debug:1}"
	#	}
	#	...

	#  The attribute that the value is assigned to is unimportant,
	#  and should be a "throw-away" attribute with no side effects.

	requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log


	#  Which syslog facility to use, if ${destination} == "syslog"

	#  The exact values permitted here are OS-dependent.  You probably
	#  don't want to change this.

	syslog_facility = daemon

	#  Log the full User-Name attribute, as it was found in the request.

	# allowed values: {no, yes}

	stripped_names = no

	#  Log authentication requests to the log file.

	#  allowed values: {no, yes}

	auth = yes

	#  Log passwords with the authentication requests.
	#  auth_badpass  - logs password if it's rejected
	#  auth_goodpass - logs password if it's correct

	#  allowed values: {no, yes}

	auth_badpass = no
	auth_goodpass = no

	#  Log additional text at the end of the "Login OK" messages.
	#  for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
	#  configurations above have to be set to "yes".

	#  The strings below are dynamically expanded, which means that
	#  you can put anything you want in them.  However, note that
	#  this expansion can be slow, and can negatively impact server
	#  performance.

#	msg_goodpass = ""
#	msg_badpass = ""
}

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION

#  There may be multiple methods of attacking on the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks

security {

	#  max_attributes: The maximum number of attributes
	#  permitted in a RADIUS packet.  Packets which have MORE
	#  than this number of attributes in them will be dropped.

	#  If this number is set too low, then no RADIUS packets
	#  will be accepted.

	#  If this number is set too high, then an attacker may be
	#  able to send a small number of packets which will cause
	#  the server to use all available memory on the machine.

	#  Setting this number to 0 means "allow any number of attributes"
	max_attributes = 200


	#  reject_delay: When sending an Access-Reject, it can be
	#  delayed for a few seconds.  This may help slow down a DoS
	#  attack.  It also helps to slow down people trying to brute-force
	#  crack a users password.

	#  Setting this number to 0 means "send rejects immediately"

	#  If this number is set higher than 'cleanup_delay', then the
	#  rejects will be sent at 'cleanup_delay' time, when the request
	#  is deleted from the internal cache of requests.

	#  Useful ranges: 1 to 5
	reject_delay = 1


	#  status_server: Whether or not the server will respond
	#  to Status-Server requests.

	#  When sent a Status-Server message, the server responds with
	#  an Access-Accept or Accounting-Response packet.

	#  This is mainly useful for administrators who want to "ping"
	#  the server, without adding test users, or creating fake
	#  accounting packets.

	#  It's also useful when a NAS marks a RADIUS server "dead".
	#  The NAS can periodically "ping" the server with a Status-Server
	#  packet.  If the server responds, it must be alive, and the
	#  NAS can start using it for real requests.

	#  See also raddb/sites-available/status

	status_server = yes
}

# PROXY CONFIGURATION

#  proxy_requests: Turns proxying of RADIUS requests on or off.

#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.

#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.

#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.

#  allowed values: {no, yes}

proxy_requests  = no
$INCLUDE proxy.conf


# CLIENTS CONFIGURATION

#  Client configuration is defined in "clients.conf".


#  The 'clients.conf' file contains all of the information from the old
#  'clients' and 'naslist' configuration files.  We recommend that you
#  do NOT use 'client's or 'naslist', although they are still
#  supported.

#  Anything listed in 'clients.conf' will take precedence over the
#  information from the old-style configuration files.

$INCLUDE clients.conf


# THREAD POOL CONFIGURATION

#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.

#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.

#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.

#  The numbers given below should be adequate for most situations.

thread pool {
	#  Number of servers to start initially --- should be a reasonable
	#  ballpark figure.
	start_servers = 5

	#  Limit on the total number of servers running.

	#  If this limit is ever reached, clients will be LOCKED OUT, so it
	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
	#  keep a runaway server from taking the system with it as it spirals
	#  down...

	#  You may find that the server is regularly reaching the
	#  'max_servers' number of threads, and that increasing
	#  'max_servers' doesn't seem to make much difference.

	#  If this is the case, then the problem is MOST LIKELY that
	#  your back-end databases are taking too long to respond, and
	#  are preventing the server from responding in a timely manner.

	#  The solution is NOT to keep increasing the 'max_servers'
	#  value, but instead to fix the underlying cause of the
	#  problem: slow database, or 'hostname_lookups=yes'.

	#  For more information, see 'max_request_time', above.

	max_servers = 32

	#  Server-pool size regulation.  Rather than making you guess
	#  how many servers you need, FreeRADIUS dynamically adapts to
	#  the load it sees, that is, it tries to maintain enough
	#  servers to handle the current load, plus a few spare
	#  servers to handle transient load spikes.

	#  It does this by periodically checking how many servers are
	#  waiting for a request.  If there are fewer than
	#  min_spare_servers, it creates a new spare.  If there are
	#  more than max_spare_servers, some of the spares die off.
	#  The default values are probably OK for most sites.

	min_spare_servers = 3
	max_spare_servers = 10

	#  There may be memory leaks or resource allocation problems with
	#  the server.  If so, set this value to 300 or so, so that the
	#  resources will be cleaned up periodically.

	#  This should only be necessary if there are serious bugs in the
	#  server which have not yet been fixed.

	#  '0' is a special value meaning 'infinity', or 'the servers never
	#  exit'
	max_requests_per_server = 0
}

# MODULE CONFIGURATION

#  The names and configuration of each module is located in this section.

#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.

modules {

	#  Each module has a configuration as follows:

	#	name [ instance ] {
	#		config_item = value
	#		...
	#	}

	#  The 'name' is used to load the 'rlm_name' library
	#  which implements the functionality of the module.

	#  The 'instance' is optional.  To have two different instances
	#  of a module, it first must be referred to by 'name'.
	#  The different copies of the module are then created by
	#  inventing two 'instance' names, e.g. 'instance1' and 'instance2'

	#  The instance names can then be used in later configuration
	#  INSTEAD of the original 'name'.  See the 'radutmp' configuration
	#  for an example.


	#  As of 2.0.5, most of the module configurations are in a
	#  sub-directory.  Files matching the regex /[a-zA-Z0-9_.]+/
	#  are loaded.  The modules are initialized ONLY if they are
	#  referenced in a processing section, such as authorize,
	#  authenticate, accounting, pre/post-proxy, etc.

	$INCLUDE ${confdir}/modules/

	#  Extensible Authentication Protocol

	#  For all EAP related authentications.
	#  Now in another file, because it is very large.

	$INCLUDE eap.conf

	#  Include another file that has the SQL-related configuration.
	#  This is another file only because it tends to be big.

#	$INCLUDE sql.conf


	#  This module is an SQL enabled version of the counter module.

	#  Rather than maintaining separate (GDBM) databases of
	#  accounting info for each counter, this module uses the data
	#  stored in the raddacct table by the sql modules. This
	#  module NEVER does any database INSERTs or UPDATEs.  It is
	#  totally dependent on the SQL module to process Accounting
	#  packets.

#	$INCLUDE sql/mysql/counter.conf


	#  IP addresses managed in an SQL table.

#	$INCLUDE sqlippool.conf
}

# Instantiation

#  This section orders the loading of the modules.  Modules
#  listed here will get loaded BEFORE the later sections like
#  authorize, authenticate, etc. get examined.

#  This section is not strictly needed.  When a section like
#  authorize refers to a module, it's automatically loaded and
#  initialized.  However, some modules may not be listed in any
#  of the following sections, so they can be listed here.

#  Also, listing modules here ensures that you have control over
#  the order in which they are initialized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.

instantiate {

	#  Allows the execution of external scripts.
	#  The entire command line (and output) must fit into 253 bytes.

	#  e.g. Framed-Pool = `%{exec:/bin/echo foo}`
	exec


	#  The expression module doesn't do authorization,
	#  authentication, or accounting.  It only does dynamic
	#  translation, of the form:

	#	Session-Timeout = `%{expr:2 + 3}`

	#  So the module needs to be instantiated, but CANNOT be
	#  listed in any other section.  See 'doc/rlm_expr' for
	#  more information.

	expr


	# We add the counter module here so that it registers
	# the check-name attribute before any module which sets
	# it
#	daily
	expiration
	logintime

	# subsections here can be thought of as "virtual" modules.

	# e.g. If you have two redundant SQL servers, and you want to
	# use them in the authorize and accounting sections, you could
	# place a "redundant" block in each section, containing the
	# exact same text.  Or, you could uncomment the following
	# lines, and list "redundant_sql" in the authorize and
	# accounting sections.

	#redundant redundant_sql {
	#	sql1
	#	sql2
	#}
}


######################################################################

#	Policies that can be applied in multiple places are listed
#	globally.  That way, they can be defined once, and referred
#	to multiple times.

######################################################################
769.
$INCLUDE policy.conf 
770.
 
771.
###################################################################### 
772.
773.
#	Load virtual servers. 
774.
775.
#	This next $INCLUDE line loads files in the directory that 
776.
#	match the regular expression: /[a-zA-Z0-9_.]+/ 
777.
778.
#	It allows you to define new virtual servers simply by placing 
779.
#	a file into the raddb/sites-enabled/ directory. 
780.
781.
$INCLUDE sites-enabled/ 
782.
 
783.
###################################################################### 
784.
785.
#	All of the other configuration sections like "authorize {}", 
786.
#	"authenticate {}", "accounting {}", have been moved to the 
787.
#	the file: 
788.
789.
#		raddb/sites-available/default 
790.
791.
#	This is the "default" virtual server that has the same 
792.
#	configuration as in version 1.0.x and 1.1.x.  The default 
793.
#	installation enables this virtual server.  You should 
794.
#	edit it to create policies for your local site. 
795.
796.
#	For more documentation on virtual servers, see: 
797.
798.
#		raddb/sites-available/README 
799.
800.
######################################################################
The "MODULE CONFIGURATION" section says that many module configs have been moved out to /etc/freeradius/modules/.

Since I want to add an LDAP server, I take a look at /etc/freeradius/modules/ldap.


-- Here is my /etc/freeradius/modules/ldap from the RADIUS server.
ldap {

        server = 172.26.100.1
        basedn = "dc=tarent,dc=de"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=posixAccount)"
        groupname_attribute = cn
        dictionary_mapping = /etc/freeradius/ldap.attrmap
        password_attribute = userPassword
        set_auth_type = yes
}
The /etc/freeradius/modules/ldap was empty before; it only contained "ldap{}".
Then I entered my LDAP server there, and now /etc/freeradius/modules/ldap looks as shown above.


Because I then wanted to test whether the RADIUS server actually talks to the LDAP server, I dug out the "radtest" command.

-- The radtest command
[root@radius-bn-01 ~]# radtest ?

Usage: radtest [OPTIONS] user passwd radius-server[:port] nas-port-number secret [ppphint] [nasname]
        -d RADIUS_DIR       Set radius directory
        -t <type>           Set authentication method
                            type can be pap, chap, mschap, or eap-md5
        -x                  Enable debug output
-- First attempt with radtest
[root@radius-bn-01 ~]# radtest testuser passwort123 172.26.100.1:389 10 testing123

Sending Access-Request of id 146 to 172.26.100.1 port 389
	User-Name = "testuser"
	User-Password = "passwort123"
	NAS-IP-Address = 10.10.20.36
	NAS-Port = 10

radclient: no response from server for ID 146 socket 3
testuser and passwort123 are altered, but they are guaranteed to exist in the LDAP. The credentials are correct, too.
172.26.100.1 is the IP address of the RADIUS server.
According to http://linux.die.net/man/1/radtest, the NAS port number can be chosen freely.
The secret is the one I set earlier in /etc/freeradius/clients.conf.


-- Second attempt with radtest
[root@radius-bn-01 ~]# radtest testuser passwort123 127.0.0.1 0 testing123

Sending Access-Request of id 242 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "passwort123"
	NAS-IP-Address = 10.10.20.36
	NAS-Port = 0

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=242, length=20
Similar to the first attempt, but this time with the localhost address.
On the RADIUS server I then get the following reaction.

-- RADIUS server reaction to my second login attempt
rad_recv: Access-Request packet from host 127.0.0.1 port 36972, id=242, length=58
	User-Name = "testuser"
	User-Password = "passwort123"
	NAS-IP-Address = 10.10.20.36
	NAS-Port = 0
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for testuser
[ldap] 	expand: %{Stripped-User-Name} -> 
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> testuser
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap] 	expand: dc=tarent,dc=de -> dc=tarent,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 172.26.100.1:389, authentication 0
  [ldap] bind as / to 172.26.100.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=tarent,dc=de, with filter (uid=testuser)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user farenz authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group LDAP {...}
[ldap] login attempt by "testuser" with password "passwort123"
[ldap] user DN: uid=testuser,cn=users,dc=tarent,dc=de
  [ldap] (re)connect to 172.26.100.1:389, authentication 1
  [ldap] bind as uid=testuser,cn=users,dc=tarent,dc=de/passwort123 to 172.26.100.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user testuser authenticated succesfully
++[ldap] returns ok
Login OK: [testuser] (from client localhost port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group post-auth {...}
++? if (!(Ldap-Group == "WLAN" ))
  [ldap] Entering ldap_groupcmp()
	expand: dc=tarent,dc=de -> dc=tarent,dc=de
	expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=tarent,dc=de, with filter (&(cn=WLAN)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group WLAN not found or user is not a member.
?? Evaluating (Ldap-Group == "WLAN" ) -> FALSE
? Converting !FALSE -> TRUE
++? if (!(Ldap-Group == "WLAN" )) -> TRUE
++- entering if (!(Ldap-Group == "WLAN" )) {...}
+++[fail] returns fail
++- if (!(Ldap-Group == "WLAN" )) returns fail
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 242 to 127.0.0.1 port 36972
Waking up in 4.9 seconds.
Cleaning up request 0 ID 242 with timestamp +5825
Ready to process requests.

From this I gathered that testuser is not in the LDAP group WLAN. But when I had added testuser and the request still didn't work, I read through the debug output more thoroughly and found that the default "groupmembership-filter" is being used, which is defined in /etc/freeradius/sites-enabled/inner-tunnel.

So I built myself a new "groupmembership-filter".

ldap {

        server = 172.26.100.1
        basedn = "dc=tarent,dc=de"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=posixAccount)"

        groupname_attribute = cn

      # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

      # groupmembership_attribute = radiusGroupName
        groupmembership_attribute = WLAN

      # compare_check_items = yes
      # do_xlat = yes
      # access_attr_used_for_allow = yes

        dictionary_mapping = /etc/freeradius/ldap.attrmap
        password_attribute = userPassword
        set_auth_type = yes
}

Which, surprisingly, works.


-- Next attempt with radtest
radtest -x testuser passwort123 127.0.0.1 10 testing123

Sending Access-Request of id 197 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "passwort123"
	NAS-IP-Address = 10.10.20.36
	NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=197, length=20



Now I face the challenge of getting my Cisco access point to talk to my RADIUS server.
Asking, begging, and talking nicely to the AP hasn't worked so far. Neither have some of the many tutorials I found in the depths of the internet (among others, here on administrator.de).

Does anyone have a tip for me, or maybe a guide on how I have to configure my Cisco Aironet 1130ag so that it talks to my RADIUS?

I entered the RADIUS server in the AP's web interface, but it looks like the request never reaches the RADIUS. Can I somehow coax the log files out of the AP? Maybe via the terminal over an SSH connection?


-- A telnet from my AP to the RADIUS server doesn't work.
telnet 10.10.20.36 1812
Trying 10.10.20.36, 1812 ...
% Connection refused by remote host

-- netstat -tulpen tells me that the RADIUS server should actually be listening, though.
netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
...
udp        0      0 0.0.0.0:1812            0.0.0.0:*                           104        156230      1935/freeradius
udp        0      0 0.0.0.0:1813            0.0.0.0:*                           104        156233      1935/freeradius
...
In the meantime I've come to the conclusion that telnet can't do UDP.
With a telnet to a port that speaks TCP, the reply "Open" came back.

Many thanks and best regards
farenz
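Reading the debug output by hand is what exposed the group-filter problem in the post above. The script below is an added example (not part of this thread and not FreeRADIUS code) that does the same triage on a `radiusd -X` / `freeradius -X` transcript: it records the final packet the server sent, any module that returned `fail`, the LDAP group-search filter, and whether that filter was expanded with an empty `member=` value, as happened in the post-auth section above. The sample transcript is a constructed, condensed copy of the server-side output of the second radtest attempt.

```python
"""Triage one request from a FreeRADIUS 2.x debug transcript.

Added example, not code from this thread or from FreeRADIUS. It extracts the
final verdict, any module that returned 'fail', and the expanded group-search
filter, and flags the case seen in the thread: %{Ldap-UserDn} expanding to
nothing, so the ldap_groupcmp() search runs with an empty member= value.
"""
import re

SECTION_RE = re.compile(r"^\+- entering group (\S+)")
RETURN_RE = re.compile(r"^\++\[(\w+)\] returns (\w+)")
VERDICT_RE = re.compile(r"^Sending (Access-(?:Accept|Reject|Challenge)) of id (\d+)")
LOGIN_RE = re.compile(r"^Login (OK|incorrect): \[([^\]]*)\]")
SEARCH_RE = re.compile(r"^\s*\[ldap\] performing search in (.*?), with filter (.*)$")
EMPTY_MEMBER_RE = re.compile(r"\((?:unique)?member=\)")

# Constructed sample: a condensed copy of the server-side output of the
# second radtest attempt in this thread (request id 242).
SAMPLE_REJECT = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 36972, id=242, length=58
+- entering group authorize {...}
  [ldap] performing search in dc=tarent,dc=de, with filter (uid=testuser)
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
++[ldap] returns ok
+- entering group LDAP {...}
++[ldap] returns ok
Login OK: [testuser] (from client localhost port 0)
+- entering group post-auth {...}
++? if (!(Ldap-Group == "WLAN" ))
  [ldap] performing search in dc=tarent,dc=de, with filter (&(cn=WLAN)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
  [ldap] object not found
rlm_ldap::ldap_groupcmp: Group WLAN not found or user is not a member.
+++[fail] returns fail
Sending Access-Reject of id 242 to 127.0.0.1 port 36972
"""


def triage(transcript):
    """Return a dict describing what the server did with the request."""
    result = {"verdict": None, "packet_id": None, "login_ok": None, "user": None,
              "failing": [], "group_filter": None, "empty_member_dn": False,
              "warnings": []}
    section = None
    for raw in transcript.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)          # authorize, LDAP, post-auth, ...
            continue
        m = RETURN_RE.match(line)
        if m:
            # fail / reject / invalid from a module normally ends in a reject
            if m.group(2) in ("fail", "reject", "invalid"):
                result["failing"].append((m.group(1), section))
            continue
        m = VERDICT_RE.match(line)
        if m:
            result["verdict"], result["packet_id"] = m.group(1), int(m.group(2))
            continue
        m = LOGIN_RE.match(line)
        if m:
            result["login_ok"], result["user"] = m.group(1) == "OK", m.group(2)
            continue
        m = SEARCH_RE.match(line)
        if m and "member" in m.group(2).lower():
            # the user lookup uses (uid=...); only group searches mention member
            result["group_filter"] = m.group(2)
            result["empty_member_dn"] = bool(EMPTY_MEMBER_RE.search(m.group(2)))
            continue
        if line.startswith("WARNING:"):
            result["warnings"].append(line)
    return result


def explain(result):
    """One-line human summary of a triage() result."""
    notes = []
    if result["verdict"]:
        notes.append("server sent %s for id %s" % (result["verdict"], result["packet_id"]))
    if result["login_ok"]:
        notes.append("credentials of %s were accepted (Login OK)" % result["user"])
    for module, section in result["failing"]:
        notes.append("'%s' returned fail in section %s" % (module, section))
    if result["empty_member_dn"]:
        notes.append("group search ran with an empty member DN, so the membership "
                     "test cannot match: " + result["group_filter"])
    notes.extend(result["warnings"])
    return "; ".join(notes) or "nothing conclusive found"


if __name__ == "__main__":
    print(explain(triage(SAMPLE_REJECT)))
```

Run against the sample it reports an Access-Reject after a successful Login OK, the `fail` in post-auth, and the empty member DN in the group filter, which is exactly the chain of events that the thread had to be read line by line to find.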
Member: Kneuzgi
20.09.2012 at 12:05
Hi

It's been a very long time since I tried that ...
But maybe it helps

My config looked like this back then:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TESTWLAN
!
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.10.100 auth-port 1645 acct-port 1646
server 10.11.10.101 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name mydomain.com
ip name-server 10.10.9.100
!
!
!
dot11 ssid USERWLAN
vlan 56
authentication open eap eap_methods
authentication key-management wpa
!
dot11 ssid PDAWLAN
vlan 55
authentication open eap eap_methods
authentication key-management wpa
!
dot11 network-map
power inline negotiation prestandard source
!
!
username
* password
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 56 mode ciphers tkip
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 55 mode ciphers tkip
!
broadcast-key vlan 56 change 600
!
broadcast-key vlan 55 change 600
!
!
ssid USERWLAN
!
ssid PDAWLAN
!
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.55
encapsulation dot1Q 55
no ip route-cache
bridge-group 55
bridge-group 55 subscriber-loop-control
bridge-group 55 block-unknown-source
no bridge-group 55 source-learning
no bridge-group 55 unicast-flooding
bridge-group 55 spanning-disabled
!
interface Dot11Radio0.56
encapsulation dot1Q 56
no ip route-cache
bridge-group 56
bridge-group 56 subscriber-loop-control
bridge-group 56 block-unknown-source
no bridge-group 56 source-learning
no bridge-group 56 unicast-flooding
bridge-group 56 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.55
encapsulation dot1Q 55
no ip route-cache
bridge-group 55
no bridge-group 55 source-learning
bridge-group 55 spanning-disabled
!
interface FastEthernet0.56
encapsulation dot1Q 56
no ip route-cache
bridge-group 56
no bridge-group 56 source-learning
bridge-group 56 spanning-disabled
!
interface BVI1
ip address 10.10.200.100 255.255.254.0
no ip route-cache
!
ip default-gateway 10.10.200.1
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging trap notifications
logging source-interface BVI1
logging 10.10.200.200
access-list 13 permit 10.10.10.0 0.0.0.255
access-list 13 deny any log
access-list 19 deny any log
access-list 20 permit 20.130.15.41
access-list 20 deny any log
access-list 99 permit 10.10.200.200
access-list 99 permit 10.10.10.9
access-list 99 permit 10.10.10.100
access-list 99 permit 10.10.10.200
access-list 99 permit 10.10.11.200
access-list 199 permit ip any any log
snmp-server community
* RO 13
snmp-server community
* RW 20
snmp-server community
* RO 19
snmp-server location Test
snmp-server contact Test
snmp-server system-shutdown
snmp-server enable traps tty
snmp-server host 10.10.200.200

snmp-server host 10.10.200.200
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.100 auth-port 1645 acct-port 1646 key

radius-server host 10.10.10.101 auth-port 1645 acct-port 1646 key
radius-server vsa send accounting
bridge 1 route ip
!
!
banner login ^CCC SECURITY NOTICE

If you are not an authorised user please disconnect immediately. ^C
!
line con 0
exec-timeout 5 0
password

logging synchronous
transport output all
line vty 0 4
session-timeout 60
access-class 199 in
exec-timeout 15 0
password 7
logging synchronous
transport input telnet
transport output all
line vty 5 15
session-timeout 60
access-class 199 in
exec-timeout 15 0
password 7

logging synchronous
transport input telnet
!
sntp server 10.10.10.222
end
Member: farenz
20.09.2012 at 15:08
Hi Kneuzgi,

first of all, thanks for your config.

Quote from Kneuzgi:
Hi

It's been a very long time since I tried that ...
But maybe it helps

My config looked like this back then:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TESTWLAN
!
enable secret 5 **
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.10.10.100 auth-port 1645 acct-port 1646
server 10.11.10.101 auth-port 1645 acct-port 1646
!
...
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!


Mine looks very similar, but there are a few differences.

e.g.
aaa group server radius rad_eap
server 10.10.20.36 auth-port 1812 acct-port 1813
Did you change the ports on your RADIUS server?
Mine listens on ports 1812 and 1813, so that's what I entered here too. Was that correct?


I then also combed through the Cisco website again and found the following:

-- http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configu ...
aaa group server radius rad_eap
 server 10.77.244.194 auth-port 1812 acct-port 1813

!--- A server group for RADIUS is created called "rad_eap"
!--- that uses the server at 10.77.244.194 on ports 1812 and 1813.
A group is created (on the RADIUS server).

aaa authentication login eap_methods group rad_eap

!--- Authentication [user validation] is to be done for
!--- users in a group called "eap_methods" who use server group "rad_eap".
But what is meant by this now?
Users who are in the group "eap_methods" on the LDAP?
And is the RADIUS server in the group "rad_eap" queried for identification?

Best regards
farenz
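To make the port and key settings discussed above concrete: an Access-Request is a UDP datagram to the server's auth-port, and the shared secret (`key` on the AP, `secret` in clients.conf) never travels in it; it hides the User-Password and signs the reply. The following is an added example, not from this thread and not from any RADIUS implementation, that builds such a request the way radtest does, lets a minimal server check it with its own copy of the secret, and shows that a mismatched secret turns the password into garbage and makes the reply unverifiable. User name, password, secret and NAS address are constructed sample values.

```python
"""Build, check and answer a RADIUS Access-Request to show what the shared
secret protects.

Added example, not from this thread or from any RADIUS implementation. It
implements User-Password hiding (RFC 2865 section 5.2) and the Response
Authenticator (section 3) with the standard library only; user name,
password, secret and NAS address below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, authenticator):
    """Pad to 16-byte blocks and XOR each block with MD5(secret + previous
    block), chaining from the 16-byte Request Authenticator (RFC 2865 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; with the wrong secret it yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, user, password, secret, nas_ip, nas_port,
                         authenticator=None):
    """Code, Identifier, Length, Request Authenticator, attributes."""
    auth = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_attributes(payload):
    attrs, i = [], 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def server_answer(packet, secret, directory):
    """Server side: unhide the password with *our* copy of the secret, check
    it against the directory, and return (reply, password_as_seen)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length > len(packet):
        raise ValueError("not a complete Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attributes(packet[20:length]))
    seen = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(directory.get(attrs[USER_NAME], b""), seen)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + request_auth + secret).digest(), seen


def reply_is_authentic(reply, request, secret):
    """NAS side: the reply only verifies if both ends hold the same secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


if __name__ == "__main__":
    secret = b"testing123"                      # constructed, as in clients.conf
    req = build_access_request(1, b"testuser", b"passwort123", secret, "10.10.20.36", 10)
    for server_secret in (secret, b"some-other-key"):
        reply, seen = server_answer(req, server_secret, {b"testuser": b"passwort123"})
        print(server_secret, "->", "Accept" if reply[0] == ACCESS_ACCEPT else "Reject",
              "| password as seen:", seen, "| reply verifies:", reply_is_authentic(reply, req, secret))
```

Two things follow for troubleshooting. A request from a source address that has no clients.conf entry is ignored by FreeRADIUS without any reply, so `radclient: no response from server` can mean an unknown client just as well as a wrong host or port. And a wrong `key` produces a clean Access-Reject whose attributes look perfectly normal, so a reject on its own does not prove the credentials are wrong; the debug output on the server is what tells the two apart. The hiding is MD5-based obfuscation, not authenticated encryption, which is why the secret should be long and random and the AP-to-server path should be a trusted network.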
Member: aqui
21.09.2012 at 08:04
Otherwise you'll also find more info here:

http://www.administrator.de/contentid/142241
Member: farenz
22.09.2012 at 13:58
Hi aqui,

thanks a lot for the hint.
I'll fight my way through the tutorial again and try out a few things.

Have a nice and relaxing weekend
farenz
Member: farenz
27.09.2012 at 16:04
Hello,

in the meantime I've worked my way through aqui's tutorial; now my requests do reach the RADIUS server, but the login isn't accepted, even though the login data (username & password) are correct.
I tried to log in from my smartphone with Android 4.0.4 using the EAP method TLS.
The network security is "802.1x EAP". It looks similar when I try to log in via PEAP or TTLS.

-- Login attempt via the smartphone with TLS
rad_recv: Access-Request packet from host 10.10.20.37 port 1645, id=207, length=147
	User-Name = "testuser"
	Framed-MTU = 1400
	Called-Station-Id = "001b.8f8a.ac30"
	Calling-Station-Id = "1cb0.9475.d65a"
	Service-Type = Login-User
	Message-Authenticator = 0xfabc46f7b90861d63196f83da86d4a45
	EAP-Message = 0x020300060300
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 314
	NAS-Port-Id = "314"
	State = 0xe5f8d74ce4fbda331659a77e003acc41
	NAS-IP-Address = 10.10.20.37
	NAS-Identifier = "ap-3-2"
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for testuser
[ldap] 	expand: %{Stripped-User-Name} -> 
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> testuser
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap] 	expand: dc=tarent,dc=de -> dc=tarent,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=tarent,dc=de, with filter (uid=testuser)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user farenz authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [testuser] (from client man-netz port 314 cli 1cb0.9475.d65a)
Delaying reject of request 26 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 26
Sending Access-Reject of id 207 to 10.10.20.37 port 1645
	EAP-Message = 0x04030004
	Message-Authenticator = 0x00000000000000000000000000000000

-- Login attempt via PEAP
rad_recv: Access-Request packet from host 10.10.20.37 port 1645, id=209, length=147
	User-Name = "testuser"
	Framed-MTU = 1400
	Called-Station-Id = "001b.8f8a.ac30"
	Calling-Station-Id = "1cb0.9475.d65a"
	Service-Type = Login-User
	Message-Authenticator = 0x702c7a058ddb03358db5a14e48bd33d9
	EAP-Message = 0x020200060319
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 316
	NAS-Port-Id = "316"
	State = 0xac29a870ac2bac2b8214139470e401e0
	NAS-IP-Address = 10.10.20.37
	NAS-Identifier = "ap-3-2"
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for testuser
[ldap] 	expand: %{Stripped-User-Name} -> 
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> testuser
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap] 	expand: dc=tarent,dc=de -> dc=tarent,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=tarent,dc=de, with filter (uid=testuser)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user farenz authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 209 to 10.10.20.37 port 1645
	EAP-Message = 0x010300061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xac29a870ad2ab12b8214139470e401e0
Finished request 28.
-- Login attempt via TTLS
rad_recv: Access-Request packet from host 10.10.20.37 port 1645, id=219, length=337
	User-Name = "testuser"
	Framed-MTU = 1400
	Called-Station-Id = "001b.8f8a.ac30"
	Calling-Station-Id = "1cb0.9475.d65a"
	Service-Type = Login-User
	Message-Authenticator = 0x12517bd118d5db2f306f55e116735265
	EAP-Message = 0x020300c4150016030100b9010000b5030150645303e91f8c551a6c11a7d49ce4d96af1d519a75c04d076bfcafb6a57f7f3000048c014c00a00390038c00fc0050035c012c00800160013c00dc003000ac013c00900330032c00ec004002fc011c007c00cc002000500040015001200090014001100080006000300ff01000044000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f001000110012001300140015001600170018001900230000
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 319
	NAS-Port-Id = "319"
	State = 0xadfd523facfe47c23ea1d89fef22e7cf
	NAS-IP-Address = 10.10.20.37
	NAS-Identifier = "ap-3-2"
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 3 length 196
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 00b9], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0816], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 219 to 10.10.20.37 port 1645
	EAP-Message = 0x0104040015c000000a6c16030100310200002d0301506452ff531eb2e92091d9811030d8e25d3268b8d832da3b9ae3a8c9761b38fd000039000005ff0100010016030108160b00081200080f00038e3082038a30820272a003020102020103300d06092a864886f70d0101040500308183310b3009060355040613024445310f300d06035504081306526164697573310d300b06035504071304426f6e6e311e301c060355040a1315746172656e742d736f6c7574696f6e732d476d6248311f301d06092a864886f70d010901161061646d696e7340746172656e742e6465311330110603550403130a72616469757374657374301e170d3132303932
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x8d83010a300d06092a864886
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xadfd523faff947c23ea1d89fef22e7cf
Finished request 38.
Do you have a tip for me?

Regards
farenz
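The EAP-Message values in the three transcripts above can be read by hand once the header is split up. The decoder below is an added example (not part of this thread and not FreeRADIUS code) that does this with the standard library: it parses the EAP header and Nak payload (RFC 3748) and, for EAP-TLS/TTLS/PEAP, the flags byte and the first TLS record header. The two long constants are the first EAP-Message fragments of the TTLS attempt, copied from the post above; the short values are those of the TLS and PEAP attempts. Decoded, the TLS attempt's `0x020300060300` is a Response carrying a Nak whose only listed type is 0, which is what the `NAK asked for bad type 0` line reports; the PEAP attempt's Nak names type 25 (PEAP) and the server answers with a PEAP Start (`0x010300061920`); the TTLS response is a complete 196-byte EAP packet whose payload begins with a TLS 1.0 ClientHello record of length 0xb9, and the server's first fragment carries the L and M flags, a total TLS length of 2668 bytes and the ServerHello, matching the `[ttls]` lines.

```python
"""Decode EAP-Message attribute values from FreeRADIUS debug output.

Added example, not from this thread or from FreeRADIUS. Handles the EAP
header (RFC 3748), the Nak payload, and for EAP-TLS/TTLS/PEAP the flags byte
and the first TLS record header. The two long constants are the first
EAP-Message fragments of the TTLS attempt, copied from the thread.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 12: "ServerKeyExchange", 14: "ServerHelloDone"}

# Client -> server, 196 bytes, from the TTLS attempt in the thread.
TTLS_CLIENT_HELLO = (
    "0x020300c4150016030100b9010000b50301506453"
    "03e91f8c551a6c11a7d49ce4d96af1d519a75c04d076bfcafb6a57f7f300"
    "0048c014c00a00390038c00fc0050035c012c00800160013c00dc003000a"
    "c013c00900330032c00ec004002fc011c007c00c"
    "c002000500040015001200090014001100080006000300ff01000044000b"
    "000403000102000a00340032000100020003000400050006000700080009"
    "000a000b000c000d000e000f00100011001200130014001500160017"
    "001800190023" "0000")
# Server -> client, first 253-byte fragment of a 1024-byte EAP packet, from the thread.
TTLS_SERVER_FRAGMENT = (
    "0x0104040015c000000a6c" "16030100310200002d0301"
    "506452ff531eb2e92091d9811030d8e25d3268b8d832da3b9ae3a8c9761b38fd"
    "000039000005ff01000100" "16030108160b00081200080f00038e"
    "3082038a30820272a003020102020103300d06092a864886f70d0101040500"
    "308183310b3009060355040613024445310f300d06035504081306526164"
    "697573310d300b06035504071304426f6e6e311e301c060355040a131574"
    "6172656e742d736f6c7574696f6e732d476d6248311f301d06092a864886"
    "f70d010901161061646d696e7340746172656e742e646531133011060355"
    "0403130a72616469757374657374301e170d3132303932")


def decode_eap(hexstr):
    """Return a dict describing one EAP-Message value (with or without 0x)."""
    h = hexstr[2:] if hexstr.lower().startswith("0x") else hexstr
    if len(h) % 2:                      # a fragment copied out of a log may end mid-byte
        h = h[:-1]
    data = bytes.fromhex(h)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    # RADIUS carries at most 253 bytes per EAP-Message attribute, so a long
    # EAP packet is split and a single fragment is shorter than its header says.
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": len(data) < length}
    if code in (3, 4) or length < 5 or len(data) < 5:
        return info                     # Success/Failure carry no type byte
    etype = data[4]
    info["type"] = EAP_TYPES.get(etype, etype)
    body = data[5:]
    if etype == 3:                      # Nak: the peer lists types it would accept
        info["desired_types"] = [EAP_TYPES.get(b, b) for b in body]
    elif etype in (13, 21, 25) and body:
        flags = body[0]                 # L = length present, M = more, S = start
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        offset = 1
        if flags & 0x80 and len(body) >= 5:
            info["tls_total_length"] = struct.unpack("!I", body[1:5])[0]
            offset = 5
        rec = body[offset:offset + 6]   # TLS record header + first handshake byte
        if len(rec) >= 5:
            ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", rec[:5])
            info["tls_record"] = {"type": TLS_CONTENT.get(ctype, ctype),
                                  "version": (vmaj, vmin), "length": rlen}
            if ctype == 22 and len(rec) == 6:
                info["tls_record"]["handshake"] = TLS_HANDSHAKE.get(rec[5], rec[5])
    return info


def describe(hexstr):
    """Short text for what the peer or server is saying in this message."""
    info = decode_eap(hexstr)
    if info["code"] in ("Success", "Failure"):
        return "%s (id %d)" % (info["code"], info["id"])
    if info.get("type") == "Nak":
        wanted = [t for t in info["desired_types"] if t != 0]
        return "peer rejects the offered method and wants: %s" % (wanted or "none (Nak type 0)")
    parts = ["%s %s id %d" % (info["code"], info.get("type"), info["id"])]
    if info.get("flags", {}).get("S"):
        parts.append("Start")
    if "tls_total_length" in info:
        parts.append("total TLS length %d" % info["tls_total_length"])
    if info.get("tls_record"):
        parts.append("%s %s" % (info["tls_record"]["type"], info["tls_record"].get("handshake", "")))
    return ", ".join(parts)


if __name__ == "__main__":
    for value in ("0x020300060300", "0x04030004", "0x020200060319", "0x010300061920",
                  TTLS_CLIENT_HELLO, TTLS_SERVER_FRAGMENT):
        print(value[:16], "->", describe(value))
```

The decoder is what turns the three `[eap]` outcomes above into something checkable: a Nak with type 0 means the client would accept none of what the server proposed, a Nak naming PEAP means the method negotiation itself worked, and a TTLS response that already carries a ClientHello means the outer tunnel is being built and any remaining problem lies in the inner authentication or in the packets after the Access-Challenge.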
Member: aqui
28.09.2012 at 13:44
With TLS and PEAP you have an LDAP problem with the user:
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
says that quite clearly!
TTLS looks OK. Could it be that the response is getting stuck at a firewall somewhere?!
Member: farenz
09.10.2012 at 10:42
Hello aqui,

sorry for the late reply, the past few weeks haven't gone so smoothly.
I haven't defined any firewall rules, and for the user problem I "simply" defined a bind user.
That is, a user who is allowed to look around in the LDAP and read all the attributes such as password and group membership.

Meanwhile, the Cisco AP won't even talk to the RADIUS anymore, and whenever I want to configure the AP I just get a blank page. Firmware etc. is all up to date, and there haven't been any particular changes either.

What is currently driving me crazy (fascinating me) is that the "radtest" command works wonderfully when executed on the RADIUS itself:

radtest -x -t pap testuser passwort123 127.0.0.1 10 testing123

Sending Access-Request of id 237 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "passwort123"
	NAS-IP-Address = 10.10.20.36
	NAS-Port = 10

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=237, length=20

rad_recv: Access-Request packet from host 127.0.0.1 port 40253, id=129, length=58
	User-Name = "testuser"
	User-Password = "passwort123"
	NAS-IP-Address = 10.10.20.36
	NAS-Port = 10
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20121009
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20121009
[auth_log] 	expand: %t -> Tue Oct  9 10:33:20 2012
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for testuser
[ldap] 	expand: %{Stripped-User-Name} ->
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> testuser
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap] 	expand: dc=tarent,dc=de -> dc=tarent,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 172.26.100.1:389, authentication 0
  [ldap] bind as uid=binduser,cn=users,ou=Infrastruktur,dc=tarent,dc=de/pw-vom-binduser to 172.26.100.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=tarent,dc=de, with filter (uid=testuser)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{crypt}$1$l4Je/bMr$IEKzWS2SQ78eEfM/a6VB7/"
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user testuser authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group LDAP {...}
[ldap] login attempt by "testuser" with password "passwort123"
[ldap] user DN: uid=testuser,cn=users,dc=tarent,dc=de
  [ldap] (re)connect to 172.26.100.1:389, authentication 1
  [ldap] bind as uid=testuser,cn=users,dc=tarent,dc=de/passwort123 to 172.26.100.1:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user testuser authenticated succesfully
++[ldap] returns ok
Login OK: [testuser] (from client localhost port 10)
# Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group post-auth {...}
++? if (!(Ldap-Group == "WLAN" ))
  [ldap] Entering ldap_groupcmp()
	expand: dc=tarent,dc=de -> dc=tarent,dc=de
	expand: %{Stripped-User-Name} ->
	... expanding second conditional
	expand: %{User-Name} -> testuser
	expand: (&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=testuser))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=tarent,dc=de, with filter (&(cn=WLAN)(&(objectClass=posixGroup)(memberUid=testuser)))
rlm_ldap::ldap_groupcmp: User found in group WLAN
  [ldap] ldap_release_conn: Release Id: 0
?? Evaluating (Ldap-Group == "WLAN" ) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(Ldap-Group == "WLAN" )) -> FALSE
Sending Access-Accept of id 129 to 127.0.0.1 port 40253
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.

The only warning here is:

[pap] WARNING: Auth-Type already set.  Not setting to PAP

That comes from the additional Auth-Types I put into my /etc/freeradius/sites-enabled/inner-tunnel.
If I remove them, it still keeps working anyway.

Regards
farenz
Member: farenz
09.10.2012 at 16:16
Meanwhile the AP is running again.

A login with peap/pap looks like this:
rad_recv: Access-Request packet from host 10.10.20.43 port 1645, id=44, length=138
	User-Name = "farenz"
	Framed-MTU = 1400
	Called-Station-Id = "001b.8f8a.ac30"
	Calling-Station-Id = "1cb0.9475.d65a"
	Service-Type = Login-User
	Message-Authenticator = 0x4b7a404e761d36514315bab2ec38d9e7
	EAP-Message = 0x0201000b01666172656e7a
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 299
	NAS-Port-Id = "299"
	NAS-IP-Address = 10.10.20.43
	NAS-Identifier = "ap-bn-test"
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[ldap] performing user authorization for farenz
[ldap] 	expand: %{Stripped-User-Name} ->
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> farenz
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=farenz)
[ldap] 	expand: dc=tarent,dc=de -> dc=tarent,dc=de
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=tarent,dc=de, with filter (uid=farenz)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Password-With-Header == "{crypt}$1$wNTQUAjn$f0ragZNFWuArJ3FMbA2WW1"
[ldap] looking for reply items in directory...
[ldap] user farenz authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'
WARNING: Use the PAP module instead.
No User-Password or CHAP-Password attribute in the request
Failed to authenticate the user.
Login incorrect: [farenz] (from client man-netz port 299 cli 1cb0.9475.d65a)
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 44 to 10.10.20.43 port 1645
Waking up in 4.9 seconds.
Cleaning up request 2 ID 44 with timestamp +420
Ready to process requests.


I can see the error(s).

[pap] No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'
WARNING: Use the PAP module instead.
No User-Password or CHAP-Password attribute in the request

Only I haven't used Auth-Type = Crypt anywhere.
At least that's what 'find' and 'grep' tell me.
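To make the difference between the working radtest trace and the failing access-point trace mechanical, here is an added Python helper. It is not from this thread and not part of FreeRADIUS; it parses the line shapes of FreeRADIUS 2.x debug output (radiusd -X) and reduces one request to the facts that decide its outcome: which attributes the request carried, which site and modules ran, whether an Auth-Type was selected, and what was sent back. The two embedded traces are abbreviated constructions modelled on the output quoted above, not captures from a live server.

```python
import re

# Constructed sample traces, abbreviated from the debug output quoted in this thread.
# Trace 1: radtest run locally with PAP; the request carries a clear-text User-Password.
RADTEST_TRACE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 40253, id=129, length=58
\tUser-Name = "testuser"
\tUser-Password = "passwort123"
\tNAS-IP-Address = 10.10.20.36
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] Setting Auth-Type = LDAP
++[ldap] returns ok
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = LDAP
[ldap] user testuser authenticated succesfully
Login OK: [testuser] (from client localhost port 10)
Sending Access-Accept of id 129 to 127.0.0.1 port 40253
"""

# Trace 2: request from the access point; it carries an EAP-Message but no password.
AP_TRACE = """\
rad_recv: Access-Request packet from host 10.10.20.43 port 1645, id=44, length=138
\tUser-Name = "farenz"
\tEAP-Message = 0x0201000b01666172656e7a
\tNAS-Port-Type = Wireless-802.11
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
++[chap] returns noop
++[mschap] returns noop
++[ldap] returns ok
[pap] No clear-text password in the request.  Not performing PAP.
++[pap] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Crypt'
WARNING: Use the PAP module instead.
No User-Password or CHAP-Password attribute in the request
Failed to authenticate the user.
Login incorrect: [farenz] (from client man-netz port 299 cli 1cb0.9475.d65a)
Sending Access-Reject of id 44 to 10.10.20.43 port 1645
"""

# Line shapes of the FreeRADIUS 2.x debug output as they appear in the traces above.
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+) = (.*)$')          # indented "Attr = value"
SECTION_RE = re.compile(r'^# Executing section (\S+) from file (\S+)')
MODULE_RE = re.compile(r'^\+\+\[(\w+)\] returns (\w+)')
AUTHTYPE_RE = re.compile(r'^Found Auth-Type = (\S+)')
RESULT_RE = re.compile(r'^Sending (Access-Accept|Access-Reject) of id (\d+)')


def analyze_trace(trace):
    """Reduce one request's debug trace to the facts that explain its outcome."""
    facts = {'attributes': {}, 'sections': [], 'modules': [],
             'auth_type': None, 'outcome': None, 'warnings': []}
    for line in trace.splitlines():
        if m := ATTR_RE.match(line):
            facts['attributes'][m.group(1)] = m.group(2).strip()
        elif m := SECTION_RE.match(line):
            # keep only the site file name, e.g. "inner-tunnel"
            facts['sections'].append((m.group(1), m.group(2).rsplit('/', 1)[-1]))
        elif m := MODULE_RE.match(line):
            facts['modules'].append((m.group(1), m.group(2)))
        elif m := AUTHTYPE_RE.match(line):
            facts['auth_type'] = m.group(1)
        elif m := RESULT_RE.match(line):
            facts['outcome'] = m.group(1)
        elif 'WARNING' in line:
            facts['warnings'].append(line.strip())
    return facts


def diagnose(facts):
    """Human-readable findings for a rejected request; empty list for an accepted one."""
    if facts['outcome'] != 'Access-Reject':
        return []
    attrs = facts['attributes']
    ran = {name for name, _ in facts['modules']}
    findings = []
    if 'User-Password' not in attrs and 'CHAP-Password' not in attrs:
        findings.append('request carries no User-Password/CHAP-Password, so pap and an '
                        'LDAP bind check have nothing to verify')
    if 'EAP-Message' in attrs and 'eap' not in ran:
        findings.append('request carries an EAP-Message but the eap module never ran in '
                        'authorize; the EAP exchange must be unwrapped before any '
                        'password-based check can see a password')
    if facts['auth_type'] is None:
        findings.append('no Auth-Type was selected in authorize, so no authentication '
                        'method ran')
    findings.extend('server warning: ' + w for w in facts['warnings'])
    return findings


if __name__ == '__main__':
    for name, trace in (('radtest', RADTEST_TRACE), ('access point', AP_TRACE)):
        facts = analyze_trace(trace)
        print(f"{name}: {facts['outcome']}, Auth-Type={facts['auth_type']}, "
              f"attributes={sorted(facts['attributes'])}")
        for finding in diagnose(facts):
            print('  -', finding)
```

Run against a real radiusd -X capture, the same parser works on one request at a time (split the output at each "rad_recv:" line). The point of the diagnosis is to separate the two questions that get mixed up in a thread like this one: whether the request that reached a given site carried anything a password module could check, and whether any module actually claimed the request by setting Auth-Type.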