Authentication problem Cisco WAP4410N + FreeRadius + OpenLDAP

Discussion in 'Server Operation' started by skrollan, Sep 2, 2011.

  1. skrollan


    Hello! I'm having trouble authenticating with my Cisco WAP4410N AP to my RADIUS server (Debian 6).
    The thing is, I'm using LDAP to log in to the wireless network, which seems to work because I can do:
    radtest testuser "password" localhost 2 testing123
    where testuser is an LDAP user,
    and I get an "Access-Accept" answer.
    But when I then try to log in to the wireless network, RADIUS refuses to accept the Cisco AP, which in turn blocks every attempt to log in.
    The current error message, as printed by freeradius -X:

    ++[eap] returns ok 
    Found Auth-Type = EAP 
    # Executing group from file /etc/freeradius/sites-enabled/default 
    +- entering group authenticate {...} 
    [eap] Request found, released from the list 
    [eap] EAP/peap 
    [eap] processing type peap 
    [peap] processing EAP-TLS 
    [peap] eaptls_verify returned 7 
    [peap] Done initial handshake 
    [peap] eaptls_process returned 7 
    [peap] EAPTLS_OK 
    [peap] Session established. Decoding tunneled attributes. 
    [peap] Peap state send tlv failure 
    [peap] Received EAP-TLV response. 
    [peap] The users session was previously rejected: returning reject (again.) 
    [peap] *** This means you need to read the PREVIOUS messages in the debug output 
    [peap] *** to find out the reason why the user was rejected. 
    [peap] *** Look for "reject" or "fail". Those earlier messages will tell you. 
    [peap] *** what went wrong, and how to fix the problem. 
    [eap] Handler failed in EAP/peap 
    [eap] Failed in EAP select 
    ++[eap] returns invalid 
    Failed to authenticate the user. 
    Using Post-Auth-Type Reject 
    # Executing group from file /etc/freeradius/sites-enabled/default 
    +- entering group REJECT {...} 
    [attr_filter.access_reject] expand: %{User-Name} -> host/robert-laptop 
    attr_filter: Matched entry DEFAULT at line 11 
    ++[attr_filter.access_reject] returns updated 
    Delaying reject of request 59 for 1 seconds 
    Going to the next request 
    Waking up in 0.9 seconds. 
    Sending delayed reject for request 59 
    Sending Access-Reject of id 55 to port 2070 
    EAP-Message = 0x04080004 
    Message-Authenticator = 0x00000000000000000000000000000000 
    Waking up in 3.9 seconds. 
    Cleaning up request 51 ID 47 with timestamp +2345 

    I have added an entry for the AP in clients.conf which looks like the following:

    client {
        secret = testing123
        shortname = wireless_ap
        nastype = cisco
    }

    Does anyone have a clue where I went wrong with this, and what I can do to fix it?

    Thanks in advance
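
The debug output in the post says to look at earlier messages for "reject" or "fail". As an added example (not part of the original post), this Python helper runs that search over saved `freeradius -X` output, skips the lines that only repeat the verdict, and reports the User-Name of the rejected request. The first two sample lines are constructed for illustration and are not shown in the post; the remaining lines are copied from it.

```python
import re

# Lines from the posted output that contain "reject"/"fail" but only repeat
# the verdict or describe cleanup; they do not explain the rejection.
NOISE = re.compile(
    r"\*\*\*|previously rejected|Post-Auth-Type Reject|entering group REJECT"
    r"|access_reject|[Dd]elay(ing|ed) reject|Sending Access-Reject"
    r"|Handler failed|Failed in EAP select|Failed to authenticate the user"
    r"|send tlv failure"
)
HIT = re.compile(r"reject|fail", re.IGNORECASE)
USER = re.compile(r"%\{User-Name\} -> (\S+)")

# Constructed sample: lines 1-2 are hypothetical earlier messages,
# the rest is taken from the debug output in the post.
SAMPLE = """\
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] returns reject
[peap] Peap state send tlv failure
[peap] The users session was previously rejected: returning reject (again.)
[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.
[eap] Handler failed in EAP/peap
Failed to authenticate the user.
[attr_filter.access_reject] expand: %{User-Name} -> host/robert-laptop
Sending Access-Reject of id 55 to port 2070
"""


def triage(debug_text):
    """Return (causes, user): informative reject/fail lines seen before the
    'previously rejected' marker, and the User-Name of the request."""
    causes, user, marker_seen = [], None, False
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = USER.search(line)
        if m:
            user = m.group(1)
        if "previously rejected" in line:
            marker_seen = True
        if not marker_seen and HIT.search(line) and not NOISE.search(line):
            causes.append(line)
    return causes, user


if __name__ == "__main__":
    found, who = triage(SAMPLE)
    print("User-Name in rejected request:", who)
    print("\n".join(found) or "No cause in this excerpt; capture earlier output.")
```

Run on the excerpt exactly as posted, it returns no causes, which shows that the capture has to start earlier in the PEAP exchange; it also shows that the rejected identity is `host/robert-laptop`, not the `testuser` account checked with radtest.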
