802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment
Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic vlan assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support Dynamic VLAN Assigment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce to support EAP-TLS/EAP-TTLS but no dynamic vlan assignment. Thank you for any help.
SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.
Similar Messages
-
Hi
Just want to know is there any known problems or issues having PEAP, EAP-TLS & EAP-MD5 enabled on ACS Radius servers for wireless authentication?Hello,
There is no problems excep you have to have CA server for certificates for both ACS and wireless users.
Regards,
Belal -
802.1x authetication with dynamic Vlan assignment by a radius server
Hi
At school I want to start using 802.1x authentication with dynamic Vlan assignment by a Windows Server 2012R2 Radius server.
When a student logs in, I want it to be placed in the "Students" Vlan, when a Administrative employee logs in, I want it to be placed in the "Administative" vlan and when the client is unknown I want to place it in the "Guest" Vlan.
I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
What does work:
- If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
- When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized".
So far so good.
But what doesn't work:
- it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
- I can not find the Guest VLAN.
Any help would be appriciated.Hi Wouter,
Can you see in the packet capture Radius accept message VLAN attribute? Also please ensure you have the latest firmware and boot code:
http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
I would recommend you to open ticket with Small Business team so they can go with you through packet capture and configuration steps:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
Regards,
Aleksandra -
802.1x dynamic VLAN assignment with Radius NPS Server
I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
I have followed this documentation,
http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
that basically says to use these Radius attributes,
Tunnel-Medium-Type : 802
Tunnel-Pvt-Group-ID : My_VLAN_Number (also tried VLAN name)
Tunnel-Type : VLAN
There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
and I have also tried that,
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
My user authenticates on the port fine, but doesn't get put into a VLAN. If I add "sw acc vlan 110" then the user authenticates and then does get an IP address in that VLAN and all is well.
Anybody know how to get dynamic VLAN assignment working with NPS?
NPS on Win 2012 R2
Domain controller separate Win 2012 R2 server
Cisco 3550 switchHi All, Can any one guide me to
configure 802.1x with acs 5.0. Its totally new look and m not able to
find document related to 802.1x.Thanks
Hi,
Check out the below link on how to configure 802.1x and ACS administration hope to help !!
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
Ganesh.H -
Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points
Hi Guys,
I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client find the SSID ->put in his user credential->Raudius athentication->assign him to an specific vlan based on his groupship.
The problem here is that I don't have a AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to confirgure the AP's port, radio port, vlan and SSID.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
I go through some references:
3.5 RADIUS-Based VLAN Access Control
As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
There are two different ways to implement RADIUS-based VLAN access control features:
1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
extract from: Wireless Virtual LAN Deployment Guide
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
==============================================================
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
==============================================================
Controller: Wireless Domain Services Configuration
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
Any help on this issue is appreicated.
Thanks.I'm not sure if the Autonomous APs have the option for AAA Override. On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override". I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
Hope this helps -
802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment
Currently Being Moderated
802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment
Could someone please provide me with a simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic vlan assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dymamic vlan assignments.
If possible show:
1. ACS/Radius Configurations.
2. End User Switch Configurations
Variables:
Switch A
MAC Address aaaa.bbbb.cccc Vlan 10
bbbb.cccc.dddd Vlan 20
Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
Thanks in advance. .Hi Guys,
Hmmm, well if your just looking for Mac based authentication the good news is that is very easy. Just set create your Radius server, ACS, FreeRadius, Steelbelted radius etc. Then create user with the name of the Mac address, in other words if the mac address is 0012.0021.1122 the the name would be 001200211122 and the password would be the mac address. Then you set the vlan and tunnel stuff, like so tunnel-Type would be vlan, Tunnel-medium would be 802 and Tunnel-Private-Group-ID is the name of the vlan(not the vlan number)
So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password. Then check the Separate(Chap/MS-Chap/ARAP) box. Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward. -
WLC- dynamic Vlan assignment with Radius
Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
I created one testing SSID and two Vlans on WLC. On ACS I use an IETF atributes (064,065,081) for my account and I am changing Vlan ID (081) during testing.
It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
Could you please help me?There is good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
-
Dynamic vlan assignment with 1242AG and IAS not working
I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine. I've tried everything I can think of. Any suggestions?
IAS and AD is running on Windows Server 2003
Everything works fine except the vlan assignment. Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
PEAP is the authentication method, using MS-CHAP v2. Naturally I have the attributes in the policy set appropriately, ie:
Tunnel-Medium-Type > 802
Tunnel-Pvt-Group-ID > vlanid
Tunnel-Type > VLAN
On the AP:
Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the
Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.Good! Well to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
I did view the debug from an AP which showed the Tunnel attributes being recieved from the radius server (I'll have to wait until Monday to get a copy though).
I see I don't have that line "aaa authorization network default group rad_eap",
So I'll have give it a try, (maybe I can remote in so I don't have to wait until Monday).
Thanks,
Jason -
Dynamic VLAN assignment with WLC and ACS for
Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
dot11 vlan-name STUDENT vlan 2903
dot11 vlan-name FACSTAF vlan 2905
As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this? -
802.1x dynamic vlan assignment using ACS 4.2
Hi
we have 10 switches 2960 configured with 802.1x authentication against ACS server 4.2.
we have 2 vlans configured on the switches for administrator and endusers. the end user vlan id is 10 and the administartor vlan is is 100.
we need to apply the following scenario, if the enduser PC - that is connected to vlan 10 - has an issue and the administrator will login to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator vlan ( 100 ) .
is the above scenario doable using dot1x with the ACS server?
waiting your replies
MohamedHi,
I have the following scenario
2 bulidings with multiple floor
Each floor should be in different VLAN.
The network should be authenticated with 802.1x and each switch port should be assigned with dynamic VLAN from ACS.
Each
user should be able to connect and roam around between any building.
when ever a user is connecting his laptop to any floor, he should be
made part of that respective vlan. It is not requred to have the same
IP rage to be allocated, but the dynamic VLAN should be based on the
switch port location.
Can
I configure ACS in such a way that, the ACS will allocate dynamic VLAN
for every 802.1x authentication based on the Network Device Group.
Please refer the attached diagram
Hi,
Check out the below link for your requirement for dynamic vlan assignement using ACS
http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post -
802.1x Dynamic Vlan assignment using ACS
Hi,
I have the following scenario
2 bulidings with multiple floor
Each floor should be in different VLAN.
The network should be authenticated with 802.1x and each switch port should be assigned with dynamic VLAN from ACS.
Each user should be able to connect and roam around between any building. when ever a user is connecting his laptop to any floor, he should be made part of that respective vlan. It is not requred to have the same IP rage to be allocated, but the dynamic VLAN should be based on the switch port location.
Can I configure ACS in such a way that, the ACS will allocate dynamic VLAN for every 802.1x authentication based on the Network Device Group. Please refer the attached diagramHi,
I have the following scenario
2 bulidings with multiple floor
Each floor should be in different VLAN.
The network should be authenticated with 802.1x and each switch port should be assigned with dynamic VLAN from ACS.
Each
user should be able to connect and roam around between any building.
when ever a user is connecting his laptop to any floor, he should be
made part of that respective vlan. It is not requred to have the same
IP rage to be allocated, but the dynamic VLAN should be based on the
switch port location.
Can
I configure ACS in such a way that, the ACS will allocate dynamic VLAN
for every 802.1x authentication based on the Network Device Group.
Please refer the attached diagram
Hi,
Check out the below link for your requirement for dynamic vlan assignement using ACS
http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Hope to Help !!
Ganesh.H
Remember to rate the helpful post -
Dynamic vlan assignment with openldap
Hi,
I have a scenario where my customer has an ACS 5.2 and couple WLCs. the customer has also a openldap database and needs to do dynamic vlan assignement for his wireless user against this database. I know that for Active directory it works, please advise if it does as well for openldap and how?
Regards,No it doesnt work if you are using mschap v2 here is a grid of the supported eap based protocols and the directory services:
You can find this information here:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1045863
Hope this helps. -
Is dynamic VLAN assignment supported with web-authentication?
The 7.6.130.0 WLC configuration guides says this:
"Dynamic VLAN assignment is not supported for web authentication from a controller with Access Control Server (ACS)"
How should we interpret this, exactly? Does this mean that dynamic VLAN assignment is supported with web authentication from a controller if some other RADIUS server is used (Eg: FreeRadius, ISE)?It is not supported with any kind of radius server. The radius attributes ACS uses for pushing those settings (64,65,81) are the same for every other radius implementation. Pushing a QoS profile does work.
-
WLAN Security - EAP-TLS EAP-Identity exposed in the clear
Hi Guys,
As a well known point on eap-tls, is the eap-identity message from (lets say) a workstantion is exposed in the clear and any packet capture can pick this up.
How does this affect organisations deploying eap-tls and are there any recommend mitigation techniques to use?
If you are using eap-tls, and active directory, this machine name could be in the CN, SAN comparison from the Cisco ACS to AD DC so could be a problem? Not sure?
But the underlying certificate exchange is the real security method here correct? So should I not worry about this?
Many thx and kind regards,
kenHi Fella, Excellent response.
So, Couple of points here :
We use EAP-TLS and WPA2/AES
EAP-TLS = Authentication Layer only
WPA2/AES = Encrpytion Layer only
Is that correct?
Also, if correct
EAP-TLS Authentication Only
What does this authenticate in the certificate, and how?
All I know is that it is working and the client cert and ACS server cert are authenticating each other, and we have the ACS consulting the active directory DC with a CN, SAN or binary comparison
So the way I see it, there are two layers of authentication here
1st Layer
Laptop <---> ACS certificate verification/authentication (the two certs have some field in them that say they are linked) and are happy to proceed?
2nd Layer
The ACS-AD comparison, so if this field in the cert appears in an AD GPO, it allows access, if not, no eap-sucess messge is sent?
Can you clarify this as you have done a good job in explaing thus far?
Many thx indeed,
Ken -
WLC 5508: 802.1 AAA override; Authenication success no dynamic vlan assignment
WLC 5508: software version 7.0.98.0
Windows 7 Client
Radius Server: Fedora Core 13 / Freeradius with LDAP storage backend
I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respective to building the LDAP and free radius server. 802.1x authorization and authenication correctly work. The session keys are returned from the radius server and the wlc send the appropriate information for the client to generate the WEP key.
However, the WLC does not override the VLAN assignment, even though I was to believe I set everything up correctly. From the packet capture, you can see that verfication of client is authorized to use the WLAN returns the needed attributes:
AVP: l=4 t=Tunnel-Private-Group-Id(81): 10
AVP: l=6 t=Tunnel-Medium-Type(65): IEEE-802(6)
AVP: l=6 t=Tunnel-Type(64): VLAN(13)
I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.Yes good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept. I wrote up a medium high level config for any future viewers of this thread:
The following was tested and verified on a fedora 13 installation. This is a minimal setup; not meant for a "live" network (security issues with cleartext passwords, ldap not indexed properly for performance)
Install Packages
1. Install needed packages.
yum install openldap*
yum install freeradius*
2. Set the services to automatically start of system startup
chkconfig --level 2345 slapd on
chkconfig --level 2345 radiusd on
Configure and start LDAP
1. Copy the needed ladp schemas for radius. Your path may vary a bit
cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema
2. Create a admin password for slapd. Record this password for later use when configuring the slapd.conf file
slappasswd
3. Add the ldap user and group; if it doesn't exisit. Depending on the install rpm, it may have been created
useradd ldap
groupadd ldap
4. Create the directory and assign permissions for the database files
mkdir /var/lib/ldap
chmod 700 /var/lib/ldap
chown ldap:ldap /var/lib/ldap
5. Edit the slapd.conf file.
cd /etc/openldap
vi slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#Default needed schemas
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
#Radius include
include /etc/openldap/schema/radius.schema
#Samba include
#include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# ldbm and/or bdb database definitions
#Use the berkely database
database bdb
#dn suffix, domain components read in order
suffix "dc=cisco,dc=com"
checkpoint 1024 15
#root container node defined
rootdn "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw
{SSHA}
cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index uid,memberUid eq,pres,sub
# enable monitoring
database monitor
# allow onlu rootdn to read the monitor
access to *
by dn.exact="cn=Manager,dc=cisco,dc=com" read
by * none
6. Remove the slapd.d directory
cd /etc/openldap
rm -rf slapd.d
7. Hopefully if everything is correct, should be able to start up slapd with no problem
service slapd start
8. Create the initial database in a text file called /tmp/initial.ldif
dn: dc=cisco,dc=com
objectClass: dcobject
objectClass: organization
o: cisco
dc: cisco
dn: ou=people,dc=cisco,dc=com
objectClass: organizationalunit
ou: people
description: people
dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg
9. Add the file to the database
ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif
10. Issue a basic query to the ldap db, makes sure that we can request and receive results back
ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"
Configure and Start FreeRadius
1. Configure ldap.attrmap, if needed. This step is only needed if we need to map and pass attributes back to the authenicator (dynamic vlan assignments as an example). Below is an example for dynamic vlan addresses
cd /etc/raddb
vi ldap.attrmap
For dynamic vlan assignments, verify the follow lines exist:
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
Since we are planning to use the userpassword, we will let the mschap module perform the NT translations for us. Add the follow line to check ldap object for userpassword and store as Cleartext-Password:
checkItem Cleartext-Password userPassword
2. Configure eap.conf. The following sections attributes below should be verified. You may change other attributes as needed, they are just not covered in this document.
eap
{ default_eap_type = peap ..... }
tls {
#I will not go into details here as this is beyond scope of setting up freeradisu. The defaults will work, as freeradius comes with generated self signed certificates.
peap {
default_eap_type = mschapv2
#you will have to set this to allowed the inner tls tunnel attributes into the final accept message
use_tunneled_reply = yes
3. Change the authenication and authorization modules and order.
cd /etc/raddb/sites-enabled
vi default
For the authorize section, uncomment the ldap module.
For the authenicate section, uncomment the ldap module
vi inner-tunnel
Very importants, for the authorize section, ensure the ldap module is first, before mschap. Thus authorize will look like:
authorize
{ ldap mschap ...... }
4. Configure ldap module
cd /etc/raddb/modules
ldap
{ server=localhost identify = "cn=Manager,dc=cisco,dc=com" password=admin basedn="dc=cisco,dc=com" base_filter = "(objectclass=radiusprofile)" access_attr="uid" ............ }
5. Start up radius in debug mode on another console
radiusd -X
6. radtest localhost 12 testing123
You should get a Access-Accept back
7. Now to perform an EAP-PEAP test. This will require a wpa_supplicant test libarary called eapol_test
First install openssl support libraries, required to compile
yum install openssl*
yum install gcc
wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz
tar xvf wpa_supplicant-0.6.10.tar.gz
cd wpa_supplicant-0.6.10/wpa_supplicant
vi defconfig
Uncomment CONFIG_EAPOL_TEST = y and save/exit
cp defconfig .config
make eapol_test
cp eapol_test /usr/local/bin
chmod 755 /usr/local/bin/eapol_test
8. Create a test config file named eapol_test.conf.peap
network=
{ eap=PEAP eapol_flags=0 key_mgmt=IEEE8021X identity="jonatstr" password="ggsg" \#If you want to verify the Server certificate the below would be needed \#ca_cert="/root/ca.pem" phase2="auth=MSCAHPV2" }
9. Run the test
eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123
Maybe you are looking for
-
HT3529 Can I send pictures from my iPhone to a Galaxy S4?
My friend has a Galaxy S4 and we've been trying to send pictures back and forth from my iPhone and from her Galaxy with no success. Is it possible to send pics from an Apple device to Galaxy/Android device? Thanks!
-
Work flow in error when executed with a user decision.
Hi, I am executing a workflow for notification of absence. It has a user decision step to Revise the request or to withdraw it when the absence request is rejected by the approver. When I am executing this the workflow is going into error state. User
-
Hi, I wonder if anyone can help me? I'm running wordpress 2.0 with the plugin podpress. I have submitted a podcast RSS feed and it has been accepted but it is now asking for a feed title? In the podpress options I have specified a title (I'm not sure
-
Screen doesnt get blacked out when on call after the new update
Since the time i Have updated the firmware screen doesnt gets blacked out, when on call after the new update. Because of this option automatically get selected by getting touched cheecks. any solution?
-
HT204053 how do i put the imforation from my iphone to my new comupter
I got a new computer for christmas and i'm having a little trouble putting all the information onto my computer. Can anyone be of assistance?