LEAP + Freeradius + RFS7000

// Expert user has replied.
M Matthieu Dierick 2 years 11 months ago
1 11 0

Hi guys, I need your help regarding LEAP support on RFS7k with freeradius behind.

RFS7000 used as authenticator

Freeradius used as radius server

Laptop with LEAP authentication and WPA1-TKIP encryption

We are encountering an issue with the encryption. Actually, with only LEAP authentication, it works.But when we select an encryption (whatever encrytion used), we can not send frames to the network.After several investigations, we discovered this log message :Jun 29 20:27:47 2009: %CC-6-STATIONASSOC: Station 00-1B-63-C2-56-FE associated to radio 175 wlan 19 vlan 1130Jun 29 20:27:53 2009: %CC-6-EAPAUTHSUCCESS: Station 00-1B-63-C2-56-FE eap (802.1x) authentication success on wlan 19Jun 29 20:27:53 2009: %CC-4-NORADIUSKEY: MPPE keying information not received from Radius server for Station 00-1B-63-C2-56-FEThis message means the station is authenticated but the freeradius does not send the key to the RFS7k.Have you got any idea how to configure the freeradius so that it sends this key?Help will be really appreciated.Matt

Please register or login to post a reply

11 Replies

M Matthieu Dierick

Guys, as Kevin said, our WING infrastructure does not support LEAP. My customer has to move to PEAP.

K Kevin Marshall

This is a good suggestion and is something Cisco also recomends (check out http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml). We can fully support the following EAP methods on our infrastructure: - EAP-FAST (with or without automatic PAC provisioning) - PEAP (EAP-GTC) - PEAP (EAP-MSCHAPv2) - EAP-TLS Regards, Kevin 

S Sukhdeep Singh Johar

You will find plenty on stuff pointing LEAP weaknesses. The attached paper lists the key points in a concise manner. Might be useful. regards, sukhdeep

J Juan-Antonio Martinez

Thanks, Kevin. So... maybe the root problem is trying to use a RFS7000 (instead a Cisco AP) rather than auth'ing to a FreeRadius, don't you think?

K Kevin Marshall

There is no LEAP support in WiNG of our APs! I would not expect LEAP to work with any of our infrastructure. Regards, Kevin

J Juan-Antonio Martinez

Matthieu, would it then be possible to make your customer move from LEAP to PEAP ?

A Adrian Vesa
J Juan-Antonio Martinez

I always thought that AP-side LEAP protocol was Cisco propietary (unlike Client-side, such as Fusion, Mobile Companion or Aegis etc). Only Cisco APs could be used with LEAP auth. I also guess (I am not sure on that one) ACS should be used. Definitely, I am missing something. Did this change? Please someone tell me if so.

K Kevin Marshall

LEAP is actually supported by various popular RADIUS servers including FreeRADIUS, Steel-Belted RADIUS and  Radiator and is supported by various supplicants (AEGIS, Odyssey, Open1X). From a AP perspective LEAP is only supported by Cisco Aironet Access Points as its pre IEEE and proprietary in nature. No commercial AP vendor that I am aware of provides support for LEAP on their APs. Regards, Kevin

a art gabriellini

Matt, My experience with FreeRADIUS from a Motorola client integration standpoint (support case 1669249; McDonalds Corp), is that test & validation had never authorized our client devices against this authentication server. Marketing (I was told) had never placed this server onto the required list of auth servers. I believe that the aforementioned support case escalated to the CPR team, but I don't know the outcome. Cisco thick AP's were used under this scenario, but the WLAN backbone shouldn't make a difference here... The report was that our client was unable to interpret the de-auth/auth failure message sent by FreeRADIUS whenever the client sent invalid/misstyped PEAP credentials. This caused our client supplicant (within Fusion) to continue retrying these invalid credentials (worked fine to a Cisco ACS). Hope the above helps...

A Adrian Vesa

Matthieu, Use Microsoft IAS instead of FreeRADIUS and I think it's going to solve the issue (and save you of a lot of trouble). However, if that's not possible (though I hope it is), please see the link below: http://wiki.freeradius.org/PopTop

CONTACT
Can’t find what you’re looking for?