Hi guys, I need your help regarding LEAP support on RFS7k with freeradius behind.
RFS7000 used as authenticator
Freeradius used as radius server
Laptop with LEAP authentication and WPA1-TKIP encryption
We are encountering an issue with the encryption. Actually, with only LEAP authentication, it works. But when we select an encryption (whatever encryption is used), we cannot send frames to the network. After several investigations, we discovered this log message:

Jun 29 20:27:47 2009: %CC-6-STATIONASSOC: Station 00-1B-63-C2-56-FE associated to radio 175 wlan 19 vlan 1130
Jun 29 20:27:53 2009: %CC-6-EAPAUTHSUCCESS: Station 00-1B-63-C2-56-FE eap (802.1x) authentication success on wlan 19
Jun 29 20:27:53 2009: %CC-4-NORADIUSKEY: MPPE keying information not received from Radius server for Station 00-1B-63-C2-56-FE

This message means the station is authenticated but the freeradius does not send the key to the RFS7k. Have you got any idea how to configure the freeradius so that it sends this key? Help will be really appreciated.
Matt
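To spot the symptom described above across a whole controller log rather than by eye, here is an added example (not from the original poster or from Motorola/Extreme) that parses the RFS7000 syslog format quoted in the post and reports stations that passed 802.1X but for which the controller logged no MPPE keying material. The log lines are constructed from the post; the mnemonic names and MAC format are assumed to be stable across lines.

```python
import re
from collections import defaultdict

# Constructed sample in the RFS7000 syslog format quoted in the post
# (same station MAC, radio and WLAN numbers as the original report).
SAMPLE_LOG = """\
Jun 29 20:27:47 2009: %CC-6-STATIONASSOC: Station 00-1B-63-C2-56-FE associated to radio 175 wlan 19 vlan 1130
Jun 29 20:27:53 2009: %CC-6-EAPAUTHSUCCESS: Station 00-1B-63-C2-56-FE eap (802.1x) authentication success on wlan 19
Jun 29 20:27:53 2009: %CC-4-NORADIUSKEY: MPPE keying information not received from Radius server for Station 00-1B-63-C2-56-FE
"""

# "Mon DD HH:MM:SS YYYY: %FACILITY-SEVERITY-MNEMONIC: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}): %(?P<mnemonic>[A-Z0-9-]+): (?P<msg>.*)$"
)
# Station MACs are written as six hex pairs separated by dashes.
MAC_RE = re.compile(r"Station (?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")


def parse_events(text):
    """Yield (timestamp, mnemonic, station MAC or None) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a controller syslog entry
        mac_m = MAC_RE.search(m.group("msg"))
        mac = mac_m.group("mac").upper() if mac_m else None
        yield m.group("ts"), m.group("mnemonic"), mac


def stations_missing_mppe_keys(text):
    """Return MACs that authenticated via EAP but got no MPPE keys from RADIUS.

    This is the combination seen in the thread: the Access-Accept arrives, but
    without MS-MPPE-Recv-Key / MS-MPPE-Send-Key (RFC 2548) the authenticator has
    no PMK to run the 4-way handshake, so WPA/TKIP traffic never flows.
    """
    per_station = defaultdict(set)
    for _ts, mnemonic, mac in parse_events(text):
        if mac:
            per_station[mac].add(mnemonic)
    return sorted(
        mac for mac, events in per_station.items()
        if "CC-6-EAPAUTHSUCCESS" in events and "CC-4-NORADIUSKEY" in events
    )


if __name__ == "__main__":
    print(stations_missing_mppe_keys(SAMPLE_LOG))
```

Feed it the controller's syslog export; any MAC it returns is a client whose RADIUS server accepted the authentication without returning keying material.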
11 Replies
Guys, as Kevin said, our WING infrastructure does not support LEAP. My customer has to move to PEAP.
This is a good suggestion and is something Cisco also recommends (check out http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml). We can fully support the following EAP methods on our infrastructure:
- EAP-FAST (with or without automatic PAC provisioning)
- PEAP (EAP-GTC)
- PEAP (EAP-MSCHAPv2)
- EAP-TLS
Regards, Kevin
You will find plenty of stuff pointing out LEAP weaknesses. The attached paper lists the key points in a concise manner. Might be useful. regards, sukhdeep
Thanks, Kevin. So... maybe the root problem is trying to use an RFS7000 (instead of a Cisco AP) rather than auth'ing to a FreeRadius, don't you think?
There is no LEAP support in WiNG of our APs! I would not expect LEAP to work with any of our infrastructure. Regards, Kevin
Matthieu, would it then be possible to make your customer move from LEAP to PEAP ?
Here's another useful link: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg10…
I always thought that AP-side LEAP protocol was Cisco proprietary (unlike client-side, such as Fusion, Mobile Companion or Aegis etc). Only Cisco APs could be used with LEAP auth. I also guess (I am not sure on that one) ACS should be used. Definitely, I am missing something. Did this change? Please someone tell me if so.
LEAP is actually supported by various popular RADIUS servers including FreeRADIUS, Steel-Belted RADIUS and Radiator and is supported by various supplicants (AEGIS, Odyssey, Open1X). From an AP perspective LEAP is only supported by Cisco Aironet Access Points as it is pre-IEEE and proprietary in nature. No commercial AP vendor that I am aware of provides support for LEAP on their APs. Regards, Kevin
Matt, My experience with FreeRADIUS from a Motorola client integration standpoint (support case 1669249; McDonalds Corp), is that test & validation had never authorized our client devices against this authentication server. Marketing (I was told) had never placed this server onto the required list of auth servers. I believe that the aforementioned support case escalated to the CPR team, but I don't know the outcome. Cisco thick APs were used under this scenario, but the WLAN backbone shouldn't make a difference here... The report was that our client was unable to interpret the de-auth/auth failure message sent by FreeRADIUS whenever the client sent invalid/mistyped PEAP credentials. This caused our client supplicant (within Fusion) to continue retrying these invalid credentials (worked fine to a Cisco ACS). Hope the above helps...
Matthieu, Use Microsoft IAS instead of FreeRADIUS and I think it's going to solve the issue (and save you a lot of trouble). However, if that's not possible (though I hope it is), please see the link below: http://wiki.freeradius.org/PopTop