LEAP + Freeradius + RFS7000

Hi guys,

I need your help regarding LEAP support on RFS7k with freeradius behind.



  • RFS7000 used as authenticator

  • Freeradius used as radius server

  • Laptop with LEAP authentication and WPA1-TKIP encryption


We are encountering an issue with the encryption. Actually, with only LEAP authentication, it works.
But when we select an encryption (whatever encryption used), we cannot send frames to the network.
After several investigations, we discovered this log message :

Jun 29 20:27:47 2009: %CC-6-STATIONASSOC: Station 00-1B-63-C2-56-FE associated to radio 175 wlan 19 vlan 1130
Jun 29 20:27:53 2009: %CC-6-EAPAUTHSUCCESS: Station 00-1B-63-C2-56-FE eap (802.1x) authentication success on wlan 19
Jun 29 20:27:53 2009: %CC-4-NORADIUSKEY: MPPE keying information not received from Radius server for Station 00-1B-63-C2-56-FE

This message means the station is authenticated but the freeradius does not send the key to the RFS7k.

Have you got any idea how to configure the freeradius so that it sends this key?

Help will be really appreciated.

Matt
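
An added example, not part of the original post: the %CC-4-NORADIUSKEY message can be confirmed on the wire by checking whether the server's Access-Accept carries the MS-MPPE-Send-Key and MS-MPPE-Recv-Key vendor attributes. Attribute numbers are from RFC 2865 and RFC 2548; the sample packets are constructed (zeroed authenticator and key fields) and the function names are illustrative.

```python
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26   # attribute type (RFC 2865)
MICROSOFT = 311        # vendor id (RFC 2548)
MPPE_KEYS = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}  # RFC 2548

def attributes(packet):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def missing_mppe_keys(packet):
    """Names of the MPPE key attributes absent from an Access-Accept."""
    attrs = list(attributes(packet))  # validates the framing first
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    seen = set()
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != MICROSOFT:
            continue
        sub = value[4:]  # one or more (vendor-type, vendor-length, data)
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            seen.add(sub[0])
            sub = sub[sub[1]:]
    return [n for t, n in sorted(MPPE_KEYS.items()) if t not in seen]

def build_accept(attrs):
    """Constructed sample packet: zeroed authenticator, no real secrets."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

def ms_vsa(vtype, data):
    return VENDOR_SPECIFIC, struct.pack("!IBB", MICROSOFT, vtype, len(data) + 2) + data

EAP_SUCCESS = (79, b"\x03\x01\x00\x04")  # EAP-Message carrying EAP-Success
NO_KEYS = build_accept([EAP_SUCCESS])
WITH_KEYS = build_accept([EAP_SUCCESS, ms_vsa(16, bytes(34)), ms_vsa(17, bytes(34))])
```

Feed it the UDP payload of the Access-Accept taken from a capture between the controller and the RADIUS server; a non-empty result matches the condition the controller logged.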

art gabriellini
Matt,
My experience with FreeRADIUS from a Motorola client integration standpoint (support case 1669249; McDonalds Corp), is that test & validation had never authorized our client devices against this authentication server.
Marketing (I was told) had never placed this server onto the required list of auth servers.
I believe that the aforementioned support case escalated to the CPR team, but I don't know the outcome. Cisco thick APs were used under this scenario, but the WLAN backbone shouldn't make a difference here...
The report was that our client was unable to interpret the de-auth/auth failure message sent by FreeRADIUS whenever the client sent invalid/mistyped PEAP credentials. This caused our client supplicant (within Fusion) to continue retrying these invalid credentials (worked fine to a Cisco ACS).
Hope the above helps...
Points: 0


Adrian Vesa
Matthieu,

Use Microsoft IAS instead of FreeRADIUS and I think it's going to solve the issue (and save you a lot of trouble). However, if that's not possible (though I hope it is), please see the link below:
http://wiki.freeradius.org/PopTop
Points: 0


Adrian Vesa
Here's another useful link:
Points: 0


Juan-Antonio Ma...
I always thought that AP-side LEAP protocol was Cisco proprietary (unlike Client-side, such as Fusion, Mobile Companion or Aegis etc).
Only Cisco APs could be used with LEAP auth.

I also guess (I am not sure on that one) ACS should be used.

Definitely, I am missing something. Did this change? Please someone tell me if so.
Points: 0


Kevin Marshall
LEAP is actually supported by various popular RADIUS servers including FreeRADIUS, Steel-Belted RADIUS and Radiator and is supported by various supplicants (AEGIS, Odyssey, Open1X).

From an AP perspective LEAP is only supported by Cisco Aironet Access Points as it's pre-IEEE and proprietary in nature. No commercial AP vendor that I am aware of provides support for LEAP on their APs.

Regards,
Kevin
Points: 0


Juan-Antonio Ma...
Thanks, Kevin.

So... maybe the root problem is trying to use a RFS7000 (instead of a Cisco AP) rather than auth'ing to a FreeRadius, don't you think?
Points: 0


Kevin Marshall
There is no LEAP support in WiNG of our APs! I would not expect LEAP to work with any of our infrastructure.

Regards,
Kevin

Points: 0


Juan-Antonio Ma...
Matthieu, would it then be possible to make your customer move from LEAP to PEAP?
Points: 1


Kevin Marshall
This is a good suggestion and is something Cisco also recommends (check out http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml).

We can fully support the following EAP methods on our infrastructure:
- EAP-FAST (with or without automatic PAC provisioning)
- PEAP (EAP-GTC)
- PEAP (EAP-MSCHAPv2)
- EAP-TLS

Regards,
Kevin 
Points: 0


Sukhdeep Singh Johar
You will find plenty of stuff pointing out LEAP weaknesses. The attached paper lists the key points in a concise manner. Might be useful.

regards,
sukhdeep
Points: 1


Matthieu Dierick
Guys, as Kevin said, our WING infrastructure does not support LEAP. My customer has to move to PEAP.
Points: 0

