solved(ish) Re: WPA-Enterprise (PEAP-MSCAPv2) problem with N810/OS2008

I finally got some time to work with the RADIUS administrator and
troubleshoot this.  In the end, I was able to get authenticated, but there
are some definite bugs in the wireless connection manager, because I
shouldn't have had this much trouble.

Our network (to briefly re-summarize):
Cisco LWAPs (Light-Weight Access Points) (1131 and 1242)
Cisco Wireless Controllers (WISM blades for Cisco 6500 chassis)
MS Internet Authentication Service RADIUS with PEAP/MS-CHAPv2 over WPA1
(TKIP) and WPA2(CCMP) with named user authentication.

The setup that worked:
---
WLAN :)
---
Network Name (SSID): blah
Network is hidden: checked (and true)
Network Mode: Infrastructure
Security Method: WPA with EAP
---
EAP type: PEAP
---
Select Certificate: None (we don't use client certs)
EAP method: EAP MSCHAPv2
---
User name: WHATEVER (doesn't matter as it doesn't seem to actually use this
field)
Password: password
Prompt for password: UNCHECKED
---
Advanced:EAP
-
Use Manual user name: checked
Manual user name: username
Require Client Authentication: unchecked
---

Ok, so this looks pretty normal, except for a few things:
1) if you don't enter the manual username in the advanced properties, it
sends totally garbled credentials which (obviously) fail authentication and
the log shows the EAP type as undetermined:
---
User qQVHj2kwcIhtnSA6QhmpIm was denied access.
Fully-Qualified-User-Name = OBFUSCATED\qQVHj2kwcIhtnSA6QhmpIm
NAS-IP-Address = OBFUSCATED
NAS-Identifier = OBFUSCATED
Called-Station-Identifier = OBFUSCATED
Calling-Station-Identifier = OBFUSCATED
Client-Friendly-Name = OBFUSCATED
Client-IP-Address = OBFUSCATED
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows 
Authentication-Server = <undetermined> 
Policy-Name = <undetermined> 
Authentication-Type = EAP
EAP-Type = <undetermined> 
Reason-Code = 8
Reason = The specified user account does not exist. 
---
2) if you select prompt for password AND you have manual user name checked
AND you have an entry for the manual username, you will get a password
prompt, which will fail and nothing will even make it to the RADIUS logs...

Basically: as far as I can tell, the username field is not used in the main
configuration tab, only the 'manual user name' is used in the advanced
settings.  Secondarily, the 'prompt for password' option does not seem
to authenticate properly, as it didn't even show in the RADIUS logs.

So I guess the result is mixed - _I_ have my issue fixed (and hopefully
these steps help somebody else), but this doesn't seem to be proper
behavior on the part of the wireless configuration manager.

On Fri, 30 Nov 2007 08:20:10 -0700, Tim <tim at samoff.com> wrote:
> Joshua,
> 
> Please add your comments/experiences here:
> 
> https://bugs.maemo.org/show_bug.cgi?id=1017

I will add the text of this email to the bug, need to set up an account.

Rgds,
Josh
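
An added example, not part of the original message: a small Python triage of the IAS denial quoted above, flagging the combination the post reports (EAP-Type undetermined, Reason-Code 8, unrecognised identity). The function names and the `known_users` set are hypothetical; the sample event is an abridged copy of the log in the post.

```python
import re

# Abridged copy of the IAS denial quoted in the post (values obfuscated there).
SAMPLE_EVENT = """\
User qQVHj2kwcIhtnSA6QhmpIm was denied access.
Fully-Qualified-User-Name = OBFUSCATED\\qQVHj2kwcIhtnSA6QhmpIm
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
"""

def parse_event(text):
    """Split an IAS event into a dict; the first line carries user and verdict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"User (\S+) was (denied|granted) access", line)
        if m:
            fields["User"], fields["Verdict"] = m.group(1), m.group(2)
            continue
        # Split on the first " = " only, so values may contain " - " or "=".
        name, sep, value = line.partition(" = ")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def triage(fields, known_users):
    """Return findings for a denial; known_users is a hypothetical
    lower-cased set of account names expected on this WLAN."""
    findings = []
    if fields.get("Verdict") != "denied":
        return findings
    if fields.get("EAP-Type") == "<undetermined>":
        findings.append("EAP-Type undetermined in the RADIUS log")
    if fields.get("Reason-Code") == "8":
        findings.append("Reason-Code 8: specified user account does not exist")
    user = fields.get("User", "")
    if user and user.lower() not in known_users:
        findings.append(f"identity {user!r} is not an expected account; "
                        "check the client's manual user name setting")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_event(SAMPLE_EVENT), {"username"}):
        print(finding)
```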


