Gentoo Forums
Cisco CB21AG LEAP woes
MadOtis
Apprentice

Joined: 14 Dec 2002
Posts: 163
Location: Georgia

Posted: Fri Jul 23, 2004 1:59 pm    Post subject: Cisco CB21AG LEAP woes

Good morning all,

I have an IBM T41 laptop that has an internal IPW2100 card (works great) and a Cisco-Aironet CB21AG PCMCIA card. At home, both wireless cards work great, but at work, where I have to use LEAP (thus, the Cisco card), I can't get either to authenticate using LEAP. Although, with the Cisco card, I have to use the MadWiFi drivers instead of Airo or Airo_cs.

I HAVE installed the Cisco drivers, I have installed the kernel drivers; neither helps at all (following all the posts I've read here). The card (from here on out, I'm only targeting the Cisco PCMCIA card) seems to initialize properly, I can see the two status LEDs flash as it tries to connect, but nothing... after several seconds the net.ath0 script bombs and no connection.

The specifics of my installation are:
Gentoo 2004.1 - 2.6.7-r11 kernel
IBM T41 laptop
Cisco AIR-CB21AG pcmcia card.

Thanks in advance!

Randy
think4urs11
Bodhisattva

Joined: 25 Jun 2003
Posts: 6659
Location: above the cloud

Posted: Fri Jul 23, 2004 6:48 pm

Q1: Do you use AP350 in the office or AP12xx?
Q2: If AP350 - which firmware version do they have?
Q3: Do the AP use broadcast key rotation?
Q4: Do the AP use MIC?

There are various issues with the new cards :?

HTH
T.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
MadOtis
Apprentice

Joined: 14 Dec 2002
Posts: 163
Location: Georgia

Posted: Fri Jul 23, 2004 7:01 pm

A1) I'm approx. 90% sure they are using AP12xx
A2) I'm not sure.
A3) No, no key rotation. At least, not from what my lan support admin tells me.
A4) No, no MIC

The only values we enter anywhere are the SSID1, 802.1x 54Mb, and LEAP. These are the only values we specify in the Winders ACU client.
linuxbum
Tux's lil' helper

Joined: 20 Dec 2003
Posts: 131
Location: USA

Posted: Tue Jan 31, 2006 5:48 pm

Randy did you ever get the card to work?

I did get the older 353 cards to work with the ACU utility, but the CB21AG is not found by the Gentoo box.

Cisco does not list a driver for Linux for the new CB21AG. It does look to be AGR5212 in dmesg.

Bryan
RoundsToZero
Guru

Joined: 17 Nov 2003
Posts: 478
Location: New York, NY

Posted: Wed Feb 01, 2006 3:04 am

I can do LEAP with wpa_supplicant on my ipw2200. You may not need to use your Cisco card. If you want I will post my section of wpa_supplicant.conf when I get back to my laptop. Of course ipw2100 might be different, but they use a common wireless stack now and all the crypto is generally done in software.

EDIT: Oops, thread necro. Hope you have an ipw2x00 too, linuxbum :).
linuxbum
Tux's lil' helper

Joined: 20 Dec 2003
Posts: 131
Location: USA

Posted: Wed Feb 01, 2006 7:00 pm

RoundsToZero,
As a matter of fact I do have a 2915 card.
But the SSID is not broadcast, and I tried the wpa_supplicant and wireless examples but no auth.
Tried the Cisco util leapscript and leaplogin.
If you would share your wpa_supplicant file I would love to see if I missed something.

I have got it working on the WPS-PSK TKIP site at home with no problems.


Bryan
RoundsToZero
Guru

Joined: 17 Nov 2003
Posts: 478
Location: New York, NY

Posted: Sun Feb 05, 2006 3:57 pm

Here it is, look at the "LEAP SECTION".
Code:

##### Example wpa_supplicant configuration file ###############################
# Empty lines and lines starting with # are ignored

# NOTE! This file may contain password information and should probably be made
# readable only by root user on multiuser systems.

# global configuration (shared by all network blocks)
#
# Interface for separate control program. If this is specified, wpa_supplicant
# will create this directory and a UNIX domain socket for listening to requests
# from external programs (CLI/GUI, etc.) for status information and
# configuration. The socket file will be named based on the interface name, so
# multiple wpa_supplicant processes can be run at the same time if more than
# one interface is used.
# /var/run/wpa_supplicant is the recommended directory for sockets and by
# default, wpa_cli will use it when trying to connect with wpa_supplicant.
ctrl_interface=/var/run/wpa_supplicant

# Access control for the control interface can be configured by setting the
# directory to allow only members of a group to use sockets. This way, it is
# possible to run wpa_supplicant as root (since it needs to change network
# configuration and open raw sockets) and still allow GUI/CLI components to be
# run as non-root users. However, since the control interface can be used to
# change the network configuration, this access needs to be protected in many
# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
# want to allow non-root users to use the control interface, add a new group
# and change this value to match with that group. Add users that should have
# control interface access to this group. If this variable is commented out or
# not included in the configuration file, group will not be changed from the
# value it got by default when the directory or socket was created.
#
# This variable can be a group name or gid.
#ctrl_interface_group=wheel
ctrl_interface_group=0

# IEEE 802.1X/EAPOL version
# wpa_supplicant was implemented based on IEEE 802-1X-REV-d8 which defines
# EAPOL version 2. However, there are many APs that do not handle the new
# version number correctly (they seem to drop the frames completely). In order
# to make wpa_supplicant interoperate with these APs, the version number is set
# to 1 by default. This configuration value can be used to set it to the new
# version (2).
eapol_version=1

# AP scanning/selection
# By default, wpa_supplicant requests driver to perform AP scanning and then
# uses the scan results to select a suitable AP. Another alternative is to
# allow the driver to take care of AP scanning and selection and use
# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
# information from the driver.
# 1: wpa_supplicant initiates scanning and AP selection
# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
#    parameters (e.g., WPA IE generation); this mode can also be used with
#    non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
#    APs (i.e., external program needs to control association)
# 2: like 0, but associate with APs using security policy and SSID (but not
#    BSSID); this can be used, e.g., with ndiswrapper and NDIS driver to
#    enable operation with hidden SSIDs and optimized roaming; in this mode,
#    only the first network block in the configuration file is used and this
#    configuration should have explicit security policy (i.e., only one option
#    in the lists) for key_mgmt, pairwise, group, proto variables
ap_scan=1

# EAP fast re-authentication
# By default, fast re-authentication is enabled for all EAP methods that
# support it. This variable can be used to disable fast re-authentication.
# Normally, there is no need to disable this.
fast_reauth=1

# network block
#
# Each network (usually AP's sharing the same SSID) is configured as a separate
# block in this configuration file. The network blocks are in preference order
# (the first match is used).
#
# network block fields:
#
# ssid: SSID (mandatory); either as an ASCII string with double quotation or
#   as hex string; network name
#
# scan_ssid:
#   0 = do not scan this SSID with specific Probe Request frames (default)
#   1 = scan with SSID-specific Probe Request frames (this can be used to
#       find APs that do not accept broadcast SSID or use multiple SSIDs;
#       this will add latency to scanning, so enable this only when needed)
#
# bssid: BSSID (optional); if set, this network block is used only when
#   associating with the AP using the configured BSSID
#
# priority: priority group (integer)
# By default, all networks will get same priority group (0). If some of the
# networks are more desirable, this field can be used to change the order in
# which wpa_supplicant goes through the networks when selecting a BSS. The
# priority groups will be iterated in decreasing priority (i.e., the larger the
# priority value, the sooner the network is matched against the scan results).
# Within each priority group, networks will be selected based on security
# policy, signal strength, etc.
# Please note that AP scanning with scan_ssid=1 is not using this priority to
# select the order for scanning. Instead, it uses the order the networks are in
# the configuration file.
#
# mode: IEEE 802.11 operation mode
# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
# 1 = IBSS (ad-hoc, peer-to-peer)
# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP)
# and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In addition, ap_scan has
# to be set to 2 for IBSS. WPA-None requires following network block options:
# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
# both), and psk must also be set.
#
# proto: list of accepted protocols
# WPA = WPA/IEEE 802.11i/D3.0
# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
# If not set, this defaults to: WPA RSN
#
# key_mgmt: list of accepted authenticated key management protocols
# WPA-PSK = WPA pre-shared key (this requires 'psk' field)
# WPA-EAP = WPA using EAP authentication (this can use an external
#   program, e.g., Xsupplicant, for IEEE 802.1X EAP Authentication)
# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
#   generated WEP keys
# NONE = WPA is not used; plaintext or static WEP could be used
# If not set, this defaults to: WPA-PSK WPA-EAP
#
# auth_alg: list of allowed IEEE 802.11 authentication algorithms
# OPEN = Open System authentication (required for WPA/WPA2)
# SHARED = Shared Key authentication (requires static WEP keys)
# LEAP = LEAP/Network EAP (only used with LEAP)
# If not set, automatic selection is used (Open System with LEAP enabled if
# LEAP is allowed as one of the EAP methods).
#
# pairwise: list of accepted pairwise (unicast) ciphers for WPA
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# NONE = Use only Group Keys (deprecated, should not be included if APs support
#   pairwise keys)
# If not set, this defaults to: CCMP TKIP
#
# group: list of accepted group (broadcast/multicast) ciphers for WPA
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
# If not set, this defaults to: CCMP TKIP WEP104 WEP40
#
# psk: WPA preshared key; 256-bit pre-shared key
# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
# generated using the passphrase and SSID). ASCII passphrase must be between
# 8 and 63 characters (inclusive).
# This field is not needed, if WPA-EAP is used.
# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
# startup and reconfiguration time can be optimized by generating the PSK
# only when the passphrase or SSID has actually changed.
#
# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
# Dynamic WEP key required for non-WPA mode
# bit0 (1): require dynamically generated unicast WEP key
# bit1 (2): require dynamically generated broadcast WEP key
#    (3 = require both keys; default)
#
# Following fields are only used with internal EAP implementation.
# eap: space-separated list of accepted EAP methods
#   MD5 = EAP-MD5 (unsecure and does not generate keying material ->
#         cannot be used with WPA; to be used as a Phase 2 method
#         with EAP-PEAP or EAP-TTLS)
#   MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
#         as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#   OTP = EAP-OTP (cannot be used separately with WPA; to be used
#         as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#   GTC = EAP-GTC (cannot be used separately with WPA; to be used
#         as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#   TLS = EAP-TLS (client and server certificate)
#   PEAP = EAP-PEAP (with tunnelled EAP authentication)
#   TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
#          authentication)
#   If not set, all compiled in methods are allowed.
#
# identity: Identity string for EAP
# anonymous_identity: Anonymous identity string for EAP (to be used as the
#   unencrypted identity with EAP types that support different tunnelled
#   identity, e.g., EAP-TTLS)
# password: Password string for EAP
# ca_cert: File path to CA certificate file. This file can have one or more
#   trusted CA certificates. If ca_cert is not included, server certificate
#   will not be verified. This is insecure and the CA file should always be
#   configured.
# client_cert: File path to client certificate file (PEM/DER)
# private_key: File path to client private key file (PEM/DER/PFX)
#   When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
#   commented out. Both the private key and certificate will be read from
#   the PKCS#12 file in this case.
# private_key_passwd: Password for private key file
# dh_file: File path to DH/DSA parameters file (in PEM format)
#   This is an optional configuration file for setting parameters for an
#   ephemeral DH key exchange. In most cases, the default RSA
#   authentication does not use this configuration. However, it is possible
#   to set up RSA to use ephemeral DH key exchange. In addition, ciphers with
#   DSA keys always use ephemeral DH keys. This can be used to achieve
#   forward secrecy. If the file is in DSA parameters format, it will be
#   automatically converted into DH params.
# subject_match: Substring to be matched against the subject of the
#   authentication server certificate. If this string is set, the server
#   certificate is only accepted if it contains this string in the subject.
#   The subject string is in following format:
#   /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
#   (string with field-value pairs, e.g., "peapver=0" or
#   "peapver=1 peaplabel=1")
#   'peapver' can be used to force which PEAP version (0 or 1) is used.
#   'peaplabel=1' can be used to force new label, "client PEAP encryption",
#   to be used during key derivation when PEAPv1 or newer. Most existing
#   PEAPv1 implementation seem to be using the old label, "client EAP
#   encryption", and wpa_supplicant is now using that as the default value.
#   Some servers, e.g., Radiator, may require peaplabel=1 configuration to
#   interoperate with PEAPv1; see eap_testing.txt for more details.
#   'peap_outer_success=0' can be used to terminate PEAP authentication on
#   tunneled EAP-Success. This is required with some RADIUS servers that
#   implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
#   Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
#   include_tls_length=1 can be used to force wpa_supplicant to include
#   TLS Message Length field in all TLS messages even if they are not
#   fragmented.
#   sim_min_num_chal=3 can be used to configure EAP-SIM to require three
#   challenges (by default, it accepts 2 or 3)
# phase2: Phase2 (inner authentication with TLS tunnel) parameters
#   (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
#   "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
# Following certificate/private key fields are used in inner Phase2
# authentication when using EAP-TTLS or EAP-PEAP.
# ca_cert2: File path to CA certificate file. This file can have one or more
#   trusted CA certificates. If ca_cert2 is not included, server
#   certificate will not be verified. This is insecure and the CA file
#   should always be configured.
# client_cert2: File path to client certificate file
# private_key2: File path to client private key file
# private_key2_passwd: Password for private key file
# dh_file2: File path to DH/DSA parameters file (in PEM format)
# subject_match2: Substring to be matched against the subject of the
#   authentication server certificate.
#
# EAP-PSK variables:
# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
# nai: user NAI
# server_nai: authentication server NAI
#
# EAP-FAST variables:
# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
#   to create this file and write updates to it when PAC is being
#   provisioned or refreshed.
# phase1: fast_provisioning=1 option enables in-line provisioning of EAP-FAST
#   credentials (PAC)
#
# wpa_supplicant supports number of "EAP workarounds" to work around
# interoperability issues with incorrectly behaving authentication servers.
# These are enabled by default because some of the issues are present in large
# number of authentication servers. Strict EAP conformance mode can be
# configured by disabling workarounds with eap_workaround=0.

network={
   ssid="abend"
   priority=5
   scan_ssid=1
   key_mgmt=NONE
   wep_key0=XXX
   wep_tx_keyidx=0
   auth_alg=OPEN
}

network={
   ssid="nashua"
   priority=10
   proto=WPA
   key_mgmt=WPA-PSK
   pairwise=TKIP
   group=TKIP
   psk=XXX
}

network={
   ssid="ninigret"
   priority=5
   scan_ssid=1
   key_mgmt=NONE
   wep_key0=XXX
   wep_tx_keyidx=0
   auth_alg=OPEN
}

# LEAP SECTION
network={
   ssid="IBM"
   priority=0
   key_mgmt=IEEE8021X
   eap=LEAP
   identity="gmishkin@us.ibm.com"
   password="XXX"
}

network={
   ssid="localset"
   priority=0
   key_mgmt=NONE
   wep_key0=XXX
   wep_tx_keyidx=0
   auth_alg=OPEN
}

network={
   ssid="LMC's wireless"
   key_mgmt=NONE
   priority=0
}
linuxbum
Tux's lil' helper

Joined: 20 Dec 2003
Posts: 131
Location: USA

Posted: Mon Feb 06, 2006 4:04 pm

Roundstozero.


Yes, that's what I have and I still can't get LEAP to authenticate.
At work they don't broadcast the SSID, which I know has caused some errors for others using wpa.

Here is my wpa_supplicant.conf
Code:

network={
  ssid="workssid"
  key_mgmt=IEEE8021X
  auth_alg=LEAP
  eap=LEAP
  identity="XXXXXX"
  password="***********"
  priority=0
}


I know the SSID and credentials are right, as I use these for a Windows box :(
and other UNIX services via proxy.
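
The comments in the configuration posted above name several settings as insecure (EAP-MD5, a missing ca_cert, a file with passwords that is not readable only by root), and a mistyped field name or a missing '=' in a network block is a configuration error. The auditor below is an added example, not code from the thread or from the wpa_supplicant project; the sample configuration and the tag names are constructed, and the "leap" tag reflects LEAP's known exposure to offline dictionary attacks, which the thread itself does not mention.

```python
import os
import re
import tempfile

# Network-block fields that appear in the configuration posted in the thread.
KNOWN_FIELDS = set("""ssid scan_ssid bssid priority mode proto key_mgmt auth_alg
pairwise group psk eapol_flags eap identity anonymous_identity password ca_cert
client_cert private_key private_key_passwd dh_file subject_match phase1 phase2
ca_cert2 client_cert2 private_key2 private_key2_passwd dh_file2 subject_match2
eappsk nai server_nai pac_file wep_key0 wep_tx_keyidx""".split())
SECRET = re.compile(r"psk|password|private_key2?_passwd|eappsk|wep_key\d")
TLS_METHODS = {"TLS", "PEAP", "TTLS"}


def parse_networks(text):
    """Return (blocks, errors); global settings outside blocks are skipped."""
    blocks, errors, current = [], [], None
    for no, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        if current is None:
            if re.match(r"network\b.*\{$", line):
                if line != "network={":
                    errors.append((no, "block must open with 'network={'"))
                current = {}
        elif line == "}":
            blocks.append(current)
            current = None
        else:
            name, sep, value = line.partition("=")
            if not sep:
                errors.append((no, "missing '=' in %r" % line))
            elif name not in KNOWN_FIELDS:
                errors.append((no, "unknown field %r" % name))
            else:
                current[name] = value.strip('"')
    return blocks, errors


def audit_block(fields):
    """Tag weak settings in one block (quoted comments are from the posted file)."""
    key_mgmt = fields.get("key_mgmt", "").split()
    eap = set(fields.get("eap", "").split())
    tags = []
    if "NONE" in key_mgmt:  # "plaintext or static WEP could be used"
        tags.append("static-wep" if "wep_key0" in fields else "no-encryption")
    if "MD5" in eap:  # "unsecure and does not generate keying material"
        tags.append("eap-md5")
    if eap & TLS_METHODS and "ca_cert" not in fields:
        tags.append("no-ca-cert")  # "server certificate will not be verified"
    if "LEAP" in eap:  # added here, not from the thread: offline dictionary attack
        tags.append("leap")
    return tags


def audit_file(path):
    """Check syntax, weak blocks, and whether secrets are group/other readable."""
    with open(path) as fh:
        blocks, errors = parse_networks(fh.read())
    has_secret = any(SECRET.fullmatch(name) for b in blocks for name in b)
    weak = {b.get("ssid", "?"): audit_block(b) for b in blocks if audit_block(b)}
    exposed = has_secret and bool(os.stat(path).st_mode & 0o044)
    return {"errors": errors, "weak": weak, "secrets_exposed": exposed}


# Constructed sample, not a configuration from the thread.
SAMPLE = """\
network={
   ssid="corp-leap"
   key_mgmt=IEEE8021X
   eap=LEAP
}
network={
   ssid="lab-wep"
   key_mgmt=NONE
   wep_key0=0102030405
}
network={
   ssid="corp-peap"
   eap=PEAP
}
network{
   ssid"typo-net"
   key_mgt=IEEE8021X
}
"""


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".conf") as fh:
        fh.write(SAMPLE)
        fh.flush()
        os.chmod(fh.name, 0o644)  # too permissive on purpose
        print(audit_file(fh.name))
```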
RoundsToZero
Guru

Joined: 17 Nov 2003
Posts: 478
Location: New York, NY

Posted: Mon Feb 06, 2006 6:48 pm

Try changing ap_scan to 2.
linuxbum
Tux's lil' helper

Joined: 20 Dec 2003
Posts: 131
Location: USA

Posted: Mon Feb 06, 2006 7:11 pm

Roundstozero,

did you install the Cisco Client "net/cisco-aironet-client-utils" ?

I have it installed to use the CISCO card.
How does wpa supply the LEAP CKIP if not installed as TKIP is standard but CKIP is Cisco version.

No help with the ap_scan =2
RoundsToZero
Guru

Joined: 17 Nov 2003
Posts: 478
Location: New York, NY

Posted: Mon Feb 06, 2006 7:42 pm

No, I do not have the Cisco tools installed. I do not even have a Cisco card. I got LEAP working with just ipw2200 and wpa_supplicant. If you in fact have an Intel 2915 card you should be able to use the ipw2200 driver with it (this is the same driver I use for my card, an Intel 2200).

At this point just make sure that you have set up your /etc/conf.d/net file to reflect that the network interface for your 2915 should use wpa_supplicant. Also in that file you should use -Dwext instead of -Dipw as the latter doesn't seem to work (for wpa_supplicant options in the net file). Then when you bring up the 2195 interface (eth1 for me), you should see that it starts wpa_supplicant. It should associate with the LEAP-enabled AP. ap_scan=2 is just a different way to force the association; I think you only use it if it doesn't work with the default.
linuxbum
Tux's lil' helper

Joined: 20 Dec 2003
Posts: 131
Location: USA

Posted: Mon Feb 06, 2006 8:37 pm

Yep all set like you said.

If I run command line wpa_supplicant -i eth1 -c /etc/wpa_supplicant.conf

I get
Code:


ioctl[PRISM2_IOCTL_HOSTAPD]: Operation not supported
Failed to set encryption.



I am now Checking for the ieee80211 modules.


Took laptop home and it works fine for the WPA_PSK TKIP still even emerge -sync and emerge world -udv just to make sure.
Still works on the home network after changing back to "1"

Will try in am at work again.
RoundsToZero
Guru

Joined: 17 Nov 2003
Posts: 478
Location: New York, NY

Posted: Tue Feb 07, 2006 5:11 pm

It doesn't look like you put -Dwext. It looks like it's trying to use another driver, PRISM2; maybe that's the default. That's almost definitely not your card. In any case, you should be able to get it working from the initscript.

EDIT: By the way, this is my command line for wpa_supplicant that the initscript runs:

/sbin/wpa_supplicant -Dwext -B -c/etc/wpa_supplicant.conf -i eth1
linuxbum
Tux's lil' helper

Joined: 20 Dec 2003
Posts: 131
Location: USA

Posted: Tue Feb 07, 2006 7:14 pm

Looks like you put the -D in the command line instead of letting it be set from the /etc/conf.d/net file.
Interesting, I will test and I will post back.
Thanks for the continued help.

EDIT
OK, that stopped the PRISM error; guess that the command line ignores the /etc/conf.d/net file :(
Still working the LEAP issue.
RoundsToZero
Guru

Joined: 17 Nov 2003
Posts: 478
Location: New York, NY

Posted: Tue Feb 07, 2006 9:14 pm

It might just be ignoring wpa_supplicant completely. In the net file, try this:

Make sure this is uncommented. This will disable the iwconfig method of setting up wireless.
modules=( "!iwconfig" )

Make sure these lines are uncommented. This will enable wpa_supplicant.
modules=( "wpa_supplicant" )
wpa_supplicant_eth1="-Dwext"
wpa_timeout_eth1=60

Then you should be able to use the initscript. Make sure you have output like this when you start the initscript.
Code:

snowshoe ~ # /etc/init.d/net.eth1 start
 * Starting eth1
 *   Starting wpa_supplicant on eth1 ...                                  [ ok ]
 *     eth1 connected to "XXX" at XX:XX:XX:XX:XX:XX
 *   Bringing up eth1
 *     dhcp
 *       Running dhcpcd ...                                               [ ok ]
 *       eth1 received address a.b.c.d

If you're not even seeing the part about wpa_supplicant, then the initscript isn't even trying to use your leap configuration in wpa_supplicant.conf.

EDIT: That command line I posted earlier did come from the initscript; I just started the initscript, looked up wpa_supplicant's pid, and copied /proc/[pid]/cmdline.

EDIT 2: Once wpa_supplicant has started, you can check its status with the "wpa_cli" tool. Simply run it, and type "status" at the prompt. You should get something like this:
Code:

snowshoe ~ # wpa_cli
wpa_cli v0.4.7
Copyright (c) 2004-2005, Jouni Malinen <jkmaline@cc.hut.fi> and contributors

This program is free software. You can distribute it and/or modify it
under the terms of the GNU General Public License version 2.

Alternatively, this software may be distributed under the terms of the
BSD license. See README and COPYING for more details.


Selected interface 'eth1'

Interactive mode

> status
bssid=XX:XX:XX:XX:XX:XX
ssid=XXX
pairwise_cipher=TKIP
group_cipher=TKIP
key_mgmt=WPA-PSK
wpa_state=COMPLETED

Well that's what it'll look like if it works, in any case. Obviously the values may change, but if you post the output, including wpa_state, that would help.
linuxbum
Tux's lil' helper

Joined: 20 Dec 2003
Posts: 131
Location: USA

Posted: Tue Feb 07, 2006 9:30 pm

Roundtozero,

Thanks for all your help.

Here is the init.d script's output:
Code:

cruz18 init.d # ./net.eth1 start
 * Caching service dependencies ...
 *  Service 'sysklogd' already provided by 'logger'!;
 *  Not adding service 'metalog'...                                       [ ok ]
 * Starting eth1
 *   Starting wpa_supplicant on eth1 ...                                  [ ok ]
 *     timed out                                                          [ !! ]

and here is a wpa_cli during that start:
Code:

cruz18 etc # wpa_cli status
Selected interface 'eth1'
wpa_state=DISCONNECTED
Supplicant PAE state=DISCONNECTED
suppPortStatus=Unauthorized
EAP state=DISABLED
cruz18 etc # wpa_cli status
Selected interface 'eth1'
wpa_state=DISCONNECTED
Supplicant PAE state=DISCONNECTED
suppPortStatus=Unauthorized
EAP state=DISABLED


I don't think it's trying LEAP at all.
RoundsToZero
Guru

Joined: 17 Nov 2003
Posts: 478
Location: New York, NY

Posted: Tue Feb 07, 2006 9:35 pm

Try adding -d or -dd to wpa_supplicant_eth1 in /etc/conf.d/net (along with your -D flag). Then you should get some more output when you do /etc/init.d/net.eth1 start.
linuxbum
Tux's lil' helper

Joined: 20 Dec 2003
Posts: 131
Location: USA

Posted: Wed Feb 08, 2006 12:39 am

roundstozero,
also I was able to check the WAP logs and see this station fail at authentication:
Code:

Station 0012f0e03ca4 Failed Authentication, status "Unsupported Authentication Algorithm"


So it is reaching the WAP.
I also know the ID and password are OK; I use them every day for Windows and the Cisco 353 or CB21AG PCMCIA card.

Hey, I just thought of something: do you know how to tell it which WINDOWS AD DOMAIN the ID and password are in?
The Windows Intel software asks for ID, DOMAIN, and password; that's got to be it!!
Back to top
View user's profile Send private message
RoundsToZero
Guru
Guru


Joined: 17 Nov 2003
Posts: 478
Location: New York, NY

PostPosted: Wed Feb 08, 2006 2:26 am    Post subject: Reply with quote

You could try setting your username in wpa_supplicant.conf as DOMAIN\username. The "unsupported algorithm" section is suspect, though. I can't think of any other things to add to your section in wpa_supplicant.conf, but if you read through the wpa_supplicant.conf.example file and learn what each of the methods is, one of them might ring a bell, like if you saw something similar in the Windows program.

Do you have everything selected for CryptoAPI in the kernel configuration? It's under "Cryptographic Options" or "Cryptographic API". You should see a list of crypto algorithms, make sure they are all either compiled in or configured as modules (except LZF, which needs to be compiled in if you are using suspend2). I know that WEP uses the arc4 module, and TKIP uses michael_mic, your AP could be using something else. Best to just have everything enabled.
1shot1kill
n00b

Joined: 09 Feb 2006
Posts: 17
Location: Akron, Ohio

Posted: Thu Feb 09, 2006 1:09 am

I have LEAP working on my laptop, a Dell D610 with a Cisco Aironet 350 card and the Airo_cs drivers for it. I downloaded a script called leaplogin that authenticates (which you can download on Cisco's website), then I just run dhclient. That might be the way to go.
linuxbum
Tux's lil' helper

Joined: 20 Dec 2003
Posts: 131
Location: USA

Posted: Fri Feb 10, 2006 5:44 am

1shotkill,
Yes, I have the 350 series working fine.
The 2200 and 2915 Intel cards fail when using LEAP.
For the CB21AG card, Cisco does not have a Linux version of the driver like they did for the 350 series cards. Using the ACU drivers and software.
Cisco may never create a Linux driver for the CB21AG.

I am trying to get the Intel cards to do LEAP and then EAP_FAST next.
I need to test these :roll:
Thanks for the reply.
mfrafique
n00b

Joined: 09 Apr 2008
Posts: 1

Posted: Wed Apr 09, 2008 1:46 pm    Post subject: NavisRadius

Dear All,

Good morning. We are using NavisRadius 4. in our organization and we have 2 conditions to follow. The conditions are given below:

In the first condition, e.g. when a user login id 'test' comes from access server '1.1.1.1', we need to append "-khi" so that it returns "test-khi" to the database.
In the second condition, if a user login id is 'test@khi', we need to trim "@khi" so that it returns only "test" to the database server.


If anyone can help me in this regard, I will highly appreciate it.