namikiri's questions

namikiri
Asked: 2016-10-14 11:33:46 +0800 CST

Unable to install a chained SSL WebAuth certificate on a Cisco WLC

  • 0

I'm having trouble installing a StartCom SSL certificate for WebAuth on a Cisco WLC 2504 controller. It runs software version 7.2.103.0.

I have completed all the steps described in the Cisco guide, but it shows "Error installing certificate". Yes, I'm sure the certificate order is correct (device, intermediate, root). Yes, I have the valid key for this certificate. I used OpenSSL version 0.9.8, downloaded from SourceForge as Cisco recommends. Nothing helps. The log of the TFTP transaction is below.

Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 172.16.10.5
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ /
TFTP Filename.................................... wlc.pem

This may take some time.
Are you sure you want to start? (y/N) y
*TransferTask: Oct 13 23:08:29.319: Memory overcommit policy changed from 0 to 1
*TransferTask: Oct 13 23:08:29.647: Delete ramdisk for ap bundle
*TransferTask: Oct 13 23:08:29.897: RESULT_STRING: TFTP Webauth cert transfer starting.
*TransferTask: Oct 13 23:08:29.898: RESULT_CODE:1

TFTP Webauth cert transfer starting.
*emWeb: Oct 13 23:08:32.318: Still waiting!  Status = 2
*TransferTask: Oct 13 23:08:33.906: Locking tftp semaphore, pHost=172.16.10.5 pFilename=/wlc.pem
*TransferTask: Oct 13 23:08:33.907: Semaphore locked, now unlocking, pHost=172.16.10.5 pFilename=/wlc.pem
*TransferTask: Oct 13 23:08:33.907: Semaphore successfully unlocked, pHost=172.16.10.5 pFilename=/wlc.pem
*TransferTask: Oct 13 23:08:33.908: TFTP: Binding to remote=172.16.10.5
*TransferTask: Oct 13 23:08:33.950: TFP End: 10021 bytes transferred (0 retransmitted packets)
*TransferTask: Oct 13 23:08:33.951: tftp rc=0, pHost=172.16.10.5 pFilename=/wlc.pem pLocalFilename=cert.p12

*TransferTask: Oct 13 23:08:33.951: RESULT_STRING: TFTP receive complete... Installing Certificate.

TFTP receive complete... Installing Certificate.
*TransferTask: Oct 13 23:08:33.951: RESULT_CODE:13
*emWeb: Oct 13 23:08:35.317: Still waiting!  Status = 2
*TransferTask: Oct 13 23:08:37.953: Adding cert (9941 bytes) with certificate key password.
*emWeb: Oct 13 23:08:38.317: Still waiting!  Status = 1
*emWeb: Oct 13 23:08:41.317: Still waiting!  Status = 1
*TransferTask: Oct 13 23:08:42.540: RESULT_STRING: Error installing certificate.
*TransferTask: Oct 13 23:08:42.540: RESULT_CODE:12

*TransferTask: Oct 13 23:08:42.541: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application
*TransferTask: Oct 13 23:08:42.622: finished umounting
*TransferTask: Oct 13 23:08:43.031: Create ramdisk for ap bundle
Error installing certificate.

Importantly, I performed the same steps and sent the same PEM file to another WLAN controller (running software version 7.0.240.0), and it worked fine, so the file itself is not the problem. How can this be resolved? Any ideas?

cisco ssl wlan
  • 1 answer
  • 1805 views
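As an added check (example script, not part of the original question or of Cisco's procedure): before the concatenated PEM bundle is run through openssl pkcs12, this POSIX shell script confirms that the certificates are ordered device, intermediate(s), root (each certificate's issuer is the subject of the next), that the last one is self-signed, and that the private key belongs to the device certificate. It assumes an openssl binary with the pkey subcommand (1.0.0 or newer, not the 0.9.8 build mentioned above); bundle.pem and device.key are placeholder names.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a concatenated
# PEM bundle before uploading it to a WLC for WebAuth.
# Usage: ./check_webauth_chain.sh bundle.pem device.key
# Assumes an openssl binary that has the 'pkey' subcommand (1.0.0+).

# Copy every CERTIFICATE block of $1 into $2/certNN.pem, in file order,
# skipping anything else (a private key, PKCS#12 "Bag Attributes", ...).
split_certs() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
  ' "$1"
}

# Print the subject or issuer DN of a cert in RFC 2253 form, without the label.
dn() { openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'; }

# Return 0 when the bundle is well-ordered and matches the key, 1 otherwise.
check_chain() {
  bundle=$1 key=$2 rc=0 prev_issuer=""
  tmp=$(mktemp -d) || return 2
  split_certs "$bundle" "$tmp"
  set -- "$tmp"/cert*.pem
  [ -f "$1" ] || { echo "no CERTIFICATE blocks in $bundle"; rm -rf "$tmp"; return 1; }
  for c in "$@"; do
    subj=$(dn subject "$c"); issuer=$(dn issuer "$c")
    # Each certificate must be issued by the one that follows it in the file.
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      echo "order error: expected issuer '$prev_issuer', found '$subj'"; rc=1
    fi
    prev_issuer=$issuer
  done
  # The last certificate must be the root, i.e. self-signed.
  [ "$subj" = "$issuer" ] || { echo "last certificate is not self-signed: '$subj'"; rc=1; }
  # The key must match the first (device) certificate: compare public keys.
  cert_pub=$(openssl x509 -noout -pubkey -in "$1")
  key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match the device certificate"; rc=1; }
  rm -rf "$tmp"
  return $rc
}

if [ $# -eq 2 ]; then check_chain "$1" "$2"; fi
```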
namikiri
Asked: 2014-11-20 04:03:42 +0800 CST

Cisco Aironet AP1260 cannot reach the FreeRADIUS server

  • 1

I'm having trouble with a Cisco Aironet AP1260 standalone access point and a FreeRADIUS server. I'm trying to set up an 802.11x access point with authentication against the FreeRADIUS server. I have set up the AP and the server, created a temporary user in /etc/raddb/users and tested the RADIUS server with the radtest utility. But when I try to connect to my AP, I'm rejected, and nothing is logged in FreeRADIUS at all. I'm sure my logging configuration is fine (very verbose logging is enabled). I tried running radiusd -X to watch the activity in real time, but it gives me nothing: the radtest activity shows up fine, but there is no activity from the AP.

I did check the UDP traffic with tcpdump, and the AP's requests reach the server but are ignored by the FreeRADIUS daemon. The port is set correctly too (the default 1812 for auth).

So, how do I get FreeRADIUS to accept the Cisco's authentication requests?

Update: the radtest command only works for localhost. Even if I connect two Linux machines directly, run radiusd -X on the first and then try radtest on the second, the FreeRADIUS server doesn't react at all. I think there is some misconfiguration in FreeRADIUS, but where is it?

Here is my configuration:

sasaika#sh run
Building configuration...

Current configuration : 2030 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname sasaika
!
logging rate-limit console 9
enable secret 5 *omitted*
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 172.16.10.13 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
aaa session-id common
ip domain name ex.example.com
!
!
dot11 syslog
!
dot11 ssid Edhelwen
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   guest-mode
!
!
!
username *omitted* privilege 15 secret 5 *omitted*
!
!
ip ssh time-out 60
ip ssh version 2
bridge irb
!
!
interface Dot11Radio0
 description Test-WiFi
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid Edhelwen
 !
 antenna gain 0
 station-role root access-point
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 172.16.10.12 255.255.255.128
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 172.16.10.13 auth-port 1812 acct-port 1813 key 7 *omitted*
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end

/etc/raddb/radiusd.conf:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        type = auth
        ipaddr = *
        port = 1812
}

listen {
        ipaddr = *
        port = 1813
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log {
    destination = files
    file = ${logdir}/radius.log
    requests = ${logdir}/radiusd-%Y%m%d.log
    syslog_facility = daemon
    stripped_names = yes
    auth = yes
    auth_badpass = yes
    auth_goodpass = yes
    msg_goodpass = "Good: "
    msg_badpass = "Bad: "
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests  = off
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
}
instantiate {
        exec
        expr
        expiration
        logintime
}

$INCLUDE policy.conf
$INCLUDE sites-enabled/

/etc/raddb/clients.conf:

client cisco-ap {
        ipaddr = 172.16.10.12
        nastype = cisco # i tried to disable it, no effect
        secret = *omitted*
        require_message_authenticator = no
}

client localhost {
        ipaddr = 127.0.0.1
        secret = *omitted*
        require_message_authenticator = no
}
cisco
  • 2 answers
  • 989 views