(RADIATOR) 802.1X with Radiator and EnterAsys R2
Luís Guido
lguido at fccn.pt
Tue Jan 25 05:11:38 CST 2005
Hi all,
I guess this question was mentioned some while ago (in the beginning of
2004) but I can't seem to find an answer to my problem.
Terry said (http://www.open.com.au/archives/radiator/2004-01/msg00057.html):
"Enterasys claims this is a problem with Radiator, and we have had some
disagreements with them about this.
When every other AP on the market works but theirs, I doubt it's a server
problem. ;-)
Try setting your chunk size to <= 1000 or so and see if that works... I
believe that was the problem."
For Radiator the value for EAPTLS_MaxFragmentSize must be <= 1010 as pointed
out by Michael (http://www.open.com.au/archives/radiator/2004-01/msg00058.html).
I have tested the R2 with FreeRadius (for PEAP):
    (...)
    eap {
        (...)
        tls {
            (...)
            fragment_size = 1400
        }
        (...)
    }
And IAS and I have succeeded with both Radius servers.
I'm not saying it is a Radiator problem or an R2 problem....
One thing I know! This is one major problem for our network.
Our network is a 802.1X distributed network with multiple AP vendors and
multiple Radius Servers (Radiator, FreeRadius and IAS).
The Radius Hierarchy is responsible for the transportation of the user
credentials from a Visited Site (VS) (where the user is physically located)
to the Home Site (HS) (where the user is known). Most probably the VS and HS
do not know each other and have no way of knowing what is
installed/configured on the other side.
If the user's HS has a Radiator (with EAPTLS_MaxFragmentSize > 1010) and the
VS has EnterAsys R2, the user CANNOT AUTHENTICATE! In my tests, the
authentication blocks when the Radiator sends the second EAP message with
the server certificate (typically a big Radius packet)...
The server does send the 2nd Challenge with the certificate but no response
from the AP... But it does work with FreeRadius with a similar chunk size.
Does anyone have any ideas?
Thanks in advance!
Best regards,
---------------
Luís Guido
FCCN - Portugal
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
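
To see what a given fragment size means on the wire, the sketch below (an added example, not part of the original message and not Radiator or FreeRADIUS code) splits a constructed 3000-octet TLS server flight into EAP-TLS fragments and computes the size of each RADIUS Access-Challenge that carries them. It assumes the configured fragment size counts TLS data octets per fragment and that the challenge holds only EAP-Message and Message-Authenticator attributes; State or Proxy-State attributes would add to the totals.

```python
# Added illustration: sizes follow RFC 2865/3579/5216; the TLS flight is constructed.
import struct

EAP_REQUEST, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M = 0x80, 0x40        # length-included, more-fragments
RADIUS_HEADER = 20                 # code, identifier, length, authenticator
MAX_ATTR_VALUE = 253               # 255 minus the type and length octets
ATTR_EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR_LEN = 18     # attribute 80, sent alongside EAP-Message


def eap_tls_fragments(tls_flight: bytes, max_fragment: int, first_id: int = 1):
    """Split one TLS flight into EAP-Request/TLS packets (assumed semantics)."""
    chunks = [tls_flight[i:i + max_fragment]
              for i in range(0, len(tls_flight), max_fragment)]
    packets = []
    for n, chunk in enumerate(chunks):
        flags = FLAG_M if n < len(chunks) - 1 else 0
        body = b""
        if n == 0 and len(chunks) > 1:
            flags |= FLAG_L        # first fragment announces the total length
            body = struct.pack("!I", len(tls_flight))
        body = bytes([EAP_TYPE_TLS, flags]) + body + chunk
        header = struct.pack("!BBH", EAP_REQUEST, (first_id + n) % 256, 4 + len(body))
        packets.append(header + body)
    return packets


def radius_eap_attributes(eap_packet: bytes):
    """Encode one EAP packet as consecutive EAP-Message attributes."""
    values = [eap_packet[i:i + MAX_ATTR_VALUE]
              for i in range(0, len(eap_packet), MAX_ATTR_VALUE)]
    return [bytes([ATTR_EAP_MESSAGE, 2 + len(v)]) + v for v in values]


def challenge_size(eap_packet: bytes) -> int:
    """Octets in an Access-Challenge carrying this EAP packet."""
    attrs = sum(len(a) for a in radius_eap_attributes(eap_packet))
    return RADIUS_HEADER + attrs + MESSAGE_AUTHENTICATOR_LEN


def report(flight_len: int, max_fragment: int):
    """(EAP length, Access-Challenge length) for every fragment."""
    flight = bytes(flight_len)     # constructed stand-in for ServerHello..Done
    return [(len(p), challenge_size(p)) for p in eap_tls_fragments(flight, max_fragment)]


if __name__ == "__main__":
    for size in (1000, 1010, 1400):
        print(size, report(3000, size))
```

Comparing the per-fragment totals with the MTU of every link between home server, proxies and access point shows which settings keep each Access-Challenge in a single unfragmented UDP datagram.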