[RADIATOR] 802.1x authentication questions

Heikki Vatiainen hvn at open.com.au
Thu Jun 2 02:54:26 CDT 2011


On 06/01/2011 07:17 PM, Alexander Hartmaier wrote:

> Everything is working well so far, but for the case that a non-company
> client has dot1x enabled on the interface I'd like to switch the port to
> our guest LAN.

What happens when you detect a non-company client? Have you configured
Radiator to return Access-Accept with appropriate attributes for guest VLAN?

> This is working fine on the switch, but a Windows 7 client receives the
> EAP auth failure from Radiator and doesn't try to send a DHCP request
> although the switch port has already been set to the guest LAN.

If the Windows 7 client is using PEAP/EAP-MSCHAP-V2 and Radiator returns
Access-Accept without really having access to the user's password or
NThash of the password, the client will notice that Radiator did not
return a correct MS-CHAP-V2 response.

The response needs to prove the server (Radiator) really has access to
the user's credentials. In other words, the server must be able to
authenticate itself too. That is the V2 part in the protocol.

> Is there a solution for this problem?
> 
> For the wireless part we're getting the following error on the WLC:
> %DOT1X-3-AUTHKEY_TX_TRANS_ERR: 1x_kxsm.c:128 Authentication state
> transition to state 0 failed; port status 0, key available 1, key tx
> enabled 1
> 
> If someone encountered this error and knows a solution while we wait for
> the Cisco TAC please respond!

If this is not the MS-CHAP-V2 problem I described above, and there is a
way to do this, it would be very interesting to hear more.

Thanks!

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
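
The server-side proof discussed in the reply above, as an added example that is not part of the original message and is not Radiator code: it follows the authenticator response calculation from RFC 2759 and shows why a server that does not hold the user's NT hash cannot satisfy the client. All input values are constructed samples, and the MD4 hash of the NT hash is passed in directly so the example needs only SHA-1.

```python
import hashlib
import hmac

# Constants defined in RFC 2759, GenerateAuthenticatorResponse().
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"

def challenge_hash(peer_challenge, auth_challenge, username):
    """First 8 octets of SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]

def authenticator_response(pw_hash_hash, nt_response, peer_challenge,
                           auth_challenge, username):
    """Value the server returns with success ("S=<40 hex digits>").
    pw_hash_hash is MD4(NT hash); only a party holding the NT hash can derive it."""
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    return "S=" + hashlib.sha1(digest + chal + MAGIC2).hexdigest().upper()

def client_accepts(own_pw_hash_hash, server_value, nt_response, peer_challenge,
                   auth_challenge, username):
    """Client side: recompute from its own credentials and compare."""
    expected = authenticator_response(own_pw_hash_hash, nt_response,
                                      peer_challenge, auth_challenge, username)
    return hmac.compare_digest(expected, server_value)

def demo():
    # Constructed sample values, not taken from any real exchange.
    username = b"guest-laptop-user"
    auth_challenge = bytes(range(0x10, 0x20))        # chosen by the server
    peer_challenge = bytes(range(0xA0, 0xB0))        # chosen by the client
    nt_response = bytes(range(0x40, 0x58))           # 24 octets sent by the client
    real_hash_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    no_credentials = bytes(16)                       # server has nothing to use

    args = (nt_response, peer_challenge, auth_challenge, username)
    # A server that holds the credentials produces a response the client accepts.
    good = authenticator_response(real_hash_hash, *args)
    # A server that accepts everyone without the NT hash has to guess.
    forged = authenticator_response(no_credentials, *args)
    return (client_accepts(real_hash_hash, good, *args),
            client_accepts(real_hash_hash, forged, *args))

if __name__ == "__main__":
    print(demo())
```
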

