[RADIATOR] 802.1x authentication questions

Alexander Hartmaier alexander.hartmaier at t-systems.at
Fri Jun 3 03:35:40 CDT 2011
On 2011-06-02 09:54, Heikki Vatiainen wrote:
> On 06/01/2011 07:17 PM, Alexander Hartmaier wrote:
>
>> Everything is working well so far, but for the case that a non-company
>> client has dot1x enabled on the interface I'd like to switch the port to
>> our guest LAN.
> What happens when you detect a non-company client? Have you configured
> Radiator to return Access-Accept with appropriate attributes for guest VLAN?
Yes, the switch configures the guest-vlan on the port, but the client
gets an EAP auth failure through the EAP tunnel.
>> This is working fine on the switch, but a Windows 7 client receives the
>> EAP auth failure from Radiator and doesn't try to send a DHCP request
>> although the switch port has already been set to the guest LAN.
> If the Windows 7 client is using PEAP/EAP-MSCHAP-V2 and Radiator returns
> Access-Accept without really having access to the user's password or
> NThash of the password, the client will notice that Radiator did not
> return a correct MS-CHAP-V2 response.
>
> The response needs to prove the server (Radiator) really has access to
> the user's credentials. In other words, the server must be able to
> authenticate itself too. That is the V2 part in the protocol.

We're using PEAP/EAP-TLS with machine certs.
>> Is there a solution for this problem?
>>
>> For the wireless part we're getting the following error on the WLC:
>> %DOT1X-3-AUTHKEY_TX_TRANS_ERR: 1x_kxsm.c:128 Authentication state
>> transition to state 0 failed; port status 0, key available 1, key tx
>> enabled 1
>>
>> If someone encountered this error and knows a solution while we wait for
>> the Cisco TAC please respond!
> If this is not a MS-CHAP-V2 problem I described above, and there is a
> way to do this, it would be very interesting to hear more.
Same PEAP/EAP-TLS here as well.

> Thanks!
>

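The Access-Accept with guest-VLAN attributes that Heikki asks about, as an added example in Python (not code from this thread, from Radiator or from Cisco): it encodes the RFC 2868 tunnel attributes a switch reads for VLAN assignment, computes the RFC 2865 Response Authenticator, and shows the checks a NAS applies before trusting such a reply. The shared secret, VLAN id and request authenticator are constructed; a real EAP exchange would additionally carry EAP-Message and Message-Authenticator attributes, which are outside this snippet.

```python
import hashlib
import hmac
import struct

# Attribute numbers and values from RFC 2865, RFC 2868 and RFC 3580.
ACCESS_ACCEPT, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 2, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def attr(atype, value):
    """Type-Length-Value encoding of one RADIUS attribute (length includes the 2-byte header)."""
    return bytes([atype, 2 + len(value)]) + value

def tagged_int(tag, value):
    """Tag octet (0x00-0x1F) followed by a 3-octet integer, as RFC 2868 specifies for Tunnel-Type/-Medium-Type."""
    return bytes([tag]) + struct.pack(">I", value)[1:]

def guest_vlan_attrs(vlan_id, tag=1):
    """The tunnel attributes an 802.1X switch reads to put the port into the guest VLAN."""
    return (attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def build_access_accept(identifier, request_auth, secret, attrs):
    """RFC 2865 s.3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(packet, request_auth, secret):
    """What the NAS does before trusting the reply: recompute the Response Authenticator."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(packet):
    """Walk the attribute list; reject a length field that runs past the packet."""
    length = struct.unpack(">H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    out, pos = [], 20
    while pos < length:
        alen = packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute overruns packet")
        out.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return out

# Constructed sample values; the real shared secret and VLAN id are deployment-specific.
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-shared-secret"
GUEST_ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, guest_vlan_attrs(200))
```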
T-Systems Austria GesmbH   Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b