[RADIATOR] 802.1x authentication questions

Heikki Vatiainen hvn at open.com.au
Fri Jun 3 09:47:15 CDT 2011


On 06/03/2011 11:35 AM, Alexander Hartmaier wrote:

>> What happens when you detect a non-company client? Have you configured
>> Radiator to return Access-Accept with appropriate attributes for guest VLAN?

> Yes, the switch configures the guest-vlan on the port, but the client
> gets an EAP auth failure through the EAP tunnel.

Ok. The client would probably have to get an Access-Accept to continue.
Just to check: is your plan to have the non-company users use a
WPA-Enterprise secured network too?

> We're using PEAP/EAP-TLS with machine certs.

This sounds to me like a setup that might be easier to get working with
two different WLANs. One SSID (wlan name) would be for company clients
and another SSID (with different parameters) would be for non-company
clients.

Enterprise WLAN access points and controllers support multiple SSIDs and
differently configured WLANs/VLANs so that should be possible to do. And
then you would not need to modify company users' authentication settings
to allow redirecting visitors to their VLAN.

With EAP-TLS too the client wants to see server authentication. Also,
the server does want to see a certificate from the client that it
trusts. If you can assign certificates to non-company clients, you could
use that information to do VLAN selection.

What kind of non-company clients do you plan supporting? Visitors or
possibly employees' own devices which could be considered more long term
than just those who occasionally come to meetings etc.

>>> If someone encountered this error and knows a solution while we wait for
>>> the Cisco TAC please respond!
>> If this is not a MS-CHAP-V2 problem I described above, and there is a
>> way to do this, it would be very interesting to hear more.
> Also same PEAP/EAP-TLS here.

Please also let us know if you get something from TAC too.

Thanks!

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
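The VLAN selection discussed above (an Access-Accept carrying the RFC 3580 tunnel attributes, with the VLAN chosen from the CA that issued the client's EAP-TLS certificate) as an added example in Python; it is not Radiator code and not from the original post. The issuer-to-VLAN policy table and the issuer names are constructed assumptions; the attribute numbers and values are the standard RFC 2868/3580 ones.

```python
import struct

# RFC 2868 tunnel attributes as used for dynamic VLAN assignment (RFC 3580, 3.31).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value for "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value for "IEEE-802"

# Constructed policy: the CA that issued the client certificate decides the VLAN.
# Company machine certs and guest/BYOD certs come from different issuing CAs.
CA_TO_VLAN = {
    "CN=Example Corp Machine CA": "10",   # company clients
    "CN=Example Corp Guest CA": "200",    # non-company clients (guest VLAN)
}

def select_vlan(issuer, chain_valid):
    """Decide the RADIUS reply for a client that presented a certificate.

    issuer: issuer DN of the client certificate (as verified by EAP-TLS).
    chain_valid: whether the certificate chained to a trusted CA.
    Returns (reply_code, attributes). Untrusted or unknown issuers are rejected,
    so a client never silently lands in the company VLAN.
    """
    if not chain_valid:
        return "Access-Reject", {}
    vlan = CA_TO_VLAN.get(issuer)
    if vlan is None:
        return "Access-Reject", {}
    return "Access-Accept", {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": vlan,
    }

def encode_tagged_int(attr_type, tag, value):
    # Tagged integer attribute: type, length (6), tag byte, 3-byte big-endian value.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def encode_tagged_string(attr_type, tag, value):
    # Tagged string attribute: type, length, tag byte, string bytes.
    data = value.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def encode_vlan_attributes(attrs, tag=0):
    """Serialize the three VLAN attributes as RADIUS AVPs (tag 0 = untagged)."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, attrs["Tunnel-Type"])
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, attrs["Tunnel-Medium-Type"])
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, attrs["Tunnel-Private-Group-ID"]))
```

The switch still needs the port configured to honour the returned VLAN, and the inner EAP-TLS exchange must complete with an Access-Accept for the VLAN to take effect.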
