[RADIATOR] 802.1x authentication questions
Alexander Hartmaier
alexander.hartmaier at t-systems.at
Mon Jun 6 03:06:07 CDT 2011
Am 2011-06-03 16:47, schrieb Heikki Vatiainen:
> On 06/03/2011 11:35 AM, Alexander Hartmaier wrote:
>
>>> What happens when you detect a non-company client? Have you configured
>>> Radiator to return Access-Accept with appropriate attributes for guest VLAN?
>> Yes, the switch configures the guest-vlan on the port, but the client
>> gets an EAP auth failure through the EAP tunnel.
> Ok. The client would probably have to get an Access-Accept to continue.
> Just to check: is your plan to have the the non-company users to use a
> WPA-Enteriprise secured network too?
The VLAN assignment is just for the wired network, for the wireless we
have different SSIDs.
>> We're using PEAP/EAP-TLS with machine certs.
> This sounds to me like a setup that might be easier to get working with
> two different WLANs. One SSID (wlan name) would be for company clients
> and another SSID (with different parameters) would be for non-company
> clients.
>
> Enterprise WLAN access points and controllers support multiple SSIDs and
> differently configured WLANs/VLANs so that should be possible to do. And
> then you would not need to modify company users' authentication settings
> to allow redirecting visitors to their VLAN.
See above.
> With EAP-TLS too the client wants to see server authentication. Also,
> the server does want to see a certificate from the client that it
> trusts. If you can assign certificates to non-company clients, you could
> use that information to do VLAN selection.
We've already got all necessary certificates and the client config in place.
I only want to improve the guest experience.
> What kind of non-company clients do you plan supporting? Visitors or
> possibly employees' own devices which could be considered more long term
> than just those who occasionally come to meetings etc.
Visitor devices that are not under our control.
>>>> If someone encountered this error and knows a solution while we wait for
>>>> the Cisco TAC please respond!
>>> If this is not a MS-CHAP-V2 problem I described above, and there is a
>>> way to do this, it would be very interesting to hear more.
>> Also same PEAP/EAP-TLS here.
> Please also let us know if you get something from TAC too.
>
> Thanks!
>
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
More information about the radiator
mailing list