[RADIATOR] 802.1x authentication questions

Heikki Vatiainen hvn at open.com.au
Wed Sep 14 01:54:57 CDT 2011


On 09/13/2011 03:38 PM, Alexander Hartmaier wrote:
> I found out what is required to make 802.1x work with WPA2-Enterprise + AES:
> the AuthBy of the outer handler needs AutoMPPEKeys configured so that
> the Cisco WLC generates the PMK and starts the 4-way PTK handshake.
> 
> This graph shows the complete flow:
> http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-enterprise/flow_wpa_enterprise.png

Looks good. With, e.g., PEAP there's also the possibility of a "fast
reconnect" where the first full TLS negotiation is reused. This reduces
the number of exchanged packets and the processing time. I thought I'd add
this so that in case you need to check logs you may notice that not every
authentication does the same request exchange.

> Please add this info to the reference manual AutoMPPEKeys section and
> extend the goodies/eap_peap_tls.cfg description of the config option!

Hmm, true, looks like the description for AutoMPPEKeys describes the
situation as it was when dynamic WEP keys and such were in use. I'll make
a note about upgrading the description. These days the option is
required when you want to use EAP-PEAP, -TTLS, -TLS and such.

Going back to the original thread in June, did you get the guest access with
PEAP working?

At that time I thought there would be a problem with the server failing to
prove to the client that it knows the client's credentials. This is needed
with MS-CHAP-V2 and normally causes a PEAP failure.

Thanks!

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
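As an added illustration of the configuration discussed in this message (written for this page; it is neither Radiator's shipped goodies/eap_peap_tls.cfg nor part of the original post), here is a minimal pair of handlers for PEAP with an MS-CHAP-V2 inner method, with AutoMPPEKeys set on the outer AuthBy. The client address, certificate paths, users file and secrets are placeholders.

```text
# Hypothetical minimal radius.cfg excerpt (added example, not from the
# mailing list post or from goodies/eap_peap_tls.cfg). Addresses, paths and
# secrets are placeholders.
Foreground
LogStdout
LogDir          /var/log/radius
DbDir           /etc/radiator
Trace           4

# The wireless controller as a RADIUS client; the shared secret is a placeholder.
<Client 192.0.2.10>
    Secret  replace-me
</Client>

# Inner handler: the MS-CHAP-V2 exchange carried inside the PEAP TLS tunnel.
# The cleartext password (or NT hash) has to be available here so that
# Radiator can compute the MS-CHAP-V2 authenticator response; that response
# is what proves to the supplicant that the server knows the user's
# credentials. Without it the supplicant rejects the server and PEAP fails.
<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        Filename    %D/users
        EAPType     MSCHAP-V2
    </AuthBy>
</Handler>

# Outer handler: terminates the PEAP TLS tunnel. AutoMPPEKeys makes Radiator
# derive the MSK from the TLS session and return it as MS-MPPE-Recv-Key and
# MS-MPPE-Send-Key in the Access-Accept; the controller takes the PMK from
# that key material and starts the 4-way PTK handshake. Without it the
# Access-Accept carries no keys and the WPA2-Enterprise association stalls.
<Handler>
    <AuthBy FILE>
        Filename                    %D/users
        EAPType                     PEAP
        EAPTLS_CAFile               %D/certificates/cacert.pem
        EAPTLS_CertificateFile      %D/certificates/server-cert.pem
        EAPTLS_CertificateType      PEM
        EAPTLS_PrivateKeyFile       %D/certificates/server-key.pem
        EAPTLS_PrivateKeyPassword   replace-me
        EAPTLS_MaxFragmentSize      1024
        # Keep the "fast reconnect" mentioned above enabled: a returning
        # supplicant resumes the earlier TLS session instead of doing a full
        # handshake, so the log shows fewer Access-Request/Access-Challenge
        # round trips for that authentication.
        EAPTLS_SessionResumption    1
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

With Trace 4 the check is straightforward: the final Access-Accept logged for a successful PEAP authentication should contain MS-MPPE-Recv-Key and MS-MPPE-Send-Key. If they are absent, the controller has nothing to derive the PMK from, and the client will be deauthenticated after the EAP success even though Radiator reported the user as accepted.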


More information about the radiator mailing list