[RADIATOR] 802.1x authentication questions
Alexander Hartmaier
alexander.hartmaier at t-systems.at
Wed Sep 14 06:37:37 CDT 2011
Hi Heikki,
Am 2011-09-14 08:54, schrieb Heikki Vatiainen:
> On 09/13/2011 03:38 PM, Alexander Hartmaier wrote:
>> I found out what is required to make 802.1x work with WPA2-Enterprise + AES:
>> the AuthBy of the outer handler needs AutoMPPEKeys configured so that
>> the Cisco WLC generates the PMK and starts the 4-way PTK handshake.
>>
>> This graph shows the complete flow:
>> http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-enterprise/flow_wpa_enterprise.png
> Looks good. With e.g., PEAP there's also the possibility for a "fast
> reconnect" where the first full TLS negotiation is reused. This reduces
> the number of exchanged packets and processing time. I thought I'd add
> this so that in case you need to check logs you may notice not every
> authentication does the equal request exchange.
>
>> Please add this info the the reference manual AutoMPPEKeys section and
>> extend the the goodies/eap_peap_tls.cfg description of the config option!
> Hmm, true, looks like the description for AutoMPPEKeys describes the
> situation that was when dynamic WEP keys and such were in use. I'll make
> a note about upgrading the description. The option is these days
> required when you want to use EAP-PEAP, -TTLS, -TLS and such.
>
> Going back to original thread on June, did you get the guest access with
> PEAP working?
>
> At that time I thought there will be a problem with server failing to
> prove to the client it knows the client's credentials. This is needed
> with MS-CHAP-V2 and normally causes PEAP failure.
No, I haven't invested any more time into this.
Note that this was for the wired dot1x, now I was doing the same thing
for wireless.
We do PEAP-TLS for both and any Windows client we've tested (XP and 7)
doesn't try to get an ip address by dhcp when the EAP auth fails (which
is the case for guests that have PEAP-TLS for another CA configured or
PEAP-MS-CHAP-V2).
For those cases you would have to always send an EAP success message to
the client but a different reply to the switch on the radius level.
Can you force an EAP success?
>
> Thanks!
>
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
More information about the radiator
mailing list