[RADIATOR] 802.1x authentication questions

Heikki Vatiainen hvn at open.com.au
Wed Sep 14 07:12:29 CDT 2011


On 09/14/2011 02:37 PM, Alexander Hartmaier wrote:

Hello Alexander,

>> At that time I thought there will be a problem with server failing to
>> prove to the client it knows the client's credentials. This is needed
>> with MS-CHAP-V2 and normally causes PEAP failure.

> No, I haven't invested any more time into this.
> Note that this was for the wired dot1x, now I was doing the same thing
> for wireless.
> We do PEAP-TLS for both and any Windows client we've tested (XP and 7)
> doesn't try to get an ip address by dhcp when the EAP auth fails (which
> is the case for guests that have PEAP-TLS for another CA configured or
> PEAP-MS-CHAP-V2).

I think this is a desired feature for the client, that is, the client is
built like this. When the server fails to respond with a message that
also proves the server has in its possession the client password, the
client stops the process of joining the network.

> For those cases you would have to always send an EAP success message to
> the client but a different reply to the switch on the radius level.

Do you mean EAP success to client to get it to continue and reply to
switch to direct the client to guest network?

> Can you force an EAP success?

I think with PEAP/EAP-MSCHAP-V2 it is MSCHAP-V2 that causes a problem.
The server cannot say just "yes". It also has to prove it holds the
client's credentials.

With EAP-TLS the client would have to trust the server's CA and/or
server's certificate.

In summary, guest networks with EAP-PEAP or EAP-TLS seem to me very hard
to implement. The guests would need to configure certificates, unless
they are accepting any certificate, which is usually not a good idea,
and you would need to give them guest passwords.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
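An added illustration of the point above that the MS-CHAP-V2 server cannot just say "yes": this is not code from the thread or from Radiator, but a Python rendering of the authenticator-response derivation in RFC 2759 section 8.7, which the supplicant recomputes and compares before it accepts the Success. The 16-byte password hash-hash and the 24-byte NT-Response are constructed stand-ins (computing them for real needs MD4 and DES, which is beside the point here), so the names PHH and NT_RESPONSE are assumptions of this example.

```python
import hashlib
import hmac

# RFC 2759 section 8.7 constants used when deriving the "S=..." string that
# the server returns in the MS-CHAP-V2 Success packet.
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 section 8.2: first 8 bytes of SHA1(PeerChallenge | AuthChallenge | UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def authenticator_response(password_hash_hash: bytes, nt_response: bytes,
                           peer_challenge: bytes, auth_challenge: bytes,
                           username: bytes) -> bytes:
    """RFC 2759 section 8.7: the proof the server sends back to the client.

    password_hash_hash is MD4(MD4(UTF-16LE password)), i.e. derived from the
    stored credential; a server without that secret cannot produce it.
    """
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return b"S=" + digest.hex().upper().encode()


def client_accepts(server_response: bytes, client_hash_hash: bytes, nt_response: bytes,
                   peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bool:
    """What the supplicant does with the Success packet: recompute and compare."""
    expected = authenticator_response(client_hash_hash, nt_response, peer_challenge,
                                      auth_challenge, username)
    return hmac.compare_digest(server_response, expected)


# Constructed sample exchange (not real credentials). PHH stands in for
# MD4(MD4(password)); NT_RESPONSE stands in for the client's 24-byte NT-Response.
PHH = bytes(range(16))
NT_RESPONSE = bytes(range(24))
PEER_CHALLENGE = b"\x11" * 16
AUTH_CHALLENGE = b"\x22" * 16
USERNAME = b"guest"


def demo() -> tuple:
    """A server holding PHH satisfies the client; one that only guesses (zeros) does not."""
    good = authenticator_response(PHH, NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
    bluff = authenticator_response(bytes(16), NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
    return (client_accepts(good, PHH, NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME),
            client_accepts(bluff, PHH, NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME))


if __name__ == "__main__":
    print(demo())  # (True, False)
```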
