On 06/03/2011 11:35 AM, Alexander Hartmaier wrote:
>> What happens when you detect a non-company client? Have you configured
>> Radiator to return Access-Accept with appropriate attributes for guest VLAN?
> Yes, the switch configures the guest-vlan on the port, but the client
> gets an EAP auth failure through the EAP tunnel.

Ok. The client would probably have to get an Access-Accept to continue.

Just to check: is your plan to have the non-company users use a
WPA-Enterprise secured network too?

> We're using PEAP/EAP-TLS with machine certs.

This sounds to me like a setup that might be easier to get working with
two different WLANs. One SSID (wlan name) would be for company clients
and another SSID (with different parameters) would be for non-company
clients. Enterprise WLAN access points and controllers support multiple
SSIDs and differently configured WLANs/VLANs, so that should be possible
to do. And then you would not need to modify company users'
authentication settings to allow redirecting visitors to their VLAN.

With EAP-TLS too the client wants to see server authentication. Also, the
server does want to see a certificate from the client that it trusts. If
you can assign certificates to non-company clients, you could use that
information to do VLAN selection.

What kind of non-company clients do you plan to support? Visitors, or
possibly employees' own devices, which could be considered more long term
than just those who occasionally come to meetings etc.

>>> If someone encountered this error and knows a solution while we wait for
>>> the Cisco TAC please respond!
>> If this is not a MS-CHAP-V2 problem I described above, and there is a
>> way to do this, it would be very interesting to hear more.
> Also same PEAP/EAP-TLS here.

Please also let us know if you get something from TAC too.

Thanks!

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
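The thread turns on two points: the guest client must receive an Access-Accept that carries the VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID per RFC 2868/3580), and with EAP-TLS the issuing CA of the client certificate can drive that VLAN choice. The following is an added illustration, not code from the list participants or from Radiator: the issuer DNs, the VLAN numbers and the VLAN_BY_ISSUER policy are constructed, while the attribute numbers and enum values are the ones defined in the RFCs.

```python
"""Select a VLAN from the EAP-TLS client certificate issuer and encode the
RFC 3580 reply attributes an 802.1X switch/AP expects in the Access-Accept."""
import struct

# RADIUS attribute types (RFC 2868) and tunnel enum values (RFC 3580)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed policy: the CA that signed the client cert decides the VLAN.
VLAN_BY_ISSUER = {
    "CN=Company Machine CA": 100,   # company-managed machines
    "CN=Guest Device CA": 200,      # non-company devices we issued certs to
}

def select_vlan(issuer_dn, issuer_trusted=True):
    """VLAN id for a client cert, or None meaning reject (no Access-Accept)."""
    if not issuer_trusted:          # untrusted CA: EAP-TLS must fail anyway
        return None
    return VLAN_BY_ISSUER.get(issuer_dn)

def tagged_int(attr_type, tag, value):
    # Tagged integer AVP: type, length, tag octet, 3-byte big-endian value
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload

def tagged_string(attr_type, tag, value):
    # Tagged string AVP: type, length, tag octet, string
    payload = bytes([tag]) + value.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload

def vlan_reply_attributes(vlan_id, tag=1):
    """The three AVPs to place in the Access-Accept for VLAN assignment."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

def decode_attributes(raw):
    """Parse the AVP stream back into {type: (tag, value)} for verification."""
    out, i = {}, 0
    while i < len(raw):
        attr_type, length = raw[i], raw[i + 1]
        if length < 3 or i + length > len(raw):
            raise ValueError("malformed attribute")
        body = raw[i + 2:i + length]
        tag, rest = body[0], body[1:]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr_type] = (tag, int.from_bytes(rest, "big"))
        else:
            # A "tag" above 0x1F is really the first byte of the string (RFC 2868)
            out[attr_type] = (tag, rest.decode()) if tag <= 0x1F else (0, body.decode())
        i += length
    return out
```

Encoding is only half of the check: the decoder exists so the reply can be inspected the way a switch would read it, including the untagged Tunnel-Private-Group-ID form some NAS vendors send.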