On 09/13/2011 03:38 PM, Alexander Hartmaier wrote:
> I found out what is required to make 802.1x work with WPA2-Enterprise + AES:
> the AuthBy of the outer handler needs AutoMPPEKeys configured so that
> the Cisco WLC generates the PMK and starts the 4-way PTK handshake.
>
> This graph shows the complete flow:
> http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-enterprise/flow_wpa_enterprise.png
Looks good. With e.g. PEAP there's also the possibility for a "fast reconnect" where the first full TLS negotiation is reused. This reduces the number of exchanged packets and processing time. I thought I'd add this so that in case you need to check logs you may notice not every authentication does the same request exchange.

> Please add this info to the reference manual AutoMPPEKeys section and
> extend the goodies/eap_peap_tls.cfg description of the config option!

Hmm, true, looks like the description for AutoMPPEKeys describes the situation that was when dynamic WEP keys and such were in use. I'll make a note about upgrading the description. The option is these days required when you want to use EAP-PEAP, -TTLS, -TLS and such.

Going back to the original thread in June, did you get the guest access with PEAP working? At that time I thought there would be a problem with the server failing to prove to the client it knows the client's credentials. This is needed with MS-CHAP-V2 and normally causes PEAP failure.

Thanks!

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
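As an added illustration of the point made in this thread (this is not a configuration from the thread or from Radiator's own goodies files): a minimal inner/outer Handler pair for PEAP with MS-CHAP-V2 in which the outer AuthBy carries AutoMPPEKeys, so the Access-Accept returned to the WLC includes the MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes from which it derives the PMK. Directive names other than AutoMPPEKeys are recalled from Radiator's sample configs and should be checked against the reference manual; the certificate paths and password are placeholders.

```text
# Inner (tunnelled) handler: authenticates the MS-CHAP-V2 exchange
# carried inside the PEAP TLS tunnel. No MPPE keys are needed here;
# the keys for the air interface come from the outer TLS session.
<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

# Outer handler: terminates the PEAP/TLS exchange from the WLC.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        # Placeholder certificate paths, replace with your own
        EAPTLS_CAFile /path/to/ca.pem
        EAPTLS_CertificateFile /path/to/server-cert.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /path/to/server-key.pem
        EAPTLS_PrivateKeyPassword changeme
        # Without this line the Access-Accept carries no
        # MS-MPPE-Send-Key / MS-MPPE-Recv-Key, the WLC has no PMK,
        # and the 4-way handshake never starts even though the
        # authentication itself succeeded.
        AutoMPPEKeys
        # Allows PEAP "fast reconnect" (TLS session resumption), so a
        # returning client shows a much shorter request exchange in
        # the logs than its first full TLS negotiation.
        EAPTLS_SessionResumption 1
    </AuthBy>
</Handler>
```

With Trace 4 logging enabled, the Access-Accept for a successful PEAP authentication should show both MS-MPPE-* attributes; their absence from an otherwise successful authentication is the symptom of a missing AutoMPPEKeys.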