On 09/14/2011 02:37 PM, Alexander Hartmaier wrote:

Hello Alexander,

>> At that time I thought there will be a problem with server failing to
>> prove to the client it knows the client's credentials. This is needed
>> with MS-CHAP-V2 and normally causes PEAP failure.
> No, I haven't invested any more time into this.
> Note that this was for the wired dot1x, now I was doing the same thing
> for wireless.
> We do PEAP-TLS for both and any Windows client we've tested (XP and 7)
> doesn't try to get an IP address by DHCP when the EAP auth fails (which
> is the case for guests that have PEAP-TLS for another CA configured or
> PEAP-MS-CHAP-V2).

I think this is a desired feature for the client, that is, the client is
built like this. When the server fails to respond with a message that
also proves the server has in its possession the client password, the
client stops the process of joining the network.

> For those cases you would have to always send an EAP success message to
> the client but a different reply to the switch on the radius level.

Do you mean EAP success to client to get it to continue and reply to
switch to direct the client to guest network?

> Can you force an EAP success?

I think with PEAP/EAP-MSCHAP-V2 it is MSCHAP-V2 that causes a problem.
The server can not say just "yes". It also has to prove it holds the
client's credentials. With EAP-TLS the client would have to trust the
server's CA and/or server's certificate.

In summary, guest networks with EAP-PEAP or EAP-TLS seem to me very hard
to implement. The guests would need to configure certificates, unless
they are accepting any certificate, which is usually not a good idea,
and you would need to give them guest passwords.

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator