hi

the thread name is actually wrong since this is not a problem in
EAP-TLS.


> I have a wireless network with cisco aironet 350 AP and a cisco card
> and I use win xp as
> supplicant.
> If I don't use (in win XP) the "the key is provided for me
> automatically" it's all ok.

nice, so EAP-TLS is working just fine. what you want is dynamic wep
keys.


> When I enable that option I have same problems, the authentication is
> ok, the cisco ap writes
> status="EAP Authenticated, BOOTP/DHCP" but it's not possible to take the
> ip address with the DHCP
> and the connection is not enabled, the cisco aironet client utilities
> indicate that the radio
> connection is good.

exactly, because the WEP keys are not the same at the supplicant and the
client (ap).


> I have read that in the authentication exchange freeradius sends the
> session key (with MPPE) to
> the AP.
> It's possible that I have not configured the cisco AP or Freeradius in
> the right manner.

very probably even. in future requests, please provide the version
of freeradius and the complete debug output (radiusd -s -X).

however, you have a good basis for succeeding, so further requests might
not be necessary :-) your EAP-TLS authentication works fine, you say.
congratulations, since that's the "difficult" part of the whole story.
now just grab the newest version of FR available, compile the
rlm_eap_tls, verify that you have some *mppe*.c files in the concerned
directory and that there are no compilation/linking errors.

then, start the new server and look at the radiusd -s -X output. if the
Access-Accept sent to the AP350 contains two MPPE-*-Key attributes with
values, everything should be ok for freeradius so far (when updating,
update the dictionaries too). then, you only need to alter the config of
the AP350 appropriately (activate encryption and either provide a
wep-key in the Slot1 or set the broadcast key rotation interval to >0).


greetings
artur



-- 
Artur Hecker
artur[at]hecker.info
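
The debug-output check described in the message above, as an added example that is not part of the original e-mail or of FreeRADIUS: it scans `radiusd -X` output for each Access-Accept and reports whether both MPPE key attributes are present with a value. Assumptions: the attribute names are the RFC 2548 ones (`MS-MPPE-Send-Key`, `MS-MPPE-Recv-Key`), the "Sending ... of id ... to ..." header layout may differ between server versions, and the sample log and its hex values are constructed.

```python
import re

# Assumed layout of `radiusd -X` output; adjust the patterns for your version.
HEADER = re.compile(r"^Sending (\S+) of id (\d+) to (\S+)")
ATTR = re.compile(r"^\s+([\w-]+) = (.+)$")
REQUIRED = ("MS-MPPE-Send-Key", "MS-MPPE-Recv-Key")
HEXVAL = re.compile(r"0x[0-9a-fA-F]+")

def check_accepts(debug_text):
    """Return one dict per Access-Accept: id, NAS, missing MPPE keys, ok flag."""
    results, current = [], None
    for line in debug_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = None
            if header.group(1) == "Access-Accept":
                current = {"id": int(header.group(2)),
                           "nas": header.group(3), "attrs": {}}
                results.append(current)
            continue
        attr = ATTR.match(line)
        if current is not None and attr:
            current["attrs"][attr.group(1)] = attr.group(2).strip()
        elif not line.strip() or not line[0].isspace():
            current = None  # unindented or blank line ends the attribute block
    for res in results:
        attrs = res.pop("attrs")
        # A key counts only if it is present AND carries a hex value.
        res["missing"] = [k for k in REQUIRED
                          if not HEXVAL.fullmatch(attrs.get(k, ""))]
        res["ok"] = not res["missing"]
    return results

# Constructed sample: id 12 carries both keys, id 13 carries none.
SAMPLE = """\
Sending Access-Challenge of id 11 to 192.0.2.10:1645
\tEAP-Message = 0x0102
Sending Access-Accept of id 12 to 192.0.2.10:1645
\tMS-MPPE-Recv-Key = 0x00aa11
\tMS-MPPE-Send-Key = 0x00bb22
\tEAP-Message = 0x03020004
Finished request 12
Sending Access-Accept of id 13 to 192.0.2.10:1645
\tEAP-Message = 0x03030004
"""

if __name__ == "__main__":
    for res in check_accepts(SAMPLE):
        status = "ok" if res["ok"] else "missing " + ", ".join(res["missing"])
        print(f"Access-Accept id {res['id']} to {res['nas']}: {status}")
```

An Access-Accept reported as missing keys matches the symptom in the thread: EAP authentication succeeds, but the AP and the supplicant do not share WEP keys, so DHCP never completes.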
