On 2011-06-02 09:54, Heikki Vatiainen wrote:
> On 06/01/2011 07:17 PM, Alexander Hartmaier wrote:
>
>> Everything is working well so far, except for the case that a non-company
>> client has dot1x enabled on the interface; then I'd like to switch the port to
>> our guest LAN.
>
> What happens when you detect a non-company client? Have you configured
> Radiator to return Access-Accept with appropriate attributes for the guest VLAN?

Yes, the switch configures the guest VLAN on the port, but the client gets an EAP auth failure through the EAP tunnel.

>> This is working fine on the switch, but a Windows 7 client receives the
>> EAP auth failure from Radiator and doesn't try to send a DHCP request,
>> although the switch port has already been set to the guest LAN.
>
> If the Windows 7 client is using PEAP/EAP-MSCHAP-V2 and Radiator returns
> Access-Accept without really having access to the user's password or the
> NT hash of the password, the client will notice that Radiator did not
> return a correct MS-CHAP-V2 response.
>
> The response needs to prove that the server (Radiator) really has access to
> the user's credentials. In other words, the server must be able to
> authenticate itself too. That is the V2 part of the protocol.
We're using PEAP/EAP-TLS with machine certs.

>> Is there a solution for this problem?
>>
>> For the wireless part we're getting the following error on the WLC:
>> %DOT1X-3-AUTHKEY_TX_TRANS_ERR: 1x_kxsm.c:128 Authentication state
>> transition to state 0 failed; port status 0, key available 1, key tx
>> enabled 1
>>
>> If someone has encountered this error and knows a solution, please respond
>> while we wait for the Cisco TAC!
>
> If this is not the MS-CHAP-V2 problem I described above, and there is a
> way to do this, it would be very interesting to hear more.

Also the same PEAP/EAP-TLS here.

> Thanks!

--
T-Systems Austria GesmbH
Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator