On 2011-06-03 16:47, Heikki Vatiainen wrote:
> On 06/03/2011 11:35 AM, Alexander Hartmaier wrote:
>
>>> What happens when you detect a non-company client? Have you configured
>>> Radiator to return Access-Accept with appropriate attributes for guest VLAN?
>> Yes, the switch configures the guest-vlan on the port, but the client
>> gets an EAP auth failure through the EAP tunnel.
> Ok. The client would probably have to get an Access-Accept to continue.
> Just to check: is your plan to have the non-company users to use a
> WPA-Enterprise secured network too?

The VLAN assignment is just for the wired network, for the wireless we have different SSIDs.

>> We're using PEAP/EAP-TLS with machine certs.
> This sounds to me like a setup that might be easier to get working with
> two different WLANs. One SSID (wlan name) would be for company clients
> and another SSID (with different parameters) would be for non-company
> clients.
>
> Enterprise WLAN access points and controllers support multiple SSIDs and
> differently configured WLANs/VLANs so that should be possible to do. And
> then you would not need to modify company users' authentication settings
> to allow redirecting visitors to their VLAN.

See above.

> With EAP-TLS too the client wants to see server authentication. Also,
> the server does want to see a certificate from the client that it
> trusts. If you can assign certificates to non-company clients, you could
> use that information to do VLAN selection.

We've already got all necessary certificates and the client config in place. I only want to improve the guest experience.

> What kind of non-company clients do you plan supporting? Visitors or
> possibly employees' own devices which could be considered more long term
> than just those who occasionally come to meetings etc.

Visitor devices that are not under our control.

>>>> If someone encountered this error and knows a solution while we wait for
>>>> the Cisco TAC please respond!
>>> If this is not a MS-CHAP-V2 problem I described above, and there is a
>>> way to do this, it would be very interesting to hear more.
>> Also same PEAP/EAP-TLS here.
> Please also let us know if you get something from TAC too.
>
> Thanks!
>
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator