See Alan's answer for the rest. Just some unanswered things here:
I don't see an EAP-Identity value in my server debugging. What does XP send for that value? The name of the cert, or the machine identification?
You do. It's in the first Access-Request message arriving at your server. Its content is translated to the User-Name attribute and copied untouched to the EAP-Message attribute along with the rest of the EAP packet. All this is done by your AP.
XP puts the CN in the EAP-Identity if not told to do something different, i.e. if your CN is "Walter Smith" the user name will be that.
I wasn't aware a patch was needed, but I've just downloaded it. The 1200 is up-to-date; it shipped with VxWorks and I updated it with the latest update image from Cisco.
OK, without the XP WPA patch it can't work. So, does it work now?
That was my concern. I don't mind everyone using the same credentials to access the wireless network, but I didn't want the shared encryption environment we currently have with WEP.
OK, just pay attention to what I said in my other email. Virtually, it's still all the same user. It will be a little bit more difficult to identify sessions; see the accounting unique module options for this.
True. We're currently using MAC authentication to track users back to devices, and control access. We could still do that with EAP; the certificate would be the replacement for the shared WEP key, but the per-user encryption would be better.
Yes, you could still do it; also take a look at this unique accounting feature.
I still think PEAP is a better route, without having to put any certificate on the user machine, but I guess that's not an option right now.
As Alan said, TTLS is the same idea, which besides a) was developed earlier than PEAP, b) apparently much more properly than the other one, and c) provides more opportunities for tunneled auth.
Ciao, Artur
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
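The attribute handling described above (the EAP-Identity arriving in the first Access-Request, with the AP copying it into User-Name and the whole EAP packet untouched into EAP-Message), as an added example that is not from the original thread and not FreeRADIUS code: a small Python parser that builds such a request from a constructed sample, reassembles the EAP-Message attributes, pulls out the identity and checks it against User-Name. The packet layout follows RFC 2865 (RADIUS) and RFC 3748 (EAP); the builder, the fixed sample authenticator and the zeroed Message-Authenticator are assumptions made so the sample is reproducible offline. It goes slightly beyond the message above in that it also handles an EAP packet split across several EAP-Message attributes.

```python
"""Parse a RADIUS Access-Request and recover the EAP-Identity from EAP-Message.

Wire formats used (RFC 2865 for RADIUS, RFC 3748 for EAP):
  RADIUS packet:    Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
  RADIUS attribute: Type(1) Length(1) Value(Length - 2)
  EAP packet:       Code(1) Identifier(1) Length(2) Type(1) Type-Data
"""
import struct
from typing import Optional

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
MAX_ATTR_VALUE = 253  # attribute Length is one byte and includes the 2-byte header

# Constructed, fixed authenticator so the sample packet is reproducible;
# a real NAS must put 16 random bytes here.
SAMPLE_AUTHENTICATOR = bytes(range(16))


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long for a single attribute")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP Response/Identity as the supplicant (e.g. XP using the cert CN) sends it."""
    type_data = bytes([EAP_TYPE_IDENTITY]) + identity.encode("utf-8")
    return struct.pack("!BBH", EAP_CODE_RESPONSE, eap_id, 4 + len(type_data)) + type_data


def build_access_request(identity: str, user_name: Optional[str] = None, radius_id: int = 7) -> bytes:
    """Simulate the AP: User-Name taken from the identity, the EAP packet copied
    untouched into one or more EAP-Message attributes (split every 253 bytes)."""
    eap = build_eap_response_identity(eap_id=1, identity=identity)
    name = identity if user_name is None else user_name
    attrs = _attr(ATTR_USER_NAME, name.encode("utf-8"))
    for off in range(0, len(eap), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[off:off + MAX_ATTR_VALUE])
    # Message-Authenticator is required alongside EAP-Message; the HMAC-MD5 is
    # left as zeros in this constructed sample.
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs))
    return header + SAMPLE_AUTHENTICATOR + attrs


def parse_radius(packet: bytes):
    """Return (code, identifier, [(type, value), ...]) with strict length checks."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, attrs


def eap_identity_from_request(packet: bytes) -> dict:
    """Extract User-Name and the EAP-Identity and report whether they agree."""
    code, _, attrs = parse_radius(packet)
    if code != RADIUS_ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user_name = next((v for t, v in attrs if t == ATTR_USER_NAME), None)
    # Several EAP-Message attributes carry one EAP packet split in order; rejoin them.
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        raise ValueError("no usable EAP-Message in request")
    eap_code, _, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError("EAP Length does not match reassembled EAP-Message")
    if eap_code != EAP_CODE_RESPONSE or eap[4] != EAP_TYPE_IDENTITY:
        raise ValueError("first EAP packet is not a Response/Identity")
    identity = eap[5:].decode("utf-8", errors="replace")
    name = user_name.decode("utf-8", errors="replace") if user_name is not None else None
    return {"user_name": name, "eap_identity": identity, "matches": name == identity}


if __name__ == "__main__":
    print(eap_identity_from_request(build_access_request("Walter Smith")))
```

Because the NAS, not the supplicant, fills in User-Name, a server-side comparison like the one returned in `matches` is a cheap sanity check: the identity the supplicant actually asserted is the one inside the EAP payload, and a User-Name that disagrees with it deserves a closer look before any accounting or authorization is keyed on it.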
