Hi, I'm still trying to get EAP-TLS to work on my LAN with computer AND client certificates. OK, the certificates work fine now. Here is a little scenario of what I did:

- FreeRADIUS version from Debian Stable with TLS patch (version must be 0.7 or something like that)
- Configured EAP-TLS (working)
- OpenLDAP as user backend to set the VLAN-ID
- TinyCA generated CA and certificates

My final state should be that the machine boots up, authenticates with the machine certificate against FreeRADIUS and OpenLDAP, gets the VLAN ID from LDAP, gets thrown into a default VLAN where a DC and DHCP server are present, and gets an IP from the subnet of this VLAN. Then the user logs onto the domain, reauthenticates with the user certificate, gets a new and final VLAN-ID from LDAP for this user, gets thrown into this VLAN, and requests a new IP from DHCP for this VLAN.

OK, the whole scenario is working, with 2 issues:

First: the first time the machine authenticates to FreeRADIUS the authentication fails, then it takes nearly 30 seconds till a second reauthentication is invoked and the machine authentication is successful? (How can this be?) I read that this should be an issue with the XP client. How can I solve this?

The second thing is that I have to set this key (HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode) to the value of 3, causing XP to reauthenticate with the user certificate again after logon. Otherwise the machine does no reauthentication with the user certificate. My problem is that after the user certificate is accepted and the user is thrown into his final VLAN, no new DHCP request is invoked? If I manually reauthenticate the port over the switch administration, the machine requests a new IP from DHCP and all seems to be fine. But I have to do this manually and that isn't really practical.

Would be nice if anyone has got an idea for my problem? Maybe a newer FreeRADIUS fixes these problems? Any experiences about that?

Thanks
Armin
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
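As an added example (not part of Armin's post and not the FreeRADIUS project's shipped configuration), here is what the LDAP-driven VLAN assignment described above looks like end-to-end in FreeRADIUS 1.x terms: the three rlm_ldap reply-item mappings from ldap.attrmap, two constructed LDIF entries on the RADIUS-LDAPv3 schema (one for the machine, one for the user), and the XP registry value named in the post as an importable .reg file. The DNs, the VLAN numbers 10 and 20, the hostname pc01.example.com, and the assumption that XP presents "host/<fqdn>" as the EAP identity during machine authentication are illustrative assumptions; adjust the uid values to whatever your rlm_ldap filter actually matches on.

```text
# --- ldap.attrmap (rlm_ldap, FreeRADIUS 1.x): LDAP attribute -> RADIUS reply item ---
# These three lines are in the default ldap.attrmap; shown for reference.
# A switch doing dynamic VLAN assignment (RFC 3580) needs all three in the
# Access-Accept: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, and the VLAN id.
replyItem   Tunnel-Type               radiusTunnelType
replyItem   Tunnel-Medium-Type        radiusTunnelMediumType
replyItem   Tunnel-Private-Group-Id   radiusTunnelPrivateGroupId

# --- vlans.ldif (constructed entries; objectClass radiusprofile from RADIUS-LDAPv3.schema) ---
# Machine account, matched during boot-time machine authentication.
# Assumption: the EAP identity XP sends for machine auth is host/<fqdn>.
# Lands the machine in the default VLAN (10) where DC and DHCP live.
dn: uid=host/pc01.example.com,ou=machines,dc=example,dc=com
objectClass: radiusprofile
uid: host/pc01.example.com
radiusTunnelType: VLAN
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 10

# User account, matched on the post-logon reauthentication that
# SupplicantMode=3 forces. Lands the user in the final VLAN (20).
dn: uid=armin,ou=users,dc=example,dc=com
objectClass: radiusprofile
uid: armin
radiusTunnelType: VLAN
radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 20

# --- supplicantmode.reg: the XP key from the post, as an importable file ---
# Import with "regedit /s supplicantmode.reg" on the XP client.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"SupplicantMode"=dword:00000003
```

To check which VLAN attributes actually leave the server for each of the two authentications, run the server in debug mode (`radiusd -X`) and read the reply attributes printed for the machine and user Access-Accepts; if the three Tunnel-* attributes are present in both and the switch still keeps the old address, the remaining problem is on the client side (the DHCP renew after the port moves VLAN), which is what the post describes.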

