Re: Multiple EAP-Types at WinXP clients

From: Thomas K (thomas_at_kuborn.be)
Date: 03/17/05


Date: Thu, 17 Mar 2005 16:26:09 +0100

Sorry to bring bad news but I think it cannot be done transparently. If
authentication fails, IAS sends RADIUS/ACCESS/REJECT & switchport goes into
PortStatus "Unauthorized".

I thought certificates were renewed automatically with AD?

/T

"Eric J." <bt_hirosaito@gmx.de> wrote in message
news:74f401d2.0503170339.30547ba7@posting.google.com...
> hi,
>
> we are using EAP-TLS and want to realise a fallback strategy if
> something's wrong with the client certificate.
>
> Our idea is to set up a standard policy for the normal access with
> dynamic vlan assignment for our intranet.
> But if the PC is in the Active Directory and only has problems with
> its certificate (expired for example) there should be a fallback
> policy using PEAP which puts the PC into a special support-vlan.
>
> Now my question:
> At the IAS I can choose multiple authentication modes for the policy.
> First using EAP-TLS and if that fails using PEAP.
> How can I manage this on the client. That the client first tries to
> authenticate via EAP-TLS and if that fails it tries to authenticate
> via PEAP and gets access to the support-vlan where the certificate can
> be renewed.
> And if also PEAP authentication will fail we put the PC into a
> guest-vlan or something.
>
>
> Hope you understand what I mean. It's a bit tricky to explain it in
> English :)
>
> Greetz Eric


