|
Home > Archive > Radius Server > May 2004 > 802.1x-authentication as guest user
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
802.1x-authentication as guest user
|
|
| Thomas Kuborn 2004-04-29, 6:34 am |
| Dear ng,
I'm trying to authenticate as guest but it does not work. I debugged on the
802.1x authenticator (Cisco 2950 running latest image) & I've seen this :
Apr 24 12:43:13.656: dot1x-err:dot1x eap: received EMPTY Resp/Idon
FastEthernet0/10
Apr 24 12:43:13.656: dot1x-ev:dot1x_eap : Empty userId
So it looks like that when the 802.1x supplicant tries to authenticate as a
guest user :
- the Win-2000 supplicant does not send a "guest" userId but rather an empty
userId; is this the correct behavior ?
- then, the 802.1x authenticator (Cisco 2950 running
c2950-i6q4l2-mz.121-20.EA1a.bin) does NOT even query the 802.1x
authentication server (IAS/2003 radius server)
Are there MS patches that can correct this ?
Cheers,
- Thomas -
| |
| Ashwin Palekar\(MS\) 2004-04-30, 12:35 pm |
| Guest should either result in "no" or "NULL" identity. Text "Guest" cannot
be used as a userid; since that can match a real user-name and each language
has its own word for Guest.
On the client
a: Is the EAP-method set to EAP-TLS.
b: Does the XP supplicant configured w/ Guest work with the AP?
--
--
========================================
===================
This posting is provided "AS IS" with no warranties and confers no rights
========================================
===================
"Thomas Kuborn" <thomas@kuborn.be> wrote in message
news:4090d886$0$21768$a0ced6e1@news.skynet.be...
> Dear ng,
>
> I'm trying to authenticate as guest but it does not work. I debugged on
> the
> 802.1x authenticator (Cisco 2950 running latest image) & I've seen this :
> Apr 24 12:43:13.656: dot1x-err:dot1x eap: received EMPTY Resp/Idon
> FastEthernet0/10
> Apr 24 12:43:13.656: dot1x-ev:dot1x_eap : Empty userId
>
> So it looks like that when the 802.1x supplicant tries to authenticate as
> a
> guest user :
> - the Win-2000 supplicant does not send a "guest" userId but rather an
> empty
> userId; is this the correct behavior ?
> - then, the 802.1x authenticator (Cisco 2950 running
> c2950-i6q4l2-mz.121-20.EA1a.bin) does NOT even query the 802.1x
> authentication server (IAS/2003 radius server)
>
> Are there MS patches that can correct this ?
>
> Cheers,
>
> - Thomas -
>
>
>
>
>
| |
| Thomas Kuborn 2004-04-30, 12:35 pm |
| Hello Ashwin,
Thx for your answer. I've not had a chance yet to test guest-auth with an AP
but I'll try that very soon (although I doubt it will work, see next). In
the mean time, I've opened a case at cisco regarding the issue with the
switch ...& I was told by cisco that MS did not provide cisco with enough
information on "how the guest account is used by Microsoft" & therefore
Cisco decided not to implement this feature ... :-o(
1/ To your knowledge, has this feature been tested with other vendors (not
Cisco) successfully ?
2/ Could cisco & MS get together so that this feature works ?
Thx
- Thomas -
"Ashwin Palekar(MS)" <ashwinp@online.microsoft.com> wrote in message
news:ODvy9tsLEHA.3712@TK2MSFTNGP11.phx.gbl...
> Guest should either result in "no" or "NULL" identity. Text "Guest" cannot
> be used as a userid; since that can match a real user-name and each
language
> has its own word for Guest.
>
> On the client
> a: Is the EAP-method set to EAP-TLS.
> b: Does the XP supplicant configured w/ Guest work with the AP?
>
>
> --
> --
> ========================================
===================
> This posting is provided "AS IS" with no warranties and confers no rights
> ========================================
===================
>
> "Thomas Kuborn" <thomas@kuborn.be> wrote in message
> news:4090d886$0$21768$a0ced6e1@news.skynet.be...
:[vbcol=seagreen]
as[vbcol=seagreen]
>
>
| |
| Ashwin Palekar\(MS\) 2004-05-02, 2:34 am |
| I believe we have used Guest authentication with cisco Wireless APs; and it
works with other APs as well.
However, I may have misunderstood you. Are you trying to use guest auth
with a 802.1x Wired Ethernet Switch? Why?
--
--
========================================
===================
This posting is provided "AS IS" with no warranties and confers no rights
========================================
===================
"Thomas Kuborn" <thomas@kuborn.be> wrote in message
news:4092826f$0$25090$a0ced6e1@news.skynet.be...
> Hello Ashwin,
>
> Thx for your answer. I've not had a chance yet to test guest-auth with an
> AP
> but I'll try that very soon (although I doubt it will work, see next). In
> the mean time, I've opened a case at cisco regarding the issue with the
> switch ...& I was told by cisco that MS did not provide cisco with enough
> information on "how the guest account is used by Microsoft" & therefore
> cisco decided not to implement this feature ... :-o(
>
> 1/ To your knowledge, has this feature been tested with other vendors (not
> Cisco) successfully ?
> 2/ Could cisco & MS get together so that this feature works ?
>
> Thx
>
> - Thomas -
>
>
> "Ashwin Palekar(MS)" <ashwinp@online.microsoft.com> wrote in message
> news:ODvy9tsLEHA.3712@TK2MSFTNGP11.phx.gbl...
> language
> :
> as
>
>
| |
| Thomas Kuborn 2004-05-02, 3:34 am |
| The reason I'm trying to do guest-auth with a wired ethernet switch is I
don't have any AP at home 
I'll try guest-auth with an AP next week at work !
"Ashwin Palekar(MS)" <ashwinp@online.microsoft.com> wrote in message
news:#MpDu3AMEHA.3712@TK2MSFTNGP10.phx.gbl...
> I believe we have used Guest authentication with cisco Wireless APs; and
it
> works with other APs as well.
>
> However, I may have misunderstood you. Are you trying to use guest auth
> with a 802.1x Wired Ethernet Switch? Why?
>
> --
> --
> ========================================
===================
> This posting is provided "AS IS" with no warranties and confers no rights
> ========================================
===================
>
> "Thomas Kuborn" <thomas@kuborn.be> wrote in message
> news:4092826f$0$25090$a0ced6e1@news.skynet.be...
an[vbcol=seagreen]
In[vbcol=seagreen]
enough[vbcol=seagreen]
(not[vbcol=seagreen]
rights[vbcol=seagreen]
on[vbcol=seagreen]
this[vbcol=seagreen]
authenticate[vbcol=seagreen]
an[vbcol=seagreen]
>
>
|
|
|
|
|