EAP-TLS computer certificates: first request fails, second successful??? DHCP renew after user authorisation won't work??

Krämer Armin Kraemer.Armin at web.de
Thu Apr 27 17:58:22 CEST 2006


Hi, I'm still trying to get EAP-TLS to work on my LAN with computer AND
client certificates. OK, the certificates work fine now. Here is a little
scenario of what I did.

FreeRADIUS version from Debian stable with TLS patch (version must be
0.7 or something like that)

Configured EAP-TLS (working)

OpenLDAP as user backend to set the VLAN ID

TinyCA generated CA and certificates

My final state should be that the machine boots up, authenticates with the machine
certificate against FreeRADIUS and OpenLDAP, gets the VLAN ID from LDAP,
gets thrown into a default VLAN where a DC and DHCP server are present, and
gets an IP from the subnet of this VLAN.

Then the user logs onto the domain.

Reauthenticate with the user certificate, get the new and final VLAN ID from LDAP
for this user, get thrown into this VLAN, and request a new IP from
DHCP for this VLAN.

OK, the whole scenario is working, with 2 issues:

The first time the machine authenticates to FreeRADIUS the authentication fails,
then it takes nearly 30 seconds until a second reauthentication is invoked
and then the machine authentication is successful??? (How can this be??) I
read that this should be an issue with the XP client. How can I solve this???

The second thing is that I have to set this key
(HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode)
to the value of 3, causing XP to reauthenticate with the user
certificate again after logon. Otherwise the machine does no
reauthentication with the user certificate.

My problem is that after the user certificate is accepted and the user is
thrown into his final VLAN, no new DHCP request is invoked??? If I manually
reauthenticate the port over the switch administration, the machine
requests a new IP from DHCP and all seems to be fine. But I have to do this
manually and that isn't really practical.

Would be nice if anyone has got an idea for my problem? Maybe a newer
FreeRADIUS fixes these problems??? Any experiences about that??

Thanks 

Armin
