802.1x Wireless Authentication

Similar Messages

• 802.1x wireless authentication with certificates

  Hi.
  I have configured and working 802.1x authentication with certificates for Wired connections. with no problem.
  when i try to authenticate the same machine with 802.1x and certificates , on Wirelss, the ACS rejects it  with:
  "12520  EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate."
  the ACS is the same, the certificate the same, and the root ca is the same.
  what's hapenning????
  Antero Vasconcelos

  What supplicant are we using for wireless authentication? Do we have complete chain of certificates installed on the client machine? Can you check if we have root CA/intermediate correctly installed in client and ACS.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• 802.1x Wireless Authentication with 10.8.4 Build 12E3067

  Hello All,
  Work in a school and we use 802.1x authentication for Wi-Fi and access to our server and Staff wireless VLAN.  We use a login window profile that authenticates with our Active Directory.
  Previous and working set up was MBA (Mid 2012) 5,1. Running OS 10.8.4 build 12E55.  This OS was downloaded from Mac App Store. Bound to domain and using authorization certificates for our active directory controllers. Created Wi-Fi 802.1x authentication profile with Profile Manager on 10.8 server.  No issue.  Units authenticate with server at user login, join Wi-Fi and mounts home folder. 
  New and not working set up is MBA (Mid 2013) 6,2 running OS 10.8.4 build 12E3067.  This unit will not run build 12E55, boots to prohibitory sign. Unit is set up with same certificates and 802.1x profile. When first booting up the Wi-Fi signal appears to be attached to the network, unlike previous setup when unit will Wi-Fi indicator will appear disconnected until user logs in.  90% of the time new units will not authenticate. States unable to connect to server and then loads into mobile user account.  Will not attached to Wi-Fi. There are instances when it does authenticate properly.  However logging out and then back in will cause the failure.
  Also note, I have made an image of the 6,2 MBA with build 12E3067 and installed in on MBA 5,1. Same Failure happens.  This leads me to believe the issue lies in OS 10.8.4 build 12E3067.
  Troubleshooting:
  -I have taken OS build 12E3067 on MBA 6,2 (failing to authenticate) and removed Wi-Fi profile. Unit authenticates over Ethernet with no issue. Add profile back and issue surfaces.
  -Created new profile using profile manager and issue continues. Verified proper certificates are being used. Would the previous profile
  -Restarted domain controllers. Issue continues.
  Any thoughts or questions would be appreciated.

  did you find any resolution to this?  our mba- mid 2013 deployment is having a very similar problem.  We've gone through loads of troubleshooting and have yet to come to a resolution.  all our mid 2012 mba's are working fine they're 10.7.5/10.8.4 mixed.  console logs don't show much, i'll try the wireless diags tomorrow.  our other 10.8.4 build appears fine on other models of machines.  i've read posts about deleteing the adapters, deleting the system config plists and changing the mtu size, these steps do not work for us.
  we don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering wi-fi wave).  when you slect the wifi symbol in the menu bar other wireless networks do not show, the 'looking for networks' fly wheel continues to spin.  ocasionaly on login the yellow jelly bean will appear then disappear before finally timeing out without logging the user in (depsite having mobile accounts enabled).    mostly the problem manifests itself when waking from sleep - the wifi symbol flutters endlessly without connecting.  deleting the 8021x profile and readding it will reenable connectivity.  we've tried new profiels, but to the same end.  i know our certs and systems are fine because previous mac os x builds work fine as do our windows clients.
  any input would be much appreciated.

• 802.1x wireless authentication using NPS - SSO sign on to Office 365 using ADFS

  Hi Spiceys,I'm researching for a potential client and would like to know if the following is possible:They have an existing wireless network with a working 802.1x implementation using NPS as RADIUS. They are very keen to move to Office 365 and use SSO and my understanding is that they'll need to spin up a working ADFS implementation to arrange this. We want to use Microsoft tech to tie it all in, so 3rd party SSO apps I don't want to investigate.If a wireless client is authenticated with NPS, and we have a working ADFS implementation are they able to access Office 365 resources without signing in twice? I'd imagine that the NPS auth would give them the necessary DC token, but if they access O365 resources and get redirected to the ADFS website and use Windows integrated login, will it 'just work' ? They are looking at using the full...
  This topic first appeared in the Spiceworks Community

  did you find any resolution to this?  our mba- mid 2013 deployment is having a very similar problem.  We've gone through loads of troubleshooting and have yet to come to a resolution.  all our mid 2012 mba's are working fine they're 10.7.5/10.8.4 mixed.  console logs don't show much, i'll try the wireless diags tomorrow.  our other 10.8.4 build appears fine on other models of machines.  i've read posts about deleteing the adapters, deleting the system config plists and changing the mtu size, these steps do not work for us.
  we don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering wi-fi wave).  when you slect the wifi symbol in the menu bar other wireless networks do not show, the 'looking for networks' fly wheel continues to spin.  ocasionaly on login the yellow jelly bean will appear then disappear before finally timeing out without logging the user in (depsite having mobile accounts enabled).    mostly the problem manifests itself when waking from sleep - the wifi symbol flutters endlessly without connecting.  deleting the 8021x profile and readding it will reenable connectivity.  we've tried new profiels, but to the same end.  i know our certs and systems are fine because previous mac os x builds work fine as do our windows clients.
  any input would be much appreciated.

• 802.1x wireless authentication not working via RADIUS

  I've tried to implement 802.1x authentication in a windows 2012 domain environment using protected-EAP authentication. I read through guide after guide and still i am unable to get it to work. I'm confident the server side and WLC config is all correct. I have run the command debug client d0:df:9a:f6:30:40 which is my test laptop and i can see the WLC sending EAP-Request/Identify messages but it seems it never gets a reply. I have attached a copy of the debug. 
  Please can someone help me if possible?
  Laptop > AP > WLC > RADIUS SERVER

  Hmmm, peap. So PEAP requires the server be validated via a certificate trust. Did you download the WLC certificate and install it on the client (use self-signed cert), or did you install a new certificate on the WLC? In either case your client has to "trust" the Certificate Authority who signed the certificate used by the authentication device. If you use the self signed certificate you have to download the cert from the WLC and install on the client to validate the server, then the client is validated on the WLC with windows credentials or a saved username/password.
  Are you trying to do single sign-on? Is the client a member of the domain? Does the user belong to the domain? Did you do the certificate stuff above? if you need to test this without validating the server (JUST FOR TESTING PURPOSES) you can go under the WLAN profile on the client chose security, settings and uncheck validate server certificate. Then on user credentials verify you are using the correct client credentials on the client and try again. 
  If this works the certificate is the issue, you can troubleshoot from there. You DO NOT WANT TO LEAVE validate server certificate unchecked as that can create a BIG SECURITY HOLE. Just based on your description I am leaning towards a cert issue. If you can provide more details, would be great. Screenshots of your client EAP-PEAP setup, screenshot of windows cert store showing trusted root certification authorities with trusted CA your WLC is using. 
  Do you ever see logs on the AD server, with login attempts? If not the client is not able to verify the WLC's certificate and therefore won't send credentials. 
  LDAP configuration is pretty straightforward, if you just want to test this for the first time and are having issues with just getting a PEAP client to work you can attempt with a LOCAL EAP user on the WLC to verify the client and WLC are correct then add the LDAP server as Authentication Source, just ensure your server priorities are correct if you do this.
  Hopefully this helps
  ~Please rate useful post~

• Wireless Authentication

  Hello
  I am using a MS Certificate Server and MS Radius server with 802.1x Wireless Authentication. When the macs Authenticate I get a warning so to speak and the Cert will not save or trust. I have enter it in as a 509 anchor and other and still the same thing. Is anyone out there doing this.
  The windows says
  801x Authentication
  The Server Certificate could not be validated becuase the root certificate is missing.
  Thanks

  You've posted in the wrong forum. This is Feedback about Discussions. Try Networking and the Web maybe.

• ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

  We are running ISE 1.3 tied to AD with WLC 7.6.130.0.  Our ISE has a GoDaddy (none wildcard) certificate loaded for https and EAP.  We are just running PEAP.  We have a mix of IOS, Android, and Windows 7/8 devices.  IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue.  Our Windows 7/8 devices, when auto creating a wireless profile are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication.  This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only.  This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity.  The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication?  I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list.  Neither have helped.  I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
  Thank you for any help or ideas,

  When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
  On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

• 802.1x Wireless versus Wired authentication ?

  Hi,
  I'm learning Wireless NPS configuration. Tings are confusing for me and I have couple of questions. The article below seems to be a good article for understanding Wireless authentication complex features, but it is a little bit conusing for me : http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx.
  My questions :
  1) What is the difference between 802.1x Wired and Wireless domain authentication processes ?
  2) Could someone help me get a basic understanding of Wireless Single Sign On on a domain authentication ?
  3) Could someone give me get a basic understanding of bootstrap profile on a domain authentication ?
  I have read couple of books and articles. Unfortunately ; none of them gave me a clear understanding on the subject.

  No, CA wasn't changed with R2.
  Are you able to see the User's certificate in the Keychain app under the login keychain & My Certificates? Can you see the CA's certificate under the X509Anchors?
  In the login keychain, when looking at the Users certificate, does it show as valid?

• 802.1X wireless network problems with Intel Mac

  To login to the wireless network at my school I have to use an 802.1X connection authenticating with TTLS, TLS, EAP-FAST and PEAP protocols.
  This works intermitently. Some days my MacBook logs on quickly with no problems at all but most days it has a self assigned IP address and I can't use the internet. My friend also uses a MacBook, which acts in the same way. Some days she manages to get on, some days I can get on and some days we are both on together. The problem is really irritating!! We get no support from the techs as we are the only Mac people in the school. The rest of the staff have PCs. The techs are just trying to use this issue to justify why letting people lease Macs is a problem and stop other staff from leasing them in the future.
  I did find a solution at
  http://discussions.apple.com/thread.jspa?threadID=425113&tstart=0
  but this was written in 2006 and I wonderered if this was still valid.
  Can anyone help? please???

  I am a tech at our school and we have the same problems. still trying to find a permanent solution!
  If you turn airport off, then turn on again, (from system prefs > network) does it change from "self-assigned IP Address" to "Authenticated via PEAP)?
  the macs are more and more popular at our school, so its becoming more and more of an issue.
  cheers,
  Harry

• How to get rid of 802.1x 'Default Authentication'?

  Hi All,
  Everytime I close my MBP's lid, put it to sleep, or simply turn it on...  My wifi is no longer connected.
  this all started ever since I decided to 'Turn Off Wifi' the very first time since I got my MBP this year 2011, in June.
  Whenever I do any of the above (put MBP to sleep etc) then get back to working.. My Safari says I'm not connected to the internet.
  And I see my Wifi signal "blinking" and trying to connect. So I go to my Network preferences and see this:
  There's that '802.1X: Default Authenticating' that appears below my wireless network's name..
  After which i have to Disconnect from twice - 1 time, before it tries to "authenticate" again.. and then a 2nd time.. and then it stops completely,
  Then i have to proceed to click and choose my network again and re-enter my password just to get the Airport/Wifi working again..
  Someone please give me a solution to get my Wifi to automatically connect whenever I switch on my MBP - and to get rid of this annoying 802.1X which does nothing and just continues to try and "authenticate" with no result.
  It would be very very much appreciated! Thank You!
  PS. I did read somewhere online about 802.11g newer wirelss network cards and how they may have issues with an 802.1x network etc..
  Don't really understand it though. Please explain if you could. Cheers 

  Realized that OSX Lion as re-prioritized my Wi-Fi to the bottom of the list.
  What I had to do was place it in first priority again in Network settings.
  Quite a disappointment from OSX Lion since in OS Snow Leopard that was the default setting - and certainly a hassle for newbie Mac users like myself who may be clueless when faced with these "issues"
  Also attached above is the picture that for some strange reason disappeared in the original post..

• Wireless authentication to a windows network

  IF this is the wrong group please let me know and I will re-post...
  I am trying to solve some problems authenticating to a windows network using a airport card....
  I keep getting a non-trusted certificate message after/during the 802.x authentication box..We are not using certificates, at least that is what the admin tells me...so I have logged in as root, opened keychain and set the certifcates in question to trust always for all settings...I log out and then relogin as a normal network account and I still get the message which I can click continue and now I have access..
  the other problem is that my home folder will not mount...I have to mount it manually through the finder..I am assuming this is because the airport network services are not running until I authenticate locally with a cached password....Is there a way to have the login window authenticate through airport so I can have my home directory mount automatically...
  thanks for your help...

  unfortunately there are severla problems with the solution and it really doesn't address the issue. I can't mount the volume on the dock as it won't mount, probably because it is the server itself that has been mounted, not the shared home folder. Also it might create a conflict by having an alias to the home folder that would conflict with the auto mounted home folder when I use the ethernet as a connection source. What I have is a multi-purpose machine.
  1) I use a hardwired connect at my desk...
  2) If I need to go somewhere that a port in the wall is not active, I can then use a wirless connection which allows me access to everything I need....
  What I need to do is get this working so that the rest of the area can use it as well....
  So the question still remains: Does the wireless authentication not mount the home directory because it is not tied into the login window. For example, in a hardwired case I login to the system and this authenticates me and mounts my home folder. When I unplug the ethernet cable and turn on ariport and log off I login to the login window but the 802.x box comes up and asks for my password....which then brings up a not trusted certificate. Which I have tried everyhting I know to make this accepted by the system, including logging as root and going into keychain and setting it to be trusted. This DOES not work. I still get the untrusted certifcate message and the home directory does not mount. So what I need is someone who is authenticating to a windows network using wireless. I have followed all the 802.x suggestions which include using only peap to authenticate through.
  I hope someone can tell me how to stop the untrusted certificate error and how to mount the home directories. It would seem that there should be some type of setting to make airport startup prior to the login window or be hooked into the login window and pas that through to the wireless authentication. This is beyond my experience as you can see...
  thanks

• Mac & 802.1x Machine Authentication to Microsoft AD using PEAP

  We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
  Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
  Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
  The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to ethernet. The 2nd, successful attempt is when are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wirelss network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.

  Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
  Glad you found resolution with a later version of the OS.
  Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

• 802.1x & windows Authentication

  Hi There, Any body has implemented 802.1x port authentication with ACS & windows AD. which authentication is supported in this kind of setup ms-chap or MD5 or PEAP (on the clients).
  and what are the challenges if windows user accounts password changed frequently..
  can any body explain adv & dis adv of 802.1x before I deploy it in network..

  There's a decent guide in the ACS 4.2 documentation on enabling machine access (chapter 12). Basically, you just enable it on the client and the ACS server, and POOF! On the client side, you should have a "Authenticate as computer..." option on your wireless networks tab. Wired is the same, unless you are running XP SP3, Vista, or Windows 7 where machine auth is enabled when you enable user auth.
  MAB with Guest VLAN *should* work, but I have not configured/tested it. Just be aware that MAF on the ACS side is just another form of auth where the user id and password is the MAC address of the client. For this reason, I recommend you put the MAC "users" in your ACS database, not in AD. Otherwise, you'll probably need to create an AD password group policy object for the user group holding your "mac address user accounts" so that they can have a password that matches their user name.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/ACSug.pdf

• Help Please :) LInksys WRVS4400N 802.1X port authentication setup

  HI all,
  I am trying to configure 802.1X port authentication on my Linksys WRVS4400N. I created a test lab in order to do this, currently I am using
  1x Linksys WRVS4400N
  1x Microsoft Server 2003 with IAS and Active Directory services
  1x Dell Laptop (Used for testing Radius Athentication)
  I Created 4 VLAN(s) to test with this LAB
  VLAN 1 Managament. Addr Range 192.168.1.0 /24. GW 192.168.1.254
  VLAN 10 Servers. Addr Range 172.16.1.0 /24. GW 172.16.1.254
  VLAN 20 IT. Addr Range 172.16.2.0 /24. GW 172.16.2.254
  VLAN 30 Design. Addr Range 172.16.3.0 /24. GW 172.16.3.254
  This is how I assigned my VLAN(s) to my ports. This is found on the VLAN & Port Assignment Screen
  Port 1 -> Mode: General -> Frame Type: All -> PVID 1 (Port 1 is used for VLAN 1: Management)
  Port 2 -> Mode: General -> Frame Type: All -> PVID 10 (Port 2 is used for VLAN 20: Servers)
  Port 3 -> Mode: Access -> Frame Type: All (Port 3 is used for RADIUS. DHCP enabled)
  Port 4 -> Mode: Access -> Frame Type: All (Port 4 is used for RADIUS. DHCP enabled)
  VLAN 1: Default
  Port 1: Untagged, Port 2: Tagged, Port(s): 3, 4 & Wireless: Excluded
  VLAN 10: Servers
  Port(s): 1, 3, 4 & Wireless: Excluded. Port 2: Untagged
  VLAN 20: IT
  Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
  VLAN 30: Design
  Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
  This is how my Radius is setup
  Mode: Enabled
  RADIUS IP: 172.16.1.1 (IP of the WIN2K3 Server)
  UDP Port: 1812
  Secret: Password1
  Port(s) 1 & 2: Force Authorized
  Port(s) 3 & 4: Force UnAuthorized
  On the Server this is what I have configured
  1. Created a domain: GLAB. Created two groups: IT LAN, Design LAN, then assigned users to those groups. IE: User1 belongs to IT LAN
  2. Created a IAS Remote Access Policy and named it IT LAN. The profile settings are listed below
  Tunnel-Medium-Type: 802
  Tunnel-PVT-Group-ID: 20
  Tunnel-Type: Virtual LAN
  My goal is to test RADIUS authentication on ports 3 and 4 on the Linksys WRV . I tested everything else I made sure the VLAN's were working ok so what I did was took a Dell Laptop and joined it to my domain. I pluged the Dell Laptop into port 4 to test Radius Authentication. When I tried to log in as User1 it didn't work.
  I am new to setting up 802.1X, I wanted to know if I missed a setting or I misconfigured something. I even ran wireshark on my Windows 2003 machine to see if any RADIUS data is coming from my router (172.16.1.254) and I didn't see anything
  If anybody can help me out that would be great!
  Cheers
  Graham

  1. I don't think the WRVS4400N supports RADIUS assigned VLANs. I can't find anything in the manual suggesting it would. I would say you can only use the RADIUS server for authentication on a port but the VLAN must be configured before.
  2. You don't write what is exactly connected to each port on the WRVS. For instance, it is unclear whether the MS Server is connected directly to port 2 or whether it connects to another switch to which you have connected other servers as well.
  3. The VLAN configuration looks very odd to me. If I see it correctly you have:
  Port 1: General mode, PVID 1, 1U
  Port 2: General mode, PVID 10, 1T, 10U
  Port 3: Access mode, PVID ???, 20U, 30U
  Port 4: Access mode, PVID ???, 20U, 30U
  I wonder why you are even able to set this up...
  a. Port 1 should be set to Access mode with PVID 1 and 1U. With access mode the port is member of a single VLAN and all traffic is untagged. That is exactly what you have set up, but with General mode.
  b. Port 2 must be connected to a server (or a managed switch). The NIC in the server must be configured for 802.1q tagged frames. On the server NIC you must configure VLAN 1 as tagged VLAN and VLAN 10 as default/native/untagged VLAN. Only then the server is able to communicate on VLAN 1 and VLAN 10.
  c. Port 3&4 are in access mode. In access mode the port can only be member of a single VLAN. What you post suggests that they are member of two VLANs. That should not even be possible to configure. If it is possible, that it is definitively incorrect. You must decide to which VLAN these ports belong to.
  4. To use RADIUS authentication on a port you must set it to "Auto". "Force UnAuthorized" sets it unauthorized, i.a.W. you disable the port completely. To traffic will go through. See the manual: "Force Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic). All connections are blocked."
  5. Did you verify that your RADIUS server is actually using port 1812? 1645 is also commonly used for radius authentication. Check the configuration on the RADIUS server or check with "netstat -a" to see if 1812 is used.
  6. Also check, whether the RADIUS traffic is sent on the management VLAN 1. The WRVS uses VLAN 1 as management VLAN and it might well be that it expects the RADIUS server to be in the management VLAN. Use the server IP address in VLAN 1 as RADIUS server IP address to check that.
  7. Did you check with wireshark the traffic on the 802.1x client machine? Does it send something out? Does it receive anything?

• Secure wireless authentication

  I have just been reading all the posts about secure wireless access and I am
  not happy with the direction Novell has chosen to take.
  I have been extremely pleased with Netware, GroupWise & ZenWorks but Novell
  is starting to loose it's appeal.
  Let me summarize what I have learned and see if I have made any mistakes
  with my understanding.
  1. Novell has stopped development on their Radius server and have no plans
  to resume development.
  2. Novell contributed code to the open source FreeRadius project.
  http://www.novell.com/news/press/arc...2/pr05008.html
  3. There isn't any Radius server with 802.1x authentication that runs on
  Netware (Netware kernel).
  a. Novell's Radius server (BMAS or the newer NMAS server) doesn't do
  802.1x authentication.
  b. I have contacted Funk and this is their reply. Steel-Belted Radius
  Server will run on Windows and Solaris (Linux is coming).
  http://www.funk.com/News&Events/sbr_linux_pn.asp
  c. MTG House hasn't gotten back to me about a solution for Netware. (I
  am doubtful, I didn't find anything on their website.)
  4. You need to run a Radius server that does 802.1x authentication and will
  work/integrate with eDir.
  a. FreeRadius (Linux) will integrate with Edir.
  http://www.novell.com/documentation/...ius/index.html
  http://www.novell.com/coolsolutions/feature/15383.html
  b. Funk's Steel-Belted Radius server (Windows, Solaris & Linux is in
  beta).
  http://www.funk.com/radius/default.asp
  c. Aegis Server
  http://www.mtghouse.com/products/aeg...er/index.shtml
  5. You need a 802.1x Client to authenticate to a Radius server for wireless
  authentication.
  a. Microsoft has 802.1x support in their client. (read this from other
  posts in this forum)
  b. Novell isn't planning on putting 802.1x support in the NW Client.
  (read this from other posts in this forum)
  c. There are 2 Radius clients that integrate with the NW Client for
  Radius Edir authentication.
  1. Funk's Odyssey Client ($45 - $50 per workstation depending on
  quantity) + added annual maintenance costs.
  $2281.25 for 50 Client licenses & annual maintenance.
  http://www.funk.com/radius/wlan/wlan_c_radius.asp
  2. Aegis' Client ($32 - $39.99 per workstation depending on
  quantity) + added annual maintenance costs.
  $2240.00 for 50 Client licenses & annual maintenance.
  http://www.mtghouse.com/products/aeg...nt/index.shtml
  http://www.mtghouse.com/novell_app_note_122204.pdf
  3. When FreeRadius is integrated with Edir is this separate client
  still needed?
  I didn't see anything about a separate client being needed while
  reading the Integrating FreeRadius with Edir documentation.
  6. FreeRadius support is going to be built-in to the next version of Edir.
  http://www.novell.com/news/press/arc...2/pr05008.html
  Why didn't Novell contribute code to port FreeRadius to Netware?
  At this point in time they are still giving us a choice between the Netware
  kernel and the Linux kernel. To me that says they are willing to make
  things work with both systems until they drop support for the Netware
  kernel. Ok, so give me support for 802.1x authentication in the Netware
  kernel. I don't have stray single purpose servers floating around my
  network and I don't want to have to begin that practice just to get Radius
  802.1x authentication working.
  I also won't put my district at a disadvantage by upgrading to the Linux
  kernel until I know Linux well enough to administer it properly. I am the
  IT department at this district so I don't have a great deal of extra time to
  run about learning the new things I would LOVE to learn. I'm sure I'm not
  the only person in this situation so Novell should take these things into
  concideration before they just drop support for a product they say they are
  still supporting. Obviously all of the real support is going toward the
  Linux side at Novell.
  Daniel Blake
  Milford Central School

  Ok, I'll give them the benefit of the doubt and say fine the Netware kernel
  might as well be considered dead. So they are giving me support via
  FreeRadius if I just migrate to OES (Linux). Ok, I might/can live with that
  as a Novell decision.
  But that still doesn't explain why they don't give us some client to log in
  via 802.1x. Giving us the server but not the client is like giving us a
  locked door without a key. That's just plain stupid. I would rather stay a
  Netware - OES shop, but if Novell can't think something this simple through
  then I'm a little nervous about staying with them. What could they think up
  next?
  I guess Novell has decided to port all it's software to Windows cause it
  sucks so bad at business decisions. GroupWise & ZenWorks run completely on
  Windows now, so why do I need OES at all? Except for complexity &
  integration issues of course. I mean why would I need to purchase Edir for
  Windows if I didn't stay with OES? Or Nsure Identity Manager for that
  matter. So if we start looking deeper into this we see Marketing all over
  this thing. Novell Marketing has always done such a good job for Novell.
  Novell has given me a real choice that will work though. If I migrate
  completely to a Windows network it just works without any added costs. Heck
  it even makes my installs easier without having to install the NW Client on
  every new workstation. I can still run ZenWorks & GroupWise too.
  Now, how is Novell Marketing going to screw up and make me hate GroupWise &
  Zenworks so I migrate completely away from Novell products? Way to go
  Novell!
  Daniel Blake
  Milford Central School
  "Jim Michael" <[email protected]> wrote in message
  news:[email protected]...
  > mcsdtech wrote:
  >
  >> 1. Novell has stopped development on their Radius server and have no
  >> plans to resume development.
  >
  > Correct, so far as we know.
  >
  >> 2. Novell contributed code to the open source FreeRadius project.
  >> http://www.novell.com/news/press/arc...2/pr05008.html
  >
  > Yes. Code to allow easier integration with eDirectory.
  >
  >> 3. There isn't any Radius server with 802.1x authentication that runs on
  >> Netware (Netware kernel).
  >
  > Correct.
  >
  >> a. Novell's Radius server (BMAS or the newer NMAS server) doesn't do
  >> 802.1x authentication.
  >
  > Correct. It was developed quite a while before 802.1x even existed.
  >
  >> b. I have contacted Funk and this is their reply. Steel-Belted
  >> Radius Server will run on Windows and Solaris (Linux is coming).
  >> http://www.funk.com/News&Events/sbr_linux_pn.asp
  >
  > Correct, but Stell-Belted Radius is probably the last solution I would
  > look at. Radiator is a commercial product that runs on Linux or Windows
  > (it is Perl-based) and you will get far better support from them on
  > eDirectory issues and general Radius problems. freeRADIUS is what I would
  > run on Linux if you don't want to spend a dime on the software.
  >
  >> c. MTG House hasn't gotten back to me about a solution for Netware.
  >> (I am doubtful, I didn't find anything on their website.)
  >
  > Not familiar with them.
  >
  >> 4. You need to run a Radius server that does 802.1x authentication and
  >> will work/integrate with eDir.
  >> a. FreeRadius (Linux) will integrate with Edir.
  >> b. Funk's Steel-Belted Radius server (Windows, Solaris & Linux is
  >> in beta).
  >
  >> c. Aegis Server
  >
  > And Radiator (what I run) http://www.open.com.au This is the solution we
  > run.
  >
  >> 5. You need a 802.1x Client to authenticate to a Radius server for
  >> wireless authentication.
  >
  > Correct.
  >
  >> a. Microsoft has 802.1x support in their client. (read this from
  >> other posts in this forum)
  >
  > Correct. Technically, the "support" is in Windows, not the MS client.
  >
  >> b. Novell isn't planning on putting 802.1x support in the NW Client.
  >> (read this from other posts in this forum)
  >
  > Correct.
  >
  >> c. There are 2 Radius clients that integrate with the NW Client for
  >> Radius Edir authentication.
  >> 1. Funk's Odyssey Client 2. Aegis' Client ($32 - $39.99 per
  >> workstation depending on
  >
  > Correct.
  >
  >> 3. When FreeRadius is integrated with Edir is this separate
  >> client still needed?
  >
  > Yes. You ALWAYS need a 802.1x supplicant (client) on the workstation.
  > Windows has one built-in, which works FINE against eDirectory. HOWEVER,
  > because of the way it works you must log into eDirectory *after* fully
  > logging into windows. That is unacceptable to most organizations (you
  > would have to manually log in and map drives to NW, etc). This is why
  > there are third-party clients that integrate specifically with the NetWare
  > client.. they allow the 802.1x authentication to "insert" itself
  > in -between the Windows and eDirectory login, thus preserving all of the
  > normal features like dynamic local user, zen policies, etc.
  >
  >> I didn't see anything about a separate client being needed
  >> while reading the Integrating FreeRadius with Edir documentation.
  >
  > A client is always assumed.
  >
  >> Why didn't Novell contribute code to port FreeRadius to Netware?
  >
  > Because Novell's future direction is Linux, and there isn't much demand
  > for a NetWare Radius server.
  >
  >> At this point in time they are still giving us a choice between the
  >> Netware kernel and the Linux kernel. To me that says they are willing to
  >> make things work with both systems until they drop support for the
  >> Netware kernel. Ok, so give me support for 802.1x authentication in the
  >> Netware kernel. I don't have stray single purpose servers floating
  >> around my network and I don't want to have to begin that practice just to
  >> get Radius 802.1x authentication working.
  >
  > You can always make your wishes known at
  > http://support.novell.com/enhancement
  >
  >> I also won't put my district at a disadvantage by upgrading to the Linux
  >> kernel until I know Linux well enough to administer it properly. I am
  >> the IT department at this district so I don't have a great deal of extra
  >> time to run about learning the new things I would LOVE to learn. I'm
  >> sure I'm not the only person in this situation so Novell should take
  >> these things into concideration before they just drop support for a
  >> product they say they are still supporting. Obviously all of the real
  >> support is going toward the Linux side at Novell.
  >
  > I understand the frustration, but I doubt things will change. There is a
  > big difference between "supporting" existing products and adding major
  > enhancements to products to support new standards. I just don't think
  > Novell believes it is worth dedicating development resources to enhancing
  > Radius on NetWare, for those few that can't/won't run a Linux or Windows
  > box where the software already exists.
  >
  >
  > --
  > Jim
  > NSC SYsop