January 7, 2010 at 7:31 pm #5584
Greetings:
We have an EAPOL implementation in our environment, backed by AD and RADIUS. I am trying to get a WTOS client set up in this environment, as succeeding will mean the difference between a 10 second boot sequence and a 2 minute+ boot sequence.
I have issued a CA cert, machine cert and private key from our CA, and have installed them on the WTOS device (in this case both an S10 and a V10L). I have configured EAP-TLS, configured the certs and private key password, and then booted the device.
The device attempts an EAP session with our Cisco 3750 switch, but fails.
I set up an Ethereal capture on the port the WTOS device is on: the Wyse device sends an EAP Start message, the Cisco sends back a Request, Identity message, and the Wyse doesn't respond. Eventually, after repeated EAP Starts from the Wyse and Request, Identity messages from the Cisco, the EAP session fails.
Has anyone run into this before?
I've tried WTOS 6.3 and 6.5 to no avail on both devices.
Thanks,
Richard.

January 7, 2010 at 9:48 pm #17388
Check out this new document named "802.1x Configuration" that I have just uploaded in the Download section for WTOS.
CG
January 7, 2010 at 11:55 pm #17390
Hi there.
That is the document I followed in order to configure the S10 and the V10L. I have compared switch configs, and we have at bare minimum the configuration lines mentioned in the document. I have checked and rechecked the Wyse settings, to no avail. As I was mentioning, the Wyse device sends an EAP Start command, and the Cisco switch sends back a challenge, but the Wyse never responds to it. Instead it sends another EAP Start sequence, and this pattern repeats itself until eventually the session fails. I have sent EAP and dot1x debugs to an expert on Cisco devices, and he said that the breakdown appears to be on the Wyse end, and it’s not responding properly to the Switch prompts.
I will note that the document refers to an old version of WTOS, and neither 6.5.0_22 nor 6.5.0_24 has the configuration options to add a CA. I also notice the latest version of 6.3.0 has the same thing.
Thanks,
Richard.

February 8, 2010 at 11:35 pm #17657
Some progress of sorts on this particular topic.
We found that the Cisco command “dot1x host-mode single-host” on the port level allows the Supplicant and the Authenticator to “talk” to each other, which is a huge leap forward.
Now the issue we're running up against is that I'm getting an error "No trusted CA found locally". I have loaded the cert from our CA into the thin client, but there is no place in 6.5 to select it. Anyone else run into this, or am I the first?
Thanks,
Richard.

February 10, 2010 at 11:51 am #17670
So you have loaded the root certificate of your CA to the client in *.crt format? There is no need to select it somewhere.
CG
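The symptom in the opening post (EAPOL-Start, then EAP-Request/Identity from the switch, then silence from the supplicant) and the later finding that the port's dot1x host-mode was what unblocked the exchange both come down to reading the EAPOL/EAP frames on the port. The following is an added example, not code from the original posts or from Wyse or Cisco: a small decoder for Ethernet-framed EAPOL (EtherType 0x888E) and the EAP header inside it, plus a counter that reports which side of the 802.1X exchange went quiet. The MAC addresses, the identity string and the two sample captures are constructed to mirror the thread's description; real input would be the raw frames exported from Ethereal/Wireshark for that port.

```python
"""EAPOL/EAP decoder for an 802.1X port capture (added example, constructed
frames).  Flags the stall described in this thread: the supplicant keeps
sending EAPOL-Start, the authenticator keeps sending EAP-Request/Identity,
and no EAP-Response/Identity is ever seen."""
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP = bytes.fromhex("0180c2000003")     # 802.1X PAE group address
SUPPLICANT = bytes.fromhex("020000000001")    # constructed MAC (thin client)
AUTHENTICATOR = bytes.fromhex("020000000002") # constructed MAC (switch port)

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}


def eapol_frame(src, dst, eapol_type, body=b""):
    """Ethernet header + EAPOL header (protocol version 1) + body."""
    hdr = dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
    return hdr + struct.pack("!BBH", 1, eapol_type, len(body)) + body


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header (code, identifier, length) plus optional type byte and data."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eapol(frame):
    """Summarise one EAPOL frame as a dict; raises ValueError on non-EAPOL input."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version,
            "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0 and len(body) >= 4:             # EAP-Packet: decode EAP header
        code, ident, _ = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = ident
        if code in (1, 2) and len(body) >= 5:     # only Request/Response carry a type
            info["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
    return info


def label(info):
    """Counting key such as 'EAPOL-Start', 'Request/Identity' or 'Success/-'."""
    if info["eapol_type"] != "EAP-Packet":
        return info["eapol_type"]
    return f"{info['eap_code']}/{info.get('eap_type', '-')}"


def diagnose(frames):
    """Count message kinds on the port and say where the exchange stopped."""
    counts = Counter(label(parse_eapol(f)) for f in frames)
    if counts["EAPOL-Start"] and not counts["Request/Identity"]:
        verdict = "authenticator silent: no EAP-Request/Identity seen after EAPOL-Start"
    elif counts["Request/Identity"] and not counts["Response/Identity"]:
        verdict = "supplicant silent: EAP-Request/Identity never answered"
    elif counts["Failure/-"]:
        verdict = "identity exchanged, EAP method failed afterwards"
    elif counts["Success/-"]:
        verdict = "authenticated"
    else:
        verdict = "incomplete capture"
    return {"counts": dict(counts), "verdict": verdict}


def stalled_capture():
    """Constructed: Start, Request/Identity, Start, Request/Identity, ... no Response."""
    frames = []
    for ident in (1, 2, 3):
        frames.append(eapol_frame(SUPPLICANT, PAE_GROUP, 1))
        frames.append(eapol_frame(AUTHENTICATOR, PAE_GROUP, 0, eap_packet(1, ident, 1)))
    return frames


def healthy_capture():
    """Constructed: identity exchange, EAP-TLS start, then EAP-Success."""
    return [
        eapol_frame(SUPPLICANT, PAE_GROUP, 1),
        eapol_frame(AUTHENTICATOR, PAE_GROUP, 0, eap_packet(1, 1, 1)),
        eapol_frame(SUPPLICANT, PAE_GROUP, 0, eap_packet(2, 1, 1, b"host/thinclient")),
        eapol_frame(AUTHENTICATOR, PAE_GROUP, 0, eap_packet(1, 2, 13, b"\x20")),  # EAP-TLS S flag
        eapol_frame(SUPPLICANT, PAE_GROUP, 0, eap_packet(2, 2, 13, b"\x00\x16\x03\x01")),
        eapol_frame(AUTHENTICATOR, PAE_GROUP, 0, eap_packet(3, 3)),
    ]


if __name__ == "__main__":
    for name, frames in (("stalled", stalled_capture()), ("healthy", healthy_capture())):
        print(name, diagnose(frames))
```

The verdict strings deliberately say which side went quiet rather than which side is at fault: in this thread the capture pointed at the supplicant, yet the change that got the two sides talking was `dot1x host-mode single-host` on the switch port, so a silent supplicant is a starting point for the investigation, not a conclusion about where the bug is.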