EAP Anger!

  • #5584
    rwhittaker
    Member

    Greetings:

    We have an EAPOL implementation in our environment, backed by AD and RADIUS. I am trying to get a WTOS client set up in this environment, as succeeding will mean the difference between a 10 second boot sequence and a 2 minute + boot sequence.

    I have issued a CA Cert, Machine cert and private key from our CA, and have installed it on the WTOS device (in this case both an S10 and a V10L). I have configured EAP-TLS, configured the Certs and private key password, and then booted the device.

    The device attempts an EAP session with our Cisco 3750 switch, but fails.

    I set up an Ethereal capture on the port the WTOS device is on, and the Wyse device sends an EAP Start message, the Cisco sends back a Request, Identity message, and the Wyse doesn’t respond. Eventually, after the Wyse sending EAP Starts, and the Cisco sending Request, Identity messages, the EAP session fails.

    Has anyone run into this before?…

    I’ve tried WTOS 6.3 and 6.5 to no avail on both devices.

    Thanks,
    Richard.
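The stall described above (EAPOL-Start from the supplicant, EAP Request/Identity from the switch, no Response/Identity) is easy to spot mechanically once the frames are decoded. The following added example, which is not from the original thread or from Wyse or Cisco, builds a few constructed EAPOL frames, parses the EAPOL and EAP headers, and reports which stage of the identity exchange the capture is stuck at; the MAC addresses are placeholders.

```python
import struct
PAE_GROUP = bytes.fromhex("0180c2000003")          # 802.1X PAE group MAC
ETH_EAPOL, EAPOL_EAP, EAPOL_START = 0x888E, 0, 1   # ethertype, EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_IDENTITY = 1, 2, 1  # EAP codes and the Identity type

def eapol_start(src):
    """EAPOL-Start (version 1, empty body) from supplicant MAC `src`."""
    return PAE_GROUP + src + struct.pack("!HBBH", ETH_EAPOL, 1, EAPOL_START, 0)

def eap_frame(dst, src, code, ident, eap_type=None):
    """EAP packet (Request/Response carry a type byte) wrapped in EAPOL."""
    body = b"" if eap_type is None else bytes([eap_type])
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return dst + src + struct.pack("!HBBH", ETH_EAPOL, 1, EAPOL_EAP, len(eap)) + eap

def parse(frame):
    """(src, eapol_type, eap_code, eap_type), or None if not a well-formed EAPOL frame."""
    if len(frame) < 18 or frame[12:14] != struct.pack("!H", ETH_EAPOL):
        return None
    src, (_ver, ptype, length) = frame[6:12], struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP:
        return src, ptype, None, None              # Start/Logoff/Key carry no EAP body
    if length < 4 or len(frame) < 18 + length:
        return None                                # truncated EAP body
    code, _ident, elen = struct.unpack("!BBH", frame[18:22])
    etype = frame[22] if code in (EAP_REQUEST, EAP_RESPONSE) and elen > 4 else None
    return src, ptype, code, etype

def diagnose(frames, supplicant):
    """Count the identity exchange on one port and name the stage where it stalls."""
    c = {"start": 0, "id_req": 0, "id_resp": 0}
    for src, ptype, code, etype in filter(None, map(parse, frames)):
        if ptype == EAPOL_START and src == supplicant:
            c["start"] += 1
        elif code == EAP_REQUEST and etype == EAP_IDENTITY:
            c["id_req"] += 1
        elif code == EAP_RESPONSE and etype == EAP_IDENTITY and src == supplicant:
            c["id_resp"] += 1
    if c["id_req"] and not c["id_resp"]:
        c["verdict"] = "supplicant never answered Request/Identity"
    elif c["start"] and not c["id_req"]:
        c["verdict"] = "authenticator never sent Request/Identity"
    else:
        c["verdict"] = "identity exchange completed"
    return c

# Constructed sample: the loop described in the thread (MACs are placeholders).
WYSE, SWITCH = bytes.fromhex("000000000001"), bytes.fromhex("000000000002")
SAMPLE = [eapol_start(WYSE), eap_frame(WYSE, SWITCH, EAP_REQUEST, 1, EAP_IDENTITY),
          eapol_start(WYSE), eap_frame(WYSE, SWITCH, EAP_REQUEST, 2, EAP_IDENTITY)]
```

Feeding real frames (for example the raw bytes exported from the capture for that port) to `diagnose` gives the same counts and verdict.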

    #17388
    ConfGen
    Keymaster

    Check out this new document named “802.1x Configuration” I have just uploaded in the Download section for WTOS.

    CG

    #17390
    rwhittaker
    Member

    Hi there..

    That is the document I followed in order to configure the S10 and the V10L. I have compared switch configs, and we have at bare minimum the configuration lines mentioned in the document. I have checked and rechecked the Wyse settings, to no avail. As I was mentioning, the Wyse device sends an EAP Start command, and the Cisco switch sends back a challenge, but the Wyse never responds to it. Instead it sends another EAP Start sequence, and this pattern repeats itself until eventually the session fails. I have sent EAP and dot1x debugs to an expert on Cisco devices, and he said that the breakdown appears to be on the Wyse end, and it’s not responding properly to the Switch prompts.

    I will note that the document refers to an old version of WTOS, and neither 6.5.0_22 nor 6.5.0_24 has the configuration options to add a CA. I also notice the latest version of 6.3.0 has the same thing.

    Thanks,
    Richard.

    #17657
    rwhittaker
    Member

    Some progress of sorts on this particular topic.

    We found that the Cisco command “dot1x host-mode single-host” on the port level allows the Supplicant and the Authenticator to “talk” to each other, which is a huge leap forward.

    Now the issue we’re running up against is I’m getting an error “No trusted CA found locally”. I have loaded the cert from our CA into the thin client, but there is no place in 6.5 to select it. Anyone else run into this, or am I the first?…

    Thanks,
    Richard.

    #17670
    ConfGen
    Keymaster

    So you have loaded the root certificate of your CA to the client in *.crt format? There is no need to select it somewhere.

    CG
