
802.1x, tokens, and Windows XP, Does anything work?

Status
Not open for further replies.

Shaad

Technical User
Mar 21, 2002
46
US
Hello, I am trying to get 802.1x authentication working with Windows XP clients using our token server (Safeword Premier Access). XP supports only PEAP-MSCHAPv2 natively, so I am enabling 802.1x on our wireless gateway (Airespace) and pointing it to our RADIUS servers. We have tried Cisco ACS and Funk Steel-Belted Radius as our RADIUS server. Then we set up one of our RADIUS servers to authenticate against Safeword. It looks as if ACS does not support PEAP-MSCHAPv2, and I think we might be in the same boat with Funk SBR; I am waiting to hear back from their technical department.

I think we might be kidding ourselves thinking PEAP will work, as I think our RADIUS servers are sending the auth requests to our token server encrypted with PEAP and it has no idea what is coming to it.

The goal is to provide encryption and authentication to wireless customers on our WLAN. We want them to auth using tokens, as the credentials are only good once. Does anyone have any ideas on how we could do this? We do not want to add users into our domain etc. We just want to hand them a badge with a token tied to it. They enter their badge ID and their token and they are on the wireless LAN.

Any help or ideas greatly appreciated.
 
Cisco ACS does support PEAP-MSCHAPv2. It's under the global configuration page and it's the first option listed. Of course you'll need to have a recent version of ACS for these options. I'm using 3.2.

As for the rest, I can't help you...sorry.

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
Yeah, turns out to use tokens we must tunnel the info using EAP-TTLS, then the RADIUS server proxies the token auth to the token server. Sort of a pain. ACS does not seem to support EAP-TTLS, so we had to use Funk Steel-Belted Radius.
 