I have a rather complex problem on my hands. Basic setup of our network will be as follows:
Switches are Linksys SRW2024P, VLANs properly configured (we know this for a fact).
Default untagged traffic is over 100 (hence PCs).
PCs on VLAN 100 192.168.1.x – untagged
Phones on VLAN 200 192.168.2.x – tagged traffic
Guest traffic is on VLAN 500 (assuming someone plugs in a computer to a wall socket we want them on this vlan).
Now, the problem is this – we need RADIUS setup to authorise the computers. So it’s not a WPA thing, though I did look in depth at that guide that Paul Taylor so kindly provided. Once we can setup the RADIUS proxy to forward all RADIUS things to Win2k3 IAS, from there we can do dynamic VLANs based on the authentication (so if someone connects a valid computer with a valid username/password then it will be put on VLAN100 – if not, it remains isolated on VLAN500).
Problem is this – no matter what we do, we get the error “RLM_EAP – [USERNAME] – Identity does not match User-Name, setting from EAP Identity. ” This error appears in the “Show logs” for the RADIUS server on the zeroshell router.
Where ‘USERNAME’ is the user that has been created as per Paul Taylor’s guide. That was happening when it was just a local proxy (ie, processing all RADIUS requests to itself) and when it was a remote proxy (forwarding all RADIUS requests to IAS on our Win2k3 box). We’re almost certain that our switch is setup right, and it is forwarding like it’s supposed to.
I’ve searched for this error on the net for a while and got nothing in terms of information that would help me – perhaps someone here can shed light on our problem?
Note: It would appear that it doesn’t even get as far as the MSCHAPv2 authentication – it has a problem with the original certificate as generated. We follow Paul Taylor’s guide to a T here, but just without the WPA stuff – is there a critical step we’re missing?