CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Mark Duling <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Wed, 2 Aug 2006 00:15:13 -0700
Perfigo SecureSmart and CleanMachines Discussion List
<[log in to unmask]> writes:
>Well, for CCA, we authenticate directly to Novell LDAPS, no middleman  
>needed.  We also use FreeRADIUS for accounting.  Looking into  
>FreeRADIUS + Novell for wireless and other misc. AAA stuff.

Ok so it turns out that Macs have no problem authenticating to ACS/WiSM
because they can be set to use EAP-GTC but WinXP cannot and tries to use
MS-CHAPv2.  Your 3rd party wireless adapter software might, however.
Dell's software does, at least for the laptop I tried - I forget the make
of wireless NIC, or maybe it works for all Dells.

Or you can use Aegis Secure Connect
(http://mtghouse.com/products/aegis_solutions.asp), which Cisco just
acquired (http://www.internetnews.com/infra/article.php/3618586). 
Hopefully Cisco will release a free version of it sometime.  So ACS works
fine with WiSM but as of ACS v4.0 it doesn't pass MS-CHAPv2 through to
LDAP and WinXP does not do EAP-GTC.  One could scrap ACS and deal with it
on the backend, or standardize on software that does EAP-GTC on the
client, or punt the problem to users to find out if their wireless NIC has
software that will do EAP-GTC and/or purchase an Aegis client, or support
an unencrypted wireless VLAN for limited functions for those who can't
meet your security requirements for encrypted traffic.  I don't want to
scrap ACS, especially since Cisco purchasing Aegis leads me to believe the
problem will be rectified soon.  So we'll do some combination of the other
options.

Mark
