Wired Ethernet EAP-TLS

Darren Maden radius at dncomputing.co.uk
Wed Jun 27 14:07:14 CEST 2007


I'm having problems connecting a wired Ethernet machine authenticating
with EAP-TLS, I'm connecting via a Lindy switch with 802.1x port
authentication forced on the port that the machine is connecting to,
that port is also on the same VLAN as the RADIUS server.  This
FreeRADIUS setup is working for wireless clients over 802.1x using EAP-TLS.

My wpa_supplicant config is:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
        key_mgmt=IEEE8021X
        identity="hostname"
        eapol_flags=0
        eap=TLS
        ca_cert="/etc/certs/cacert.pem"
        client_cert="/etc/certs/clientcert.pem"
        private_key="/etc/certs/clientkey.pem"
        private_key_passwd="password"
}

(Identity and Password changed for privacy)

I'm initiating this with the following command:

wpa_supplicant -Dwired -ieth1 -c/etc/wpa_supplicant.conf -d

The RADIUS server is not receiving the request, here is an output from
wpa_supplicant:

State: DISCONNECTED -> ASSOCIATED
Associated to a new BSS: BSSID=01:80:c2:00:00:03
No keys have been configured - skip key clearing
Network configuration found for the current AP
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: clearing own WPA/RSN IE
EAPOL: External notification - portControl=Auto
Associated with 01:80:c2:00:00:03
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
EAPOL: idleWhile --> 0
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state IDLE
EAPOL: startWhen --> 0
EAPOL: heldWhile --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state IDLE
EAPOL: startWhen --> 0
EAPOL: heldWhile --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state IDLE
EAPOL: startWhen --> 0
EAPOL: heldWhile --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state IDLE
EAPOL: startWhen --> 0
CTRL-EVENT-TERMINATING - signal 2 received
Removing interface eth1
State: ASSOCIATED -> DISCONNECTED
No keys have been configured - skip key clearing
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
No keys have been configured - skip key clearing
Cancelling scan request




Is there anything special I need to do in my FreeRADIUS config?
Supporting Windows wired clients is not necessary but when trying with a
Windows client, it didn't work either.




More information about the Freeradius-Users mailing list