Wired 802.1x certificate warning

sander timmermans st at compoint.be
Fri Apr 10 11:38:45 CEST 2015


Hey folks,

I'm having some difficulty with setting up a test environment for wired 802.1x authentication with FreeRADIUS.
For starters, let me just throw the freeradius -X output here:


rad_recv: Access-Request packet from host 81.82.213.157 port 2000, id=11, length=104
        User-Name = "test"
        EAP-Message = 0x020100090174657374
        NAS-IP-Address = 192.168.2.199
        NAS-Port = 1
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "78-AC-C0-5C-C2-0D"
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x8869e4d26b2aad94456e66246fd97702
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 0
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'test'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'test'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'test'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 11 to 81.82.213.157 port 2000
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb43a5b16b438421b8325e3b40d9ef210
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 4 ID 11 with timestamp +1293
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xb43a5b16b438421b did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.


So after doing some research I have deduced that this error implies the supplicant (which is a Windows machine) doesn't like the certificate the FreeRADIUS server is hurling its way and stops communicating.

Now comes the odd part. I haven't even touched the certificates when installing FreeRADIUS on the server, and connecting wirelessly through a UniFi AP with the very same protocol on the very same supplicant machine works flawlessly.
I have very likely made a misconfiguration on the Windows machine, I just haven't figured out where.

I followed this guide for setting up the Ethernet connection: https://kb.meraki.com/knowledge_base/configuring-8021x-wired-authentication-on-a-windows-7-client

In the Protected EAP Properties window, I unticked "Validate server certificate", like I did with the wireless connection.

I will admit I knew little about RADIUS before starting this project, so it is very possible I've made some obvious mistakes. -- I find trial and error to be one of the best learning methods for me personally. :)

Is there at all a way to get around this issue without messing with the certs? Please also do let me know what other output or logs you might need.

Best regards,

Sander Timmermans
Compoint BVBA
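A small triage helper, added here as an example and not taken from the post or from FreeRADIUS: it reads debug output in the shape quoted above, decodes the EAP headers inside each EAP-Message attribute, and ties every "did not finish" warning back to the request that started the conversation, so the record shows which supplicant went silent and that the server's last message was a PEAP Start. The log excerpt is a constructed sample modelled on the output above; the regexes assume the 2.x-style `rad_recv:` / `Sending Access-Challenge` lines shown there.

```python
import re

# Constructed excerpt modelled on the freeradius -X output quoted in the post.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 81.82.213.157 port 2000, id=11, length=104
        User-Name = "test"
        EAP-Message = 0x020100090174657374
        Calling-Station-Id = "78-AC-C0-5C-C2-0D"
Sending Access-Challenge of id 11 to 81.82.213.157 port 2000
        EAP-Message = 0x010200061920
        State = 0xb43a5b16b438421b8325e3b40d9ef210
WARNING: !! EAP session for state 0xb43a5b16b438421b did not finish!
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+)$")
REQ_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
CHAL_RE = re.compile(r"^Sending Access-Challenge of id (\d+) to (\S+)")
WARN_RE = re.compile(r"EAP session for state (0x[0-9a-f]+) did not finish")

def decode_eap(hexstr):
    """Decode the EAP header (RFC 3748) carried in a RADIUS EAP-Message attribute."""
    b = bytes.fromhex(hexstr[2:])  # strip the 0x prefix the debug output prints
    info = {"code": EAP_CODES.get(b[0], b[0]), "id": b[1], "length": int.from_bytes(b[2:4], "big")}
    if b[0] in (1, 2) and len(b) > 4:  # Request/Response carry a Type byte
        info["type"] = EAP_TYPES.get(b[4], b[4])
        if b[4] in (13, 25):  # TLS-based methods add a flags byte; 0x20 = Start
            info["tls_start"] = bool(b[5] & 0x20)
    return info

def unfinished_sessions(log):
    """One record per 'did not finish' warning, joined to the request/challenge pair (same id, same NAS) that issued that State."""
    requests, challenges, out, current = {}, {}, [], None
    for line in log.splitlines():
        if m := REQ_RE.match(line):
            current = requests.setdefault((m.group(2), m.group(1)), {})
        elif m := CHAL_RE.match(line):
            current = challenges.setdefault((m.group(1), m.group(2)), {})
        elif (m := ATTR_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
        elif m := WARN_RE.search(line):
            for key, chal in challenges.items():
                if chal.get("State", "").startswith(m.group(1)):  # warning prints only a prefix
                    req = requests.get(key, {})
                    out.append({"user": req.get("User-Name"), "supplicant_mac": req.get("Calling-Station-Id"),
                                "client_eap": decode_eap(req["EAP-Message"]),
                                "server_eap": decode_eap(chal["EAP-Message"])})
    return out
```

Run it over a saved `freeradius -X` capture to list every abandoned conversation; a server_eap of PEAP with tls_start and no further client Response is the signature of a supplicant that dropped the session after the TLS handshake began.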


More information about the Freeradius-Users mailing list