On May 12, 2023, at 11:24 AM, Семенюк Александр Петрович <SemenyukAP@nn-edinstvo.ru> wrote:
Unfortunately, I completely don’t understand how it should work. I’ve read a lot of successful stories about “how to configure” Freeradius with Samba and MS domain, Cisco Catalyst switch and Windows 10 PC in order to perform dot1x authentication for users in the LAN with their MS domain accounts. Suddenly it even worked some time ago. But now – no, it doesn’t.
There's my guide on http://deployingradius.com/ It's been there for ~20 years. It has DETAILED guides for getting PEAP working, and for getting AD / Samba authentication working. Most other guides are confused, wrong, or have only partial information.
May be my logs can help you to help me - to show me what exactly should I fix and where. Could you, please? I can show in addition, if there a reason:
- Switch port config
- Win PC network authentication config
All of the documentation say to post the server debug output. We don't need anything else. We don't need the Cisco debug output. The important part of the debug output is this: (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 154 from 172.23.70.54:1812 to 172.23.73.22:1645 length 0 (7) EAP-Message = 0x010800281900170303001d3a4b57541b3879cb77e9f3a99c91af1c6bbb2189705812f38230171fff (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xc00c5163c604483d1404d0fc5a9963db (7) Finished request Waking up in 3.3 seconds. (1) Cleaning up request packet ID 148 with timestamp +115 (2) Cleaning up request packet ID 149 with timestamp +115 (3) Cleaning up request packet ID 150 with timestamp +116 (4) Cleaning up request packet ID 151 with timestamp +116 Waking up in 0.8 seconds. (5) Cleaning up request packet ID 152 with timestamp +116 You need to configure the Windows system to know about the certificate which the server is using. Read my web site. Follow the guide step by step. Don't skip steps. It will work. Alan DeKok.