On May 24, 2021, at 6:16 AM, Vieri Di Paola <vieridipaola@gmail.com> wrote:
I have a FR setup working fine for wireless clients with either EAP-TLS (computer certificate) or EAP-PEAP (user credentials validated by winbind/AD).
I'm trying to expand on that and have wired clients authenticate via 802.1X with EAP-TLS (computer certificate).
In my test I'm using the same Windows client that properly authenticates wirelessly with EAP-TLS. I configured its wired interface to use 802.1X with the same local certificate.
Well, maybe.
(38) Sent Access-Challenge Id 6 from 10.215.144.91:1812 to 10.215.110.190:49154 length 0 (38) EAP-Message = 0x010300060d20 (38) Message-Authenticator = 0x00000000000000000000000000000000 (38) State = 0x5bf4e1345bf7eccc1b644b2a242dee88 (38) Finished request
However, FR keeps receiving "Access-Request" messages from the same station without the "State" field.
That means the Windows system is starting the authentication process again.
So, could it be that the client is not responding properly (or ignoring/denying) FR's "Access-Challenge"?
Yes. It doesn't like the servers certificate. So it just stops talking to the server.
What should I be looking for and where (I suspect it's all on the client, but I'd like to make sure I don't need to do anything else in FR)?
It's not FreeRADIUS. It's the client.
Would it be useful if I posted the full "Access-Request" log? If so, one would be enough if subsequent request messages are the same, I guess (except for msg ID of course).
You don't need the full debug output. If you let the server sit for a while, when it gets the next packet, it will print out a huge set of debug messages which tell you what's wrong, and pointing you to the Wiki. Alan DeKok.