Hi!

 

I've a problem with 802.1x and EAP-TLS where I'm not quite sure who is responsible for this problem and how to work around it. I hope someone can help me – I couldn’t find anything with Google and I just can’t believe I’m the first guy with this problem. The setup is following.

 

- Windows 7 SP1 Client with 802.1x and EAP-TLS configurated

- Extreme Networks 450e Switches à LAN based 802.1x

- Freeradius 2.1.12-3.el5 on RHEL5  only TLS as EAP type configured/allowed

 

The problem now is that in 1/3 of the clients boots (done over 40 times with a tap devices running as sniffer) the Windows Client sends an

response: Legacy Nak (Response only) [RFC3748] with the wish for PEAP. After this the freeradius Server sends a reject ([eap] NAK asked for unsupported type PEAP). With the next identity request the Client does an clean EAP-TLs handshake, but the switch already put the client into the reject network.

 

Here is the communication flow in these cases (Wireshark): Line 5 / Packet 54 is the problem

 

No.     Time        Source     Destination    Protocol Length Info

  9 27.371093   switch --> client         EAP      60     Request, Identity [RFC3748]

51 43.669530   switch --> client         EAP      60     Request, Identity [RFC3748]

52 43.693510   client --> switch         EAP      60     Response, Identity [RFC3748]

53 43.699498   switch --> client         EAP      60     Request, EAP-TLS [RFC5216] [Aboba]

54 43.700496   client --> switch         EAP      60     Response, Legacy Nak (Response only) [RFC3748]

84 44.639980   switch --> client         EAP      60     Request, Identity [RFC3748]

85 44.646980   client --> switch         EAP      60     Response, Identity [RFC3748]

86 44.652974   switch --> client         EAP      60     Request, EAP-TLS [RFC5216] [Aboba]

87 44.758887   client --> switch         TLSv1    123    Client Hello

88 44.765875   switch --> client         TLSv1    1042   Server Hello, Certificate, Certificate Request, Server Hello Done

89 44.766875   client --> switch         EAP      60     Response, EAP-TLS [RFC5216] [Aboba]

90 44.772880   switch --> client         TLSv1    1042   Server Hello, Certificate, Certificate Request, Server Hello Done

91 44.772892   client --> switch         EAP      60     Response, EAP-TLS [RFC5216] [Aboba]

92 44.778868   switch --> client         TLSv1    1042   Server Hello, Certificate, Certificate Request, Server Hello Done

93 44.779865   client --> switch         EAP      60     Response, EAP-TLS [RFC5216] [Aboba]

94 44.784859   switch --> client         TLSv1    177    Server Hello, Certificate, Certificate Request, Server Hello Done

95 44.787862   client --> switch         TLSv1    1510   Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message

96 44.793854   switch --> client         EAP      60     Request, EAP-TLS [RFC5216] [Aboba]

97 44.793861   client --> switch         TLSv1    530    Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message

98 44.807887   switch --> client         TLSv1    87     Change Cipher Spec, Encrypted Handshake Message

102 44.818881   client --> switch         EAP      60     Response, EAP-TLS [RFC5216] [Aboba]

103 44.855827   switch --> client         EAP      60     Success

 

 

It seems to be a timing issue …. anyway:

 

-          Windows 7 is configured to EAP-TLS with GPOs

-          I’ve uninstalled anti-virus, behavior detection software

 

In the 2/3 of the cases it works the Client does not send a NAK, so I believe it is a client problem but it’s Windows 7 … there must be thousands of installs with Windows 7 and 802.1x EAP/TLS. Would it help if freeradius ignores the EAP-NAK packets? Any help appreciated!

 

Mit freundlichen Grüßen

Robert Penz

 

--------------------------------------------------------------

Dipl.Inf. Robert Penz

DVT - Daten-Verarbeitung-Tirol GmbH

Adamgasse 22, 6020 Innsbruck

Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355

E-Mail: robert.penz@tirol.gv.at