FreeRADIUS 3.0.4 - Client fails to authenticate

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Sat Oct 17 20:22:34 CEST 2015


Hi,

> Hello, I am a student and currently studying the 802.1x standard. I am using FreeRADIUS 3.0.4 on Fedora for my studies. I also have a machine with Windows 10 as a supplicant and a Cisco 3550 as an authenticator.

802.1X

subtle thing.

> So far, I managed to configure what was needed to do some basic stuff. I am able to authenticate the client with a username/password combination using PEAP/MSCHAPv2. What I want to do now, is to authenticate using the same EAP method but with certificate credentials. I created the certificates successfully and sent the client certificate to the Supplicant to install. When I try to authenticate it produces the message "Failed to authenticate" on the Windows 10 machine. 
> The Cisco 3550 debugging shows that it keeps sending an EAP-Request/Identity but with no answer as far as I understand. The radiusd -X command shows no packet received so I come to the conclusion that the Supplicant doesn't send anything for authentication. I tried using either a simple certificate selection or not in the settings with no difference. Shouldn't the Windows OS present me with a list of certificates to choose from, but I haven't done it before so I don't know what to expect.
> I don't know how to proceed now, either the certificate I made is not correct or I didn't install it successfully. But I tried to follow many guides for that with no success. Could you help me? Thank you.

hmm, if you see NOTHING in the radiusd -X logs then nothing is reaching the
RADIUS server - which either means the NAS (switch) cannot talk to the RADIUS
server IP address as it needs to do, the client is not configured to do
802.1X or the client doesn't like the configuration given to it.
so, when you say client certificate, I guess you are talking about
EAP-TLS, or are you talking about PEAP/EAP-TLS or such? the certificate
will need to be installed in the correct location for Windows to use it,
which usually means don't just double click to install it.

most of these problems are client related - each client can be quite fussy.
I would say to you, don't start with a Windows client for such examination...
use wpa_supplicant on a Linux box. though I would also say don't study it like
this (what's the point), it's well documented in RFCs and you can go to somewhere
nice like:

http://packetlife.net/blog/2008/nov/10/ieee-8021x-cheat-sheet/

http://packetlife.net/blog/2008/aug/06/simple-wired-8021x-lab/


alan
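
A wpa_supplicant configuration for the wired EAP-TLS test suggested in the reply above, added here as an example and not part of the original post. The file paths, identity, passphrase and interface name are placeholders to be replaced with the values from your own lab.

```conf
# wpa_supplicant configuration for wired 802.1X with EAP-TLS (added example).
# Every path, the identity and the passphrase below are placeholders.
ctrl_interface=/var/run/wpa_supplicant

# Wired driver: no scanning or AP selection is performed
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TLS
    # Identity sent in the EAP-Response/Identity
    identity="client@example.org"
    # CA certificate used to validate the RADIUS server certificate
    ca_cert="/etc/wpa_supplicant/ca.pem"
    # Client certificate and its private key
    client_cert="/etc/wpa_supplicant/client.pem"
    private_key="/etc/wpa_supplicant/client.key"
    private_key_passwd="CHANGE-ME"
    # No dynamic WEP keying on a wired port
    eapol_flags=0
}

# Run in the foreground with debug output (eth0 is an assumed interface name):
#   wpa_supplicant -D wired -i eth0 -c /etc/wpa_supplicant/wired-eap-tls.conf -d
```

With radiusd -X running at the same time, the supplicant's debug output and the server's debug output together show whether the EAP exchange gets as far as the RADIUS server.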

