wired 802.1x
Vieri Di Paola
vieridipaola at gmail.com
Mon May 24 12:16:01 CEST 2021
Hi,
I have a FR setup working fine for wireless clients with either
EAP-TLS (computer certificate) or EAP-PEAP (user credentials validated
by winbind/AD).
I'm trying to expand on that and have wired clients authenticate via
802.1X with EAP-TLS (computer certificate).
In my test I'm using the same Windows client that properly
authenticates wirelessly with EAP-TLS. I configured its wired
interface to use 802.1X with the same local certificate.
The FR log indeed shows a "Received Access-Request" which is identical
to what I see when it connects wirelessly, except of course for the
calling station's MAC addr.
The request log also finishes in a similar way with:
(38) Found Auth-Type = eap
(38) # Executing group from file /etc/raddb/sites-enabled/default
(38) authenticate {
(38) eap: Peer sent packet with method EAP Identity (1)
(38) eap: Calling submodule eap_tls to process data
(38) eap_tls: Initiating new TLS session
(38) eap_tls: Setting verify mode to require certificate from client
(38) eap_tls: [eaptls start] = request
(38) eap: Sending EAP Request (code 1) ID 3 length 6
(38) eap: EAP session adding &reply:State = 0x5bf4e1345bf7eccc
(38) [eap] = handled
(38) } # authenticate = handled
(38) Using Post-Auth-Type Challenge
(38) # Executing group from file /etc/raddb/sites-enabled/default
(38) Challenge { ... } # empty sub-section is ignored
(38) Sent Access-Challenge Id 6 from 10.215.144.91:1812 to
10.215.110.190:49154 length 0
(38) EAP-Message = 0x010300060d20
(38) Message-Authenticator = 0x00000000000000000000000000000000
(38) State = 0x5bf4e1345bf7eccc1b644b2a242dee88
(38) Finished request
However, FR keeps receiving "Access-Request" messages from the same
station without the "State" field.
So, could it be that the client is not responding properly (or
ignoring/denying) FR's "Access-Challenge"?
What should I be looking for and where (I suspect it's all on the
client, but I'd like to make sure I don't need to do anything else in
FR)?
Would it be useful if I posted the full "Access-Request" log?
If so, one would be enough if subsequent request messages are the
same, I guess (except for msg ID of course).
Regards,
Vieri
More information about the Freeradius-Users
mailing list