wired 802.1x

Vieri Di Paola vieridipaola at gmail.com
Mon May 24 12:16:01 CEST 2021


I have an FR setup working fine for wireless clients with either
EAP-TLS (computer certificate) or EAP-PEAP (user credentials validated
by winbind/AD).

I'm trying to expand on that and have wired clients authenticate via
802.1X with EAP-TLS (computer certificate).

In my test I'm using the same Windows client that properly
authenticates wirelessly with EAP-TLS. I configured its wired
interface to use 802.1X with the same local certificate.

The FR log indeed shows a "Received Access-Request" which is identical
to what I see when it connects wirelessly, except of course for the
calling station's MAC addr.
The request log also finishes in a similar way with:

(38) Found Auth-Type = eap
(38) # Executing group from file /etc/raddb/sites-enabled/default
(38)   authenticate {
(38) eap: Peer sent packet with method EAP Identity (1)
(38) eap: Calling submodule eap_tls to process data
(38) eap_tls: Initiating new TLS session
(38) eap_tls: Setting verify mode to require certificate from client
(38) eap_tls: [eaptls start] = request
(38) eap: Sending EAP Request (code 1) ID 3 length 6
(38) eap: EAP session adding &reply:State = 0x5bf4e1345bf7eccc
(38)     [eap] = handled
(38)   } # authenticate = handled
(38) Using Post-Auth-Type Challenge
(38) # Executing group from file /etc/raddb/sites-enabled/default
(38)   Challenge { ... } # empty sub-section is ignored
(38) Sent Access-Challenge Id 6 from to length 0
(38)   EAP-Message = 0x010300060d20
(38)   Message-Authenticator = 0x00000000000000000000000000000000
(38)   State = 0x5bf4e1345bf7eccc1b644b2a242dee88
(38) Finished request

However, FR keeps receiving "Access-Request" messages from the same
station without the "State" field.

So, could it be that the client is not responding properly to (or is
ignoring/denying) FR's "Access-Challenge"?

What should I be looking for and where (I suspect it's all on the
client, but I'd like to make sure I don't need to do anything else in

Would it be useful if I posted the full "Access-Request" log?
If so, one would be enough if subsequent request messages are the
same, I guess (except for msg ID of course).
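As an added diagnostic (example code written for this page, not from the poster or the FreeRADIUS project), the following Python script walks `radiusd -X` output in the layout of the excerpt above and flags every Access-Request that arrives from a Calling-Station-Id which was already sent a State in an Access-Challenge but does not echo that State back. That is exactly the symptom described in the mail: a supplicant that restarts EAP from Identity on every packet instead of continuing the conversation. The sample log embedded below is constructed to mimic the excerpt (one wired station that never echoes State, one station that does); the regular expressions assume the FreeRADIUS 3.x debug format shown above, i.e. a `(n) Received Access-Request Id ...` header followed by attribute lines indented under the same `(n)` prefix.

```python
import re

# Header lines of radiusd -X output, in the format of the excerpt above (assumed).
RECEIVED = re.compile(r"^\((\d+)\) Received (Access-\w+) Id (\d+)")
SENT = re.compile(r"^\((\d+)\) Sent (Access-\w+) Id (\d+)")
# Attribute lines are indented by at least two spaces after "(n)", which keeps
# module chatter such as "(38) eap: ..." or "(38) Found Auth-Type = eap" out.
ATTR = re.compile(r"^\((\d+)\)\s{2,}([\w-]+) = (.+)$")


def parse_packets(log_text):
    """Group the debug output by request number into request/reply attribute dicts."""
    packets = {}
    section = {}  # request number -> "request" or "reply": where the next attrs go
    for line in log_text.splitlines():
        m = RECEIVED.match(line)
        if m:
            num = int(m.group(1))
            packets[num] = {"request": {}, "reply": {}, "reply_kind": None}
            section[num] = "request"
            continue
        m = SENT.match(line)
        if m and int(m.group(1)) in packets:
            packets[int(m.group(1))]["reply_kind"] = m.group(2)
            section[int(m.group(1))] = "reply"
            continue
        m = ATTR.match(line)
        if m and int(m.group(1)) in packets:
            num = int(m.group(1))
            packets[num][section[num]][m.group(2)] = m.group(3).strip('"')
    return packets


def find_restarted_conversations(packets):
    """Return (request number, station, reason) for every Access-Request whose
    station was sent a State in an Access-Challenge but did not echo it."""
    outstanding = {}  # Calling-Station-Id -> State of the last Access-Challenge
    findings = []
    for num in sorted(packets):
        p = packets[num]
        station = p["request"].get("Calling-Station-Id", "unknown")
        echoed = p["request"].get("State")
        expected = outstanding.get(station)
        if expected is not None:
            if echoed is None:
                findings.append((num, station,
                                 "no State: supplicant restarted EAP instead of answering the challenge"))
            elif echoed != expected:
                findings.append((num, station, "State does not match the last Access-Challenge"))
        if p["reply_kind"] == "Access-Challenge" and "State" in p["reply"]:
            outstanding[station] = p["reply"]["State"]
        elif p["reply_kind"] in ("Access-Accept", "Access-Reject"):
            outstanding.pop(station, None)  # conversation over, forget the State
    return findings


# Constructed sample: station 00-11-22-33-44-55 never echoes State (the symptom
# from the mail); station 66-77-88-99-AA-BB continues the EAP conversation normally.
SAMPLE_LOG = """\
(38) Received Access-Request Id 6 from 192.0.2.10:49152 to 192.0.2.1:1812 length 180
(38)   User-Name = "host/wired-pc.example.test"
(38)   Calling-Station-Id = "00-11-22-33-44-55"
(38)   EAP-Message = 0x0203001e01...
(38) Sent Access-Challenge Id 6 from 192.0.2.1:1812 to 192.0.2.10:49152 length 0
(38)   EAP-Message = 0x010300060d20
(38)   State = 0x5bf4e1345bf7eccc1b644b2a242dee88
(39) Received Access-Request Id 7 from 192.0.2.10:49152 to 192.0.2.1:1812 length 180
(39)   User-Name = "host/wired-pc.example.test"
(39)   Calling-Station-Id = "00-11-22-33-44-55"
(39)   EAP-Message = 0x0203001e01...
(39) Sent Access-Challenge Id 7 from 192.0.2.1:1812 to 192.0.2.10:49152 length 0
(39)   EAP-Message = 0x010300060d20
(39)   State = 0x9a0c77e19a0f7a1d0b3c2e4f5a6b7c8d
(40) Received Access-Request Id 8 from 192.0.2.20:49153 to 192.0.2.1:1812 length 182
(40)   Calling-Station-Id = "66-77-88-99-AA-BB"
(40)   EAP-Message = 0x0201001d01...
(40) Sent Access-Challenge Id 8 from 192.0.2.1:1812 to 192.0.2.20:49153 length 0
(40)   EAP-Message = 0x010200060d20
(40)   State = 0x1f2e3d4c1f2d1a0b9c8d7e6f5a4b3c2d
(41) Received Access-Request Id 9 from 192.0.2.20:49153 to 192.0.2.1:1812 length 260
(41)   Calling-Station-Id = "66-77-88-99-AA-BB"
(41)   EAP-Message = 0x0202005a0d80...
(41)   State = 0x1f2e3d4c1f2d1a0b9c8d7e6f5a4b3c2d
(41) Sent Access-Challenge Id 9 from 192.0.2.1:1812 to 192.0.2.20:49153 length 0
(41)   EAP-Message = 0x010300060d20
(41)   State = 0x1f2e3d4c1f2d1a0b9c8d7e6f5a4b3c2e
"""

if __name__ == "__main__":
    for num, station, reason in find_restarted_conversations(parse_packets(SAMPLE_LOG)):
        print(f"request ({num}) from {station}: {reason}")
```

Replace SAMPLE_LOG with a saved `radiusd -X` capture to run it on real output. A station whose every request after the first is reported with "no State" is being offered the challenge and starting over each time; since the server has already answered with a valid Access-Challenge at that point, that pattern is consistent with the poster's suspicion that the supplicant (or the switch relaying the EAPOL frames) is not passing the challenge through, rather than a policy problem in the virtual server.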
