wired 802.1x

Alan DeKok aland at deployingradius.com
Mon May 24 13:19:56 CEST 2021

On May 24, 2021, at 6:16 AM, Vieri Di Paola <vieridipaola at gmail.com> wrote:
> I have a FR setup working fine for wireless clients with either
> EAP-TLS (computer certificate) or EAP-PEAP (user credentials validated
> by winbind/AD).
> I'm trying to expand on that and have wired clients authenticate via
> 802.1X with EAP-TLS (computer certificate).
> In my test I'm using the same Windows client that properly
> authenticates wirelessly with EAP-TLS. I configured its wired
> interface to use 802.1X with the same local certificate.

  Well, maybe.

> (38) Sent Access-Challenge Id 6 from to
> length 0
> (38)   EAP-Message = 0x010300060d20
> (38)   Message-Authenticator = 0x00000000000000000000000000000000
> (38)   State = 0x5bf4e1345bf7eccc1b644b2a242dee88
> (38) Finished request
> However, FR keeps receiving "Access-Request" messages from the same
> station without the "State" field.

  That means the Windows system is starting the authentication process again.

> So, could it be that the client is not responding properly (or
> ignoring/denying) FR's "Access-Challenge"?

  Yes.  It doesn't like the servers certificate.  So it just stops talking to the server.

> What should I be looking for and where (I suspect it's all on the
> client, but I'd like to make sure I don't need to do anything else in
> FR)?

  It's not FreeRADIUS.  It's the client.

> Would it be useful if I posted the full "Access-Request" log?
> If so, one would be enough if subsequent request messages are the
> same, I guess (except for msg ID of course).

  You don't need the full debug output.

  If you let the server sit for a while, when it gets the next packet, it will print out a huge set of debug messages which tell you what's wrong, and pointing you to the Wiki.

  Alan DeKok.

More information about the Freeradius-Users mailing list