aland at deployingradius.com
Mon May 24 13:19:56 CEST 2021
On May 24, 2021, at 6:16 AM, Vieri Di Paola <vieridipaola at gmail.com> wrote:
> I have a FR setup working fine for wireless clients with either
> EAP-TLS (computer certificate) or EAP-PEAP (user credentials validated
> by winbind/AD).
> I'm trying to expand on that and have wired clients authenticate via
> 802.1X with EAP-TLS (computer certificate).
> In my test I'm using the same Windows client that properly
> authenticates wirelessly with EAP-TLS. I configured its wired
> interface to use 802.1X with the same local certificate.
> (38) Sent Access-Challenge Id 6 from 10.215.144.91:1812 to
> 10.215.110.190:49154 length 0
> (38) EAP-Message = 0x010300060d20
> (38) Message-Authenticator = 0x00000000000000000000000000000000
> (38) State = 0x5bf4e1345bf7eccc1b644b2a242dee88
> (38) Finished request
> However, FR keeps receiving "Access-Request" messages from the same
> station without the "State" field.
That means the Windows system is starting the authentication process again.
> So, could it be that the client is not responding properly (or
> ignoring/denying) FR's "Access-Challenge"?
Yes. It doesn't like the servers certificate. So it just stops talking to the server.
> What should I be looking for and where (I suspect it's all on the
> client, but I'd like to make sure I don't need to do anything else in
It's not FreeRADIUS. It's the client.
> Would it be useful if I posted the full "Access-Request" log?
> If so, one would be enough if subsequent request messages are the
> same, I guess (except for msg ID of course).
You don't need the full debug output.
If you let the server sit for a while, when it gets the next packet, it will print out a huge set of debug messages which tell you what's wrong, and pointing you to the Wiki.
More information about the Freeradius-Users