wired 802.1x

Vieri Di Paola vieridipaola at gmail.com
Tue May 25 14:01:20 CEST 2021


On Mon, May 24, 2021 at 1:20 PM Alan DeKok <aland at deployingradius.com> wrote:
>
> On May 24, 2021, at 6:16 AM, Vieri Di Paola <vieridipaola at gmail.com> wrote:
> > I have a FR setup working fine for wireless clients with either
> > EAP-TLS (computer certificate) or EAP-PEAP (user credentials validated
> > by winbind/AD).
> >
> > I'm trying to expand on that and have wired clients authenticate via
> > 802.1X with EAP-TLS (computer certificate).
> >
> > In my test I'm using the same Windows client that properly
> > authenticates wirelessly with EAP-TLS. I configured its wired
> > interface to use 802.1X with the same local certificate.
>
>   Well, maybe.

It's the only client certificate available in the Windows mmc console
so I'm supposing it is.

> > (38) Sent Access-Challenge Id 6 from 10.215.144.91:1812 to
> > 10.215.110.190:49154 length 0
> > (38)   EAP-Message = 0x010300060d20
> > (38)   Message-Authenticator = 0x00000000000000000000000000000000
> > (38)   State = 0x5bf4e1345bf7eccc1b644b2a242dee88
> > (38) Finished request
> >
> > However, FR keeps receiving "Access-Request" messages from the same
> > station without the "State" field.
>
>   That means the Windows system is starting the authentication process again.

OK.

> > So, could it be that the client is not responding properly (or
> > ignoring/denying) FR's "Access-Challenge"?
>
>   Yes.  It doesn't like the servers certificate.  So it just stops talking to the server.

i.e. it does not like the following?
/etc/raddb/mods-enabled/eap:            certificate_file = ${certdir}/server.pem
or the signing authority:
/etc/raddb/mods-enabled/eap:            ca_file = ${cadir}/ca.pem

It puzzles me as to why it does not when connecting with a wire and
does when connecting wirelessly.

> > What should I be looking for and where (I suspect it's all on the
> > client, but I'd like to make sure I don't need to do anything else in
> > FR)?
>
>   It's not FreeRADIUS.  It's the client.

I'm having a hard time finding a reason for the rejection in the
client's event logger. I've searched for EAPhost and the likes, but I
didn't find anything that clearly states why there's an authentication
problem.

> > Would it be useful if I posted the full "Access-Request" log?
> > If so, one would be enough if subsequent request messages are the
> > same, I guess (except for msg ID of course).
>
>   You don't need the full debug output.
>
>   If you let the server sit for a while, when it gets the next packet, it will print out a huge set of debug messages which tell you what's wrong, and pointing you to the Wiki.

With just radiusd -X and FR v3.0.20?

The only thing I see even if I wait for a long while is something like this:

(625) Sent Access-Challenge Id 21 from 10.215.144.91:1812 to
10.215.110.190:49154 length 0
(625)   EAP-Message = 0x010300060d20
(625)   Message-Authenticator = 0x00000000000000000000000000000000
(625)   State = 0x6680142d668319b34dda38122881c11c
(625) Finished request
Waking up in 4.9 seconds.
((625) Cleaning up request packet ID 21 with timestamp +8779

I may need to run radiusd with another set of parameters?

Regards,

Vieri
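The pattern Alan describes (an Access-Challenge goes out with State, and the next Access-Request from the same NAS comes back without it, so the supplicant has dropped the EAP conversation and started over) can be picked out of `radiusd -X` output mechanically. The script below is an added example, not part of this thread or of FreeRADIUS: it parses the packet and attribute lines in the format shown above, flags such restarts per NAS, and decodes the EAP-Message header (RFC 3748) and the EAP-TLS flags byte (RFC 5216). The sample log lines and their EAP-Message values are constructed in the same format as the ones quoted in the message.

```python
import re

# Packet header and attribute lines as printed by radiusd -X (format as quoted in the thread).
PKT_RE = re.compile(r"^\((\d+)\) (Received|Sent) (Access-\w+) Id (\d+) from (\S+) to (\S+)")
ATTR_RE = re.compile(r"^\((\d+)\)\s+([\w-]+) = (.*)$")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def decode_eap_message(hexstr):
    # EAP header: code(1) id(1) length(2) type(1); EAP-TLS adds a flags byte (L=0x80, M=0x40, S=0x20).
    b = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    info = {"code": EAP_CODES.get(b[0], b[0]), "id": b[1], "length": int.from_bytes(b[2:4], "big")}
    if len(b) > 4:
        info["type"] = EAP_TYPES.get(b[4], b[4])
    if len(b) > 5 and b[4] == 13:
        info["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if b[5] & bit]
    return info

def parse_packets(lines):
    # Attribute lines attach to the most recent packet header carrying the same request number,
    # because one request number covers both the received packet and the reply sent for it.
    packets, latest = [], {}
    for line in lines:
        m = PKT_RE.match(line)
        if m:
            req, direction, code, pid, src, dst = m.groups()
            pkt = {"req": int(req), "dir": direction, "code": code, "id": int(pid),
                   "peer": dst if direction == "Sent" else src, "attrs": {}}
            packets.append(pkt)
            latest[req] = pkt
            continue
        m = ATTR_RE.match(line)
        if m and m.group(1) in latest:
            latest[m.group(1)]["attrs"][m.group(2)] = m.group(3)
    return packets

def find_eap_restarts(lines):
    # A challenge leaves a conversation outstanding per NAS (peer). A following Access-Request
    # with State continues it; one without State means the supplicant began a new EAP exchange.
    pending, restarts = {}, []
    for p in parse_packets(lines):
        if p["dir"] == "Sent" and p["code"] == "Access-Challenge":
            pending[p["peer"]] = p["req"]
        elif p["dir"] == "Received" and p["code"] == "Access-Request" and p["peer"] in pending:
            if "State" in p["attrs"]:
                pending.pop(p["peer"])
            else:
                restarts.append((p["peer"], p["req"]))
    return restarts

SAMPLE_LOG = """\
(38) Received Access-Request Id 6 from 10.215.110.190:49154 to 10.215.144.91:1812 length 190
(38)   EAP-Message = 0x0201000a01686f737431
(38) Sent Access-Challenge Id 6 from 10.215.144.91:1812 to 10.215.110.190:49154 length 0
(38)   EAP-Message = 0x010300060d20
(38)   State = 0x5bf4e1345bf7eccc1b644b2a242dee88
(39) Received Access-Request Id 7 from 10.215.110.190:49154 to 10.215.144.91:1812 length 190
(39)   EAP-Message = 0x0201000a01686f737431
(39)   Message-Authenticator = 0x00000000000000000000000000000000
""".splitlines()  # constructed sample in the thread's log format
```

Feed it a real `radiusd -X` capture with `find_eap_restarts(open("radiusd.log").read().splitlines())`; the decoded challenge here is an EAP-TLS Start request, so a State-less request right after it shows the supplicant never answered the TLS start.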

