Some clients not using EAP-TLS anymore

Alan DeKok aland at
Tue Aug 9 14:09:50 UTC 2022

On Aug 9, 2022, at 9:53 AM, David le Roux <david.leroux at> wrote:
> I have a fairly new problem where some clients (Desktops/Laptops) have stopped using their certificates and using EAP and instead present their mac addresses.

  Those machines don't do "mac auth" checks.  That's configured on the switch.  The machines just (a) send 802.1X, or (b) normal traffic (i.e. DHCP, ARP, etc.

> However this is a minority of clients and has only started to occur recently. The Radius server is configured to do both eap-tls and mac-based auth for clients that aren't compatible. Naturally we don't have mac addresses stored in authorized_macs for our EAP clients.
> Furthermore the error is not consistent. Some clients throw errors in the logs but can continue to log in (they usually have a mix of successful EAP authentications and unsuccessful mac based auth). Some can log in after an ipconfig /release /renew. This occurs on a variety of access points (that is, different manufacturers) and nothing has changed on them or the radius server as far as I can tell.

  The choice to do MAC auth vs 802.1X is 99.99% the AP / switch.

  The end-user machine needs to be configured to do 802.1X of course.  But it only does 802.1X if the switch sends an EAPoL frame saying "do 802.1X".

  FreeRADIUS just gets packets from the AP / switch.  No amount of poking FreeRADIUS will make the AP / switch change it's behavior.

  This is 100% a switch problem.

  Alan DeKok.

More information about the Freeradius-Users mailing list