Some clients not using EAP-TLS anymore
David le Roux
david.leroux at miller.co.uk
Tue Aug 9 14:19:00 UTC 2022
I thought so as well until we had dissimilar switches show the same errors which led me to believe it could be something else.
Thanks for your time.
David le Roux
From: Freeradius-Users <freeradius-users-bounces+david.leroux=miller.co.uk at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: 09 August 2022 15:10
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Some clients not using EAP-TLS anymore
On Aug 9, 2022, at 9:53 AM, David le Roux <david.leroux at miller.co.uk> wrote:
> I have a fairly new problem where some clients (Desktops/Laptops) have stopped using their certificates and using EAP and instead present their mac addresses.
Those machines don't do "mac auth" checks. That's configured on the switch. The machines just (a) send 802.1X, or (b) normal traffic (i.e. DHCP, ARP, etc.
> However this is a minority of clients and has only started to occur recently. The Radius server is configured to do both eap-tls and mac-based auth for clients that aren't compatible. Naturally we don't have mac addresses stored in authorized_macs for our EAP clients.
> Furthermore the error is not consistent. Some clients throw errors in the logs but can continue to log in (they usually have a mix of successful EAP authentications and unsuccessful mac based auth). Some can log in after an ipconfig /release /renew. This occurs on a variety of access points (that is, different manufacturers) and nothing has changed on them or the radius server as far as I can tell.
The choice to do MAC auth vs 802.1X is 99.99% the AP / switch.
The end-user machine needs to be configured to do 802.1X of course. But it only does 802.1X if the switch sends an EAPoL frame saying "do 802.1X".
FreeRADIUS just gets packets from the AP / switch. No amount of poking FreeRADIUS will make the AP / switch change it's behavior.
This is 100% a switch problem.
List info/subscribe/unsubscribe? See https://gbr01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html&data=05%7C01%7Cdavid.leroux%40miller.co.uk%7Cd9b834bdf4fd44c0718a08da7a10e3e3%7Ca5609eb2409545a8bb4668573bbb0f92%7C1%7C0%7C637956510202991064%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9iJKJSyXa9UY4j7%2FUdqlTPvbQaZNris%2FP7JVzuLGNSY%3D&reserved=0
Miller Homes Limited Registered in Scotland - SC255429
2 Lochside View, Edinburgh Park, Edinburgh, EH12 9DH
Disclaimer: The Information in this e-mail is confidential and for use by the addressee(s) only. It may also be privileged. If you are not the intended recipient please notify us immediately on +44 (0) 870 336 5000 and delete the message from your computer: you may not copy or forward it, or use or disclose its contents to any other person. We do not accept any liability or responsibility for: (1) changes made to this email after it was sent, or (2) viruses transmitted through this email or any attachment.
Miller Homes Limited <https://www.millerhomes.co.uk>
More information about the Freeradius-Users