Some clients not using EAP-TLS anymore

Steinhagen, Tom tsteinhagen at landstar.com
Tue Aug 9 15:09:45 UTC 2022


You don't indicate what OS these machines are running, but in the past I have observed Windows-based machines lose their preferred authentication configuration (certificate vs other EAP methods) when network drivers were updated. Since our configuration only permits certificate authentication for Windows-based PCs, other EAP methods fail and the switches will failover to MAB per their configuration. The cycle repeats ad nauseam until the client is reconfigured for proper authentication.

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+tsteinhagen=landstar.com at lists.freeradius.org> On Behalf Of David le Roux
Sent: Tuesday, August 09, 2022 9:19 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: RE: Some clients not using EAP-TLS anymore



I thought so as well until we had dissimilar switches show the same errors which led me to believe it could be something else.

Thanks for your time.

David le Roux




-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+david.leroux=miller.co.uk at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: 09 August 2022 15:10
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Some clients not using EAP-TLS anymore

On Aug 9, 2022, at 9:53 AM, David le Roux <david.leroux at miller.co.uk> wrote:
> I have a fairly new problem where some clients (Desktops/Laptops) have stopped using their certificates and using EAP and instead present their mac addresses.

  Those machines don't do "mac auth" checks.  That's configured on the switch.  The machines just (a) send 802.1X, or (b) normal traffic (i.e. DHCP, ARP, etc.)

> However this is a minority of clients and has only started to occur recently. The Radius server is configured to do both eap-tls and mac-based auth for clients that aren't compatible. Naturally we don't have mac addresses stored in authorized_macs for our EAP clients.
>
> Furthermore the error is not consistent. Some clients throw errors in the logs but can continue to log in (they usually have a mix of successful EAP authentications and unsuccessful mac based auth). Some can log in after an ipconfig /release /renew. This occurs on a variety of access points (that is, different manufacturers) and nothing has changed on them or the radius server as far as I can tell.

  The choice to do MAC auth vs 802.1X is 99.99% the AP / switch.

  The end-user machine needs to be configured to do 802.1X of course.  But it only does 802.1X if the switch sends an EAPoL frame saying "do 802.1X".

  FreeRADIUS just gets packets from the AP / switch.  No amount of poking FreeRADIUS will make the AP / switch change its behavior.

  This is 100% a switch problem.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

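The thread's diagnostic problem is telling apart three populations from the RADIUS side: machines that only ever do MAB, machines whose MAB attempts are rejected because they are not in `authorized_macs`, and the "minority of clients" that mix successful EAP-TLS logins with failed MAB attempts (the flapping David describes, which Alan attributes to the switch/AP and Tom to a lost supplicant configuration). The following script is an added example, not code from the thread or from the FreeRADIUS project. It assumes log lines in the shape of radiusd's "Login OK" / "Login incorrect" messages (the regex is representative and may need adjusting for your version and format), and it treats a request as MAB when the User-Name is the same MAC as the Calling-Station-Id, which is how MAB requests normally arrive. The sample log is constructed.

```python
"""Classify RADIUS clients by the mix of EAP and MAB results seen per MAC.

Added example, not part of the mailing-list thread or of FreeRADIUS itself.
Assumption: log lines look like radiusd's default "Login OK"/"Login incorrect"
lines, and MAB requests carry the MAC address as the User-Name.
"""
import re
from collections import defaultdict

# Constructed sample in the style of radiusd's auth log; not real data.
SAMPLE_LOG = """\
Tue Aug  9 09:01:02 2022 : Auth: (12) Login OK: [host/pc-0417.example.test] (from client core-sw-1 port 14 cli 00-11-22-33-44-55 via TLS tunnel)
Tue Aug  9 09:05:10 2022 : Auth: (15) Login incorrect: [001122334455] (from client core-sw-1 port 14 cli 00-11-22-33-44-55)
Tue Aug  9 09:30:44 2022 : Auth: (40) Login OK: [host/pc-0417.example.test] (from client core-sw-1 port 14 cli 00-11-22-33-44-55 via TLS tunnel)
Tue Aug  9 09:31:00 2022 : Auth: (41) Login OK: [host/pc-0902.example.test] (from client ap-lobby port 0 cli AA-BB-CC-DD-EE-01 via TLS tunnel)
Tue Aug  9 09:40:12 2022 : Auth: (52) Login OK: [aabbccddee99] (from client ap-lobby port 0 cli AA-BB-CC-DD-EE-99)
Tue Aug  9 09:41:00 2022 : Auth: (53) Login incorrect: [aabbccddee77] (from client core-sw-2 port 3 cli AA-BB-CC-DD-EE-77)
"""

# Representative pattern for the "Login OK"/"Login incorrect" line; adjust to taste.
LINE_RE = re.compile(
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>[0-9A-Fa-f:.-]+)"
)


def norm_mac(text):
    """Reduce any MAC spelling (aa-bb..., aa:bb..., aabb.cc...) to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def parse_line(line):
    """Return one record per auth line, or None for lines that are not auth results."""
    m = LINE_RE.search(line)
    if not m:
        return None
    cli_mac = norm_mac(m.group("cli"))
    user_mac = norm_mac(m.group("user"))
    # MAB: the switch/AP sent the client's MAC as the User-Name. Anything else is
    # an 802.1X (here EAP-TLS) login carrying a real identity.
    is_mab = len(user_mac) == 12 and user_mac == cli_mac
    return {
        "mac": cli_mac,
        "where": f"{m.group('client')}/port {m.group('port')}",
        "method": "mab" if is_mab else "eap",
        "ok": m.group("result") == "OK",
    }


def classify(log_text):
    """Map each client MAC to a verdict based on the mix of results seen for it."""
    counts = defaultdict(lambda: {"eap_ok": 0, "eap_fail": 0, "mab_ok": 0, "mab_fail": 0})
    where = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["mac"]][rec["method"] + ("_ok" if rec["ok"] else "_fail")] += 1
        where[rec["mac"]].add(rec["where"])

    verdicts = {}
    for mac, c in counts.items():
        if c["eap_ok"] and (c["mab_ok"] or c["mab_fail"]):
            # 802.1X works on this machine, yet the NAS also fell back to MAB:
            # the flapping case from the thread; check the supplicant and the port.
            verdicts[mac] = "flapping"
        elif c["mab_fail"] and not (c["eap_ok"] or c["eap_fail"]):
            # Never seen doing 802.1X and not in authorized_macs.
            verdicts[mac] = "mab-rejected"
        elif c["mab_ok"]:
            verdicts[mac] = "mab-ok"
        else:
            verdicts[mac] = "eap-only"
    return verdicts


def report(log_text):
    """Human-readable summary, one line per MAC, with the NAS/port it was seen on."""
    lines = []
    where = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            where[rec["mac"]].add(rec["where"])
    for mac, verdict in sorted(classify(log_text).items()):
        lines.append(f"{mac}  {verdict:13s}  seen on {', '.join(sorted(where[mac]))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against `radius.log` (or the output of `radiusd -X` piped to a file) to get the list of MACs in the "flapping" state together with the switch or AP and port they were seen on; that is the set to take to the switch configuration and, per Tom's observation, to the supplicant settings on the Windows side.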

