dot1x authentication doesn't work

Alan DeKok aland at deployingradius.com
Sun May 14 12:00:31 UTC 2023


On May 12, 2023, at 11:24 AM, Семенюк Александр Петрович <SemenyukAP at nn-edinstvo.ru> wrote:
> Unfortunately, I completely don’t understand how it should work. I’ve read a lot of successful stories about “how to configure” Freeradius with Samba and MS domain, Cisco Catalyst switch and Windows 10 PC in order to perform dot1x authentication for users in the LAN with their MS domain accounts.
> Suddenly it even worked some time ago. But now – no, it doesn’t.

  There's my guide on http://deployingradius.com/.  It's been there for ~20 years.

  It has DETAILED guides for getting PEAP working, and for getting AD / Samba authentication working.

  Most other guides are confused, wrong, or have only partial information.

> Maybe my logs can help you to help me - to show me what exactly I should fix and where.
> Could you, please?
> I can show in addition, if there is a reason:
> 
> - Switch port config
> 
> - Win PC network authentication config

  All of the documentation says to post the server debug output.  We don't need anything else.  We don't need the Cisco debug output.

  The important part of the debug output is this:

(7) Using Post-Auth-Type Challenge
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7)   Challenge { ... } # empty sub-section is ignored
(7) session-state: Saving cached attributes
(7)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(7)   TLS-Session-Version = "TLS 1.2"
(7) Sent Access-Challenge Id 154 from 172.23.70.54:1812 to 172.23.73.22:1645 length 0
(7)   EAP-Message = 0x010800281900170303001d3a4b57541b3879cb77e9f3a99c91af1c6bbb2189705812f38230171fff
(7)   Message-Authenticator = 0x00000000000000000000000000000000
(7)   State = 0xc00c5163c604483d1404d0fc5a9963db
(7) Finished request
Waking up in 3.3 seconds.
(1) Cleaning up request packet ID 148 with timestamp +115
(2) Cleaning up request packet ID 149 with timestamp +115
(3) Cleaning up request packet ID 150 with timestamp +116
(4) Cleaning up request packet ID 151 with timestamp +116
Waking up in 0.8 seconds.
(5) Cleaning up request packet ID 152 with timestamp +116

  You need to configure the Windows system to know about the certificate which the server is using.

  Read my web site.  Follow the guide step by step.  Don't skip steps.

  It will work.

  Alan DeKok.
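Added example, not code from the post or from the FreeRADIUS project: a Python decoder for the EAP-Message hex that appears in that debug output, run over a constructed excerpt of the log (the hex value is the one quoted above). It shows which EAP method and which TLS record the server put in its last Access-Challenge, and whether any Access-Request came back from the supplicant afterwards.

```python
import re

# Constructed excerpt modelled on the debug output quoted in the post; the EAP-Message
# hex is the post's own value, the surrounding lines are abbreviated.
DEBUG_LOG = """\
(7) Sent Access-Challenge Id 154 from 172.23.70.54:1812 to 172.23.73.22:1645 length 0
(7)   EAP-Message = 0x010800281900170303001d3a4b57541b3879cb77e9f3a99c91af1c6bbb2189705812f38230171fff
(7)   State = 0xc00c5163c604483d1404d0fc5a9963db
(7) Finished request
(1) Cleaning up request packet ID 148 with timestamp +115
(5) Cleaning up request packet ID 152 with timestamp +116
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def decode_eap_message(hexstr):
    """Decode the RFC 3748 EAP header and, for TLS-based methods, the flags byte
    and the first TLS record header that follows it (RFC 5216-style framing)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if len(data) < 6 or data[4] not in EAP_TYPES:   # Success/Failure or non-TLS method
        return info
    flags = data[5]
    info["type"] = EAP_TYPES[data[4]]
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    pos = 6 + (4 if flags & 0x80 else 0)   # L flag: a 4-byte TLS message length precedes the data
    if flags & 0x20 or len(data) < pos + 5:  # Start packet, or no TLS record header present
        return info
    info["tls_record"] = TLS_CONTENT.get(data[pos], data[pos])
    info["tls_version"] = TLS_VERSIONS.get(int.from_bytes(data[pos + 1:pos + 3], "big"), "unknown")
    info["tls_record_len"] = int.from_bytes(data[pos + 3:pos + 5], "big")
    return info

def diagnose(log):
    """Decode the EAP-Message of the last Access-Challenge in the debug output and report
    whether any Access-Request was received after it (none = the supplicant went silent)."""
    lines = log.splitlines()
    last = max((i for i, l in enumerate(lines) if "Sent Access-Challenge" in l), default=None)
    if last is None:
        return None
    eap = next(re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", l).group(1)
               for l in lines[last:] if "EAP-Message = " in l)
    replied = any("Received Access-Request" in l for l in lines[last:])
    return {"eap": decode_eap_message(eap), "client_replied": replied}

if __name__ == "__main__":
    print(diagnose(DEBUG_LOG))
```

For the quoted output this yields an EAP Request (id 8, PEAP) carrying a TLS 1.2 application_data record with no reply from the client, i.e. the conversation stopped on the supplicant side after the TLS session was set up, which is the point at which the post tells the user to check the Windows client's trust of the server certificate.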


