dot1x/radius not working for a Windows PC
Elizabeth.Merritt at L3Harris.com
Thu Aug 8 17:46:09 UTC 2024
We edited the hints file to remove the host/ from the prefix. Added:
DEFAULT Prefix == "host/", Strip-User-Name = Yes
Service-Type = Framed-User
This works fine with 2 Windows workstations, but we cannot get it to work on this one workstation. We don't have access to fiddle with it in a lab to change a bunch of settings. I had the end user tech add the certs, turn on 802.1x and change some settings that I know work on the other 2 workstations.
This is the debug output from the non-working workstation; I included 3 packets with somewhat different information, they are not exactly the same. The main thing I noticed is this message:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! EAP session with state 0xdce90442ddea0923ee04c7b3a63d3e39 did not finish! !!
!! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I read some info in there but didn't really know what I could change on the Windows 10 side. They have TLS 1.2 enabled only, that part I did check. But I'm not sure what else to look for.
Received Access-Request Id 142 from 10.2.212.121:1645 to 10.2.212.41:1645 length 307
(28) Received Access-Request Id 141 from 10.2.212.121:1645 to 10.2.212.41:1645 length 289
(28) User-Name = "host/wsk-emewks451a-swfo-san.ssd.goes"
(28) Service-Type = Framed-User
(28) Cisco-AVPair = "service-type=Framed"
(28) Framed-MTU = 1500
(28) Called-Station-Id = "50-57-A8-37-CF-08"
(28) Calling-Station-Id = "08-92-04-DA-BB-CE"
(28) EAP-Message = 0x02020006030d
(28) Message-Authenticator = 0xbfc6b4ff2d8b0c824ebbe97f4c29ee0d
(28) Cisco-AVPair = "audit-session-id=0000000000000393B2CBD69D"
(28) Cisco-AVPair = "method=dot1x"
(28) NAS-IP-Address = 10.2.183.68
(28) NAS-Port-Id = "GigabitEthernet0/8"
(28) NAS-Port-Type = Ethernet
(28) NAS-Port = 50108
(28) State = 0xdce90442dceb0023ee04c7b3a63d3e39
(28) session-state: No cached attributes
(28) # Executing section authorize from file /etc/raddb/sites-enabled/default.noldap
(28) authorize {
(28) preprocess: hints: Matched DEFAULT at 87
(28) [preprocess] = ok
(28) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(28) auth_log: --> /var/log/radius/radacct/10.2.212.121/auth-detail-20240725
(28) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.2.212.121/auth-detail-20240725
(28) auth_log: EXPAND %t
(28) auth_log: --> Thu Jul 25 20:03:51 2024
(28) [auth_log] = ok
(28) [chap] = noop
(28) [mschap] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "wsk-emewks451a-swfo-san.ssd.goes", looking up realm NULL
(28) suffix: No such realm "NULL"
(28) [suffix] = noop
(28) if (!EAP-Message) {
(28) if (!EAP-Message) -> FALSE
(28) else {
(28) eap: Peer sent EAP Response (code 2) ID 2 length 6
(28) eap: No EAP Start, assuming it's an on-going EAP conversation
(28) [eap] = updated
(28) } # else = updated
(28) files: users: Matched entry wsk-emewks451a-swfo-san.ssd.goes at line 83414
(28) [files] = ok
(28) [expiration] = noop
(28) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(28) [pap] = noop
(28) } # authorize = updated
(28) Found Auth-Type = eap
(28) # Executing group from file /etc/raddb/sites-enabled/default.noldap
(28) authenticate {
(28) eap: Expiring EAP session with state 0xdce90442dceb0023
(28) eap: Finished EAP session with state 0xdce90442dceb0023
(28) eap: Previous EAP request found for state 0xdce90442dceb0023, released from the list
(28) eap: Peer sent packet with method EAP NAK (3)
(28) eap: Found mutually acceptable type TLS (13)
(28) eap: Calling submodule eap_tls to process data
(28) eap_tls: Initiating new TLS session
(28) eap_tls: Setting verify mode to require certificate from client
(28) eap_tls: [eaptls start] = request
(28) eap: Sending EAP Request (code 1) ID 3 length 6
(28) eap: EAP session adding &reply:State = 0xdce90442ddea0923
(28) [eap] = handled
(28) } # authenticate = handled
(28) Using Post-Auth-Type Challenge
(28) # Executing group from file /etc/raddb/sites-enabled/default.noldap
(28) Challenge { ... } # empty sub-section is ignored
(28) Sent Access-Challenge Id 141 from 10.2.212.41:1645 to 10.2.212.121:1645 length 0
(28) Service-Type = Framed-User
(28) Tunnel-Type = VLAN
(28) Tunnel-Medium-Type = IEEE-802
(28) Tunnel-Private-Group-Id = "1620"
(28) EAP-Message = 0x010300060d20
(28) Message-Authenticator = 0x00000000000000000000000000000000
(28) State = 0xdce90442ddea0923ee04c7b3a63d3e39
(28) Finished request
(59) User-Name = "host/wsk-emewks451a-swfo-san.ssd.goes"
(59) Service-Type = Framed-User
(59) Cisco-AVPair = "service-type=Framed"
(59) Framed-MTU = 1500
(59) Called-Station-Id = "50-57-A8-37-CF-08"
(59) Calling-Station-Id = "08-92-04-DA-BB-CE"
(59) EAP-Message = 0x0201002a01686f73742f77736b2d656d65776b73343531612d7377666f2d73616e2e7373642e676f6573
(59) Message-Authenticator = 0x201663034ec8fb6c3cee27240d412aa3
(59) Cisco-AVPair = "audit-session-id=0000000000000393B2CBD69D"
(59) Cisco-AVPair = "method=dot1x"
(59) NAS-IP-Address = 10.2.183.68
(59) NAS-Port-Id = "GigabitEthernet0/8"
(59) NAS-Port-Type = Ethernet
(59) NAS-Port = 50108
(59) # Executing section authorize from file /etc/raddb/sites-enabled/default.noldap
(59) authorize {
(59) preprocess: hints: Matched DEFAULT at 87
(59) [preprocess] = ok
(59) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(59) auth_log: --> /var/log/radius/radacct/10.2.212.121/auth-detail-20240725
(59) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.2.212.121/auth-detail-20240725
(59) auth_log: EXPAND %t
(59) auth_log: --> Thu Jul 25 20:05:30 2024
(59) [auth_log] = ok
(59) [chap] = noop
(59) [mschap] = noop
(59) suffix: Checking for suffix after "@"
(59) suffix: No '@' in User-Name = "wsk-emewks451a-swfo-san.ssd.goes", looking up realm NULL
(59) suffix: No such realm "NULL"
(59) [suffix] = noop
(59) if (!EAP-Message) {
(59) if (!EAP-Message) -> FALSE
(59) else {
(59) eap: Peer sent EAP Response (code 2) ID 1 length 42
(59) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(59) [eap] = ok
(59) } # else = ok
(59) files: users: Matched entry wsk-emewks451a-swfo-san.ssd.goes at line 83414
(59) [files] = ok
(59) [expiration] = noop
(59) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(59) [pap] = noop
(59) } # authorize = ok
(59) Found Auth-Type = eap
(59) # Executing group from file /etc/raddb/sites-enabled/default.noldap
(59) authenticate {
(59) eap: Peer sent packet with method EAP Identity (1)
(59) eap: Calling submodule eap_md5 to process data
(59) eap_md5: Issuing MD5 Challenge
(59) eap: Sending EAP Request (code 1) ID 2 length 22
(59) eap: EAP session adding &reply:State = 0x4df4b28d4df6b6ab
(59) [eap] = handled
(59) } # authenticate = handled
(59) Using Post-Auth-Type Challenge
(59) # Executing group from file /etc/raddb/sites-enabled/default.noldap
(59) Challenge { ... } # empty sub-section is ignored
(59) Sent Access-Challenge Id 142 from 10.2.212.41:1645 to 10.2.212.121:1645 length 0
(59) Service-Type = Framed-User
(59) Tunnel-Type = VLAN
(59) Tunnel-Medium-Type = IEEE-802
(59) Tunnel-Private-Group-Id = "1620"
(59) EAP-Message = 0x0102001604105a03bf3188ae1cb382b11678274d4e0d
(59) Message-Authenticator = 0x00000000000000000000000000000000
(59) State = 0x4df4b28d4df6b6ab7f4b542af5a75661
(59) Finished request
(60) Received Access-Request Id 143 from 10.2.212.121:1645 to 10.2.212.41:1645 length 289
(60) User-Name = "host/wsk-emewks451a-swfo-san.ssd.goes"
(60) Service-Type = Framed-User
(60) Cisco-AVPair = "service-type=Framed"
(60) Framed-MTU = 1500
(60) Called-Station-Id = "50-57-A8-37-CF-08"
(60) Calling-Station-Id = "08-92-04-DA-BB-CE"
(60) EAP-Message = 0x02020006030d
(60) Message-Authenticator = 0x06853883925b90c1f0fe77538b0b5a14
(60) Cisco-AVPair = "audit-session-id=0000000000000393B2CBD69D"
(60) Cisco-AVPair = "method=dot1x"
(60) NAS-IP-Address = 10.2.183.68
(60) NAS-Port-Id = "GigabitEthernet0/8"
(60) NAS-Port-Type = Ethernet
(60) NAS-Port = 50108
(60) State = 0x4df4b28d4df6b6ab7f4b542af5a75661
(60) session-state: No cached attributes
(60) # Executing section authorize from file /etc/raddb/sites-enabled/default.noldap
(60) authorize {
(60) preprocess: hints: Matched DEFAULT at 87
(60) [preprocess] = ok
(60) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(60) auth_log: --> /var/log/radius/radacct/10.2.212.121/auth-detail-20240725
(60) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.2.212.121/auth-detail-20240725
(60) auth_log: EXPAND %t
(60) auth_log: --> Thu Jul 25 20:05:30 2024
(60) [auth_log] = ok
(60) [chap] = noop
(60) [mschap] = noop
(60) suffix: Checking for suffix after "@"
(60) suffix: No '@' in User-Name = "wsk-emewks451a-swfo-san.ssd.goes", looking up realm NULL
(60) suffix: No such realm "NULL"
(60) [suffix] = noop
(60) if (!EAP-Message) {
(60) if (!EAP-Message) -> FALSE
(60) else {
(60) eap: Peer sent EAP Response (code 2) ID 2 length 6
(60) eap: No EAP Start, assuming it's an on-going EAP conversation
(60) [eap] = updated
(60) } # else = updated
(60) files: users: Matched entry wsk-emewks451a-swfo-san.ssd.goes at line 83414
(60) [files] = ok
(60) [expiration] = noop
(60) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(60) [pap] = noop
(60) } # authorize = updated
(60) Found Auth-Type = eap
(60) # Executing group from file /etc/raddb/sites-enabled/default.noldap
(60) authenticate {
(60) eap: Expiring EAP session with state 0xdce90442ddea0923
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! EAP session with state 0xdce90442ddea0923ee04c7b3a63d3e39 did not finish! !!
!! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(60) eap: Expiring EAP session with state 0x4df4b28d4df6b6ab
(60) eap: Finished EAP session with state 0x4df4b28d4df6b6ab
(60) eap: Previous EAP request found for state 0x4df4b28d4df6b6ab, released from the list
(60) eap: Peer sent packet with method EAP NAK (3)
(60) eap: Found mutually acceptable type TLS (13)
(60) eap: Calling submodule eap_tls to process data
(60) eap_tls: Initiating new TLS session
(60) eap_tls: Setting verify mode to require certificate from client
(60) eap_tls: [eaptls start] = request
(60) eap: Sending EAP Request (code 1) ID 3 length 6
(60) eap: EAP session adding &reply:State = 0x4df4b28d4cf7bfab
(60) [eap] = handled
(60) } # authenticate = handled
(60) Using Post-Auth-Type Challenge
(60) # Executing group from file /etc/raddb/sites-enabled/default.noldap
(60) Challenge { ... } # empty sub-section is ignored
(60) Sent Access-Challenge Id 143 from 10.2.212.41:1645 to 10.2.212.121:1645 length 0
(60) Service-Type = Framed-User
(60) Tunnel-Type = VLAN
(60) Tunnel-Medium-Type = IEEE-802
(60) Tunnel-Private-Group-Id = "1620"
(60) EAP-Message = 0x010300060d20
(60) Message-Authenticator = 0x00000000000000000000000000000000
(60) State = 0x4df4b28d4cf7bfab7f4b542af5a75661
(60) Finished request
=================
Now, the debug below is from a working Win10 workstation with 802.1x/RADIUS:
(60) Received Accounting-Request Id 124 from 10.3.212.121:1646 to 10.3.212.41:1813 length 276
(60) User-Name = "host/rsk-emewks453a-swfo-san.ssd.goes"
(60) Cisco-AVPair = "audit-session-id=0000000000000518207A94C4"
(60) Cisco-AVPair = "vlan-id=1620"
(60) Cisco-AVPair = "method=dot1x"
(60) Called-Station-Id = "50-57-A8-88-C1-87"
(60) Calling-Station-Id = "08-92-04-DA-BB-BD"
(60) NAS-IP-Address = 10.3.183.229
(60) NAS-Port-Id = "GigabitEthernet0/7"
(60) NAS-Port-Type = Ethernet
(60) NAS-Port = 50107
(60) Acct-Session-Id = "000004CA"
(60) Acct-Status-Type = Interim-Update
(60) Event-Timestamp = "Jul 30 2024 19:17:40 GMT"
(60) Acct-Input-Octets = 1009574
(60) Acct-Output-Octets = 3036209
(60) Acct-Input-Packets = 7042
(60) Acct-Output-Packets = 14554
(60) Acct-Delay-Time = 0
(60) # Executing section preacct from file /etc/raddb/sites-enabled/default
(60) preacct {
(60) preprocess: hints: Matched DEFAULT at 87
(60) [preprocess] = ok
(60) policy acct_unique {
(60) update request {
(60) &Tmp-String-9 := "ai:"
(60) } # update request = noop
(60) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(60) EXPAND %{hex:&Class}
(60) -->
(60) EXPAND ^%{hex:&Tmp-String-9}
(60) --> ^61693a
(60) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(60) else {
(60) update request {
(60) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(60) --> 9472f67aac4cf716dab6f08893e32145
(60) &Acct-Unique-Session-Id := 9472f67aac4cf716dab6f08893e32145
(60) } # update request = noop
(60) } # else = noop
(60) } # policy acct_unique = noop
(60) suffix: Checking for suffix after "@"
(60) suffix: No '@' in User-Name = "rsk-emewks453a-swfo-san.ssd.goes", looking up realm NULL
(60) suffix: No such realm "NULL"
(60) [suffix] = noop
(60) [files] = noop
(60) } # preacct = ok
(60) # Executing section accounting from file /etc/raddb/sites-enabled/default
(60) accounting {
(60) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(60) detail: --> /var/log/radius/radacct/10.3.212.121/detail-20240730
(60) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.3.212.121/detail-20240730
(60) detail: EXPAND %t
(60) detail: --> Tue Jul 30 19:17:39 2024
(60) [detail] = ok
(60) [unix] = noop
(60) [exec] = noop
(60) attr_filter.accounting_response: EXPAND %{User-Name}
(60) attr_filter.accounting_response: --> host/rsk-emewks453a-swfo-san.ssd.goes
(60) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(60) [attr_filter.accounting_response] = updated
(60) } # accounting = updated
(60) Sent Accounting-Response Id 124 from 10.3.212.41:1813 to 10.3.212.121:1646 length 0
(60) Finished request
(60) Cleaning up request packet ID 124 with timestamp +93
(61) Received Accounting-Request Id 125 from 10.3.212.121:1646 to 10.3.212.41:1813 length 282
(61) User-Name = "host/rsk-emewks453a-swfo-san.ssd.goes"
(61) Cisco-AVPair = "audit-session-id=0000000000000518207A94C4"
(61) Cisco-AVPair = "vlan-id=1620"
(61) Cisco-AVPair = "method=dot1x"
(61) Called-Station-Id = "50-57-A8-88-C1-87"
(61) Calling-Station-Id = "08-92-04-DA-BB-BD"
(61) NAS-IP-Address = 10.3.183.229
(61) NAS-Port-Id = "GigabitEthernet0/7"
(61) NAS-Port-Type = Ethernet
(61) NAS-Port = 50107
(61) Acct-Session-Id = "000004CA"
(61) Framed-IP-Address = 10.13.143.197
(61) Acct-Status-Type = Interim-Update
(61) Event-Timestamp = "Jul 30 2024 19:17:40 GMT"
(61) Acct-Input-Octets = 1009574
(61) Acct-Output-Octets = 3036209
(61) Acct-Input-Packets = 7042
(61) Acct-Output-Packets = 14554
(61) Acct-Delay-Time = 0
(61) # Executing section preacct from file /etc/raddb/sites-enabled/default
(61) preacct {
(61) preprocess: hints: Matched DEFAULT at 87
(61) [preprocess] = ok
(61) policy acct_unique {
(61) update request {
(61) &Tmp-String-9 := "ai:"
(61) } # update request = noop
(61) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(61) EXPAND %{hex:&Class}
(61) -->
(61) EXPAND ^%{hex:&Tmp-String-9}
(61) --> ^61693a
(61) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(61) else {
(61) update request {
(61) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(61) --> 9472f67aac4cf716dab6f08893e32145
(61) &Acct-Unique-Session-Id := 9472f67aac4cf716dab6f08893e32145
(61) } # update request = noop
(61) } # else = noop
(61) } # policy acct_unique = noop
(61) suffix: Checking for suffix after "@"
(61) suffix: No '@' in User-Name = "rsk-emewks453a-swfo-san.ssd.goes", looking up realm NULL
(61) suffix: No such realm "NULL"
(61) [suffix] = noop
(61) [files] = noop
(61) } # preacct = ok
(61) # Executing section accounting from file /etc/raddb/sites-enabled/default
(61) accounting {
(61) detail: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(61) detail: --> /var/log/radius/radacct/10.3.212.121/detail-20240730
(61) detail: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.3.212.121/detail-20240730
(61) detail: EXPAND %t
(61) detail: --> Tue Jul 30 19:17:39 2024
(61) [detail] = ok
(61) [unix] = noop
(61) [exec] = noop
(61) attr_filter.accounting_response: EXPAND %{User-Name}
(61) attr_filter.accounting_response: --> host/rsk-emewks453a-swfo-san.ssd.goes
(61) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(61) [attr_filter.accounting_response] = updated
(61) } # accounting = updated
(61) Sent Accounting-Response Id 125 from 10.3.212.41:1813 to 10.3.212.121:1646 length 0
(61) Finished request
(61) Cleaning up request packet ID 125 with timestamp +93
Cordially,
Elizabeth Merritt
Network Planning Engineer V | GGSS/GOES-R EI Network Sustainment
Space & airborne systems | L3HARRIS TECHNOLOGIES
Primary: m +1.321.408.0911
L3Harris.com | Elizabeth.Merritt at L3Harris.com
407 N John Rodes Blvd, Office # G136 | Melbourne, FL 32934 | USA
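The four EAP-Message values in the failing trace decode to a short, readable conversation, and reading them is quicker than guessing from the "did not finish" banner. Below is an added example (my own code, not from the original post and not FreeRADIUS code) that parses those values per RFC 3748 (header, Identity, Nak, MD5-Challenge) and RFC 5216 (the EAP-TLS flags byte); the function and field names are this example's own. Run against the hex strings from requests (59) and (60) it shows: the peer's Identity response carrying host/wsk-emewks451a-swfo-san.ssd.goes, the server's MD5-Challenge (FreeRADIUS offers its configured default EAP type first, which is why eap_md5 appears), the peer's Nak asking for type 13 (EAP-TLS), and the server's EAP-TLS request with only the S flag set and no TLS bytes, i.e. an EAP-TLS Start. Request (28) ends on the same Start; the next packet from that supplicant is the fresh Identity in (59), which is what makes the server expire the (28) state and print the warning.

```python
"""Decode the EAP-Message attribute values in a FreeRADIUS debug trace.

Added example (not from the original post or from FreeRADIUS itself).
Parses EAP packets per RFC 3748 (header, Identity, Nak, MD5-Challenge)
and RFC 5216 (EAP-TLS flags byte) so the hex strings that radiusd -X
prints can be read as one conversation. Function and field names are
this example's own choices.
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
# EAP-TLS flags byte (RFC 5216 section 3.1): L = length included,
# M = more fragments, S = EAP-TLS Start.
TLS_FLAG_L, TLS_FLAG_M, TLS_FLAG_S = 0x80, 0x40, 0x20


def parse_eap(hex_value):
    """Parse one EAP packet from the '0x...' form shown in the debug output."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, f"code-{code}"), "id": ident, "length": length}
    if code in (3, 4):                      # Success/Failure carry no Type
        return pkt
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type, data = raw[4], raw[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
    if eap_type == 1:                       # Identity: the bare NAI / host name
        pkt["identity"] = data.decode("utf-8", errors="replace")
    elif eap_type == 3:                     # Nak: types the peer will accept
        pkt["desired_types"] = [EAP_TYPES.get(t, f"type-{t}") for t in data]
    elif eap_type == 4:                     # MD5-Challenge: size byte + value
        size = data[0]
        pkt["challenge"] = data[1:1 + size].hex()
    elif eap_type == 13:                    # EAP-TLS: flags byte, then TLS data
        flags = data[0]
        pkt["tls_flags"] = {"L": bool(flags & TLS_FLAG_L),
                            "M": bool(flags & TLS_FLAG_M),
                            "S": bool(flags & TLS_FLAG_S)}
        # The 4-byte TLS Message Length field is present only when L is set
        pkt["tls_payload_len"] = len(data) - 1 - (4 if flags & TLS_FLAG_L else 0)
    return pkt


def describe(pkt):
    """One-line reading of a parsed packet, for eyeballing a trace."""
    out = f"{pkt['code']} id={pkt['id']} len={pkt['length']}"
    if "type" not in pkt:
        return out
    out += f" {pkt['type']}"
    if "identity" in pkt:
        out += f" identity={pkt['identity']!r}"
    if "desired_types" in pkt:
        out += " wants=" + ",".join(pkt["desired_types"])
    if "challenge" in pkt:
        out += f" challenge={pkt['challenge']}"
    if "tls_flags" in pkt:
        set_flags = "".join(k for k, v in pkt["tls_flags"].items() if v) or "-"
        out += f" flags={set_flags} tls_bytes={pkt['tls_payload_len']}"
        if pkt["tls_flags"]["S"] and pkt["tls_payload_len"] == 0:
            out += " (EAP-TLS Start, waiting for the peer's ClientHello)"
    return out


def stalls_after_tls_start(packets):
    """True when the server sent an EAP-TLS Start and no later packet from the
    peer carried TLS data: the shape of a conversation FreeRADIUS later reports
    as 'EAP session ... did not finish'."""
    started = False
    for pkt in packets:
        if started and pkt["code"] == "Response" and pkt.get("type") == "EAP-TLS":
            return False
        if (pkt["code"] == "Request" and pkt.get("type") == "EAP-TLS"
                and pkt["tls_flags"]["S"]):
            started = True
    return started


# The EAP-Message values copied from requests (59) and (60) in the trace, in
# conversation order. Request (28) carries the same Nak / Start pair.
TRACE = [
    ("(59) peer   ", "0x0201002a01686f73742f77736b2d656d65776b73343531612d7377666f2d73616e2e7373642e676f6573"),
    ("(59) server ", "0x0102001604105a03bf3188ae1cb382b11678274d4e0d"),
    ("(60) peer   ", "0x02020006030d"),
    ("(60) server ", "0x010300060d20"),
]

if __name__ == "__main__":
    parsed = []
    for who, hex_value in TRACE:
        pkt = parse_eap(hex_value)
        parsed.append(pkt)
        print(who, describe(pkt))
    print("stalled after EAP-TLS Start:", stalls_after_tls_start(parsed))
```

The useful caveat this gives a troubleshooter: at the point where this conversation stops, no TLS record has been exchanged at all. The Certificate_Compatibility wiki page the banner points to covers the case where the client starts TLS and then rejects the server's certificate, which would show up as TLS data after the Start followed by an alert or silence. A supplicant that never answers the Start with a ClientHello and instead begins a new Identity exchange has abandoned the attempt on its own side, so the next place to look is the supplicant's wired 802.1X profile and its own event logs rather than the RADIUS server's certificate chain.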