dot1x/radius not working for a Windows PC
Alan DeKok
aland at deployingradius.com
Fri Aug 16 13:25:30 UTC 2024
On Aug 8, 2024, at 1:46 PM, EMY via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> We edited the hints file to remove the host/ from the prefix. Added:
> DEFAULT Prefix == "host/", Strip-User-Name = Yes
>         Service-Type = Framed-User
>
> This works fine with 2 Windows workstations, but we cannot get it to work on this one workstation. We don't have access to fiddle with it in a lab to change a bunch of settings. I had the end user tech add the certs, turn on 802.1x and change some settings that I know work on the other 2 workstations.
>
> This is the debug output from the non-working workstation, included 3 packets with somewhat different information, they are not exactly the same. The main thing I noticed is this message:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !! EAP session with state 0xdce90442ddea0923ee04c7b3a63d3e39 did not finish! !!
> !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility !!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> I read some info in there but didn't really know what I could change on the Windows 10 side. They have TLS1.2 enabled only, that part I did check. But not sure what else to look for.
The root cause of the issue is that the Windows system is refusing to do EAP with FreeRADIUS. It doesn't like the certificate, or the TLS parameters, or something else.
There is no way to debug this from the FreeRADIUS side, because the Windows system doesn't tell FreeRADIUS *why* it stopped talking EAP. It just stops talking EAP.
You'll have to look at the Windows system logs and configuration to see what's going on. For some reason, this system is configured differently than the rest, and that difference is what's causing the problem.
Alan DeKok.
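
One way to act on the advice above to check the Windows logs and configuration, as an added example that is not part of the original thread: a PowerShell script that snapshots the 802.1X-related state of a PC so the failing workstation can be compared with a working one. The output path, parameter names and the choice of logs and certificate stores are assumptions.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on a known-good
# PC and on the failing PC, then diff the two output folders.
param(
    [string]$OutDir = "C:\dot1x-snapshot\$env:COMPUTERNAME",  # hypothetical path, no spaces
    [int]$Hours = 2                                           # how far back to pull events
)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. Supplicant services. Wired AutoConfig (dot3svc) must be running for wired 802.1X.
Get-Service dot3svc, WlanSvc -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType |
    Export-Csv "$OutDir\services.csv" -NoTypeInformation

# 2. 802.1X profiles (EAP type, server validation, trusted root settings) as XML.
netsh lan export profile folder=$OutDir | Out-File "$OutDir\netsh-lan.txt"
netsh wlan export profile folder=$OutDir | Out-File "$OutDir\netsh-wlan.txt"

# 3. Schannel protocol overrides; no rows means OS defaults are in effect.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
Get-ChildItem $schannel -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{ Key = $_.Name; Enabled = $p.Enabled; DisabledByDefault = $p.DisabledByDefault }
} | Export-Csv "$OutDir\schannel.csv" -NoTypeInformation

# 4. Machine certificates: trust anchors and the client certificates used for EAP-TLS.
foreach ($store in 'Root', 'CA', 'My') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Select-Object Thumbprint, Subject, Issuer, NotAfter, HasPrivateKey |
        Sort-Object Thumbprint |
        Export-Csv "$OutDir\certs-$store.csv" -NoTypeInformation
}

# 5. Recent events from the supplicant and the TLS stack.
# CAPI2/Operational is disabled by default; enable it, then reproduce the failure.
$since = (Get-Date).AddHours(-$Hours)
$logs = 'Microsoft-Windows-Wired-AutoConfig/Operational',
        'Microsoft-Windows-WLAN-AutoConfig/Operational',
        'Microsoft-Windows-CAPI2/Operational', 'System'
$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $log -ne 'System' -or $_.ProviderName -eq 'Schannel' }
}
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message |
    Export-Csv "$OutDir\events.csv" -NoTypeInformation
```

Comparing the CSV and XML files from the two machines, for example with `Compare-Object` over `Get-Content`, shows where the failing workstation is configured differently.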