Windows - dot1x - not working

Alan DeKok aland at deployingradius.com
Wed Jun 12 18:05:36 UTC 2024


On Jun 12, 2024, at 1:34 PM, Elizabeth via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> We have tons of Red Hat 8 workstations that authenticate using a certificate / dot1x / freeradius and work perfectly.  I cannot get the Windows 10 workstation to work, authenticate with dot1x, or receive its proper VLAN.  I've searched around for answers and changed a few things noted below.

  OK...

> Added this line in the raddb/mods-config/preprocess/hints file:
> DEFAULT Prefix == "host/", Strip-User-Name = Yes
>        Service-Type = Framed-User
> 
> Added this line in raddb/sites-enabled/default.noldap file:
> authorize
>        if ("%{User-Name}" =~ /^host\/(.*)/) {
>                update request {
>                        Stripped-User-Name = "%{1}"
>                }
>        }

  Why were these changes made?

> This is the workstation in the raddb/users file:
> wuk-emewks265a-swfo-san.ssd.goes
>        Service-Type = Framed-User,
>        Tunnel-Type = VLAN,
>        Tunnel-Medium-Type = IEEE-802,
>        Tunnel-Private-Group-ID = "602"

  There's no password, which might be an issue.

> (45) Received Access-Request Id 145 from 10.2.212.121:50797 to 10.2.212.41:1645 length 292
> (45)   User-Name = "wsk-emewks218a-oe.ssd.goes"
> (45)   Service-Type = Framed-User
> (45)   Cisco-AVPair = "service-type=Framed"
> (45)   Framed-MTU = 1500
> (45)   Called-Station-Id = "50-57-A8-37-CF-0C"
> (45)   Calling-Station-Id = "E4-54-E8-50-D1-27"
> (45)   EAP-Message = 0x0201001f0177736b2d656d65776b73323138612d6f652e7373642e676f6573
> (45)   Message-Authenticator = 0x098b246847a14bf7921f8990a9bd9455
> (45)   Cisco-AVPair = "audit-session-id=000000000000023E1EC0D866"
> (45)   Cisco-AVPair = "method=dot1x"
> (45)   Framed-IP-Address = 10.2.222.218
> (45)   NAS-IP-Address = 10.2.183.68
> (45)   NAS-Port-Id = "GigabitEthernet0/12"
> (45)   NAS-Port-Type = Ethernet
> (45)   NAS-Port = 50112

  Ok, so EAP starts.

> ...
> (45) # Executing group from file /etc/raddb/sites-enabled/default.noldap
> (45)   authenticate {
> (45) eap: Peer sent packet with method EAP Identity (1)
> (45) eap: Calling submodule eap_md5 to process data
> (45) eap_md5: Issuing MD5 Challenge
> (45) eap: Sending EAP Request (code 1) ID 2 length 22
> (45) eap: EAP session adding &reply:State = 0x2752195227501dda

  The server is doing EAP-MD5.  While this is the default, you might change that in mods-enabled/eap.  Perhaps setting the default to TTLS or PEAP might help.

> (45)     [eap] = handled
> (45)   } # authenticate = handled
> (45) Using Post-Auth-Type Challenge
> (45) # Executing group from file /etc/raddb/sites-enabled/default.noldap
> (45)   Challenge { ... } # empty sub-section is ignored
> (45) Sent Access-Challenge Id 145 from 10.2.212.41:1645 to 10.2.212.121:50797 length 0
> (45)   Service-Type = Framed-User
> (45)   Tunnel-Type = VLAN
> (45)   Tunnel-Medium-Type = IEEE-802
> (45)   Tunnel-Private-Group-Id = "601"
> (45)   EAP-Message = 0x0102001604103bb9d2560819735654919640451304d8
> (45)   Message-Authenticator = 0x00000000000000000000000000000000
> (45)   State = 0x2752195227501ddab6bc75517460942a
> (45) Finished request

  The server replies, and the Windows machine never continues the EAP conversation.  You'll have to look at the logs on the Windows machine to see why this happens.

  But changing the default EAP type to PEAP might help, too.

  In short, you can't debug Windows issues by looking at the FreeRADIUS logs.

  Alan DeKok.
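To see for yourself which EAP method the server is offering, the EAP-Message hex values in the debug output can be decoded directly. The following decoder is an added example, not code from this thread or from FreeRADIUS; its sample input is the two EAP-Message lines from the log quoted above, and the type names come from the standard EAP method numbers.

```python
# Added example: decode EAP-Message attributes from a FreeRADIUS "radiusd -X" log.
# Not code from this thread or from FreeRADIUS; the sample log lines below are the
# two EAP-Message lines quoted in the message above.
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

def decode_eap(hexstr):
    """Parse one EAP packet (RFC 3748 header + type/type-data) given as 0x... hex."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != attribute length {len(data)}")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type octet
        etype, payload = data[4], data[5:]
        info["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        if etype == 1:                           # Identity: type-data is the name
            info["identity"] = payload.decode("utf-8", "replace")
        elif etype == 4 and payload:             # MD5-Challenge: value-size + value
            size = payload[0]
            info["challenge"] = payload[1:1 + size].hex()
        elif etype == 3:                         # Nak: types the peer would accept instead
            info["desired_types"] = [EAP_TYPES.get(b, f"unknown({b})") for b in payload]
    return info

LINE_RE = re.compile(r"\((\d+)\)\s+EAP-Message = (0x[0-9a-fA-F]+)")

def eap_timeline(log_text):
    """Return [(request_number, decoded_packet)] for every EAP-Message line in the log."""
    return [(int(m.group(1)), decode_eap(m.group(2))) for m in LINE_RE.finditer(log_text)]

def methods_offered_by_server(log_text):
    """EAP types the server proposed in its Requests, in order (what the client must support)."""
    return [pkt["type"] for _, pkt in eap_timeline(log_text)
            if pkt["code"] == "Request" and "type" in pkt]

# Sample input: the two EAP-Message lines from the quoted debug output.
SAMPLE_LOG = """\
(45)   EAP-Message = 0x0201001f0177736b2d656d65776b73323138612d6f652e7373642e676f6573
(45)   EAP-Message = 0x0102001604103bb9d2560819735654919640451304d8
"""

if __name__ == "__main__":
    for n, pkt in eap_timeline(SAMPLE_LOG):
        print(f"({n}) {pkt}")
    print("server offered:", methods_offered_by_server(SAMPLE_LOG))
```

Run against the full debug output, `methods_offered_by_server` shows the method the server proposed in each Access-Challenge; a supplicant that Naks it (type 3) will list the methods it wants instead, while one that stays silent, as here, leaves no further EAP-Message lines at all.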
