
List:       freeradius-users
Subject:    RE: Some clients not using EAP-TLS anymore
From:       "Steinhagen, Tom via Freeradius-Users" <freeradius-users () lists ! freeradius ! org>
Date:       2022-08-09 15:09:45
Message-ID: DS0PR14MB5735524CB512FD2EC7D6B891D2629 () DS0PR14MB5735 ! namprd14 ! prod ! outlook ! com

You don't indicate what OS these machines are running, but in the past I have
observed Windows-based machines lose their preferred authentication configuration
(certificate vs other EAP methods) when network drivers were updated. Since our
configuration only permits certificate authentication for Windows-based PCs, other
EAP methods fail and the switches will fail over to MAB per their configuration. The
cycle repeats ad nauseam until the client is reconfigured for proper authentication.

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+tsteinhagen=landstar.com@lists.freeradius.org> On Behalf Of David le Roux
Sent: Tuesday, August 09, 2022 9:19 AM
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: RE: Some clients not using EAP-TLS anymore

I thought so as well until we had dissimilar switches show the same errors which led
me to believe it could be something else.

Thanks for your time.

David le Roux




-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+david.leroux=miller.co.uk@lists.freeradius.org> On Behalf Of Alan DeKok
Sent: 09 August 2022 15:10
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: Some clients not using EAP-TLS anymore

On Aug 9, 2022, at 9:53 AM, David le Roux <david.leroux@miller.co.uk> wrote:
> I have a fairly new problem where some clients (Desktops/Laptops) have stopped
> using their certificates and using EAP and instead present their mac addresses.

  Those machines don't do "mac auth" checks.  That's configured on the switch.  The
machines just (a) send 802.1X, or (b) normal traffic (i.e. DHCP, ARP, etc.)

> However this is a minority of clients and has only started to occur recently. The
> Radius server is configured to do both eap-tls and mac-based auth for clients that
> aren't compatible. Naturally we don't have mac addresses stored in authorized_macs
> for our EAP clients.
> Furthermore the error is not consistent. Some clients throw errors in the logs but
> can continue to log in (they usually have a mix of successful EAP authentications
> and unsuccessful mac based auth). Some can log in after an ipconfig /release
> /renew. This occurs on a variety of access points (that is, different
> manufacturers) and nothing has changed on them or the radius server as far as I can
> tell.

  The choice to do MAC auth vs 802.1X is 99.99% the AP / switch.

  The end-user machine needs to be configured to do 802.1X of course.  But it only
does 802.1X if the switch sends an EAPoL frame saying "do 802.1X".

  FreeRADIUS just gets packets from the AP / switch.  No amount of poking FreeRADIUS
will make the AP / switch change its behavior.

  This is 100% a switch problem.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
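
Added example (not part of the original messages, and not FreeRADIUS code): the symptom discussed in this thread can be confirmed from the RADIUS side by classifying each Access-Request as 802.1X or MAB and listing stations that show up as both, together with the NAS that sent the MAB request. It assumes the common convention that a MAB request carries the MAC address as User-Name and no EAP-Message; the record layout, field names "time" and "nas", and all sample values are constructed.

```python
import re
from collections import defaultdict

# Constructed sample Access-Request records (not taken from the thread).
# EAP-Message is recorded only as present (True) or absent (False).
SAMPLE_REQUESTS = [
    {"time": "09:01:10", "nas": "192.0.2.10", "User-Name": "host/pc-101.example.org",
     "Calling-Station-Id": "00-11-22-AA-BB-01", "EAP-Message": True},
    {"time": "09:14:32", "nas": "192.0.2.10", "User-Name": "001122aabb01",
     "Calling-Station-Id": "00-11-22-AA-BB-01", "EAP-Message": False},
    {"time": "09:15:02", "nas": "192.0.2.11", "User-Name": "host/pc-102.example.org",
     "Calling-Station-Id": "00:11:22:aa:bb:02", "EAP-Message": True},
    {"time": "09:20:47", "nas": "192.0.2.12", "User-Name": "0011.22aa.bb03",
     "Calling-Station-Id": "0011.22AA.BB03", "EAP-Message": False},
]

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    digits = re.sub(r"[-:.]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def classify(request):
    """Label one request as '802.1X', 'MAB' or 'other'."""
    if request.get("EAP-Message"):
        return "802.1X"
    # Assumed MAB convention: User-Name is the station's own MAC address.
    user_mac = normalize_mac(request.get("User-Name"))
    if user_mac and user_mac == normalize_mac(request.get("Calling-Station-Id")):
        return "MAB"
    return "other"

def find_fallback_stations(requests):
    """Map station MAC -> NAS addresses that sent MAB for a station also seen doing 802.1X."""
    methods = defaultdict(set)
    mab_nas = defaultdict(set)
    for req in requests:
        mac = normalize_mac(req.get("Calling-Station-Id"))
        if mac is None:
            continue
        kind = classify(req)
        methods[mac].add(kind)
        if kind == "MAB":
            mab_nas[mac].add(req["nas"])
    return {mac: sorted(mab_nas[mac]) for mac, kinds in methods.items()
            if {"802.1X", "MAB"} <= kinds}

if __name__ == "__main__":
    for mac, nas_list in find_fallback_stations(SAMPLE_REQUESTS).items():
        print(f"{mac}: 802.1X-capable station fell back to MAB on {', '.join(nas_list)}")
```

Stations that only ever appear as MAB (printers, phones) are not reported; only those that have also completed an EAP exchange are, which is the population the thread is about.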

