Tuesday, March 25, 2025

radius – Meraki AP to FreeRADIUS stuck on Access-Request


I am currently facing some issues while trying to set up a lab between a Windows 11 PC (with Credential Guard & TLS 1.3 enabled by default) and a FreeRADIUS server using EAP-TLS.

  Basically, it looks like this:
    [image: lab diagram]
  1. Where the Win 11 PC is configured to use EAP-TLS with its machine certificate to authenticate to my Lab SSID. The machine certificate is delivered by GPO (machine cert auto-enrollment) from an on-prem Windows 3-tier PKI.

  2. Where the FreeRADIUS server (v3.2.7-1), based on Debian 12, is configured to allow 10.0.0.0/8 NACs with a passphrase:

client test {
    ipaddr = 10.0.0.0/8
    secret = testing123
}

Also, I enabled the following configuration for EAP in mods-available/eap:

eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}

        tls-config tls-common {
                #private_key_password = whatever
                private_key_file = ${certdir}/myfreeradius_server.key
                certificate_file = ${certdir}/myfreeradius_server.pem
                ca_file = ${cadir}/my_corp_root_ca.pem
                ca_path = ${cadir}
                tls_min_version = "1.2"
                tls_max_version = "1.3"
        }
}
  3. In the meantime, if I test this configuration from another Debian server with the eapol_test CLI
    eapol_test -c wpa_supplicant-tls.conf -a 10.230.102.108 -s testing123
    where wpa_supplicant-tls.conf contains:
ap_scan=0

network={
    eap=TLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="[email protected]"
    client_cert="my_user_cert.pem"
    private_key="my_user_privkey.key"
    # CA certificate used to validate the RADIUS server's identity
    ca_cert="my_corp_root_ca.pem"
    phase1="tls_disable_tlsv1_3=0"
}

=> It works well: the client shows a SUCCESS status and the RADIUS server processes the request.

The pain is:
When I try to access the test SSID, the wifi connection from the Win 11 PC loads, loads, and never ends.
The Meraki AP says:
Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode="wpa2-802.1x" vlan_id='32' radius_proto='ipv4' radius_ip='10.230.102.108' reason='radius_timeout' reassoc="1" radio='0' vap='10' channel="1" rssi='40'

FreeRADIUS receives this kind of log:

Waking up in 4.7 seconds.
(5) Received Access-Request Id 5 from 10.6.4.165:50147 to 10.230.102.108:1812 length 413
(5)   User-Name = "host/my_PC.my-domain.net"
(5)   NAS-IP-Address = 10.6.4.165
(5)   NAS-Identifier = "E0-CB-BC-8B-65-ED:vap10"
(5)   NAS-Port-Type = Wireless-802.11
(5)   Service-Type = Framed-User
(5)   NAS-Port = 1
(5)   Calling-Station-Id = "F4-D1-08-87-72-56"
(5)   Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 38 / Channel: 1"
(5)   Acct-Session-Id = "479273B6606E05AE"
(5)   Acct-Multi-Session-Id = "BA3341F3610DFCF9"
(5)   WLAN-Pairwise-Cipher = 1027076
(5)   WLAN-Group-Cipher = 1027076
(5)   WLAN-AKM-Suite = 1027073
(5)   Meraki-Network-Name = "APW-Wifi- - wireless"
(5)   Meraki-Ap-Name = "MyWifiAP"
(5)   Meraki-Ap-Tags = "  recently-added "
(5)   Called-Station-Id = "E0-CB-BC-8B-65-ED:00-Test-W11"
(5)   Meraki-Device-Name = "MyWifiAP"
(5)   Framed-MTU = 1400
(5)   EAP-Message = 0x021b00060d00
(5)   State = 0x943a85b2902188fe8217870d8617c1ba
(5)   Message-Authenticator = 0x63c15f58f21aa1566869606e3b3b7609
(5) Restoring &session-state
(5)   &session-state:Framed-MTU = 994
(5)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello"
(5)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello"
(5)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec"
(5)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions"
(5)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest"
(5)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate"
(5)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify"
(5)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished"
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "host/my_PC.my-domain.net", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 27 length 6
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5)     [eap] = updated
(5)     [files] = noop
(5)     [expiration] = noop
(5)     [logintime] = noop
(5)     [pap] = noop
(5)   } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   authenticate {
(5) eap: Removing EAP session with state 0x943a85b2902188fe
(5) eap: Previous EAP request found for state 0x943a85b2902188fe, released from the list
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: (TLS) Peer ACKed our handshake fragment
(5) eap: Sending EAP Request (code 1) ID 28 length 857
(5) eap: EAP session adding &reply:State = 0x943a85b2912688fe
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5)   Framed-MTU = 994
(5)   TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello"
(5)   TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello"
(5)   TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec"
(5)   TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions"
(5)   TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest"
(5)   TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate"
(5)   TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify"
(5)   TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished"
(5) Sent Access-Challenge Id 5 from 10.230.102.108:1812 to 10.6.4.165:50147 length 921
(5)   EAP-Message = [...]
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0x943a85b2912688fe8217870d8617c1ba
(5) Finished request
Waking up in 4.7 seconds.
(0) Cleaning up request packet ID 0 with timestamp +69 due to cleanup_delay was reached
(1) Cleaning up request packet ID 1 with timestamp +69 due to cleanup_delay was reached
(2) Cleaning up request packet ID 2 with timestamp +69 due to cleanup_delay was reached
(3) Cleaning up request packet ID 3 with timestamp +69 due to cleanup_delay was reached
(4) Cleaning up request packet ID 4 with timestamp +69 due to cleanup_delay was reached
(5) Cleaning up request packet ID 5 with timestamp +69 due to cleanup_delay was reached
Ready to process requests


From a Wireshark flow perspective, it seems the Meraki AP sends the Access-Request to FreeRADIUS, which never answers.
[image: Wireshark capture]

My questions are:

  1. Do we agree that such a configuration on FreeRADIUS should verify machine (or eventually user) certificates thanks to the configured root CA? And so, every machine or user that has a certificate provided by the PKI should be authorized to access the network?

  2. How can I investigate further to find out whether it is a FreeRADIUS misconfiguration?

I'm kind of stuck at the moment..
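The Access-Request / Access-Challenge exchange shown in the debug output, as an added example that is not part of the question and not FreeRADIUS or Meraki code: a minimal RADIUS encoder/verifier in Python implementing the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator, both keyed with the shared secret from the `client test { secret = testing123 }` block. It replays the logged exchange (attribute values copied from the `(5) Received Access-Request Id 5` block) and then the mismatched-secret case. The TLS fragment inside the challenge and the helper names (`build_request`, `build_response`, `verify_*`, `demo`) are constructed for this example.

```python
"""Minimal RADIUS packet builder/verifier (RFC 2865 / RFC 3579) for EAP transport.

Added example for this page, not FreeRADIUS or Meraki code. Helper names and the
TLS fragment inside the Access-Challenge are constructed; attribute values come
from the debug output in the question."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_STATE = 1, 4, 24
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
EAP_TLS = 13


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, length (header included), value."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("value too long for one AVP; split it over several EAP-Message AVPs")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def decode_attrs(body):
    """Walk the attribute area; returns [(type, value, offset_of_value_in_body)]."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", body[i:i + 2])
        if l < 2 or i + l > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((t, body[i + 2:i + l], i + 2))
        i += l
    return attrs


def build_packet(code, ident, authenticator, attrs, secret):
    """Encode a packet and fill in Message-Authenticator: HMAC-MD5 keyed with the shared
    secret over the whole packet with the attribute's own value zeroed (RFC 3579 3.2).
    For replies the caller passes the Request Authenticator as `authenticator`."""
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR]
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))   # placed last, so it is the final 16 bytes
    body = encode_attrs(attrs)
    pkt = bytearray(struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body)
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def build_request(ident, attrs, secret):
    """NAS side: fresh random Request Authenticator."""
    return build_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs, secret)


def build_response(code, request, attrs, secret):
    """Server side: Message-Authenticator is computed with the Request Authenticator in
    place, then the Authenticator field becomes the Response Authenticator
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 section 3)."""
    req_auth = request[4:20]
    pkt = bytearray(build_packet(code, request[1], req_auth, attrs, secret))
    pkt[4:20] = hashlib.md5(bytes(pkt[:4]) + req_auth + bytes(pkt[20:]) + secret).digest()
    return bytes(pkt)


def verify_message_authenticator(pkt, secret, request_authenticator=None):
    """Recompute the HMAC; for a reply, pass the matching request's Authenticator."""
    auth = request_authenticator if request_authenticator is not None else pkt[4:20]
    ma = [(v, off) for t, v, off in decode_attrs(pkt[20:]) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(ma) != 1 or len(ma[0][0]) != 16:
        return False
    received, off = ma[0][0], 20 + ma[0][1]
    zeroed = pkt[:4] + auth + pkt[20:off] + bytes(16) + pkt[off + 16:]
    return hmac.compare_digest(received, hmac.new(secret, zeroed, hashlib.md5).digest())


def verify_response_authenticator(reply, request, secret):
    """NAS side: the reply must come from a server holding the same secret and belong to
    this request; a reply failing this check is silently discarded (RFC 2865 section 3)."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def demo(nas_secret=b"testing123", server_secret=b"testing123"):
    """Replay the logged exchange. Returns (server_accepted_request, nas_accepted_reply)."""
    # EAP-Message 021b00060d00 = EAP-Response (2), id 27, length 6, type 13 (TLS), flags 0:
    # an ACK with no TLS data, hence "Peer ACKed our handshake fragment" in the log.
    request = build_request(5, [
        (ATTR_USER_NAME, b"host/my_PC.my-domain.net"),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 6, 4, 165])),
        (ATTR_STATE, bytes.fromhex("943a85b2902188fe8217870d8617c1ba")),
        (ATTR_EAP_MESSAGE, bytes.fromhex("021b00060d00")),
    ], nas_secret)
    if not verify_message_authenticator(request, server_secret):
        return False, False   # server logs an invalid Message-Authenticator and sends nothing
    # Constructed stand-in for the next server fragment: EAP-Request id 28, type 13,
    # flags M (0x40, more fragments follow); the payload is not a real TLS record.
    tls_fragment = b"\x16\x03\x03" + bytes(197)
    eap = struct.pack("!BBHBB", 1, 28, 6 + len(tls_fragment), EAP_TLS, 0x40) + tls_fragment
    challenge = build_response(ACCESS_CHALLENGE, request, [
        (ATTR_EAP_MESSAGE, eap),
        (ATTR_STATE, bytes.fromhex("943a85b2912688fe8217870d8617c1ba")),
    ], server_secret)
    nas_ok = (verify_response_authenticator(challenge, request, nas_secret)
              and verify_message_authenticator(challenge, nas_secret, request[4:20]))
    return True, nas_ok


if __name__ == "__main__":
    print("matching secrets:", demo())
    print("AP secret wrong: ", demo(nas_secret=b"Testing123"))
```

Both checks hang off the shared secret: FreeRADIUS drops an Access-Request whose Message-Authenticator does not verify, and a NAS silently discards a reply whose Response Authenticator does not match, which shows up at the AP as a timeout rather than a rejection. Because the debug output shows FreeRADIUS accepting request Id 5 and sending the 921-byte Access-Challenge, the secret is consistent on the server side; what remains to be established is whether that UDP reply leaves the host and reaches 10.6.4.165:50147, which a capture on the FreeRADIUS host (`tcpdump -ni any udp port 1812`) and on the path in between will show. The all-zero Message-Authenticator printed for the outgoing Access-Challenge is normal in FreeRADIUS debug output: the value is computed when the packet is signed on the wire, after the attributes are printed.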

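For the second question (how to investigate further), an added example that is not part of the question and not FreeRADIUS code: a Python script that correlates `radiusd -X` debug output, pairing each `Received Access-Request` with the `Sent Access-Challenge/Accept/Reject` line for the same request number, decoding the peer's EAP-Message header (EAP code, id, length, type and the EAP-TLS L/M/S flags) and keeping the last TLS handshake step recorded in `TLS-Session-Information`. The embedded sample is a constructed subset of the log above plus one made-up request (6) that never gets a reply; function names are the example's own.

```python
"""Correlate FreeRADIUS `radiusd -X` output: pair each received Access-Request with
the reply the server sent (if any), decode the peer's EAP-Message header and keep
the last TLS handshake step. Added example for this page, not FreeRADIUS code."""
import re

RECV_RE = re.compile(r"^\((\d+)\) Received Access-Request Id (\d+) from (\S+) to \S+ length (\d+)")
SENT_RE = re.compile(r"^\((\d+)\) Sent (Access-Challenge|Access-Accept|Access-Reject) Id \d+ from \S+ to \S+ length (\d+)")
EAP_RE = re.compile(r"^\((\d+)\)\s+EAP-Message = 0x([0-9A-Fa-f]+)")
TLS_RE = re.compile(r'^\((\d+)\)\s+(?:&session-state:)?TLS-Session-Information = "\(TLS\) TLS - (.+)"')

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def eap_summary(hexstr):
    """Decode the EAP header (code, id, length, type) and the EAP-TLS flags byte
    (L = length included, M = more fragments, S = start). A type-13 packet whose
    total length is 6 carries no TLS data: it only acknowledges the previous fragment."""
    b = bytes.fromhex(hexstr)
    if len(b) < 4:
        return "EAP (truncated)"
    code, ident, length = b[0], b[1], int.from_bytes(b[2:4], "big")
    s = f"EAP-{EAP_CODES.get(code, code)} id={ident} len={length}"
    if code in (1, 2) and len(b) >= 5:
        s += f" type={b[4]}"
        if b[4] == 13 and len(b) >= 6:
            flags = b[5]
            bits = "".join(n for n, m in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & m)
            s += f" flags={bits or '-'}"
            if length == 6:
                s += " (ACK, no TLS data)"
    return s


def correlate(lines):
    """One record per Received Access-Request, keyed by the request number in parentheses."""
    recs, order = {}, []
    for line in lines:
        m = RECV_RE.match(line)
        if m:
            n = int(m.group(1))
            recs[n] = {"req": n, "id": int(m.group(2)), "nas": m.group(3),
                       "length": int(m.group(4)), "eap_in": None, "tls": None, "reply": None}
            order.append(n)
            continue
        m = EAP_RE.match(line)
        if m and int(m.group(1)) in recs:
            r = recs[int(m.group(1))]
            if r["reply"] is None and r["eap_in"] is None:   # before "Sent": the peer's EAP-Message
                r["eap_in"] = eap_summary(m.group(2))
            continue
        m = TLS_RE.match(line)
        if m and int(m.group(1)) in recs:
            recs[int(m.group(1))]["tls"] = m.group(2)   # latest handshake step wins
            continue
        m = SENT_RE.match(line)
        if m and int(m.group(1)) in recs:
            recs[int(m.group(1))]["reply"] = m.group(2)
    return [recs[n] for n in order]


def unanswered(records):
    """Requests the server received but never answered: a server-side stall. Requests that
    do have a reply while the NAS still reports radius_timeout point at the network path."""
    return [r for r in records if r["reply"] is None]


def report(records):
    return [f"req {r['req']} Id {r['id']} from {r['nas']}: {r['eap_in']} -> "
            f"{r['reply'] or 'NO REPLY'}; last TLS step: {r['tls']}" for r in records]


# Constructed sample: lines from the question's log for request 5, plus a made-up
# request 6 for which no "Sent" line exists. The 857-byte EAP-Message of the
# Access-Challenge is truncated to its 6-byte header here.
SAMPLE_LOG = """\
(5) Received Access-Request Id 5 from 10.6.4.165:50147 to 10.230.102.108:1812 length 413
(5)   User-Name = "host/my_PC.my-domain.net"
(5)   Framed-MTU = 1400
(5)   EAP-Message = 0x021b00060d00
(5)   State = 0x943a85b2902188fe8217870d8617c1ba
(5) Restoring &session-state
(5)   &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello"
(5)   &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished"
(5) eap_tls: (TLS) Peer ACKed our handshake fragment
(5) Sent Access-Challenge Id 5 from 10.230.102.108:1812 to 10.6.4.165:50147 length 921
(5)   EAP-Message = 0x011c03590dc0
(5)   State = 0x943a85b2912688fe8217870d8617c1ba
(6) Received Access-Request Id 6 from 10.6.4.165:50147 to 10.230.102.108:1812 length 413
(6)   EAP-Message = 0x021c00060d00
"""

if __name__ == "__main__":
    records = correlate(SAMPLE_LOG.splitlines())
    print("\n".join(report(records)))
    print("unanswered Ids:", [r["id"] for r in unanswered(records)])
```

Run it against the full `radiusd -X` output of a failing attempt (`radiusd -X 2>&1 | tee radiusd.log`, then `correlate(open("radiusd.log"))`): if every request has a reply, as request 5 does here, the server finished its part and the missing piece is the reply's delivery to the AP; if requests show up with no reply at all, the server itself is dropping or stalling on them.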