topic Re: EAP-TEAP Authentication w/ 440-G2 in ExtremeControl

EAP-TEAP Authentication w/ 440-G2

MikeTraylor — Fri, 31 Oct 2025 15:26:15 GMT

X440-G2-48p-10G4 Firmware: 32.7.3.15-patch1-19

Site Engine Version: 25.08.13.02

Control Version: 25.08.13.02

I have a Windows laptop configured to use EAP-TEAP authentication on wired and wireless and having problems with wired authentication.

On wired, connecting to the X440-G2 switch I am able to authenticate successfully using EAP-TLS authentication w/ both user and machine certificates. This indicates to me that there are no certificate authentication issues.

Yet, when I configure the NIC to present TEAP authentication with TLS method 1 and 2 it fails. Control logs only tell me the client didn't respond to the challenge.

I can confirm the TEAP authentication method on the laptop works just fine with another NAC solution I have in my lab.

I do not believe control to be the issue in this scenario as I am able to do TEAP authentication with an AP controlled by CloudIQ with the same laptop configured the same.

Anyone have any insight to this?

Thanks

Re: EAP-TEAP Authentication w/ 440-G2

Ryan_Yacobucci — Sat, 01 Nov 2025 16:27:15 GMT

Hello,

If you go into the AAA configuration within Control did you set the TEAP Chaining method to use MSCHAP2 or TLS?

When you are doing your testing, are you testing with the device when there is a logged in user, or without a logged in user?

In it's current state, TEAP authentication will never succeed if the end system is in a "Machine Auth" state. If there is no user logged in the user credentials are not presented during authentication and it will fail. For testing, make sure a user is logged in, and make sure you have set the TEAP chaining mode correctly.

Thanks
-Ryan

Re: EAP-TEAP Authentication w/ 440-G2

MikeTraylor — Mon, 03 Nov 2025 13:59:38 GMT

Yes, TEAP is set to chain TLS and yes I am logged into the laptop when connecting. I'm at a bit of a loss with this as it works with another NAC solution with the exact same auth settings on the NIC. The only thing I can think of is the switch itself isn't recognizing/passing on the authentication. If I have MAC auth enabled that's all I see. Even with dot1x set to be first priority.

If I flip the laptop NIC over to TLS that works fine. So I know it would be able to authenticate the certs.

Re: EAP-TEAP Authentication w/ 440-G2

Ryan_Yacobucci — Tue, 04 Nov 2025 13:26:21 GMT

We would need to do the following:

Right click the NAC that is doing the authentication --> WebView --> Diagnostics --> Appliance/Server Diagnostics
Set "Authentication Request Processing - RADIUS" to "Verbose"
Click OK

Attempt to authenticate the test device.
Set diagnostics back to defaults

Check the /var/log/radius/radius.log to see where in the conversation things are breaking down.
You can create a ticket with GTAC to help assess the log to determine where the authentication is stopping.

Thanks
-Ryan

Re: EAP-TEAP Authentication w/ 440-G2

MikeTraylor — Tue, 04 Nov 2025 18:29:22 GMT

Thanks for that! What I am seeing is that the TEAP authentication is getting hung up on the Machine certificate portion and never progressing to user cert auth. It only presents the anonymous user which is the default with TEAP.

I ran a wired and wireless auth and captured the logs for comparison.

Here is the config in the switch (Switch is managed by Site Engine)

# Module netLogin configuration.
#
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based cep
enable netlogin ports 1-4 dot1x
enable netlogin ports 1-4 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

Re: EAP-TEAP Authentication w/ 440-G2

MikeTraylor — Wed, 05 Nov 2025 18:42:46 GMT

This morning I converted a 5520 over to switch engine and got it connected up to control. Plugged my laptop into a port with the same config and encountering the same issue. So that rules out it being just a 440-G2 issue. Has to be something with my switch config at this point but I'm not sure where to look. I'm new to Control (not 802.1x) so I definitely could be missing something.

My challenge here is why does TLS auth work but not EAP-TEAP on wired. EAP-TEAP does work on wireless.

Re: EAP-TEAP Authentication w/ 440-G2

Ryan_Yacobucci — Sun, 09 Nov 2025 18:11:19 GMT

Hello,

Looking at the debug log the wired authentication is going stale what looks like after the initial certificate exchange between RADIUS server and client.

Successfully negotiation for EAP-TEAP occurs, and when the RADIUS server sends it's certificate the end system does not reply.

This is usually a case of certificate validation issues on the supplicant itself.

Can you compare the supplicant configuration between the wireless and the wired NIC? Are there any differences in certificate trust configurations?

If you cannot find a difference we can take the next step:

What does the EAP traffic look like on the client side? Do we see a difference in behavior with the wired EAP traffic versus the wireless EAP traffic?

What do the CAPI2 logs show? If there is a certificate validation issues the Microsoft CAPI2 logs should show a problem.

https://www.thebestcsharpprogrammerintheworld.com/2013/09/09/enable-capi2-event-logging-to-troubleshoot-pki-and-ssl-certificate-issues/

This looks like a generic certificate validation problem on the client side.

Thanks
-Ryan

Re: EAP-TEAP Authentication w/ 440-G2

MikeTraylor — Thu, 13 Nov 2025 16:19:07 GMT

Ryan,

I think this just comes down to the fact that TEAP machine authentication is currently not implemented or is just broken at this time. I don't understand why wireless is able to move past the machine certificate failure where wired isn't but I guess that's besides the point.

I am able to fully authenticate both my user and machine certificates on the wired connection when set to TLS rather than TEAP. So to me that fully rules out any certificate validation issues.

I guess it's probably fair to just chalk this up to needing to wait for full TEAP support w/ NAC. If you could push the lack of that support up the chain that would be great. There are other posts about that as well.

One thing I will say about this is that TEAP is going to be the best auth method going further as it fixes all the problems w/ wireless 802.1x authentication where clients do not present their machine cert when a user logs in like we have in TLS only authentication.

When windows fully deprecates PEAP/MSCHAPv2, certificate auth will become our ONLY option. So Extreme really needs to get on the ball with this. Windows NPS has zero support for TEAP so we won't be able to fall back on that either.

Thank you for your time looking into this with me though!