Extreme Networks

Hello,

I suggest opening a ticket with GTAC. This will require additional investigation.

From what I can tell the client is rejecting the EAP-Success provided by the NAC.

Debug of the reject:

Wed Jan 24 15:21:23 2018 : Debug: (194) eap_peap: Client rejected our response. The password is probably incorrect
Wed Jan 24 15:21:23 2018 : ERROR: (194) eap_peap: We sent a success, but the client did not agree
Wed Jan 24 15:21:23 2018 : ERROR: (194) eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed
Wed Jan 24 15:21:23 2018 : Debug: (194) eap: Sending EAP Failure (code 4) ID 153 length 4
Wed Jan 24 15:21:23 2018 : Debug: (194) eap: Failed in EAP select
Wed Jan 24 15:21:23 2018 : Debug: (194) modsingle[authenticate]: returned from eap (rlm_eap) for request 194
Wed Jan 24 15:21:23 2018 : Debug: (194) [eap] = invalid
Wed Jan 24 15:21:23 2018 : Debug: (194) } # authenticate = invalid
Wed Jan 24 15:21:23 2018 : Debug: (194) Failed to authenticate the user
Wed Jan 24 15:21:23 2018 : Debug: (194) Using Post-Auth-Type Reject

Trace indicates successful transmission and acceptance of the RADIUS server certificate.

Debug indicates successful NTLM authentication and NT-HASH returned from Active Directory.

Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: --> --nt-response=a1341a1585a1a260b28880e33dd1b4513253f1fb40150b66
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: Program returned code (0) and output 'NT_KEY: F7D858C45869D7002C9E2F00968C25C3'
Wed Jan 24 15:21:23 2018 : Debug: (192) mschap: Adding MS-CHAPv2 MPPE keys
Wed Jan 24 15:21:23 2018 : Debug: (192) modsingle[authenticate]: returned from mschap (rlm_mschap) for request 192
Wed Jan 24 15:21:23 2018 : Debug: (192) [mschap] = ok
Wed Jan 24 15:21:23 2018 : Debug: (192) if (reject) {
Wed Jan 24 15:21:23 2018 : Debug: (192) if (reject) -> FALSE
Wed Jan 24 15:21:23 2018 : Debug: (192) } # Auth-Type MS-CHAP = ok
Wed Jan 24 15:21:23 2018 : Debug: (192) MSCHAP Success

It appears that NAC sent the final "EAP-Success" and the client returned a failure instead of the final EAP success message that would result in a RADIUS accept.

Potentially a trace on the client side would shed more light, but I would highly suggest going through GTAC at this point.

I found a few freeRADIUS threads, but the referenced "files" keyword I haven't found in the NAC's freeRADIUS files.

1. http://lists.freeradius.org/pipermail/freeradius-users/2016-August/084441.html

This is referencing a "users" file that may have been misconfigured, have you modified any of the freeRADIUS configurations in your deployment directly?

2. https://superuser.com/questions/940829/radius-wifi-not-working-on-windows-8-1-and-windows-10-with-do...

This article suspects possible driver issues causing the problem. Have you updated drivers?

3. http://lists.freeradius.org/pipermail/freeradius-users/2010-August/048137.html

A samba bug was identified. 8.0 NAC is using Samba 4.3.11 so if you're on 8.0 it's not applicable.

Thanks
-Ryan

Ryan,

I just uploaded the files with the note being this topic. The files have your name infront aswell.
What part of the supplicant would u like to see?

This is a wireless client btw (windows 10 ofcourse)

If you can open a GTAC case we will take a look at the debug. We will need the exported events, tag.log, radius.log, and the MAC address of the End System. Thanks.