
EAP-TEAP Authentication w/ 440-G2

MikeTraylor
New Contributor

X440-G2-48p-10G4 Firmware: 32.7.3.15-patch1-19

Site Engine Version: 25.08.13.02

Control Version: 25.08.13.02

I have a Windows laptop configured to use EAP-TEAP authentication on wired and wireless, and I am having problems with wired authentication.

On wired, connecting to the X440-G2 switch I am able to authenticate successfully using EAP-TLS authentication w/ both user and machine certificates.  This indicates to me that there are no certificate authentication issues.

Yet, when I configure the NIC to present TEAP authentication with TLS method 1 and 2 it fails.  Control logs only tell me the client didn't respond to the challenge.

I can confirm the TEAP authentication method on the laptop works just fine with another NAC solution I have in my lab.

I do not believe control to be the issue in this scenario as I am able to do TEAP authentication with an AP controlled by CloudIQ with the same laptop configured the same.

Anyone have any insight into this?

Thanks

7 REPLIES

Thanks for that!  What I am seeing is that the TEAP authentication is getting hung up on the Machine certificate portion and never progressing to user cert auth.  It only presents the anonymous user which is the default with TEAP.

I ran a wired and wireless auth and captured the logs for comparison.

Here is the config in the switch (Switch is managed by Site Engine)

# Module netLogin configuration.
#
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based cep
enable netlogin ports 1-4 dot1x
enable netlogin ports 1-4 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

Ryan_Yacobucci
Extreme Employee

Hello,

If you go into the AAA configuration within Control did you set the TEAP Chaining method to use MSCHAP2 or TLS?

When you are doing your testing, are you testing with the device when there is a logged in user, or without a logged in user?

In its current state, TEAP authentication will never succeed if the end system is in a "Machine Auth" state. If there is no user logged in, the user credentials are not presented during authentication and it will fail.  For testing, make sure a user is logged in, and make sure you have set the TEAP chaining mode correctly.

Thanks
-Ryan
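
The chaining behaviour Ryan describes, and the symptom reported above (the exchange stalling after the machine certificate phase and never moving to the user certificate), come down to which Identity-Type the server actually requests in TEAP Phase 2. The Python below is an added example, not code from Extreme, Microsoft or anyone in this thread: it parses RFC 7170 TLVs, lists the Identity-Type and Result TLVs in wire order, and classifies an exchange as chained or stalled. The exchanges it runs on are constructed (not a capture), omit the inner EAP-TLS payload TLVs, and the "server"/"peer" sender labels are an assumption of the example.

```python
import struct
# TEAP Phase 2 TLV types and value codes from RFC 7170 section 4.2
TLV_IDENTITY_TYPE, TLV_RESULT, TLV_INTERMEDIATE_RESULT = 2, 3, 10
IDENTITY, STATUS = {1: "User", 2: "Machine"}, {1: "Success", 2: "Failure"}

def build_tlv(tlv_type, value):  # M bit set, reserved bit clear, 14-bit type, 16-bit length, value
    return struct.pack("!HH", 0x8000 | (tlv_type & 0x3FFF), len(value)) + value

def parse_tlvs(data):
    """Split a Phase 2 TLV buffer into (type, value) pairs, rejecting truncated input."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 4:
            raise ValueError("truncated TLV header")
        hdr, length = struct.unpack_from("!HH", data, i)
        i += 4
        if len(data) - i < length:
            raise ValueError("TLV length runs past the buffer")
        out.append((hdr & 0x3FFF, data[i:i + length]))
        i += length
    return out

def chaining_timeline(messages):
    """messages: [(sender, tlv_bytes)]; returns identity and result events in wire order."""
    events = []
    for sender, raw in messages:
        for tlv_type, value in parse_tlvs(raw):
            if tlv_type == TLV_IDENTITY_TYPE:
                events.append((sender, "Identity-Type=" + IDENTITY.get(struct.unpack("!H", value)[0], "?")))
            elif tlv_type in (TLV_INTERMEDIATE_RESULT, TLV_RESULT):
                name = "Intermediate-Result" if tlv_type == TLV_INTERMEDIATE_RESULT else "Result"
                events.append((sender, name + "=" + STATUS.get(struct.unpack("!H", value[:2])[0], "?")))
    return events

def diagnose(events):
    """Classify which identity phases the server actually drove in a chained exchange."""
    asked = [e[1].split("=", 1)[1] for e in events if e[0] == "server" and e[1].startswith("Identity-Type=")]
    if "Machine" in asked and "User" in asked and ("server", "Result=Success") in events:
        return "chained: machine then user, Result=Success"
    if "Machine" in asked and "User" not in asked:
        return "stalled: machine phase only, server never requested the User identity"
    return "incomplete"

def sample_exchanges():
    """Constructed Phase 2 exchanges, not a real capture; the inner EAP-TLS payload TLVs are omitted."""
    ask_machine, ask_user = build_tlv(TLV_IDENTITY_TYPE, b"\x00\x02"), build_tlv(TLV_IDENTITY_TYPE, b"\x00\x01")
    phase_ok, final_ok = build_tlv(TLV_INTERMEDIATE_RESULT, b"\x00\x01"), build_tlv(TLV_RESULT, b"\x00\x01")
    chained = [("server", ask_machine), ("peer", ask_machine), ("server", phase_ok), ("peer", phase_ok),
               ("server", ask_user), ("peer", ask_user), ("server", final_ok), ("peer", final_ok)]
    stalled = chained[:4]  # mirrors the thread: machine phase completes, no User identity request follows
    return {"chained": chained, "stalled": stalled}
```

Feeding the Phase 2 TLVs decrypted from a real trace into chaining_timeline shows immediately whether the authentication server ever asked for the User identity after the machine phase, which is the question left open in the thread.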

Yes, TEAP is set to chain TLS and yes I am logged into the laptop when connecting.  I'm at a bit of a loss with this as it works with another NAC solution with the exact same auth settings on the NIC.  The only thing I can think of is the switch itself isn't recognizing/passing on the authentication.  If I have MAC auth enabled that's all I see.  Even with dot1x set to be first priority.

If I flip the laptop NIC over to TLS that works fine.  So I know it would be able to authenticate the certs.
