
EAP-TEAP Authentication w/ 440-G2

MikeTraylor
New Contributor

X440-G2-48p-10G4 Firmware: 32.7.3.15-patch1-19

Site Engine Version: 25.08.13.02

Control Version: 25.08.13.02

I have a Windows laptop configured to use EAP-TEAP authentication on wired and wireless and am having problems with wired authentication.

On wired, connecting to the X440-G2 switch I am able to authenticate successfully using EAP-TLS authentication w/ both user and machine certificates.  This indicates to me that there are no certificate authentication issues.

Yet, when I configure the NIC to present TEAP authentication with TLS method 1 and 2 it fails.  Control logs only tell me the client didn't respond to the challenge.

I can confirm the TEAP authentication method on the laptop works just fine with another NAC solution I have in my lab.

I do not believe control to be the issue in this scenario as I am able to do TEAP authentication with an AP controlled by CloudIQ with the same laptop configured the same.

Anyone have any insight into this?

Thanks

5 REPLIES

Ryan_Yacobucci
Extreme Employee

We would need to do the following: 

Right click the NAC that is doing the authentication --> WebView --> Diagnostics --> Appliance/Server Diagnostics
Set "Authentication Request Processing - RADIUS" to "Verbose"
Click OK

Attempt to authenticate the test device.
Set diagnostics back to defaults

Check the /var/log/radius/radius.log to see where in the conversation things are breaking down. 
You can create a ticket with GTAC to help assess the log to determine where the authentication is stopping.

Thanks
-Ryan


This morning I converted a 5520 over to Switch Engine and got it connected up to Control.  Plugged my laptop into a port with the same config and am encountering the same issue.  So that rules out it being just a 440-G2 issue.  Has to be something with my switch config at this point, but I'm not sure where to look.  I'm new to Control (not 802.1x), so I definitely could be missing something.

My challenge here is why does TLS auth work but not EAP-TEAP on wired.  EAP-TEAP does work on wireless.

Thanks for that!  What I am seeing is that the TEAP authentication is getting hung up on the Machine certificate portion and never progressing to user cert auth.  It only presents the anonymous user which is the default with TEAP.

I ran a wired and wireless auth and captured the logs for comparison.


Here is the config in the switch (Switch is managed by Site Engine)

# Module netLogin configuration.
#
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based cep
enable netlogin ports 1-4 dot1x
enable netlogin ports 1-4 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

Ryan_Yacobucci
Extreme Employee

Hello,

If you go into the AAA configuration within Control did you set the TEAP Chaining method to use MSCHAP2 or TLS?

When you are doing your testing, are you testing with the device when there is a logged in user, or without a logged in user?

In its current state, TEAP authentication will never succeed if the end system is in a "Machine Auth" state. If there is no user logged in, the user credentials are not presented during authentication and it will fail.  For testing, make sure a user is logged in, and make sure you have set the TEAP chaining mode correctly.

Thanks
-Ryan
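To make "where in the conversation things are breaking down" concrete, here is an added Python example (not from this thread, and not Extreme Control's own tooling) that decodes a sequence of EAP packets and reports the outer identity, the method the server started, whether the client replied to it, and whether the exchange ended in Success, Failure, a Nak, or simply stalled. The packet bytes are constructed to resemble the stalled wired TEAP attempt described above: an anonymous outer identity, a TEAP start from the server, one client reply, then silence.

```python
import struct

# EAP codes and method types (RFC 3748; EAP-TLS RFC 5216; TEAP RFC 7170)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 55: "TEAP"}

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet; for TLS-based methods also decode the flags byte."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != packet size {len(pkt)}")
    rec = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2):                      # only Request/Response carry a type
        etype = pkt[4]
        rec["type"] = EAP_TYPES.get(etype, etype)
        data = pkt[5:]
        if etype == 1:
            rec["identity"] = data.decode("utf-8", "replace")
        elif etype == 3:                    # Nak: client lists methods it prefers
            rec["nak_wants"] = [EAP_TYPES.get(t, t) for t in data]
        elif etype in (13, 25, 55):         # L/M/S flag byte shared by TLS methods
            flags = data[0] if data else 0
            rec["start"] = bool(flags & 0x20)   # S bit: method start
            rec["more"] = bool(flags & 0x40)    # M bit: more fragments follow
            if etype == 55:
                rec["version"] = flags & 0x07   # TEAP keeps its version in the low 3 bits
    return rec

def summarise(conversation) -> dict:
    """Walk an ordered EAP exchange and report how far it got."""
    s = {"identity": None, "method": None, "client_replied": False, "outcome": "stalled"}
    for pkt in conversation:
        rec = parse_eap(pkt)
        if rec["code"] == "Response" and rec.get("type") == "Identity":
            s["identity"] = rec["identity"]
        elif rec["code"] == "Request" and rec.get("start"):
            s["method"] = rec["type"]
        elif rec["code"] == "Response" and rec.get("type") == s["method"]:
            s["client_replied"] = True
        elif rec["code"] == "Response" and rec.get("type") == "Nak":
            s["outcome"] = "nak:" + ",".join(map(str, rec["nak_wants"]))
        elif rec["code"] in ("Success", "Failure"):
            s["outcome"] = rec["code"].lower()
    return s

def eap(code, ident, etype=None, data=b"") -> bytes:
    """Build an EAP packet (used here only to construct sample data)."""
    body = bytes([etype]) + data if etype is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed sample: anonymous identity, TEAP v1 start, one client reply, then nothing.
WIRED = [eap(1, 1, 1), eap(2, 1, 1, b"anonymous"), eap(1, 2, 55, b"\x21"),
         eap(2, 2, 55, b"\x01" + b"\x16\x03\x03\x00\x05hello")]
```

Feed it the EAP payloads extracted from a wired capture and a working wireless capture, and the two summaries show at which step the wired exchange diverges.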
