3 weeks ago
X440-G2-48p-10G4 Firmware: 32.7.3.15-patch1-19
Site Engine Version: 25.08.13.02
Control Version: 25.08.13.02
I have a Windows laptop configured to use EAP-TEAP authentication on wired and wireless and having problems with wired authentication.
On wired, connecting to the X440-G2 switch I am able to authenticate successfully using EAP-TLS authentication w/ both user and machine certificates. This indicates to me that there are no certificate authentication issues.
Yet, when I configure the NIC to present TEAP authentication with TLS method 1 and 2 it fails. Control logs only tell me the client didn't respond to the challenge.
I can confirm the TEAP authentication method on the laptop works just fine with another NAC solution I have in my lab.
I do not believe control to be the issue in this scenario as I am able to do TEAP authentication with an AP controlled by CloudIQ with the same laptop configured the same.
Anyone have any insight to this?
Thanks
2 weeks ago
Hello,
Looking at the debug log, the wired authentication goes stale at what looks like the point just after the initial certificate exchange between the RADIUS server and the client.
Successful negotiation for EAP-TEAP occurs, and when the RADIUS server sends its certificate the end system does not reply.
This is usually a case of certificate validation issues on the supplicant itself.
Can you compare the supplicant configuration between the wireless and the wired NIC? Are there any differences in certificate trust configurations?
If you cannot find a difference we can take the next step:
What does the EAP traffic look like on the client side? Do we see a difference in behavior with the wired EAP traffic versus the wireless EAP traffic?
What do the CAPI2 logs show? If there is a certificate validation issue, the Microsoft CAPI2 logs should show a problem.
https://www.thebestcsharpprogrammerintheworld.com/2013/09/09/enable-capi2-event-logging-to-troublesh...
This looks like a generic certificate validation problem on the client side.
Thanks
-Ryan
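The CAPI2 check suggested above, as an added example that is not part of this thread: it assumes an elevated PowerShell session on the Windows supplicant, a capture window ($ReproSeconds) long enough to replug the wired NIC, and an output path of your choosing.

```powershell
# Added example (not from the thread): capture CAPI2 certificate-validation
# events on the Windows supplicant around one wired EAP-TEAP attempt.
# Assumptions: elevated session; $ReproSeconds and $OutFile are placeholders.
$ReproSeconds = 90
$OutFile      = "$env:USERPROFILE\Desktop\capi2-eap-teap.txt"

# 1. The CAPI2 operational log is disabled by default; enable it and mark the start.
wevtutil set-log Microsoft-Windows-CAPI2/Operational /enabled:true
$start = Get-Date

# 2. Reproduce: unplug and replug the wired NIC (or bounce the switch port) now.
Write-Host "Reproduce the wired EAP-TEAP attempt; collecting for $ReproSeconds s..."
Start-Sleep -Seconds $ReproSeconds

# 3. Pull everything CAPI2 logged in that window. Event 11 (Build Chain) and
#    30 (Verify Chain Policy) carry the chain verdict; Level 'Error' entries
#    are the validation failures Ryan is asking about.
$filter = @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; StartTime = $start }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $ud   = $xml.Event.UserData
    $subj = ''
    if ($ud -is [System.Xml.XmlElement]) {
        # Each payload names the certificate(s) it examined; showing the subject
        # makes a user-cert versus machine-cert failure visible at a glance.
        $subj = ($ud.SelectNodes('.//*[@subjectName]') |
                 ForEach-Object { $_.subjectName }) -join '; '
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Level   = $e.LevelDisplayName
        Subject = $subj
        Message = ($e.Message -split "`n")[0]
    }
}

# Full timeline to disk; only chain verdicts and errors on screen.
$report | Sort-Object Time | Format-Table -AutoSize |
    Out-String -Width 200 | Set-Content $OutFile
$report | Where-Object { $_.Level -eq 'Error' -or $_.Id -in 11,30 } |
    Sort-Object Time | Format-Table -AutoSize

# 4. Turn the log back off; it is chatty and fills quickly.
wevtutil set-log Microsoft-Windows-CAPI2/Operational /enabled:false
```

Compare the wired capture against the same capture taken over wireless; a chain failure that appears only on wired points at the supplicant's per-interface trust settings rather than at the RADIUS server.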
a week ago
Ryan,
I think this just comes down to the fact that TEAP machine authentication is currently not implemented or is just broken at this time. I don't understand why wireless is able to move past the machine certificate failure where wired isn't, but I guess that's beside the point.
I am able to fully authenticate both my user and machine certificates on the wired connection when set to TLS rather than TEAP. So to me that fully rules out any certificate validation issues.
I guess it's probably fair to just chalk this up to needing to wait for full TEAP support w/ NAC. If you could push the lack of that support up the chain that would be great. There are other posts about that as well.
One thing I will say about this is that TEAP is going to be the best auth method going further as it fixes all the problems w/ wireless 802.1x authentication where clients do not present their machine cert when a user logs in like we have in TLS only authentication.
When Windows fully deprecates PEAP/MSCHAPv2, certificate auth will become our ONLY option. So Extreme really needs to get on the ball with this. Windows NPS has zero support for TEAP, so we won't be able to fall back on that either.
Thank you for your time looking into this with me though!
2 weeks ago
We would need to do the following:
Right click the NAC that is doing the authentication --> WebView --> Diagnostics --> Appliance/Server Diagnostics
Set "Authentication Request Processing - RADIUS" to "Verbose"
Click OK
Attempt to authenticate the test device.
Set diagnostics back to defaults
Check the /var/log/radius/radius.log to see where in the conversation things are breaking down.
You can create a ticket with GTAC to help assess the log to determine where the authentication is stopping.
Thanks
-Ryan
2 weeks ago
This morning I converted a 5520 over to Switch Engine and got it connected up to Control. I plugged my laptop into a port with the same config and encountered the same issue. So that rules out it being just a 440-G2 issue. It has to be something with my switch config at this point, but I'm not sure where to look. I'm new to Control (not 802.1x), so I definitely could be missing something.
My challenge here is why TLS auth works but EAP-TEAP does not on wired. EAP-TEAP does work on wireless.