Hi!
I've a problem with 802.1x and EAP-TLS where I'm not quite sure who is responsible for this problem and how to work around it. I hope someone can help me - I couldn't find anything with Google and I just can't believe I'm the first guy with this problem. The setup is following. - Windows 7 SP1 Client with 802.1x and EAP-TLS configurated - Extreme Networks 450e Switches --> LAN based 802.1x - Freeradius 2.1.12-3.el5 on RHEL5 only TLS as EAP type configured/allowed The problem now is that in 1/3 of the clients boots (done over 40 times with a tap devices running as sniffer) the Windows Client sends an response: Legacy Nak (Response only) [RFC3748] with the wish for PEAP. After this the freeradius Server sends a reject ([eap] NAK asked for unsupported type PEAP). With the next identity request the Client does an clean EAP-TLs handshake, but the switch already put the client into the reject network. Here is the communication flow in these cases (Wireshark): Line 5 / Packet 54 is the problem No. Time Source Destination Protocol Length Info 9 27.371093 switch --> client EAP 60 Request, Identity [RFC3748] 51 43.669530 switch --> client EAP 60 Request, Identity [RFC3748] 52 43.693510 client --> switch EAP 60 Response, Identity [RFC3748] 53 43.699498 switch --> client EAP 60 Request, EAP-TLS [RFC5216] [Aboba] 54 43.700496 client --> switch EAP 60 Response, Legacy Nak (Response only) [RFC3748] 84 44.639980 switch --> client EAP 60 Request, Identity [RFC3748] 85 44.646980 client --> switch EAP 60 Response, Identity [RFC3748] 86 44.652974 switch --> client EAP 60 Request, EAP-TLS [RFC5216] [Aboba] 87 44.758887 client --> switch TLSv1 123 Client Hello 88 44.765875 switch --> client TLSv1 1042 Server Hello, Certificate, Certificate Request, Server Hello Done 89 44.766875 client --> switch EAP 60 Response, EAP-TLS [RFC5216] [Aboba] 90 44.772880 switch --> client TLSv1 1042 Server Hello, Certificate, Certificate Request, Server Hello Done 91 44.772892 client --> switch EAP 60 Response, EAP-TLS [RFC5216] [Aboba] 92 44.778868 switch --> client TLSv1 1042 Server Hello, Certificate, Certificate Request, Server Hello Done 93 44.779865 client --> switch EAP 60 Response, EAP-TLS [RFC5216] [Aboba] 94 44.784859 switch --> client TLSv1 177 Server Hello, Certificate, Certificate Request, Server Hello Done 95 44.787862 client --> switch TLSv1 1510 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message 96 44.793854 switch --> client EAP 60 Request, EAP-TLS [RFC5216] [Aboba] 97 44.793861 client --> switch TLSv1 530 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message 98 44.807887 switch --> client TLSv1 87 Change Cipher Spec, Encrypted Handshake Message 102 44.818881 client --> switch EAP 60 Response, EAP-TLS [RFC5216] [Aboba] 103 44.855827 switch --> client EAP 60 Success It seems to be a timing issue .... anyway: - Windows 7 is configured to EAP-TLS with GPOs - I've uninstalled anti-virus, behavior detection software In the 2/3 of the cases it works the Client does not send a NAK, so I believe it is a client problem but it's Windows 7 ... there must be thousands of installs with Windows 7 and 802.1x EAP/TLS. Would it help if freeradius ignores the EAP-NAK packets? Any help appreciated! Mit freundlichen Grüßen Robert Penz -------------------------------------------------------------- Dipl.Inf. Robert Penz DVT - Daten-Verarbeitung-Tirol GmbH Adamgasse 22, 6020 Innsbruck Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355 E-Mail: robert.p...@tirol.gv.at
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
