@josepc 

What 802.1x client did you use? If you were using windows PC, you can try to download TP-Link 802.1x client software. https://static.tp-link.com/res/down/soft/TP-LINK_802.1X_Client_Software_V3.zip

If you were using linux or MacOS, you need to disable handshake in 802.1x setting of TP-Link switch.

If you check the packets, clients should send EAPol packet, then switch will response. And maybe need to increase Supplicant Timeout value to extend certificattion time.

@Andone thanks for your help. We tried the tplink client without success. 

Please, let me show your our configuration and results for giving a better understanding of the problem (sorry for the captures in spanish!) 

This is our RADIUS config at tplink switch: 

We use Windows 10 client for 802.1x authentication, configured to authenticate workstation with certificates, as follows: 

Wireshark traffic capture in client workstation with this configuration, showing the content of Response Identity message: 

As you can see, second phase (negotiation) is never initiated. 

Wireshark capture of traffic in the NPS server (no message is sent TPLINK <-> SERVER): 

HOWEVER, if we use user authentication in the client and NPS server (mschapv2 with username + password) everything works fine: 

And the traffic capture in the Windows Server: 

MY GUESS: the switch rejects or discard the Identity Response message when it contains "host/hostname" instead of "domain\username", I don't know why or how. 

Certificates don't even come into play here, because we never get past Response Identity. The switch never communicates with the NPS server in this configuration. 

I also tried workstation authentication with password instead of certificate. Same result. 

Thank you in advance!

@josepc 

I am not familiar with the way which using hostname as identity. But switch should transfer the information whatever identity is used.

If you don't mind, could you tell me how PC authorize through hostname? Generally we add username and password on radius server. For hostname, does it need password? Or does it need authorize by certificate? 

@Andone  thanks again for your reply.

In theory, the authentication would be similar to the one that uses username and password.

The EAP response Identity is forwarded by the switch to the NPS server. It looks for the username internally (eg active directory) and then continues the authentication flow.

In case of hostname, response Identity containing the qualified  hostname should be forwarded to the NPS as well. NPS should look for computer name (in the active directory) and then continue the flow, but the authentication from that point would be done using a workstation certificate. 

The problem is that the switch never forwards that message.

I also tried using machine authentication with password (not sure how, I guess the machine account in the AD has an internal password) to see if the switch continues communication with the NPS. There was no success.

At this point I am not sure if the switch doesn't support the hostname in the response Identity or if there is some bad configuration in our setup.

Thanks!

@josepc great post. Any news about this?

@morikd 

Hi there!

We tried to make all the settings but were not successful. We had to buy another switch from another manufacturer to get it. We are still interested in being able to apply these configurations with a tplink switch. 
Greetings!