802.1X with machine authentication: switch doesn't initiate RADIUS communication with the NPS server
We have a TP-Link tg2600 t56s managed switch. It is configured as the 802.1X authenticator for wired connections. There is a Windows Server 2016 DC with the NPS service installed, acting as the RADIUS server.
We configured PEAP policies with user authentication via MS-CHAPv2 (username + password) in NPS, and it works fine.
However, when we tried PEAP with workstation-only authentication using certificates, it didn't work. We followed the official Microsoft guides and the configuration seems right, but we observed the following.
The Windows server showed no sign of receiving RADIUS messages from the switch. Not a single log entry was generated (with user authentication, this log entry does exist).
So, with Wireshark on the client workstation and on the Windows server, we captured the EAP and RADIUS traffic:
On the client workstation:
- the client receives EAP Identity requests from the switch and sends an EAP Identity response to the switch.
- after 3 seconds, the switch sends an EAP Failure to the client.
- the identity field of the client's EAP Identity response contains the value "host/hostname.domain" (with username and password authentication it contains "domain/user").
In the Windows server capture:
- not a single RADIUS message is received from the switch!!
This doesn't happen with username and password authentication: the server receives the full RADIUS sequence from the switch.
It seems that the switch is rejecting or discarding the EAP Identity response message when it contains a hostname instead of a domain\username.
I am pretty sure about this, because in one case the switch triggers the RADIUS communication with the server and in the other case it simply doesn't do anything.
Also, not a single related log entry is generated on the switch.
Is it possible that this switch only supports 802.1X PEAP when the authentication is done by means of username and password, discarding other types of identities?
Is there any way to further debug this?
This is very important for us; thanks in advance.
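As an added illustration (not part of the original post or of any TP-Link or Microsoft code), here is a small Python decoder for the kind of EAPOL/EAP frames described above. It parses the Ethernet + EAPOL + EAP headers, extracts the identity string from an EAP Response/Identity, classifies it using the Windows conventions quoted in the post (host/<fqdn> for machine authentication, DOMAIN\user or user@domain for user authentication), and summarises a captured exchange as a sequence of EAP codes. The authenticator normally copies this outer identity into the RADIUS User-Name attribute of its Access-Request (RFC 3579), so the identity format is the natural thing to compare between the working and failing captures. All frames are constructed inside the script; the MAC addresses and the hostname ws01.corp.example are made up.

```python
"""Decode 802.1X EAPOL frames carrying EAP and classify the supplicant identity.

Constructed example: every frame below is built in this file, not taken from a capture.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0            # EAPOL packet type carrying an EAP packet
EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_CODE_SUCCESS, EAP_CODE_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_NAMES = {1: "Identity", 25: "PEAP"}

# Constructed addresses: a made-up supplicant MAC and the 802.1X PAE group address.
SUPPLICANT_MAC = bytes.fromhex("001122334455")
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]      # None for Success/Failure, which carry no type octet
    identity: Optional[str]      # set only for Identity packets


def build_eapol_eap_frame(code: int, identifier: int, eap_type: Optional[int] = None,
                          data: bytes = b"", src: bytes = SUPPLICANT_MAC,
                          dst: bytes = PAE_GROUP_MAC) -> bytes:
    """Build Ethernet + EAPOL (version 2) + EAP; used here only to construct sample input."""
    body = bytes([eap_type]) + data if eap_type is not None else b""
    eap = struct.pack("!BBH", code, identifier, 4 + len(body)) + body
    eapol = struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eapol_frame(frame: bytes) -> Optional[EapPacket]:
    """Return the EAP packet inside an EAPOL frame, or None if it is not one / is malformed."""
    if len(frame) < 14 + 4 + 4:                       # Ethernet + EAPOL header + minimal EAP header
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        return None
    eap = frame[18:18 + eapol_len]
    if len(eap) < 4:
        return None
    code, identifier, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len < 4 or eap_len > len(eap):               # length field must fit the data we have
        return None
    eap = eap[:eap_len]
    if code in (EAP_CODE_SUCCESS, EAP_CODE_FAILURE):    # no type octet in these codes
        return EapPacket(code, identifier, None, None)
    if len(eap) < 5:
        return None
    eap_type = eap[4]
    identity = None
    if eap_type == EAP_TYPE_IDENTITY:
        identity = eap[5:].decode("utf-8", errors="replace")   # RFC 3748: identity is UTF-8
    return EapPacket(code, identifier, eap_type, identity)


def classify_identity(identity: str) -> str:
    """Classify an outer EAP identity by the Windows supplicant conventions quoted in the post."""
    if identity.lower().startswith("host/"):            # machine (computer account) authentication
        return "machine"
    if "\\" in identity or "/" in identity or "@" in identity:   # DOMAIN\user, domain/user, UPN
        return "user"
    return "unknown"


def summarize_exchange(frames: List[bytes]) -> List[str]:
    """Render a list of EAPOL frames as 'Code/Type' strings, annotating Response/Identity."""
    out = []
    for frame in frames:
        pkt = parse_eapol_frame(frame)
        if pkt is None:
            continue
        label = EAP_CODE_NAMES.get(pkt.code, f"code{pkt.code}")
        if pkt.eap_type is not None:
            label += "/" + EAP_TYPE_NAMES.get(pkt.eap_type, f"type{pkt.eap_type}")
        if pkt.code == EAP_CODE_RESPONSE and pkt.identity is not None:
            label += f" ({classify_identity(pkt.identity)}: {pkt.identity})"
        out.append(label)
    return out


def sample_exchange() -> List[bytes]:
    """Constructed frames mirroring the sequence seen on the client: Request, Response, Failure."""
    return [
        build_eapol_eap_frame(EAP_CODE_REQUEST, 1, EAP_TYPE_IDENTITY, src=PAE_GROUP_MAC, dst=SUPPLICANT_MAC),
        build_eapol_eap_frame(EAP_CODE_RESPONSE, 1, EAP_TYPE_IDENTITY, b"host/ws01.corp.example"),
        build_eapol_eap_frame(EAP_CODE_FAILURE, 2, src=PAE_GROUP_MAC, dst=SUPPLICANT_MAC),
    ]


if __name__ == "__main__":
    for line in summarize_exchange(sample_exchange()):
        print(line)
```

Pointing the same parser at real frames exported from Wireshark (raw bytes of the EAPOL packets) lets one check, without opening each packet by hand, which identity string the supplicant actually sent in each attempt and whether the authenticator replied with an EAP method Request or went straight to Failure.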