802.1x with machine authentication: switch doesn't initiate RADIUS comm with NPS server

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2020-02-26 21:20:05
Hardware Version: V3

We have a TP-Link tg2600 t56s managed switch. It is configured as the 802.1x authenticator for wired connections. A Windows Server 2016 DC with the NPS service installed acts as the RADIUS server.

We configured PEAP policies in NPS with user authentication by MS-CHAPv2 (username + password), and this works fine.

However, we tried PEAP with workstation-only authentication using certificates and it didn't work. We followed the official Microsoft guides and the configuration seems right, but we observed the following.
The Windows server didn't show any sign of receiving the RADIUS messages from the switch. Not a single log entry was generated (with user authentication this log does exist).

So, with Wireshark on the client workstation and on the Windows server, we captured the EAP and RADIUS traffic:

On the client workstation:
- the client receives EAP Identity Requests from the switch and sends an EAP Identity Response to the switch.
- after 3 seconds, the switch sends an EAP Failure to the client.
- the client's EAP Identity Response message contains in the identity field the value "host/hostname.domain" (with username and password authentication it contains "domain/user").

In the Windows server capture:
- not a single RADIUS message is received from the switch!!

This doesn't happen with username and password authentication: the server receives the full RADIUS sequence from the switch.

It seems that the switch is rejecting or discarding the EAP Identity Response message when it contains a hostname instead of a domain\username.
I am pretty sure about this, because in one case the switch triggers the RADIUS communication with the server and in the other case it simply doesn't do anything.

Also, not a single related log entry is generated on the switch.

Is it possible that this switch only supports 802.1x PEAP when the authentication is done by means of username and password, discarding other types of identities?

Is there any way to further debug this?

This is very important for us, thanks in advance.

Re:802.1x with machine authentication: switch doesn't initiate RADIUS comm with NPS server
2020-02-27 03:11:17

@josepc 

 

What 802.1x client did you use? If you were using a Windows PC, you can try downloading the TP-Link 802.1x client software. https://static.tp-link.com/res/down/soft/TP-LINK_802.1X_Client_Software_V3.zip

 

If you were using Linux or macOS, you need to disable Handshake in the 802.1x settings of the TP-Link switch.

 

If you check the packets, the client should send an EAPOL packet, then the switch will respond. You may also need to increase the Supplicant Timeout value to extend the certification time.

Re:802.1x with machine authentication: switch doesn't initiate RADIUS comm with NPS server
2020-02-27 10:38:03

@Andone thanks for your help. We tried the TP-Link client without success.

 

Please let me show you our configuration and results to give a better understanding of the problem (sorry, the captures are in Spanish!).

 

This is our RADIUS config on the TP-Link switch:

 

We use a Windows 10 client for 802.1x authentication, configured to authenticate the workstation with certificates, as follows:

 

 

Wireshark traffic capture on the client workstation with this configuration, showing the content of the Response Identity message:

 

 

 

As you can see, the second phase (negotiation) is never initiated.

Wireshark capture of traffic on the NPS server (no messages are exchanged between the TP-Link and the server):

 

 

HOWEVER, if we use user authentication on the client and NPS server (MS-CHAPv2 with username + password), everything works fine:

 

 

And the traffic capture on the Windows server:

 

 

MY GUESS: the switch rejects or discards the Identity Response message when it contains "host/hostname" instead of "domain\username"; I don't know why or how.

Certificates don't even come into play here, because we never get past the Response Identity. The switch never communicates with the NPS server in this configuration.

 

I also tried workstation authentication with password instead of certificate. Same result. 

 

Thank you in advance!

Re:802.1x with machine authentication: switch doesn't initiate RADIUS comm with NPS server
2020-02-28 02:23:50

@josepc 

 

I am not familiar with using a hostname as the identity, but the switch should forward the information whatever identity is used.

 

If you don't mind, could you tell me how the PC is authorized through the hostname? Generally we add a username and password on the RADIUS server. For a hostname, does it need a password? Or does it need to be authorized by certificate?

 

 

Re:802.1x with machine authentication: switch doesn't initiate RADIUS comm with NPS server
2020-02-29 16:42:22

@Andone  thanks again for your reply.

 

In theory, the authentication would be similar to the one that uses username and password.

 

The EAP Response Identity is forwarded by the switch to the NPS server. The NPS looks up the username internally (e.g. in Active Directory) and then continues the authentication flow.

 

In the case of a hostname, the Response Identity containing the qualified hostname should be forwarded to the NPS as well. NPS should look up the computer name (in Active Directory) and then continue the flow, but the authentication from that point would be done using a workstation certificate.

 

The problem is that the switch never forwards that message.

 

I also tried using machine authentication with a password (not sure how; I guess the machine account in AD has an internal password) to see if the switch continues communication with the NPS. There was no success.

 

At this point I am not sure whether the switch doesn't support the hostname in the Response Identity or whether there is some bad configuration in our setup.

 

Thanks!

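The exchange captured in the original post and the flow described in the reply above, as an added example that is not from the thread and not TP-Link or Microsoft code: a Python model of the authenticator's relay step, written from RFC 3748 (EAP) and RFC 3579 (RADIUS support for EAP). It parses the supplicant's EAPOL frame carrying EAP-Response/Identity, then builds the RADIUS Access-Request the switch is expected to send to NPS, with User-Name, NAS-Port-Type, EAP-Message and the mandatory Message-Authenticator (HMAC-MD5 keyed with the shared secret). The sample frames, MAC address, hostnames, domain and shared secret are constructed for the example. Attributes a real NAS also includes (NAS-IP-Address, NAS-Port, Calling-Station-Id and so on) are left out to keep the structure visible. The point it makes is that nothing in this step interprets the identity string: "host/hostname.domain" and "DOMAIN\user" produce the same Access-Request structure, and the string is only examined by the RADIUS server after it arrives.

```python
import hashlib
import hmac
import os
import struct

# IEEE 802.1X / EAP constants (RFC 3748, IEEE 802.1X)
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC address
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET = 0
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# RADIUS constants (RFC 2865, RFC 3579)
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_ETHERNET = 15


def build_eap_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity as the supplicant sends it: code, id, length, type, identity."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def build_eapol_frame(src_mac: bytes, eap: bytes) -> bytes:
    """Wrap an EAP packet in EAPOL (version 1, type EAP-Packet) and an Ethernet header."""
    eapol = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap
    return PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eapol_identity(frame: bytes):
    """Authenticator side: extract (eap_packet, identity) from an EAPOL frame.
    The identity is treated as an opaque string; no format is assumed."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("EAPOL type %d is not EAP-Packet" % ptype)
    body = frame[18:18 + length]
    if len(body) < 5:
        raise ValueError("EAP packet truncated")
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
    if not 5 <= eap_len <= len(body):
        raise ValueError("bad EAP length")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    eap = body[:eap_len]
    return eap, eap[5:].decode("utf-8", errors="replace")


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identity: str, eap: bytes, secret: bytes,
                         pkt_id: int, request_authenticator: bytes) -> bytes:
    """RADIUS Access-Request relaying the EAP packet (RFC 3579 section 2).
    User-Name carries the identity verbatim, EAP-Message carries the EAP packet in
    253-byte chunks, and Message-Authenticator is HMAC-MD5(secret, packet with the
    attribute zeroed). Message-Authenticator is required whenever EAP-Message is present."""
    attrs = _avp(ATTR_USER_NAME, identity.encode("utf-8"))
    attrs += _avp(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    for i in range(0, len(eap), 253):
        attrs += _avp(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, last attribute
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    pkt += request_authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # overwrite the zeroed placeholder


def parse_attrs(pkt: bytes):
    """Walk the attribute list of a RADIUS packet; returns [(type, value), ...]."""
    out, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server side: recompute Message-Authenticator before trusting the EAP payload.
    A wrong shared secret on either end makes this fail (NPS then discards the request)."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False


def relay_identity(frame: bytes, secret: bytes, pkt_id: int):
    """The authenticator's whole job for one Identity Response: (identity, access_request)."""
    eap, identity = parse_eapol_identity(frame)
    return identity, build_access_request(identity, eap, secret, pkt_id, os.urandom(16))


if __name__ == "__main__":
    secret = b"shared-secret-from-nps"  # constructed; the real value is set on switch and NPS
    # Constructed frames, one per identity form seen in the thread's captures.
    for ident in ("host/ws01.example.local", "EXAMPLE\\jdoe"):
        frame = build_eapol_frame(bytes.fromhex("001122334455"),
                                  build_eap_identity_response(1, ident))
        identity, req = relay_identity(frame, secret, pkt_id=7)
        user_name = [v for t, v in parse_attrs(req) if t == ATTR_USER_NAME][0]
        print(identity, len(req), user_name, verify_message_authenticator(req, secret))
```

Running the block prints the same packet layout for both identities; the only bytes that differ are the identity string inside User-Name and EAP-Message and the lengths that follow from it. To compare against a real capture, filter the client-side trace with `eapol` and the server-side trace with `radius` and check for an Access-Request whose User-Name equals the EAP-Response/Identity text; a shared-secret mismatch shows up on the server as a received but discarded request, whereas no request at all means the authenticator never sent one.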
Re:802.1x with machine authentication: switch doesn't initiate RADIUS comm with NPS server
2020-10-03 17:11:38

@josepc great post. Any news about this?

Re:802.1x with machine authentication: switch doesn't initiate RADIUS comm with NPS server
2020-10-05 14:38:12

@morikd 

Hi there!

We tried all the settings but were not successful :(. We had to buy another switch from another manufacturer to get it working. We are still interested in being able to apply these configurations with a TP-Link switch. :)
Greetings!
