
In order to troubleshoot miscommunication between Windows PCs and FreeRadius 3.2.7.1 (see here for the full story), I'm using the eapol_test CLI to validate EAP-TLS against FreeRadius. The certificates used in my context are delivered by an on-prem Windows PKI.

The command used is:

eapol_test -c supplicant.conf -a free-radius-IP -s mysecret

supplicant.conf content is:

ap_scan=0
network={
    eap=TLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="myidentity@mydomain.com"
    client_cert="mypersonnalcert.pem"
    private_key="mypersonnalkey.pem"
    ca_cert="myrootCA.pem"
    phase1="tls_disable_tlsv1_3=0"
}

From the Linux client perspective everything is fine: the challenge is accepted by FreeRadius, which ends in a SUCCESS. Here are the last log lines:

RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): 5c 8e 07 02 b6 94 80 2d 61 00 14 3d 97 10 54 e9 c6 a5 ff 60 f4 5c 9f d3 ef 7d 1b a5 0e 5b 97 44
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 15 ca 41 c6 3a 06 f5 ad 44 a7 e8 9e 10 75 08 20 41 1e 58 33 6b 96 94 37 a6 10 c2 1e 57 38 f6 c1
decapsulated EAP packet (code=3 id=167 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: DISCONNECTED -> COMPLETED
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: result=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): 15 ca 41 c6 3a 06 f5 ad 44 a7 e8 9e 10 75 08 20 41 1e 58 33 6b 96 94 37 a6 10 c2 1e 57 38 f6 c1
No EAP-Key-Name received from server
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS

From the Windows client perspective, using the same command with the same file, there's an Accept-Request / Accept-Challenge loop which unfortunately ends with a FAILURE from the eapol_test client.

According to the last log lines below, it says it could not find the PEM certificate end tag (even though the file has this tag).

...........
TLSv1: Added certificate: C=FR, ST=XXX, L=XXXX, O=XXXX, OU=XX, CN=XXX
TLSv1: Could not find PEM certificate end tag (-----END CERTIFICATE-----)
TLS: Failed to configure client certificate
TLS: Failed to set TLS connection parameters
TLSv1: Selected cipher suite: 0x0000
TLSv1: Record Layer - New write cipher suite 0x0000
TLSv1: Record Layer - New read cipher suite 0x0000
EAP-TLS: Failed to initialize SSL.
EAP-TLS: Requesting private key passphrase
EAPOL: EAP parameter needed
CTRL-REQ-PASSPHRASE-0:Private key passphrase needed for SSID
EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
EAP: Pending PIN/passphrase request - skip Nak
EAP: EAP entering state SEND_RESPONSE
EAP: No eapRespData available
EAP: EAP entering state IDLE
EAPOL: startWhen --> 0
EAPOL test timed out
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
MPPE keys OK: 0  mismatch: 1
FAILURE

I'm having doubts about whether eapol_test works the same on Linux and Windows?
Also, it seems that Windows behaviour with EAP-TLS is quite weird. In my original post, I describe that there's an Access-Request/Access-Challenge loop that almost never ends.
No matter whether I configure an 802.1X wireless OR wired policy, the behaviour is the same.

Any idea or advice on how to make EAP-TLS work with Windows and FreeRADIUS?

motorbass
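As an added check (not from the original post), the script below inspects the PEM files named in supplicant.conf the way the failing log suggests the reader does: it scans for each BEGIN tag and then requires the matching END tag, which is the condition behind "Could not find PEM certificate end tag". It also flags artifacts that commonly appear when PEM files are exported on Windows (UTF-8 BOM, UTF-16 encoding, CRLF line endings). The `TLSv1:` log prefix is emitted by wpa_supplicant's internal TLS library rather than OpenSSL; that the Windows eapol_test build uses this internal library is an assumption, as are the file paths and sample contents.

```python
# Added example: stand-alone PEM sanity check for the files referenced in
# supplicant.conf (client_cert, private_key, ca_cert). Mirrors the tag search
# of wpa_supplicant's internal TLS reader (assumption: the Windows build uses it)
# and reports encoding artifacts. Paths and sample data are constructed.
import base64
import binascii
import re

BEGIN = "-----BEGIN {}-----"
END = "-----END {}-----"


def check_pem(data: bytes, label: str = "CERTIFICATE") -> dict:
    """Return a report for one PEM file's raw bytes (label = tag type)."""
    report = {"bom": data.startswith(b"\xef\xbb\xbf"),
              "utf16": data[:2] in (b"\xff\xfe", b"\xfe\xff"),
              "crlf": b"\r\n" in data,
              "blocks": 0, "bad_base64": 0, "errors": []}
    if report["utf16"]:
        report["errors"].append("file is UTF-16; the reader expects ASCII/UTF-8")
        return report
    text = data.decode("utf-8", errors="replace").lstrip("\ufeff")
    begin, end = BEGIN.format(label), END.format(label)
    pos = 0
    while True:
        pos = text.find(begin, pos)          # next BEGIN tag, like the reader
        if pos < 0:
            break
        pos += len(begin)
        pos2 = text.find(end, pos)           # END tag must follow this BEGIN
        if pos2 < 0:
            report["errors"].append(
                f"Could not find PEM end tag ({end}) for block {report['blocks'] + 1}")
            break
        body = re.sub(r"\s+", "", text[pos:pos2])   # strip newlines in body
        try:
            base64.b64decode(body, validate=True)   # body must be clean base64
        except binascii.Error:
            report["bad_base64"] += 1
        report["blocks"] += 1
        pos = pos2 + len(end)
    if report["blocks"] == 0 and not report["errors"]:
        report["errors"].append(f"no {begin} tag found")
    return report


def check_file(path: str, label: str = "CERTIFICATE") -> dict:
    """Run check_pem on a file from disk, e.g. check_file('myrootCA.pem')."""
    with open(path, "rb") as fh:
        return check_pem(fh.read(), label)
```

Run it with the private key label as well (`check_file("mypersonnalkey.pem", "PRIVATE KEY")` or `"RSA PRIVATE KEY"`, depending on the export format) so that all three files referenced by supplicant.conf are covered.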
