Meraki

motorbass

Hi,

I'm currently facing some troubles while trying to set up a Lab between Windows 11 PC (with Credential Guard & TLS 1.3 enabled by default) and a FreeRADIUS server using EAP-TLS.

1) Where Win 11 PC is configured to use EAP-TLS with its machine certificate to authenticate to my Lab SSID. Machine certificate is delivered by GPO (machine cert auto-enroll) with an on prem Windows 3-tiers PKI.

2) Where FreeRADIUS server (v3.2.7-1) based on Debian 12 is configured to allow 10.0.0.0/8 NACs with a passphrase.
```
client test {
ipaddr = 10.0.0.0/8
secret = testing123
}
```

Also, I enabled the current configuration for EAP within mods-available/eap
```
eap {
default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
}
tls-config tls-common {
#private_key_password = whatever
private_key_file = ${certdir}/myfreeradius_server.key
certificate_file = ${certdir}/myfreeradius_server.pem
ca_file = ${cadir}/my_corp_root_ca.pem
ca_path = ${cadir}
tls_min_version = "1.2"
tls_max_version = "1.3"
}
```

3) At the moment, if I try this configuration from another Debian server with eapol cli
```eapol_test -c wpa_supplicant-tls.conf -a 10.230.102.108 -s testing123 ```
where wpa_supplicant-tls.conf contains :
```
ap_scan=0

network={
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="my_ad_account@domain.net"
client_cert="my_user_cert.pem"
private_key="my_user_privkey.key"
# CA certificate to validate the RADIUS server's identity
ca_cert="my_corp_root_ca.pem"
phase1="tls_disable_tlsv1_3=0"
}
```
**=> It works well**, client show SUCCESS status and RADIUS server proceed to the request.

**The pain is :**
When I try to access the test SSID, wifi connection from Win 11 PC loads,loads, and never ends.
Meraki AP say :
`Client made an 802.1X authentication request to the RADIUS server, but it did not respond. auth_mode='wpa2-802.1x' vlan_id='32' radius_proto='ipv4' radius_ip='10.230.102.108' reason='radius_timeout' reassoc='1' radio='0' vap='10' channel='1' rssi='40'`

FreeRadius receives that kind of logs :
```
Waking up in 4.7 seconds.
(5) Received Access-Request Id 5 from 10.6.4.165:50147 to 10.230.102.108:1812 length 413
(5) User-Name = "host/my_PC.my-domain.net"
(5) NAS-IP-Address = 10.6.4.165
(5) NAS-Identifier = "E0-CB-BC-8B-65-ED:vap10"
(5) NAS-Port-Type = Wireless-802.11
(5) Service-Type = Framed-User
(5) NAS-Port = 1
(5) Calling-Station-Id = "F4-D1-08-87-72-56"
(5) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 38 / Channel: 1"
(5) Acct-Session-Id = "479273B6606E05AE"
(5) Acct-Multi-Session-Id = "BA3341F3610DFCF9"
(5) WLAN-Pairwise-Cipher = 1027076
(5) WLAN-Group-Cipher = 1027076
(5) WLAN-AKM-Suite = 1027073
(5) Meraki-Network-Name = "APW-Wifi- - wireless"
(5) Meraki-Ap-Name = "MyWifiAP"
(5) Meraki-Ap-Tags = " recently-added "
(5) Called-Station-Id = "E0-CB-BC-8B-65-ED:00-Test-W11"
(5) Meraki-Device-Name = "MyWifiAP"
(5) Framed-MTU = 1400
(5) EAP-Message = 0x021b00060d00
(5) State = 0x943a85b2902188fe8217870d8617c1ba
(5) Message-Authenticator = 0x63c15f58f21aa1566869606e3b3b7609
(5) Restoring &session-state
(5) &session-state:Framed-MTU = 994
(5) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify"
(5) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished"
(5) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "host/my_PC.my-domain.net", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 27 length 6
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) authenticate {
(5) eap: Removing EAP session with state 0x943a85b2902188fe
(5) eap: Previous EAP request found for state 0x943a85b2902188fe, released from the list
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: (TLS) Peer ACKed our handshake fragment
(5) eap: Sending EAP Request (code 1) ID 28 length 857
(5) eap: EAP session adding &reply:State = 0x943a85b2912688fe
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) session-state: Saving cached attributes
(5) Framed-MTU = 994
(5) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify"
(5) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished"
(5) Sent Access-Challenge Id 5 from 10.230.102.108:1812 to 10.6.4.165:50147 length 921
(5) EAP-Message = 0x011c03590d80000012c7f6cbc153327171b2bc76c1934410b97b378c7eae3013184e9818477a0023577d5b678d502568f0b09628dbd76f62fecf4371422aaa1538c9da69ac89b654746eac2c9f6ed32ad40d84ee1574974b0ef24eb77fb357fc4033f32c14c4a0ba5ff1703b1bb950bcfb58cb5999a9b58ad84acea5472e349b4d7da305c7f1340da2c48c075b78837cd46a00e0c775fd4367b4c5074bed51e00ad9de13b607b679da5c5319129ce28ef91a2ac3c2ffaca88ddea2b8c6e969d1e804db5257c7a801ac6402f6480f4e554e4dc00cd52b08341bd3e9bfa69d0c74fc24e20daeb8a8fed4f2084fe4786915c317030302196928863add7ee4ea6274589fd4f86b88e9a0a3c6361300c86330893c81ac7176a8c00d601e988ff7782ef6a94021e7da2105a2168eb1939064bbe10bbf90c5dfe7e8ca4e99905b38ea8befb911fc3ea7f86b3dfb12ad311e11334edfa51564d697962deb990430f8b9c16580074080727774b679663bb376b839bd8b99ab529406
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x943a85b2912688fe8217870d8617c1ba
(5) Finished request
Waking up in 4.7 seconds.
(0) Cleaning up request packet ID 0 with timestamp +69 due to cleanup_delay was reached
(1) Cleaning up request packet ID 1 with timestamp +69 due to cleanup_delay was reached
(2) Cleaning up request packet ID 2 with timestamp +69 due to cleanup_delay was reached
(3) Cleaning up request packet ID 3 with timestamp +69 due to cleanup_delay was reached
(4) Cleaning up request packet ID 4 with timestamp +69 due to cleanup_delay was reached
(5) Cleaning up request packet ID 5 with timestamp +69 due to cleanup_delay was reached
Ready to process requests

```

From a Wireshark flows perspective, it seems Meraki AP sends Access-Request to FreeRadius, which never answers.

My questions are :
1) Do we agree that such a configuration on FreeRADIUS should verify machine (or eventually user) certificate thanks to the configured root CA ? and so, every machine or user that has a certificate provided by the PKI should be authorized to access network ?

2) How can I investigate more to know if it's a freeRADIUS misconfiguration ?

I'm kind of stuck at the moment..

(Here's my original post with pictures and better log format => https://serverfault.com/questions/1174336/meraki-ap-to-freeradius-stuck-on-access-request )

RWelch

Sharing this in case it might help.

Freeradius: Configure freeradius to work with EAP-TLS authentication
Freeradius: Adding a gateway AP as a RADIUS client

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

motorbass

Hi

I forgot to mention that I used this KB to configure FreeRADIUS to be compliant with Meraki AP 🙂

RWelch

Another option might be to glance at the RADIUS Issue Resolution Guide, if this isn't helpful you might consider submitting a support ticket with Meraki Support.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

motorbass

Thanks, at the moment I already open a case this morning in parallel of this thread as sometimes we may have some good advices from community 🙂

Meraki

Community

Meraki AP to FreeRADIUS stuck on Access-Request

Meraki AP to FreeRADIUS stuck on Access-Request