Hi, I've spent too much time trying to fix this issue and I'm going nowhere... I am trying to make MACHINE auth work on Windows / Cisco WLC and FreeRADIUS. I have no problem with USER auth.
The certificate is fine; I've created it using xpextension. I've also tried a Windows-CA certificate. I've also tried MACHINE auth with IAS and it's working. I've upgraded the WLC to 7.0.0.116; I was at 6.0.199-4 before. Why is it working with USER auth but not MACHINE auth? Could someone give me some direction? Thanks!

Here are some logs:

rad_recv: Access-Request packet from host 10.10.1.1 port 32770, id=58, length=280
    User-Name = "host/MININT-EC23NBT.domain.local"
    Calling-Station-Id = "b4-74-9f-9d-55-fb"
    Called-Station-Id = "00-25-84-23-52-60:SSID--Secure"
    NAS-Port = 1
    Cisco-AVPair = "audit-session-id=0132800a0000005618faa74e"
    NAS-IP-Address = 10.10.1.1
    NAS-Identifier = "Controller-WLC2125"
    Airespace-Wlan-Id = 5
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0202002801686f73742f4d494e494e542d454332334e42542e6373646573696c65732e71632e6361
    Message-Authenticator = 0x5b1e2e25b76f1f348cb1bb62b94b2d43
server peap {
# Executing section authorize from file /etc/raddb/sites-enabled/peap
+- entering group authorize {...}
[suffix] No '@' in User-Name = "host/MININT-EC23NBT.domain.local", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 2 length 40
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/peap
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server peap
Sending Access-Challenge of id 58 to 10.10.1.1 port 32770
    EAP-Message = 0x010300061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd4ade9e4d4aef086c00dbb7516145db0
Finished request 232.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.1.1 port 32770, id=59, length=395
    User-Name = "host/MININT-EC23NBT.domain.local"
    Calling-Station-Id = "b4-74-9f-9d-55-fb"
    Called-Station-Id = "00-25-84-23-52-60:SSID--Secure"
    NAS-Port = 1
    Cisco-AVPair = "audit-session-id=0132800a0000005618faa74e"
    NAS-IP-Address = 10.10.1.1
    NAS-Identifier = "Controller-WLC2125"
    Airespace-Wlan-Id = 5
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0203008919800000007f160301007a0100007603014ea7fa1c69583120e18e33c7779ea4d03e42e8b960079d8f36ab746be5bb345a20512d0000ccfbf8a28c0c5d27fb46eac23b913c638cc133e76aa06671c2dca9bd0018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
    State = 0xd4ade9e4d4aef086c00dbb7516145db0
    Message-Authenticator = 0xde1ff14a20623ba0cc79cb552d264947
server peap {
# Executing section authorize from file /etc/raddb/sites-enabled/peap
+- entering group authorize {...}
[suffix] No '@' in User-Name = "host/MININT-EC23NBT.domain.local", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 3 length 137
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/peap
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 127
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 007a], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 037c], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server peap
Sending Access-Challenge of id 59 to 10.10.1.1 port 32770
    EAP-Message = 0x010403c6190016030100310200002d03014ea7fa24d1353592fe67e3ae98e501bbfbe366dc12f730a1d2ab15d1efcc9f3200002f000005ff01000100160301037c0b0003780003750003723082036e30820256a003020102020106300d06092a864886f70d01010505003075310b3009060355040613024341310b3009060355040813025143310c300a0603550407130345444e310c300a060355040a13034353493123302106092a864886f70d010901161474656368406373646573696c65732e71632e6361311830160603550403130f435349205061636b657466656e6365301e170d3131313032353233333930315a170d313131323234323333
    EAP-Message = ...
    EAP-Message = 0x1178343ddbcf2842aa1b17642bd60d545f3b505d1b1594e2981d472186df3b9132536b8a558f1836dd11039a3337886ab301b49de79ae5597f9958f030671aa3e47cae50f69e8008687492b3a97adc24111269da2585fc488943555520870007669e31550ea255fb9af4394cdae03ceadbffb29f2fafb0d16c47f57174fbaa4986e9749cdecb2fc33fd6886099f1538e670203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038201010053b69c137577d12947a7f63b7617b0ace3133df2048831b206c42751a63d48c1ca0802fa0b3aee3df03a6030848f9ed9d8370a3901bf4498e829
    EAP-Message = 0xba37da6f48fb4f6aec7fee62fe06d36a11c2a13f94f188c1165c2ea8d0865cd5283462ec76c3de3df37967d94d9224425b8ea7921f8033711b4430ef1943ff29db366b7a0e6bdab6ddcdede222e7f3642fb886a3eea1316ed7ede26b8aa1dcdc7b4bcb6fefae97ba9c0eec9750bd45cf29e93be3b58b2534ba203f11b9e9a4b05980c844cebf79044f17f3f08797d9b912de8fc1cec712e42c2c87189817d456bcb3469c0043306504f2d58e779fc810a75d8d5784b54ce4c351188d50cd052b618d28d0461516030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd4ade9e4d5a9f086c00dbb7516145db0
Finished request 233.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.1.1 port 32770, id=60, length=264
    User-Name = "host/MININT-EC23NBT.domain.local"
    Calling-Station-Id = "b4-74-9f-9d-55-fb"
    Called-Station-Id = "00-25-84-23-52-60:SSID--Secure"
    NAS-Port = 1
    Cisco-AVPair = "audit-session-id=0132800a0000005618faa74e"
    NAS-IP-Address = 10.10.1.1
    NAS-Identifier = "Controller-WLC2125"
    Airespace-Wlan-Id = 5
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020400061900
    State = 0xd4ade9e4d5a9f086c00dbb7516145db0
    Message-Authenticator = 0x3f92eaba33074a895121d2885b384802
server peap {
# Executing section authorize from file /etc/raddb/sites-enabled/peap
+- entering group authorize {...}
[suffix] No '@' in User-Name = "host/MININT-EC23NBT.domain.local", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/peap
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server peap
Sending Access-Challenge of id 60 to 10.10.1.1 port 32770
    EAP-Message = 0x010500061900
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd4ade9e4d6a8f086c00dbb7516145db0
Finished request 234.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 232 ID 58 with timestamp +4714
Cleaning up request 233 ID 59 with timestamp +4714
Cleaning up request 234 ID 60 with timestamp +4714
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
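A small triage script for this kind of stalled PEAP exchange, added here as an example and not code from the post or from the FreeRADIUS project. It parses a constructed, abbreviated radiusd -X transcript modelled on the log above (hex payloads dropped), links the "did not finish" warning back to the conversation through the State attribute the last Access-Challenge handed out, and reports where in the inner TLS handshake the supplicant stopped responding. In the log above the server sent Certificate and ServerHelloDone and the supplicant only ever replied with an ACK, which is exactly the pattern the Certificate_Compatibility page is about: the client has looked at the server certificate and declined to continue. Function names, regexes and the sample transcript are my own.

```python
import re

# Constructed sample: an abbreviated radiusd -X transcript modelled on the
# PEAP machine-auth attempt in the post above (hex payloads left out).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.10.1.1 port 32770, id=58, length=280
    User-Name = "host/MININT-EC23NBT.domain.local"
    Calling-Station-Id = "b4-74-9f-9d-55-fb"
[suffix] No '@' in User-Name = "host/MININT-EC23NBT.domain.local", looking up realm NULL
[tls] Initiate
Sending Access-Challenge of id 58 to 10.10.1.1 port 32770
    State = 0xd4ade9e4d4aef086c00dbb7516145db0
rad_recv: Access-Request packet from host 10.10.1.1 port 32770, id=59, length=395
    User-Name = "host/MININT-EC23NBT.domain.local"
    Calling-Station-Id = "b4-74-9f-9d-55-fb"
    State = 0xd4ade9e4d4aef086c00dbb7516145db0
[peap] <<< TLS 1.0 Handshake [length 007a], ClientHello
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] >>> TLS 1.0 Handshake [length 037c], Certificate
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
Sending Access-Challenge of id 59 to 10.10.1.1 port 32770
    State = 0xd4ade9e4d5a9f086c00dbb7516145db0
rad_recv: Access-Request packet from host 10.10.1.1 port 32770, id=60, length=264
    User-Name = "host/MININT-EC23NBT.domain.local"
    Calling-Station-Id = "b4-74-9f-9d-55-fb"
    State = 0xd4ade9e4d5a9f086c00dbb7516145db0
Sending Access-Challenge of id 60 to 10.10.1.1 port 32770
    State = 0xd4ade9e4d6a8f086c00dbb7516145db0
WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish!
"""

RE_REQUEST = re.compile(r"^rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)")
RE_REPLY = re.compile(r"^Sending Access-(Challenge|Accept|Reject) of id (\d+)")
RE_ATTR = re.compile(r'^\s*([A-Za-z][\w-]*) = "?([^"]*)"?\s*$')
RE_TLS = re.compile(r"^\[\w+\] (<<<|>>>) TLS [\d.]+ Handshake \[length [0-9a-f]+\], (\w+)")
RE_UNFINISHED = re.compile(r"EAP session for state (0x[0-9a-f]+) did not finish")


def parse_debug_log(text):
    """Split a radiusd -X transcript into per-request records plus the
    State prefixes the server reported as unfinished EAP sessions."""
    requests, unfinished, cur, phase = {}, [], None, None
    for line in text.splitlines():
        if m := RE_REQUEST.match(line):
            cur = {"id": m.group(1), "attrs": {}, "reply": {}, "tls": []}
            requests[cur["id"]], phase = cur, "request"
        elif m := RE_UNFINISHED.search(line):
            unfinished.append(m.group(1))
        elif cur is None:
            continue
        elif (m := RE_REPLY.match(line)) and m.group(2) == cur["id"]:
            cur["reply"]["code"], phase = m.group(1), "reply"
        elif m := RE_TLS.match(line):
            # "<<<" is a handshake record read from the supplicant, ">>>" one the server sent
            cur["tls"].append(("client" if m.group(1) == "<<<" else "server", m.group(2)))
        elif m := RE_ATTR.match(line):
            (cur["attrs"] if phase == "request" else cur["reply"])[m.group(1)] = m.group(2)
    return requests, unfinished


def diagnose_unfinished(text):
    """Tie each 'did not finish' warning back to its supplicant and say where
    in the inner TLS handshake the conversation stopped."""
    requests, unfinished = parse_debug_log(text)
    findings = []
    for state in unfinished:
        # The warning quotes the first 8 bytes of the State attribute that the
        # conversation's last Access-Challenge handed out.
        last = next((r for r in requests.values()
                     if r["reply"].get("State", "").startswith(state)), None)
        if last is None:
            findings.append({"state": state, "diagnosis": "no matching Access-Challenge"})
            continue
        key = (last["attrs"].get("User-Name"), last["attrs"].get("Calling-Station-Id"))
        convo = sorted((r for r in requests.values()
                        if (r["attrs"].get("User-Name"), r["attrs"].get("Calling-Station-Id")) == key),
                       key=lambda r: int(r["id"]))
        tls = [msg for r in convo for msg in r["tls"]]
        client = [name for who, name in tls if who == "client"]
        server = [name for who, name in tls if who == "server"]
        done = next((i for i, m in enumerate(tls) if m == ("server", "ServerHelloDone")), None)
        if not client:
            diagnosis = "supplicant never sent ClientHello; TLS tunnel was not started"
        elif done is not None and not any(who == "client" for who, _ in tls[done + 1:]):
            diagnosis = ("supplicant went silent after receiving the server certificate; "
                         "it most likely rejected that certificate")
        else:
            diagnosis = "handshake stalled after " + tls[-1][1]
        findings.append({"state": state, "user": key[0], "station": key[1],
                         "last_server_msg": server[-1] if server else None,
                         "client_msgs": client, "diagnosis": diagnosis})
    return findings


if __name__ == "__main__":
    for f in diagnose_unfinished(SAMPLE_LOG):
        print(f"{f.get('user')} ({f.get('station')}): {f['diagnosis']}")
```

On a real capture, read the whole radiusd -X output into a string and hand it to diagnose_unfinished(); the regexes only look at the rad_recv, Sending Access-*, attribute, handshake and WARNING lines, so the extra module output in a full transcript is ignored. Keying the conversation on User-Name plus Calling-Station-Id rather than on State is deliberate: State changes on every round trip, whereas those two attributes stay constant for one supplicant.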