Cannot authenticate using 802.1x EAP-TLS on Wired Ethernet
Issue description
Chrome Version: 53.0.2785.154
Chrome OS Platform: 8530.96.0 stable-channel-samus
Network info: EAP-TLS
Supplicant = Chromebook
Authenticator = Cisco 3560 Switch
Authentication Server = Windows 2012 Server/NPS

Description: The Chrome device is configured in kiosk mode. It uses a system-wide user certificate that can connect to 802.1X Wireless while in kiosk mode ok. It cannot connect via wired ethernet via 802.1X.

Steps To Reproduce:
(1) Admin Console
- Configure Device policy for Ethernet
- Authentication Type (802.1X)
- Extensible Authentication Protocol = EAPTLS
- Server Certificate Authority = Do not check
- Apply to Devices
- Configure Chrome Sign Builder as a kiosk app, and to NOT auto launch.
(2) Chromebook
- Launch kiosk app and interrupt using CTRL+ALT+N to verify 802.1x on Wireless first
- Manually configure EAP-TLS on Wireless and connect.
- Disable WiFi now that we can verify that the certificate is usable in kiosk and can connect to WiFi 802.1x
- Plug in Ethernet
- Restart
- Launch kiosk app and interrupt using CTRL+ALT+N and see that the Chromebook cannot authenticate via 802.1x on the WIRED ETHERNET in kiosk mode.

Note: In Kiosk mode, 802.1X cannot be configured manually like we can with Wireless. It is expected that 802.1x Ethernet configuration is applied via Device policy configured in 1 above.

Expected Result: Chromebook starts EAP TLS session and authenticates via certificate on the wired eth0 port.

Actual Result: Chromebook does start session initiation for 802.1x

See this as reference http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp386828
Oct 19 2016
Oct 19 2016
Drive share with logs https://drive.google.com/drive/folders/0B-094aXvU4bsRi1RMEZyQ1pDeW8?usp=sharing

It looks like the 802.1X Device policy is not applying. See the log entries in net.log:

2016-10-19T14:00:37.668681-07:00 INFO shill[2968]: [INFO:ethernet.cc(415)] EAP Service lacks 802.1X credentials; not doing EAP authentication.
2016-10-19T14:00:41.463305-07:00 INFO dhcpcd[23184]: eth0: sending REQUEST (xid 0x45e3fec4), next in 8.7 seconds
2016-10-19T14:00:42.268433-07:00 ERR dhcpcd[23184]: eth0: DHCP lease expired
2016-10-19T14:00:42.272645-07:00 INFO dhcpcd[23184]: status changed to Release
2016-10-19T14:00:42.273217-07:00 INFO dhcpcd[23184]: status changed to Discover
2016-10-19T14:00:42.273248-07:00 INFO dhcpcd[23184]: eth0: soliciting a DHCP lease
2016-10-19T14:00:42.273264-07:00 INFO dhcpcd[23184]: eth0: sending DISCOVER (xid 0x3c8e641c), next in 3.2 seconds

How can we troubleshoot this for kiosk mode? Is there a way to manually configure/troubleshoot the supplicant in the DEV console in kiosk with ctrl-alt-F2?

Note: We have a customer who is trying to deploy many Chromebases Kiosk and provide connectivity via Ethernet 802.1x. Customer confirms they can apply device network policy for Ethernet/802.1x and can connect when they sign-in a user. It does not work in Public Session or Kiosk mode.
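A small triage script for the net.log pattern quoted in the comment above, added here as an example and not part of the original report or of Chrome OS tooling: it flags the shill message saying EAP was skipped and lists the eth0 DHCP failures that follow it. The function names and the 30-second correlation window are assumptions; the sample lines are the ones quoted above.

```python
import re
from datetime import datetime

# net.log lines as quoted in the comment above.
SAMPLE = """\
2016-10-19T14:00:37.668681-07:00 INFO shill[2968]: [INFO:ethernet.cc(415)] EAP Service lacks 802.1X credentials; not doing EAP authentication.
2016-10-19T14:00:41.463305-07:00 INFO dhcpcd[23184]: eth0: sending REQUEST (xid 0x45e3fec4), next in 8.7 seconds
2016-10-19T14:00:42.268433-07:00 ERR dhcpcd[23184]: eth0: DHCP lease expired
2016-10-19T14:00:42.272645-07:00 INFO dhcpcd[23184]: status changed to Release
2016-10-19T14:00:42.273217-07:00 INFO dhcpcd[23184]: status changed to Discover
2016-10-19T14:00:42.273248-07:00 INFO dhcpcd[23184]: eth0: soliciting a DHCP lease
2016-10-19T14:00:42.273264-07:00 INFO dhcpcd[23184]: eth0: sending DISCOVER (xid 0x3c8e641c), next in 3.2 seconds
"""

# "<ISO timestamp> <LEVEL> <process>[<pid>]: <message>"
LINE = re.compile(r"^(\S+)\s+(\w+)\s+([\w.-]+)\[(\d+)\]:\s+(.*)$")
NO_CREDS = "lacks 802.1X credentials"
DHCP_FAILURES = ("lease expired", "soliciting a DHCP lease")


def parse(text):
    """Return (timestamp, process, message) for every well-formed line."""
    events = []
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if match:
            ts, _level, proc, _pid, msg = match.groups()
            events.append((datetime.fromisoformat(ts), proc, msg))
    return events


def triage(text, window_s=30):
    """One finding per 'EAP skipped' event, with the DHCP failures after it."""
    events = parse(text)
    findings = []
    for i, (ts, proc, msg) in enumerate(events):
        if proc != "shill" or NO_CREDS not in msg:
            continue
        failures = [later_msg for later_ts, later_proc, later_msg in events[i + 1:]
                    if later_proc == "dhcpcd"
                    and 0 <= (later_ts - ts).total_seconds() <= window_s
                    and any(marker in later_msg for marker in DHCP_FAILURES)]
        findings.append({
            "time": ts.isoformat(),
            "dhcp_failures": failures,
            "verdict": "EAP not attempted: shill had no 802.1X credentials "
                       "for the Ethernet service",
        })
    return findings
```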
Oct 19 2016
Oct 20 2016
I tested this again and it appears that only the USER Network policy works.

TEST1: DEVICE Policy for Network->Ethernet
Result= FAIL
Chrome://policy shows Warning on the device ONC "some settings are not compliant with ONC and will not be applied"
Admin Console
1) Configure only a Network->Ethernet 802.1x/EAP-TLS policy applied to DEVICES.
2) Disable all other Network-> Ethernet policies.
3) Delete previous profile for user1@ Chromebook
4) Sign-in, verify in chrome://policy only the DEVICE ONC has Network->Ethernet 802.1x/EAP-TLS configuration
5) Connect to Wifi or non secure ethernet to install a System/device wide certificate.
6) Disable WiFi, Logout
7) Connect ethernet to port that requires 802.1X, see that it cannot authenticate, and connect at the sign-in screen
8) Log-in
9) Ethernet authentication FAILS
10) Error log on switch/authenticator %AUTHMGR-7-RESULT:Exhausted all authentication methods for client ... Authorization failed for client (9410.3eb8.53b4),

TEST2: User Policy for Network->Ethernet
Result= Success
Admin Console
1) Configure only a Network->Ethernet 802.1x/EAP-TLS policy applied to users.
... same steps 2-8 above ...
9) Ethernet authentication successful
10) Error log on switch/authenticator shows %AUTHMGR-7-RESULT: Authentication successful for client (9410.3eb8.53b4)
Oct 20 2016
Please don't use Infra > Labs for these requests.
Nov 1 2016
Raising the priority to 2 as there is a commitment to test and push EAP-TLS wired security configuration by Dec/Jan.
Nov 7 2016
Can you please provide an update on progress to this bug so I can relay it to my leaders?
Nov 21 2016
Can you please provide an update on progress to this bug so I can relay it to my leaders?
Dec 19 2016
Please provide an update to this so that I can update my teams on when this should be working and be able to test this out.
Dec 19 2016
aluong@ - who is the right owner for this?
Jan 5 2017
Can we please get an update on when this will be worked on?
Jan 5 2017
dskaram@ as FYI
Jan 18 2017
Hello, Please provide an update to this
Jan 23 2017
Jan 23 2017
Jan 23 2017
Jan 24 2017
Hello, Please provide an update with timeline so I can give that information to my leadership.
Mar 7 2017
Comment 1 by pauljensen@chromium.org, Oct 19 2016