
I am trying to set up wired 802.1X using 2 Ubuntu Docker containers. First I tested running FreeRADIUS on both client and server, and when running radtest from the client it can connect to the server.

So the next step was trying to use wpa_supplicant on the client, so it could auto-connect at boot.

I set up wpa_supplicant.conf as follows:

ap_scan=0                  # no scanning: wired driver, no AP to find
network={
    key_mgmt=IEEE8021X     # plain 802.1X port authentication, no WPA key handshake
    identity="testing"
    password="password"
    eap=MD5                # EAP-MD5 challenge/response
}

Then I ran wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -dd -D wired -i eth0, and it failed to authenticate.

Any ideas what I am missing? Full log output from wpa_supplicant:

root@dbc91b2fe9a2:/# wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -D wired -i eth0 -dd
wpa_supplicant v2.10
random: getrandom() support available
Successfully initialized wpa_supplicant
Initializing interface 'eth0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' -> '/etc/wpa_supplicant/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'
ctrl_interface='DIR=/var/run/wpa_supplicant'
ctrl_interface_group='0'
eapol_version=2
ap_scan=0
Line: 5 - start of a new network block
key_mgmt: 0x8
eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=7):
     74 65 73 74 69 6e 67                              testing
password - hexdump_ascii(len=8): [REMOVED]
phase1 - hexdump_ascii(len=11):
     70 65 61 70 6c 61 62 65 6c 3d 30                  peaplabel=0
phase2 - hexdump_ascii(len=13):
     61 75 74 68 3d 4d 53 43 48 41 50 56 32            auth=MSCHAPV2
Priority group 0
   id=0 ssid=''
driver_wired_init_common: Added multicast membership with packet socket
Add interface eth0 to a new radio N/A
eth0: Own MAC address: 02:42:ac:11:00:03
eth0: RSN: flushing PMKID list in the driver
eth0: Setting scan request: 0.100000 sec
TDLS: TDLS operation not supported by driver
TDLS: Driver uses internal link setup
TDLS: Driver does not support TDLS channel switching
eth0: WPS: UUID based on MAC address: 1fc2d2de-9aaf-5abb-9c4f-ed1cd0c3e2f4
ENGINE: Loading builtin engines
ENGINE: Loading builtin engines
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
MBO: Update non-preferred channels, non_pref_chan=N/A
eth0: Added interface eth0
eth0: State: DISCONNECTED -> DISCONNECTED
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
eth0: Already associated with a configured network - generating associated event
eth0: Event ASSOC (0) received
eth0: Association info event
eth0: State: DISCONNECTED -> ASSOCIATED
eth0: Associated to a new BSS: BSSID=01:80:c2:00:00:03
eth0: Select network based on association information
eth0: Network configuration found for the current AP
eth0: WPA: clearing AP WPA IE
eth0: WPA: clearing AP RSN IE
eth0: WPA: clearing AP RSNXE
eth0: WPA: clearing own WPA/RSN IE
eth0: RSN: clearing own RSNXE
eth0: Failed to get scan results
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
eth0: Associated with 01:80:c2:00:00:03
eth0: WPA: Association event - clear replay counter
eth0: WPA: Clear old PTK
TDLS: Remove peers on association
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
eth0: Cancelling scan request
eth0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 02 01 00 00
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 02 01 00 00
EAPOL: idleWhile --> 0
EAP: EAP entering state FAILURE
eth0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: Supplicant port status: Unauthorized
EAPOL: SUPP_BE entering state IDLE
EAPOL authentication completed - result=FAILURE
EAPOL: startWhen --> 0
EAPOL: heldWhile --> 0
EAPOL: disable timer tick
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: enable timer tick
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 02 01 00 00
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state IDLE
EAPOL authentication completed - result=FAILURE
^Ceth0: Removing interface eth0
eth0: Request to deauthenticate - bssid=01:80:c2:00:00:03 pending_bssid=00:00:00:00:00:00 reason=3 (DEAUTH_LEAVING) state=ASSOCIATED
TDLS: Tear down peers
eth0: Event DEAUTH (11) received
eth0: Deauthentication notification
eth0:  * reason 3 (DEAUTH_LEAVING) locally_generated=1
Deauthentication frame IE(s) - hexdump(len=0): [NULL]
eth0: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
eth0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="" auth_failures=1 duration=10 reason=AUTH_FAILED
eth0: Auto connect disabled: do not try to re-connect
eth0: Ignore connection failure indication since interface has been put into disconnected state
TDLS: Remove peers on disassociation
eth0: WPA: Clear old PMK and PTK
eth0: Disconnect event - remove keys
eth0: State: ASSOCIATED -> DISCONNECTED
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
eth0: State: DISCONNECTED -> DISCONNECTED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
QM: Clear all active DSCP policies
eth0: CTRL-EVENT-DSCP-POLICY clear_all
eth0: WPA: Clear old PMK and PTK
eth0: Cancelling scan request
eth0: Cancelling authentication timeout
Off-channel: Clear pending Action frame TX (pending_action_tx=(nil)
HS20: Delete all stored icons
Off-channel: Action frame sequence done notification: pending_action_tx=(nil) drv_offchan_tx=0 action_tx_wait_time=0 off_channel_freq=0 roc_waiting_drv_freq=0
QM: Clear all active DSCP policies
eth0: CTRL-EVENT-DSCP-POLICY clear_all
Remove interface eth0 from radio
Remove radio
eth0: CTRL-EVENT-TERMINATING

1 Answer


It looks like you are missing a component. FreeRADIUS does RADIUS, not EAPoL. To do EAPoL you need hostapd, which is the other part of the wpa_supplicant package.

In your original test you seemingly had

[client running radtest] (RADIUS) -> (RADIUS) [server running FreeRADIUS]

radtest just sends RADIUS requests, which FreeRADIUS will respond to.

You then replaced radtest with wpa_supplicant. This sends EAPoL packets, which FreeRADIUS cannot understand. So you have the following, which does not work:

[client running wpa_supplicant] (EAPoL) -> (RADIUS) [server running FreeRADIUS]

What you need is hostapd to take the EAPoL request and turn it into a RADIUS request. (The RADIUS server can be the same or a different server to hostapd.)

This would look more like

[client wpa_supplicant] (EAPoL) -> (EAPoL) [server running hostapd] (RADIUS) -> (RADIUS) (server running FreeRADIUS)

but both hostapd and FreeRADIUS can happily co-exist on the same server.

Once hostapd is configured to point to FreeRADIUS you should start to see debug output in FreeRADIUS (e.g. radiusd -X) and then you can diagnose any further issues from there on.

Note that the EAP request is sent over the LAN (EAPoL), and is then packaged up by hostapd into RADIUS attributes (EAP-Message) and sent through to the RADIUS server. So while EAPoL is used in the first half and RADIUS is used in the second, the actual EAP data makes its way through from the client to the RADIUS server, over the two different transports.

Matthew Newton
  • Ah, that explains it! Still getting the same output even with hostapd running. Wondering how wpa_supplicant figures out the IP of the hostapd server? Does the client need to have the IP of the hostapd server as the gateway? – Tobias Nilsson Dec 09 '22 at 09:47
  • IP addresses are not used - wpa_supplicant sends EAPoL frames, not IP frames. You can definitely do this between full VMs (e.g. I have successfully used 802.1X wired auth between a Windows VM and a Linux VM running hostapd on the same laptop). Whether it will work between containers probably comes down to how Docker sets up networking. I have my doubts. I recommend testing with real VMs first and once that's working try it in containers. – Matthew Newton Dec 09 '22 at 10:04
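The two-hop path the answer describes, one EAP packet carried first inside EAPOL on the LAN (supplicant to hostapd) and then inside RADIUS EAP-Message attributes (hostapd to FreeRADIUS), as an added worked example. This is not code from the question, the answer, hostapd or FreeRADIUS; it is a standard-library-only model of the framing each side does, and it sends nothing on a socket. The EAPOL-Start bytes (02 01 00 00) and the PAE group address are taken from the question's log and the identity "testing" from the question's config; the RADIUS shared secret, the RADIUS packet identifier and the EAP identifier are assumed values chosen for the example.

```python
"""Carry one EAP packet along the 802.1X chain: EAPOL on the wire, then RADIUS.

Model only: nothing is transmitted. Constants come from IEEE 802.1X, RFC 3748
(EAP), RFC 2865 (RADIUS) and RFC 3579 (EAP over RADIUS, Message-Authenticator).
"""
import hashlib
import hmac
import os
import struct

# 802.1X PAE group address: the EAPOL destination seen in the question's log.
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
EAPOL_EAP_PACKET = 0   # EAPOL packet type whose body is an EAP packet
EAPOL_START = 1        # EAPOL-Start, the "02 01 00 00" frames in the log

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_ETHERNET = 15


def parse_eapol(pdu):
    """Decode an EAPOL PDU (the bytes after the 0x888E Ethernet header)."""
    version, ptype, length = struct.unpack("!BBH", pdu[:4])
    body = pdu[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPOL body")
    return {"version": version, "type": ptype, "body": body}


def build_eapol(ptype, body=b"", version=2):
    """Encode an EAPOL PDU; version 2 matches eapol_version=2 in the log."""
    return struct.pack("!BBH", version, ptype, len(body)) + body


def eap_response_identity(identifier, identity):
    """EAP-Response/Identity: code 2, identifier, total length, type 1, identity."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity),
                       EAP_TYPE_IDENTITY) + identity


def radius_attr(atype, value):
    """One RADIUS attribute TLV; the length octet covers the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_radius_attrs(packet):
    """Return [(type, value), ...] for the attributes after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def eap_to_access_request(eap, user_name, secret, identifier, request_authenticator=None):
    """The authenticator's (hostapd's) job: put the EAP packet it pulled out of
    EAPOL into EAP-Message attributes and sign the request with a
    Message-Authenticator (HMAC-MD5 over the packet with that value zeroed)."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = radius_attr(ATTR_USER_NAME, user_name)
    attrs += radius_attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    for off in range(0, len(eap), 253):   # EAP packets over 253 bytes span attributes
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap[off:off + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    mac = hmac.new(secret, header + request_authenticator + attrs, hashlib.md5).digest()
    return header + request_authenticator + attrs[:-16] + mac


def eap_from_radius(packet):
    """The RADIUS server's job: reassemble the EAP packet from EAP-Message attributes."""
    return b"".join(v for t, v in parse_radius_attrs(packet) if t == ATTR_EAP_MESSAGE)


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """Recompute Message-Authenticator. For server replies the HMAC uses the
    Request Authenticator in place of the packet's own authenticator field."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            auth = packet[4:20] if request_authenticator is None else request_authenticator
            zeroed = packet[:4] + auth + packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


def walk_the_chain(secret=b"testing123"):
    """Run one identity exchange through both hops and report what each side saw."""
    start = parse_eapol(bytes.fromhex("02010000"))          # from the log (constructed input)
    eap = eap_response_identity(1, b"testing")               # EAP id 1 is assumed
    on_wire = build_eapol(EAPOL_EAP_PACKET, eap)             # supplicant -> 01:80:c2:00:00:03
    req = eap_to_access_request(parse_eapol(on_wire)["body"], b"testing", secret, 7)
    return {
        "start_is_eapol_start": start["type"] == EAPOL_START,
        "eap_round_trip_ok": eap_from_radius(req) == eap,
        "message_authenticator_ok": verify_message_authenticator(req, secret),
        "wrong_secret_rejected": not verify_message_authenticator(req, b"wrong"),
    }


if __name__ == "__main__":
    print(walk_the_chain())
```

The model shows why the question's setup stalled: the EAPOL-Start frames go to the PAE group MAC, not to any IP address, and only an authenticator on that link (hostapd with driver=wired and ieee8021x=1, its auth_server_addr, auth_server_port and auth_server_shared_secret pointing at FreeRADIUS and matching the secret in FreeRADIUS's clients.conf) turns them into the RADIUS traffic that radiusd -X can show. Two practical points follow from the framing: the shared secret is what a RADIUS server uses to reject forged Access-Requests via Message-Authenticator, so it belongs in the authenticator, not the supplicant; and EAP-MD5, as in the question's config, authenticates only the client and derives no keys, which makes it a lab method rather than something to deploy.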