@jimdigriz
Last active July 7, 2023 12:45
Notes on Windows 10/11 EAP Tracing

This document describes the process to debug 802.1X on Windows 10 and 11.

It targets the users of RADIUS servers so that they may capture information useful to their RADIUS vendor (i.e. NetworkRADIUS) in resolving interoperability issues with the Microsoft EAP supplicant.

Related Links

Capturing

To capture everything completely, you will also need tcpdump installed on your RADIUS server.

The process is:

  1. Start FreeRADIUS on your RADIUS server by running the following as root:

     rm /tmp/sslkey.log; env SSLKEYLOGFILE=/tmp/sslkey.log radiusd -X | tee /tmp/debug
    
  2. From another terminal on the system running FreeRADIUS, run the following as root:

     tcpdump -n -p port 1812 -i any -U -w - | tee /tmp/dump.pcap | tcpdump -n -v -r -
    
  3. On your Microsoft Windows client, open a Command Prompt as 'Administrator' and run:

     netsh trace start wireless_dbg capture=yes globallevel=0xff maxSize=1000
    
  4. Now attempt to authenticate to your switch or wireless network using Windows

  5. On your client, in the Command Prompt window, run:

     netsh trace stop
    

    N.B. this stopping step can take a long time to complete

  6. Now press Ctrl-C (to quit) in both the FreeRADIUS and tcpdump terminals

  7. Send the following files to your RADIUS vendor (i.e. NetworkRADIUS):

    • From the client:

      • C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.etl
      • C:\Users\Administrator\AppData\Local\Temp\NetTraces\NetTrace.cab
    • From the server:

      • /tmp/debug
      • /tmp/dump.pcap
      • /tmp/sslkey.log

    N.B. these files contain credentials, so only use test and/or temporary accounts
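Before sending dump.pcap off, it is worth checking that the capture actually contains the authentication exchange rather than, say, only traffic on the wrong port. The script below is an added example, not part of the gist: it walks a classic pcap as written by `tcpdump -w -` (Ethernet, SLL and SLL2 link types, the last two being what `-i any` produces), pulls out IPv4/UDP datagrams on port 1812, reassembles the EAP-Message attributes and tallies each RADIUS code together with the EAP code and method type it carries. The `sample_pcap()` capture it builds for a stand-alone run is constructed sample data.

```python
"""Summarise the RADIUS/EAP exchange in dump.pcap (added example, not from the gist).

Assumes a classic pcap as written by "tcpdump -w -" (for pcapng, run
"editcap -F pcap" first) and IPv4/UDP to or from port 1812.
"""
import struct
import sys
from collections import Counter

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 55: "TEAP"}
ATTR_EAP_MESSAGE = 79  # RADIUS attribute carrying EAP (RFC 3579)

# link type -> (link header length, offset of the EtherType field).
# "tcpdump -i any" writes Linux cooked frames: SLL (113) or SLL2 (276).
LINKTYPES = {1: (14, 12), 113: (16, 14), 276: (20, 0)}

def iter_packets(pcap: bytes):
    """Yield (linktype, frame) for every record in a classic pcap file."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield linktype, pcap[off:off + incl_len]
        off += incl_len

def radius_payload(linktype: int, frame: bytes):
    """Return the UDP payload if the frame is IPv4/UDP on port 1812, else None."""
    hdr_len, type_off = LINKTYPES[linktype]
    if frame[type_off:type_off + 2] != b"\x08\x00":
        return None
    ip = frame[hdr_len:]
    if ip[9] != 17:  # not UDP
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return udp[8:ulen] if 1812 in (sport, dport) else None

def describe_radius(payload: bytes) -> str:
    """Name the RADIUS code and, if present, the reassembled EAP code/type."""
    code, ident, length = struct.unpack("!BBH", payload[:4])
    eap, off = b"", 20  # attributes follow the 16-byte authenticator
    while off + 2 <= length:
        atype, alen = payload[off], payload[off + 1]
        if alen < 2:
            break
        if atype == ATTR_EAP_MESSAGE:  # may be split over several attributes
            eap += payload[off + 2:off + alen]
        off += alen
    desc = f"{RADIUS_CODES.get(code, code)} id={ident}"
    if len(eap) >= 4:
        desc += f" EAP-{EAP_CODES.get(eap[0], eap[0])}"
        if eap[0] in (1, 2) and len(eap) >= 5:  # Request/Response carry a type
            desc += f"/{EAP_TYPES.get(eap[4], eap[4])}"
    return desc

def summarise(pcap: bytes) -> Counter:
    """Count RADIUS packets by their (code, EAP code/type) description."""
    counts = Counter()
    for linktype, frame in iter_packets(pcap):
        if linktype not in LINKTYPES:
            raise ValueError(f"unsupported link type {linktype}")
        payload = radius_payload(linktype, frame)
        if payload:
            counts[describe_radius(payload)] += 1
    return counts

def _radius(code: int, ident: int, eap: bytes) -> bytes:
    attrs = bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

def _sll2_frame(radius: bytes, sport: int, dport: int) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(radius), 0) + radius
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])) + udp
    return b"\x08\x00" + bytes(18) + ip  # SLL2: EtherType first, 20-byte header

def sample_pcap() -> bytes:
    """Constructed two-packet capture: an Identity response, then a TEAP start."""
    identity = struct.pack("!BBHB", 2, 1, 9, 1) + b"user"   # EAP-Response/Identity
    teap = struct.pack("!BBHBB", 1, 2, 6, 55, 0x21)         # EAP-Request/TEAP, S bit set
    frames = [_sll2_frame(_radius(1, 7, identity), 49152, 1812),
              _sll2_frame(_radius(11, 7, teap), 1812, 49152)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 276)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    for desc, n in summarise(data).items():
        print(f"{n:4d}  {desc}")
```

Run it as `python3 radius_summary.py /tmp/dump.pcap`; a healthy capture shows Access-Requests carrying EAP-Responses, Access-Challenges carrying EAP-Requests for the method under test, and ends in an Access-Accept or Access-Reject. Nothing in the summary reveals credentials, so it is safe to paste into a ticket even when the files themselves cannot be.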

Analysis

This section can be skipped by the end user but is included for completeness.

Trace (ETL) File

You will need access to a Windows 10 (or 11) system with the Windows Performance Analyzer installed; the easiest way to get it is to install it from the Microsoft App Store.

  1. Copy the ETL file to your Windows system
  2. Open it by double clicking on it
  3. Go to the 'Trace' menu and make sure 'Load Symbols' is checked in the menu
  4. Double click on the 'System Activity' section in the left panel which should then populate the panel on the right with an 'Analysis' tab
  5. Expand the new panel on the right by clicking on the 'maximise' icon in the top right
  6. Depending on the EAP method you are debugging (we will use TEAP as an example), look for Microsoft.Windows.EapTeap in the 'Provider Name' listing
  7. Uncollapse it by clicking on the small arrow to the left of the title
  8. Look through the 'Task Name' column under this section for 'DumpBytes' and uncollapse it too (the arrow is in the 'Process' column). You can now see the contents of various buffers at points throughout the authentication.

There are many other processes and tasks that can be examined in there; it really is best to dig through to familiarise yourself with it, as there is no documentation outside of Microsoft covering this.

ETL-decoding.png

Network Capture (PCAPng) File

You can use any operating system for this, but you need Wireshark installed (at least version 4.0.0, where the EAP decoding has been significantly improved).

Enrich the network capture (dump.pcap) with the TLS keying material (sslkey.log) by running editcap (part of Wireshark):

editcap --inject-secrets tls,sslkey.log dump.pcap dump.pcapng

Now open the resulting packet capture (dump.pcapng) as you normally would; all the TLS sections will be decrypted, letting you see the inner EAP methods in the clear.

RADIUS-decoding.png
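The decryption above only works if sslkey.log actually holds secrets for the sessions in the capture: an empty or truncated file gives a pcapng that still shows ciphertext, which is easy to mistake for a Wireshark problem. The following script is an added example, not part of the gist, for checking the key log before (or when) running editcap. It parses the NSS key log format that SSLKEYLOGFILE produces and Wireshark consumes, groups lines by client random, and reports for each session whether a TLS 1.2 master secret (CLIENT_RANDOM) or the full set of TLS 1.3 handshake and traffic secrets was logged. The `SAMPLE` text is constructed filler, not real keying material.

```python
"""Check sslkey.log before editcap (added example, not from the gist).

Parses the NSS key log format that Wireshark reads via
"editcap --inject-secrets tls,..." and reports, per TLS session, whether
enough secrets were logged to decrypt it.
"""
import sys
from collections import defaultdict

HEX = set("0123456789abcdefABCDEF")
# TLS 1.3 logs one line per secret; all four are needed to follow a full session.
TLS13_NEEDED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}

def parse_keylog(text: str):
    """Return ({client_random: {labels}}, [malformed line numbers]).

    Each line is "<LABEL> <client_random: 64 hex> <secret: hex>"; '#' comments
    and blank lines are skipped.
    """
    sessions, errors = defaultdict(set), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if (len(parts) != 3 or len(parts[1]) != 64
                or not set(parts[1]) <= HEX or not set(parts[2]) <= HEX):
            errors.append(lineno)
            continue
        sessions[parts[1].lower()].add(parts[0])
    return dict(sessions), errors

def classify(labels: set) -> str:
    """Say what Wireshark can do with the labels logged for one client random."""
    if "CLIENT_RANDOM" in labels:      # TLS 1.2 and earlier: the master secret
        return "tls12-complete"
    if TLS13_NEEDED <= labels:
        return "tls13-complete"
    if labels & TLS13_NEEDED:          # handshake aborted, or log truncated
        return "tls13-partial"
    return "unusable"

def summarise_keylog(text: str) -> dict:
    """Classify every session in the log and count the decryptable ones."""
    sessions, errors = parse_keylog(text)
    status = {rnd: classify(labels) for rnd, labels in sessions.items()}
    return {
        "sessions": status,
        "decryptable": sum(s.endswith("complete") for s in status.values()),
        "errors": errors,
    }

# Constructed sample; the hex values are fillers, not real keying material.
SAMPLE = """\
# constructed sample
CLIENT_RANDOM {a} {m}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {b} {s}
SERVER_HANDSHAKE_TRAFFIC_SECRET {b} {s}
CLIENT_TRAFFIC_SECRET_0 {b} {s}
SERVER_TRAFFIC_SECRET_0 {b} {s}
EXPORTER_SECRET {b} {s}
SERVER_HANDSHAKE_TRAFFIC_SECRET {c} {s}
CLIENT_RANDOM not-hex {m}
""".format(a="11" * 32, b="22" * 32, c="33" * 32, m="aa" * 48, s="bb" * 32)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    result = summarise_keylog(text)
    if not result["sessions"]:
        print("no secrets logged: the capture cannot be decrypted")
    for rnd, status in result["sessions"].items():
        print(f"{rnd[:16]}...  {status}")
    print(f"{result['decryptable']} decryptable session(s), "
          f"{len(result['errors'])} malformed line(s) at {result['errors']}")
```

Run it as `python3 keylog_check.py /tmp/sslkey.log`. A session reported as tls13-partial usually means the handshake was abandoned by the supplicant before the traffic secrets were derived, which is itself useful information when chasing an interoperability failure; "no secrets logged" means the server never wrote to the file and the capture step needs repeating.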
