topic RE: client roaming to prefered radio caused radius authentication event which failed in ExtremeWireless (General)

client roaming to prefered radio caused radius authentication event which failed

M_Nees — Thu, 28 Jul 2016 01:14:00 GMT

Currently i have a very strange problem.
We use EAP-TLS 802.1x Authentication for a internal SSID for notebooks. EWC is installed at the headquarter. 2x AP 3705 installed on the affected branch - we use V9.21.07. NAC Gateway 6.2.0.x installed also in the headquarter and is the RADIUS proxy to the NPS on the Windows AD 2008 Server. This working well over the last years.
Now we change the WAN connection of this branch from MPLS to VPN with IPSec. After this change a lot of internal WLAN clients which connected before without problems are rejected from the NAC Gateway. All other branches working well. At wired switches we use only MAC Auth which is also not affected.

Error:
802.1x (identify) - Authentication became stale

After some troubleshooting i realized that if the client roam within the AP to its prefered radio for that roaming event a radius request is triggered. The the first request (to the first radio) is always possitive (accepted) and then the AP internal switch to the prefered radio triggers a RADIUS request which is always rejected - with the above error message.

For a temporary solution i disable radio 1! And then all client can login without problems!

This is very strange.

First question:
Why do an switch from radio 2 to radio 1 trigger a radius event. Can i disable this new login request in the AP / EWC config?
Second Question:
If this request is needed why does it become stale and will be rejected?

Thanks for any advices.
Regards

RE: client roaming to prefered radio caused radius authentication event which failed

Zdeněk_Pala — Thu, 28 Jul 2016 01:22:00 GMT

Hi I would guess the issue is with MTU = check the config for your APs and your VPN If I remember well the MACauthentication on the EWC does have option to configure if you want the reauth to happen or not. Go to the Wlan service => authentication. Regards

RE: client roaming to prefered radio caused radius authentication event which failed

M_Nees — Thu, 28 Jul 2016 01:28:00 GMT

Hi Zdenek,

i check the MTU from headquarter to the AP with a "ping -f -l 1400 IP-of-the-AP" which is working fine with MTU of 1400. Also test with lower MTU which have no possitive effects.

Within the internal SSID is use 802.1x Privacy - no MAC Auth.

i can not understand why an inter AP roaming will trigger a complete new authentication request ? And why is the request will on the second run ? The first run to the first radio is always accepted ?

Regards

RE: client roaming to prefered radio caused radius authentication event which failed

Ronald_Dvorak — Thu, 28 Jul 2016 01:39:00 GMT

I assume radio preference is enabled and that is the reason the client is switching between radio 1&2 - correct ?

I also vote for a MTU problem.

RE: client roaming to prefered radio caused radius authentication event which failed

M_Nees — Thu, 28 Jul 2016 01:53:00 GMT

Yes radio preference on the client is enabled.

But the fact that after disabling radio 1 - to avoid the inter AP roaming the problem is solved speaks against the MTU problem!
I also check the possible MTU size with different "ping -f -l max-packet-size"

Are there any suggestions how to find the root cause ?

RE: client roaming to prefered radio caused radius authentication event which failed

Zdeněk_Pala — Thu, 28 Jul 2016 02:26:00 GMT

I would try to capture (packet capture) the authentication packets to see why the authentication became stale => I expect that some packets are being lost. The question is where = client to ap, or AP to controller, or controller to radius server. (Can be configured as SITE = AP to radius server directly).

RE: client roaming to prefered radio caused radius authentication event which failed

Zdeněk_Pala — Thu, 28 Jul 2016 02:30:00 GMT

If your MTU is 1400, what value you have at your AP?

RE: client roaming to prefered radio caused radius authentication event which failed

M_Nees — Thu, 28 Jul 2016 02:30:00 GMT

Hi Zdenek,

i testet with "ping -f -l 1400". So an MTU of 1400 Bytes are going through the network - so i configured the AP also with MTU = 1400.

Do i something wrong ?

RE: client roaming to prefered radio caused radius authentication event which failed

Zdeněk_Pala — Thu, 28 Jul 2016 02:34:00 GMT

Reagrding the reauthentication, I believe it is part of standard that authentication-association to new BSSID means new encryption keys generation. If your client does support OKC then you can enable it.

RE: client roaming to prefered radio caused radius authentication event which failed

M_Nees — Thu, 28 Jul 2016 02:34:00 GMT

Oppertunistic Keying is enabled already on this WLAN Service.

RE: client roaming to prefered radio caused radius authentication event which failed

Ronald_Dvorak — Thu, 28 Jul 2016 02:35:00 GMT

In my opinon it make sense to see a 2nd 802.1X authentication if radio preference is enabled as the client doesn't roam between the radios - it's a new connection.

I think as a workaround you'd also disable radio preference and enable radio#1 again - I'm pretty sure that will work.
Then enable it only on one AP so you'd troubleshoot the issue with the GTAC.

RE: client roaming to prefered radio caused radius authentication event which failed

M_Nees — Thu, 28 Jul 2016 02:35:00 GMT

Hi Ronald,

we configure prefered radio on the client devices - windows driver settings.

I see this is possible via AP "Load groups", but this is not configured.

Regards

RE: client roaming to prefered radio caused radius authentication event which failed

Frank_Veen — Thu, 28 Jul 2016 11:18:00 GMT

Did you try enabling fast roaming?

Regards

RE: client roaming to prefered radio caused radius authentication event which failed

Gareth_Mitchell — Thu, 28 Jul 2016 13:22:00 GMT

Matthias

Do you have AP secure tunnel and is NAT involved?

-Gareth

RE: client roaming to prefered radio caused radius authentication event which failed

M_Nees — Thu, 28 Jul 2016 13:22:00 GMT

Hi Gareth,

Secure Tunnel is disabled completely. NAT is not involved!
Customers network is divided in Subnets in 10.x.x.x IP Range. HQ and Branch are connected via IP-Sec Tunnel without any kind of NAT.

Regards

RE: client roaming to prefered radio caused radius authentication event which failed

M_Nees — Thu, 28 Jul 2016 15:11:00 GMT

Because we have a downtime based on this issue i open a GTAC Case to solve that - 01232203.

RE: client roaming to prefered radio caused radius authentication event which failed

JK — Thu, 28 Jul 2016 20:01:00 GMT

RE: client roaming to prefered radio caused radius authentication event which failed

M_Nees — Fri, 05 Aug 2016 12:57:00 GMT

Hi Folks,

this problem is still unresolved!!

GTAC tell me this solution:
https://gtacknowledge.extremenetworks.com/articles/Solution/Apple-clients-take-very-long-time-to-get...

i get a wireshark trace of a rejected end-system which emphases this guess:
NPS is not possible to bring the Server certificate to the client! (and then the request is rejected)

The problem of the above solution is that it only works if NPS will accept the RADIUS Request. So clients are still rejected (because of too big MTU). The reduced Framed-MTU will never reaches the problematic clients!

If i debug the RADIUS request on NAC Gateway i see the Framed-MTU value is set to 1400 (Request from EWC).

Can i change this value on the EWC?

My first guess is this is calculated based on the used AP-MTU Size. But after i changed AP MTU to 1300 is see that the Framed-MTU does not changed (1400). So this seems to be fix in the EWC Config. But from my point of view this should be calculated in conjuntion of the set AP MTU!

Regards

RE: client roaming to prefered radio caused radius authentication event which failed

Erik_Auerswald — Fri, 05 Aug 2016 14:48:00 GMT

Hi Matthias,

I do not quite understand the MTU problem. You wrote that you can ping the AP with a 1428B IP packet (1400B ICMP Echo Request data + ICMP header + IP header), and that a Framed-MTU of 1400 is used. That seems to fit.

Additionally you write that authentication works fine with one radio disabled. That suggests that the network is able to transport the certificate.

But then you write that the server certificate cannot be transported to the client.

I would guess that one packet containing part of the certificate is lost on its way from the server (NAC) to the client (AP), ultimately resulting in a reject.

It is interesting that there seems to be reliable packet loss with two back-to-back authentication attempts. As if that crossed some rate limiting threshold.

HTH,
Erik

RE: client roaming to prefered radio caused radius authentication event which failed

M_Nees — Fri, 05 Aug 2016 14:48:00 GMT

Additionally you write that authentication works fine with one radio disabled.
--> i believe that because there was an accept in NAC Manager GUI.
This was a mistake by me.