topic Re: Client failed 802.1x/EAP authentication on wlan in ExtremeWireless (WiNG)

Client failed 802.1x/EAP authentication on wlan

Alexandr_P — Thu, 06 Feb 2020 18:58:56 GMT

Hello!

WiNG 5.9

VX9000 + AP7632.

RADIUS in AP’s (Internal Self) with test user.

Smartphone normally connecting.

Lap-top with Win7 - no.

Could you please help - where to look at? How to debug this issue?

[ap7632-6F2CC7] 10:09:38.724: radius:RAD_MSG_AUTHENTICATOR (radius.c:1182)
[ap7632-6F2CC7] 10:09:38.724: radius:rx access-challenge from radius server for 00-13-E8-93-D4-19 (radius.c:3888)
[ap7632-6F2CC7] 10:09:38.724: eap:sending eap-code-request code 1, type 25 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 10:09:38.724: eap:sending eap-req [eap_type:25(peap)] to 00-13-E8-93-D4-19 (eap.c:1001)
[ap7632-6F2CC7] 10:09:38.730: eap:rx eap pkt from 00-13-E8-93-D4-19 (eap.c:720)
[ap7632-6F2CC7] 10:09:38.731: radius:access-req sent to 127.0.0.1:1812 (attempt 1) for 00-13-E8-93-D4-19 (user:Extreme) (radius.c:3054)
[ap7632-6F2CC7] 10:09:38.736: radius:RAD_MSG_AUTHENTICATOR (radius.c:1182)
[ap7632-6F2CC7] 10:09:38.736: radius:rx access-reject for 00-13-E8-93-D4-19 (radius.c:3781)
[ap7632-6F2CC7] 10:09:38.736: eap:sending eap-failure to 00-13-E8-93-D4-19 (eap.c:1009)
[ap7632-6F2CC7] %%%%>10:09:38.736: radius:alarm num_eap_f ++ 1 (radius.c:3859)
[ap7632-6F2CC7] 10:09:38.736: client:clearing cached credentials for 00-13-E8-93-D4-19 (credcache.c:241)
[ap7632-6F2CC7] 10:09:38.739: mgmt:tx deauthentication [reason: authentication rejected by radius server (code:23)] to 00-13-E8-93-D4-19 (mgmt
[ap7632-6F2CC7] 10:09:38.739: client:wireless client 00-13-E8-93-D4-19 changing state from [802.1x/EAP Auth] to [Roaming] (mgmt.c:635)

AP config

!
aaa-policy "Onboard RADIUS"
authentication server 1 onboard self
!
!
wlan Extreme802-1xTest
ssid Extreme802-1xTest
vlan 241
bridging-mode local
encryption-type ccmp
authentication-type eap
use aaa-policy "Onboard RADIUS"
!
!
radius-group 802-1xTestGroup
policy vlan 241
!

!
radius-user-pool-policy Extreme802-1x
user Extreme password 0 Extreme group 802-1xTestGroup
!
radius-user-pool-policy Guest
user Test password 0 Test group Guests
!
radius-server-policy "Onboard RADIUS"
use radius-user-pool-policy Extreme802-1x
use radius-user-pool-policy Guest
authentication eap-auth-type peap-mschapv2 #(also tryed with “All”)
chase-referral
!

Thank you!

Re: Client failed 802.1x/EAP authentication on wlan

Christopher_Fra — Fri, 07 Feb 2020 00:50:45 GMT

I would ensure that the radius policy is ,mapped to the AP (no AP Profile and/or Self config provided). I am assuming that no certificates have been generated.

For Win7 supplicant, you will need to manually configure the profile and ensure under Security/Choose a network authentication method is configure for Microsoft: Protocol EAP (PEAP) and and un-check Validate server certificate. Under Select Authentication Method, ensure Secured password (EAP-MSCHAP-v2) is selected and click on Configure and un-check box (Auto use my Windows logon name and password).

Re: Client failed 802.1x/EAP authentication on wlan

Alexandr_P — Mon, 10 Feb 2020 17:07:42 GMT

Hi!

Christopher, all configuration steps we have made within Win7?

[ap7632-6F2CC7] 09:00:57.12: mgmt:rx auth-req from 00-13-E8-93-D4-19 on radio 1 (mgmt.c:4032)
[ap7632-6F2CC7] 09:00:57.12: mgmt:tx auth-rsp to 00-13-E8-93-D4-19 on radio 1. status: success (mgmt.c:1348)
[ap7632-6F2CC7] 09:00:57.16: mgmt:rx association-req from 00-13-E8-93-D4-19 on radio ap7632-6F2CC7:R2 signal-strength is -52dBm (mgmt.c:4006)
[ap7632-6F2CC7] 09:00:57.16: client:MU 00-13-E8-93-D4-19 panBU enab_cap=00 00 00 00, supp_cap=00 00 00 00 (mgmt.c:3195)
[ap7632-6F2CC7] 09:00:57.16: client:using cached vlan 241 for wireless client 00-13-E8-93-D4-19 (mgmt.c:3442)
[ap7632-6F2CC7] 09:00:57.16: mgmt:Client 00-13-E8-93-D4-19 negotiated WPA2-EAP on wlan (Extreme802-1xTest) (mgmt.c:3534)
[ap7632-6F2CC7] 09:00:57.16: mgmt:tx association-rsp success to 00-13-E8-93-D4-19 on wlan (Extreme802-1xTest) (ssid:Extreme802-1xTest) with ft
[ap7632-6F2CC7] 09:00:57.17: client:no pmkid from client 00-13-E8-93-D4-19 (mgmt.c:1243)
[ap7632-6F2CC7] 09:00:57.17: client:state MU_STATE_DOT1X for client 00-13-E8-93-D4-19 (mgmt.c:1252)
[ap7632-6F2CC7] 09:00:57.17: client:wireless client 00-13-E8-93-D4-19 changing state from [Roaming] to [802.1x/EAP Auth] (mgmt.c:635)
[ap7632-6F2CC7] 09:00:57.17: eap:sending eap-code-request code 1, type 1 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 09:00:57.17: eap:sending eap-id-req to 00-13-E8-93-D4-19 (eap.c:993)
[ap7632-6F2CC7] 09:00:57.17: client:transmitting roam notification for 00-13-E8-93-D4-19 (mgmt.c:349)
[ap7632-6F2CC7] 09:00:57.17: client:os-info in credcache for 00-13-E8-93-D4-19 (OS:Unknown/Browser:Unknown/Type:Unknown) (credcache.c:1221)
[ap7632-6F2CC7] 09:00:57.17: client:user-info in credcache for 00-13-E8-93-D4-19 (loyalty_app:0) (credcache.c:1306)
[ap7632-6F2CC7] 09:00:57.54: eap:rx eap-start from 00-13-E8-93-D4-19 (eap.c:655)
[ap7632-6F2CC7] 09:00:57.54: eap:sending eap-code-request code 1, type 1 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 09:00:57.54: eap:sending eap-id-req to 00-13-E8-93-D4-19 (eap.c:993)
[ap7632-6F2CC7] 09:00:57.64: client:rx deauthentication from 00-13-E8-93-D4-19 on radio 1 (mgmt.c:4043)
[ap7632-6F2CC7] 09:00:57.64: mgmt:rx deauthentication (unspecified error (code:1)) from wireless client 00-13-E8-93-D4-19 on bss DC-B8-08-46-E
[ap7632-6F2CC7] 09:00:57.64: client:wireless client 00-13-E8-93-D4-19 changing state from [802.1x/EAP Auth] to [Roaming] (mgmt.c:635)
[ap7632-6F2CC7] 09:00:57.64: client:starting hold timer for 00-13-E8-93-D4-19 (mgmt.c:703)
[ap7632-6F2CC7] 09:00:57.64: client:update_app_policy_name_to_credcache (credcache.c:1408)
[ap7632-6F2CC7] 09:00:57.64: client:Adding app_policy_name to credcache and sync00-13-E8-93-D4-19 (credcache.c:1409)
[ap7632-6F2CC7] 09:00:57.65: client:Credcache updated with app_policy None, for MU 00-13-E8-93-D4-19 (credcache.c:1423)
[ap7632-6F2CC7] 09:00:57.65: client:cleared packet counters on client 00-13-E8-93-D4-19 (mgmt.c:764)
[ap7632-6F2CC7] 09:00:57.65: client:CHD: chd_stop_mu (chd.c:635)

Any ideas?

Thank you!

Re: Client failed 802.1x/EAP authentication on wlan

Tomasz — Fri, 14 Feb 2020 20:21:41 GMT

Hi Alexandr,

Quick guess - 802.11r enabled and Intel AC-xxxx card within the laptop?

Apparently, it might be helpful sometimes if you click on troubleshooting option in Windows when it pops up ‘unable to connect’. Then it will most probably fail but you can see detailed results and it shows at which point (from supplicant/STA point of view) it failed. It was really helpful to me when troubleshooting IdentiFi network once (and it was 11r case actually, so WPA2 4-way handshake couldn’t finish, I’m not sure if the logs here are relevant but just a guess).

Hope that helps,

Tomasz

Re: Client failed 802.1x/EAP authentication on wlan

Alexandr_P — Fri, 14 Feb 2020 20:58:38 GMT

Hi, Tomasz!

From Client side no specific info “missing keywords
use the search to find solutions to fix”.

It’s enabled “Fast BSS Transition over DS” and disabled “Fast BSS Transition”.
But if I’ll disable 802.11r - it will decrease time of client’s roaming.

Thank you!

Re: Client failed 802.1x/EAP authentication on wlan

Tomasz — Wed, 19 Feb 2020 02:10:19 GMT

Hi Aleksandr,

I see… I’ll be blind guessing right now. The best would be to somehow extract wireless module logs from the client device…

We see that it started authentication on 9:00:57. Within the same second (in about 500ms) it decided to deauth with reason code that tells nothing to the AP (https://www.aboutcher.co.uk/2012/07/linux-wifi-deauthenticated-reason-codes/ ). At the same moment it changes its state from dot1x/EAP to roaming state. Is it possible that the wireless environment provides good and/or changing signal from multiple APs and client’s ‘roaming aggressiveness’ is set to high? I didn’t experience this kind of issue so far but seems to me like the device decided to roam before responding to eap-id-req (thus, before fulfilling the authentication). Same situation gives you “802.1X (Identity)” in Extreme Access Control if I remember well.

Hope that helps,

Tomasz

Re: Client failed 802.1x/EAP authentication on wlan

Alexandr_P — Wed, 19 Feb 2020 15:51:39 GMT

Hi, Tomasz!

About ‘roaming aggressiveness’:

where I can see/configure it?
Interesting that I’m testing this with only 1 AP (second APP was off) and disabled forced 5GHz using. And still appear log messages about roaming. Why so?

[ap7632-6F2CC7] 09:17:46.907: client:wireless client 00-13-E8-93-D4-19 changing state from [Init] to [802.1x/EAP Auth] (mgmt.c:635)
[ap7632-6F2CC7] 09:17:46.907: eap:sending eap-code-request code 1, type 1 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 09:17:46.907: eap:sending eap-id-req to 00-13-E8-93-D4-19 (eap.c:993)
[ap7632-6F2CC7] 09:17:46.907: client:transmitting roam notification for 00-13-E8-93-D4-19 (mgmt.c:349)
[ap7632-6F2CC7] 09:17:46.907: client:os-info in credcache for 00-13-E8-93-D4-19 (OS:Unknown/Browser:Unknown/Type:Unknown) (credcache.c:1221)
[ap7632-6F2CC7] 09:17:46.907: client:user-info in credcache for 00-13-E8-93-D4-19 (loyalty_app:0) (credcache.c:1306)
[ap7632-6F2CC7] 09:17:47.21: eap:rx eap-start from 00-13-E8-93-D4-19 (eap.c:655)

…

[ap7632-6F2CC7] 09:18:02.155: mgmt:tx deauthentication [reason: authentication rejected by radius server (code:23)] to 00-13-E8-93-D4-19 (mgmt
[ap7632-6F2CC7] 09:18:02.156: client:wireless client 00-13-E8-93-D4-19 changing state from [802.1x/EAP Auth] to [Roaming] (mgmt.c:635)
[ap7632-6F2CC7] 09:18:02.156: client:starting hold timer for 00-13-E8-93-D4-19 (mgmt.c:703)

Also within this client issued messages:

[ap7632-6F2CC7] 09:18:02.135: radius:rx access-challenge from radius server for 00-13-E8-93-D4-19 (radius.c:3888)
[ap7632-6F2CC7] 09:18:02.136: eap:sending eap-code-request code 1, type 25 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 09:18:02.136: eap:sending eap-req [eap_type:25(peap)] to 00-13-E8-93-D4-19 (eap.c:1001)
[ap7632-6F2CC7] 09:18:02.140: eap:rx eap pkt from 00-13-E8-93-D4-19 (eap.c:720)
[ap7632-6F2CC7] 09:18:02.141: radius:access-req sent to 127.0.0.1:1812 (attempt 1) for 00-13-E8-93-D4-19 (user:Extreme) (radius.c:3054)
[ap7632-6F2CC7] 09:18:02.142: radius:RAD_MSG_AUTHENTICATOR (radius.c:1182)
[ap7632-6F2CC7] 09:18:02.143: radius:rx access-challenge from radius server for 00-13-E8-93-D4-19 (radius.c:3888)
[ap7632-6F2CC7] 09:18:02.143: eap:sending eap-code-request code 1, type 25 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 09:18:02.143: eap:sending eap-req [eap_type:25(peap)] to 00-13-E8-93-D4-19 (eap.c:1001)
[ap7632-6F2CC7] 09:18:02.148: eap:rx eap pkt from 00-13-E8-93-D4-19 (eap.c:720)
[ap7632-6F2CC7] 09:18:02.149: radius:access-req sent to 127.0.0.1:1812 (attempt 1) for 00-13-E8-93-D4-19 (user:Extreme) (radius.c:3054)
[ap7632-6F2CC7] 09:18:02.153: radius:RAD_MSG_AUTHENTICATOR (radius.c:1182)
[ap7632-6F2CC7] 09:18:02.153: radius:rx access-reject for 00-13-E8-93-D4-19 (radius.c:3781)
[ap7632-6F2CC7] 09:18:02.153: eap:sending eap-failure to 00-13-E8-93-D4-19 (eap.c:1009)
[ap7632-6F2CC7] %%%%>09:18:02.153: radius:alarm num_eap_f ++ 1 (radius.c:3859)
[ap7632-6F2CC7] 09:18:02.153: client:clearing cached credentials for 00-13-E8-93-D4-19 (credcache.c:241)

Thank you!

Re: Client failed 802.1x/EAP authentication on wlan

Tomasz — Wed, 19 Feb 2020 16:27:36 GMT

Hi Alexandr,

Roaming aggressiveness can be found in advanced settings of a WLAN adapter (at least if it’s Intel). Not sure of the second behavior…

In the logs you pasted now we see RADIUS rejects this time:

[ap7632-6F2CC7] 09:18:02.155: mgmt:tx deauthentication [reason: authentication rejected by radius server (code:23)]

and in the second block of logs:

[ap7632-6F2CC7] 09:18:02.153: radius:rx access-reject for 00-13-E8-93-D4-19 (radius.c:3781)

What is the authentication method? Credential-based? Are the credentials provided correctly, are they derived automatically from Windows user login, is the supplicant set for user authentication only?

You can also go to the RADIUS server to check for the reasons of these rejects.

Hope that helps,

Tomasz

Re: Client failed 802.1x/EAP authentication on wlan

Alexandr_P — Wed, 19 Feb 2020 16:33:57 GMT

Internal RADIUS with internal base.

Win10 and Android clients normally connecting.

!
radius-group 802-1xTestGroup
policy vlan 241
!

!
radius-user-pool-policy Extreme802-1x
user Extreme password 0 Extreme group 802-1xTestGroup
!

!
radius-server-policy "Onboard RADIUS"
use radius-user-pool-policy "AAA MAC auth"
use radius-user-pool-policy Extreme802-1x
use radius-user-pool-policy Guest
no ldap-group-verification
!