
Client failed 802.1x/EAP authentication on wlan


Alexandr_P
Valued Contributor

Hello!

 

WiNG 5.9

VX9000 + AP7632.

RADIUS in AP’s (Internal Self) with test user.

Smartphone connects normally.

Laptop with Win7 - no.

Could you please help - where should I look? How can I debug this issue?

 

[ap7632-6F2CC7] 10:09:38.724: radius:RAD_MSG_AUTHENTICATOR (radius.c:1182)
[ap7632-6F2CC7] 10:09:38.724: radius:rx access-challenge from radius server for 00-13-E8-93-D4-19 (radius.c:3888)
[ap7632-6F2CC7] 10:09:38.724: eap:sending eap-code-request code 1, type 25 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 10:09:38.724: eap:sending eap-req [eap_type:25(peap)] to 00-13-E8-93-D4-19 (eap.c:1001)
[ap7632-6F2CC7] 10:09:38.730: eap:rx eap pkt from 00-13-E8-93-D4-19 (eap.c:720)
[ap7632-6F2CC7] 10:09:38.731: radius:access-req sent to 127.0.0.1:1812 (attempt 1) for 00-13-E8-93-D4-19 (user:Extreme) (radius.c:3054)
[ap7632-6F2CC7] 10:09:38.736: radius:RAD_MSG_AUTHENTICATOR (radius.c:1182)
[ap7632-6F2CC7] 10:09:38.736: radius:rx access-reject for 00-13-E8-93-D4-19 (radius.c:3781)
[ap7632-6F2CC7] 10:09:38.736: eap:sending eap-failure to 00-13-E8-93-D4-19 (eap.c:1009)
[ap7632-6F2CC7] %%%%>10:09:38.736: radius:alarm num_eap_f ++ 1 (radius.c:3859)

[ap7632-6F2CC7] 10:09:38.736: client:clearing cached credentials for 00-13-E8-93-D4-19 (credcache.c:241)
[ap7632-6F2CC7] 10:09:38.739: mgmt:tx deauthentication [reason: authentication rejected by radius server (code:23)] to 00-13-E8-93-D4-19 (mgmt
[ap7632-6F2CC7] 10:09:38.739: client:wireless client 00-13-E8-93-D4-19 changing state from [802.1x/EAP Auth] to [Roaming] (mgmt.c:635)

 

AP config

!
aaa-policy "Onboard RADIUS"
 authentication server 1 onboard self
!
!
wlan Extreme802-1xTest
 ssid Extreme802-1xTest
 vlan 241
 bridging-mode local
 encryption-type ccmp
 authentication-type eap
 use aaa-policy "Onboard RADIUS"
!
!
radius-group 802-1xTestGroup
 policy vlan 241
!

!
radius-user-pool-policy Extreme802-1x
 user Extreme password 0 Extreme group 802-1xTestGroup
!
radius-user-pool-policy Guest
 user Test password 0 Test group Guests
!
radius-server-policy "Onboard RADIUS"
 use radius-user-pool-policy Extreme802-1x
 use radius-user-pool-policy Guest
 authentication eap-auth-type peap-mschapv2 #(also tried with "All")
 chase-referral
!

 

Thank you!

8 REPLIES

Alexandr_P
Valued Contributor

Internal RADIUS with internal base.

Win10 and Android clients connect normally.

 

!
aaa-policy "Onboard RADIUS"
 authentication server 1 onboard self
!
!
wlan Extreme802-1xTest
 ssid Extreme802-1xTest
 vlan 241
 bridging-mode local
 encryption-type ccmp
 authentication-type eap
 use aaa-policy "Onboard RADIUS"
 ip arp trust
 ip dhcp trust
!

!
radius-group 802-1xTestGroup
 policy vlan 241
!

!
radius-user-pool-policy Extreme802-1x
 user Extreme password 0 Extreme group 802-1xTestGroup
!

!
radius-server-policy "Onboard RADIUS"
 use radius-user-pool-policy "AAA MAC auth"
 use radius-user-pool-policy Extreme802-1x
 use radius-user-pool-policy Guest
 no ldap-group-verification
!

Tomasz
Valued Contributor II

Hi Alexandr,

 

Roaming aggressiveness can be found in advanced settings of a WLAN adapter (at least if it’s Intel). Not sure of the second behavior…

 

In the logs you pasted now we see RADIUS rejects this time:

[ap7632-6F2CC7] 09:18:02.155: mgmt:tx deauthentication [reason: authentication rejected by radius server (code:23)]

and in the second block of logs:

[ap7632-6F2CC7] 09:18:02.153: radius:rx access-reject for 00-13-E8-93-D4-19 (radius.c:3781)

What is the authentication method? Credential-based? Are the credentials provided correctly, are they derived automatically from Windows user login, is the supplicant set for user authentication only?

You can also go to the RADIUS server to check for the reasons for these rejects.

 

Hope that helps,

Tomasz

Alexandr_P
Valued Contributor

Hi, Tomasz!

 

About ‘roaming aggressiveness’:

  • Where can I see/configure it?
  • Interestingly, I'm testing this with only 1 AP (the second AP was off) and with forced 5 GHz use disabled, and log messages about roaming still appear. Why so?

[ap7632-6F2CC7] 09:17:46.907: client:wireless client 00-13-E8-93-D4-19 changing state from [Init] to [802.1x/EAP Auth] (mgmt.c:635)
[ap7632-6F2CC7] 09:17:46.907: eap:sending eap-code-request code 1, type 1 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 09:17:46.907: eap:sending eap-id-req to 00-13-E8-93-D4-19 (eap.c:993)
[ap7632-6F2CC7] 09:17:46.907: client:transmitting roam notification for 00-13-E8-93-D4-19 (mgmt.c:349)
[ap7632-6F2CC7] 09:17:46.907: client:os-info in credcache for 00-13-E8-93-D4-19 (OS:Unknown/Browser:Unknown/Type:Unknown) (credcache.c:1221)
[ap7632-6F2CC7] 09:17:46.907: client:user-info in credcache for 00-13-E8-93-D4-19 (loyalty_app:0) (credcache.c:1306)
[ap7632-6F2CC7] 09:17:47.21: eap:rx eap-start from 00-13-E8-93-D4-19 (eap.c:655)

[ap7632-6F2CC7] 09:18:02.155: mgmt:tx deauthentication [reason: authentication rejected by radius server (code:23)] to 00-13-E8-93-D4-19 (mgmt
[ap7632-6F2CC7] 09:18:02.156: client:wireless client 00-13-E8-93-D4-19 changing state from [802.1x/EAP Auth] to [Roaming] (mgmt.c:635)
[ap7632-6F2CC7] 09:18:02.156: client:starting hold timer for 00-13-E8-93-D4-19 (mgmt.c:703)

 

Also, for this client these messages were issued:

[ap7632-6F2CC7] 09:18:02.135: radius:rx access-challenge from radius server for 00-13-E8-93-D4-19 (radius.c:3888)
[ap7632-6F2CC7] 09:18:02.136: eap:sending eap-code-request code 1, type 25 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 09:18:02.136: eap:sending eap-req [eap_type:25(peap)] to 00-13-E8-93-D4-19 (eap.c:1001)
[ap7632-6F2CC7] 09:18:02.140: eap:rx eap pkt from 00-13-E8-93-D4-19 (eap.c:720)
[ap7632-6F2CC7] 09:18:02.141: radius:access-req sent to 127.0.0.1:1812 (attempt 1) for 00-13-E8-93-D4-19 (user:Extreme) (radius.c:3054)
[ap7632-6F2CC7] 09:18:02.142: radius:RAD_MSG_AUTHENTICATOR (radius.c:1182)
[ap7632-6F2CC7] 09:18:02.143: radius:rx access-challenge from radius server for 00-13-E8-93-D4-19 (radius.c:3888)
[ap7632-6F2CC7] 09:18:02.143: eap:sending eap-code-request code 1, type 25 to 00-13-E8-93-D4-19 (eap.c:964)
[ap7632-6F2CC7] 09:18:02.143: eap:sending eap-req [eap_type:25(peap)] to 00-13-E8-93-D4-19 (eap.c:1001)
[ap7632-6F2CC7] 09:18:02.148: eap:rx eap pkt from 00-13-E8-93-D4-19 (eap.c:720)
[ap7632-6F2CC7] 09:18:02.149: radius:access-req sent to 127.0.0.1:1812 (attempt 1) for 00-13-E8-93-D4-19 (user:Extreme) (radius.c:3054)
[ap7632-6F2CC7] 09:18:02.153: radius:RAD_MSG_AUTHENTICATOR (radius.c:1182)
[ap7632-6F2CC7] 09:18:02.153: radius:rx access-reject for 00-13-E8-93-D4-19 (radius.c:3781)
[ap7632-6F2CC7] 09:18:02.153: eap:sending eap-failure to 00-13-E8-93-D4-19 (eap.c:1009)
[ap7632-6F2CC7] %%%%>09:18:02.153: radius:alarm num_eap_f ++ 1 (radius.c:3859)

[ap7632-6F2CC7] 09:18:02.153: client:clearing cached credentials for 00-13-E8-93-D4-19 (credcache.c:241)

 

Thank you!
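Added example, not part of any post in this thread: a small Python parser for the WiNG debug lines pasted above that groups the RADIUS/EAP events per client MAC, so the access-reject, the number of challenge rounds before it, and the deauthentication reason code can be read at a glance. The sample input is copied from the logs in the thread; `summarize` and `verdict` are hypothetical names chosen for this example.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the debug output posted in this thread.
SAMPLE = """\
[ap7632-6F2CC7] 09:17:46.907: eap:sending eap-id-req to 00-13-E8-93-D4-19 (eap.c:993)
[ap7632-6F2CC7] 09:18:02.135: radius:rx access-challenge from radius server for 00-13-E8-93-D4-19 (radius.c:3888)
[ap7632-6F2CC7] 09:18:02.136: eap:sending eap-req [eap_type:25(peap)] to 00-13-E8-93-D4-19 (eap.c:1001)
[ap7632-6F2CC7] 09:18:02.141: radius:access-req sent to 127.0.0.1:1812 (attempt 1) for 00-13-E8-93-D4-19 (user:Extreme) (radius.c:3054)
[ap7632-6F2CC7] 09:18:02.143: radius:rx access-challenge from radius server for 00-13-E8-93-D4-19 (radius.c:3888)
[ap7632-6F2CC7] 09:18:02.149: radius:access-req sent to 127.0.0.1:1812 (attempt 1) for 00-13-E8-93-D4-19 (user:Extreme) (radius.c:3054)
[ap7632-6F2CC7] 09:18:02.153: radius:rx access-reject for 00-13-E8-93-D4-19 (radius.c:3781)
[ap7632-6F2CC7] %%%%>09:18:02.153: radius:alarm num_eap_f ++ 1 (radius.c:3859)
[ap7632-6F2CC7] 09:18:02.155: mgmt:tx deauthentication [reason: authentication rejected by radius server (code:23)] to 00-13-E8-93-D4-19 (mgmt
"""

# "[ap] <optional marker>HH:MM:SS.frac: module:message"
LINE = re.compile(r"^\[(?P<ap>[^\]]+)\]\s+\S*?(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+):\s+(?P<mod>\w+):(?P<msg>.*)$")
MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}\b")

def summarize(text):
    """Group RADIUS/EAP events per client MAC; timestamps stay as logged strings."""
    out = defaultdict(lambda: {"user": None, "eap_types": set(), "challenges": 0,
                               "requests": 0, "rejected_at": None, "deauth": None})
    for raw in text.splitlines():
        m, mac = LINE.match(raw.strip()), MAC.search(raw)
        if not m or not mac:
            continue  # e.g. the alarm counter line carries no client MAC
        s, msg = out[mac.group(0).upper()], m["msg"]
        if "rx access-challenge" in msg:
            s["challenges"] += 1
        elif "access-req sent" in msg:
            s["requests"] += 1
            u = re.search(r"\(user:([^)]*)\)", msg)
            s["user"] = u.group(1) if u else s["user"]
        elif "rx access-reject" in msg:
            s["rejected_at"] = m["ts"]
        elif "tx deauthentication" in msg:
            r = re.search(r"\[reason: (.*?) \(code:(\d+)\)\]", msg)
            s["deauth"] = (r.group(1), int(r.group(2))) if r else None
        t = re.search(r"eap_type:(\d+)\((\w+)\)", msg)
        if t:
            s["eap_types"].add((int(t.group(1)), t.group(2)))
    return dict(out)

def verdict(s):
    if s["rejected_at"]:
        return f"RADIUS reject at {s['rejected_at']} after {s['challenges']} challenge(s)"
    return "no access-reject logged"
```
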

Tomasz
Valued Contributor II

Hi Alexandr,

 

I see… I’ll be blind guessing right now. The best would be to somehow extract wireless module logs from the client device…

We see that it started authentication at 9:00:57. Within the same second (in about 500ms) it decided to deauth with a reason code that tells nothing to the AP (https://www.aboutcher.co.uk/2012/07/linux-wifi-deauthenticated-reason-codes/). At the same moment it changes its state from dot1x/EAP to roaming state. Is it possible that the wireless environment provides good and/or changing signal from multiple APs and the client’s ‘roaming aggressiveness’ is set to high? I didn’t experience this kind of issue so far but it seems to me like the device decided to roam before responding to eap-id-req (thus, before fulfilling the authentication). The same situation gives you “802.1X (Identity)” in Extreme Access Control if I remember well.

 

Hope that helps,

Tomasz
