DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
2862 WiFi, external RADIUS, does not like one user
13 Jan 2019 15:45 #93719
by john rumm
2862 WiFi, external RADIUS, does not like one user was created by john rumm
This is a bit odd. We have a 2862 (Firmware 3.9.0_BT) set up at a client's office, and it's configured to use an external RADIUS server to authenticate users on the WiFi. The same server serves multiple offices so staff can (in theory) walk into any office and their devices connect and work.
The other day a user was complaining that neither his laptop (recentish Lenovo Yoga ultra portable running Win 10 Pro) nor his phone (nothing special, a couple of years old iPhone) would connect in this office. So having done the basic checks (devices connecting for other users OK, and checked the setup on his devices), I delved a bit deeper. It looks like the RADIUS server (FreeRADIUS running on CentOS 7) was not even seeing authentication requests.
So I enabled logging to an external syslog client on the router, and found the following:
When he tries to connect, all you see is:
150 2019-01-11 09:55:33 Jan 11 09:55:28 DrayTek WLAN_DBG - MLME Associate MAC 34:41:5d:f4:c4:1e,net_id=0
150 2019-01-11 09:55:33 Jan 11 09:55:28 DrayTek WLAN_DBG - EAPoL_handler, from 34:41:5d:f4:c4:1e
150 2019-01-11 09:55:33 Jan 11 09:55:28 DrayTek WLAN_DBG - WLAN_DBG - EAPoL_handler: EAPOL frame from an unknown/blocked client???
And the sequence repeats.
With a working device, however, we get a sequence that starts off:
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - MLME Associate MAC ac:e4:b5:c7:40:9a,net_id=0
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - Dot1x_session_start
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - send_EAPOL
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - 802.1x handshake start for ac:e4:b5:c7:40:9a
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - EAPoL_handler, from ac:e4:b5:c7:40:9a
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - Dot1x_EAPOL_handler: EAP_Packet
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - send_RADIUS
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - ACCESS CHALLENGE
[snip a bunch of repeats of the send_RADIUS], then eventually:
150 2019-01-11 09:56:57 Jan 11 09:56:52 DrayTek WLAN_DBG - ACCESS ACCEPT
150 2019-01-11 09:56:57 Jan 11 09:56:52 DrayTek WLAN_DBG - 802.1x handshake finish for ac:e4:b5:c7:40:9a
[snip]
150 2019-01-11 09:56:58 Jan 11 09:56:52 DrayTek WLAN_DBG - Rx message 4 in 4-way handshake
150 2019-01-11 09:56:58 Jan 11 09:56:52 DrayTek WLAN_DBG - WPA handshake finish for ac:e4:b5:c7:40:9a
Any ideas as to why it's objecting to some wireless clients and not others?
Kind regards
John
23 Jun 2019 14:36 #94655
by john rumm
Replied by john rumm on topic Re: 2862 WiFi, external RADIUS, does not like one user
Further experience seems to indicate this is a much wider problem. Basically the routers seem to give up accepting new wifi connections with RADIUS authentication (the MO seems to be: accept the connection, forget to throw out the EAP request to the RADIUS server, fail (not unsurprisingly) to get any response from RADIUS, and then kick the client off!). Sometimes this seems to be for specific users, but often just for all new connections after a certain point. The only fix is to reboot the router.
Update on this... after much discussion with tech support, this appears to be a firmware bug in the routers. (I have seen it on a 2830, 2830V2, 2860, and a 2862). I have recently tried a new beta firmware that they sent me for a 2862 and it does fix the issue.
They are supposed to be working on a 2860 version, but say they won't provide a fix for the 2830 range as they are no longer supported. So will probably have to disable internal wifi on those and add an external AP. Client will love that - they have more 2830s than any other flavour.
Draytek; massively impressive list of features... some actually work.
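The failure signature in the logs from the first post (association followed by "unknown/blocked client" with no send_RADIUS) and the router-wide stall described in the reply can be watched for on the syslog receiver. The script below is an added example, not written by the poster or by DrayTek; the function names and the three-attempt window are assumptions, and lines that carry no MAC are attributed to the most recently seen client, which is a heuristic.

```python
import re

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
ASSOC = re.compile(r"MLME Associate MAC " + MAC, re.I)
FROM = re.compile(r"EAPoL_handler, from " + MAC, re.I)

# Lines taken from the log excerpts in the first post, columns space-separated.
SAMPLE = """\
150 2019-01-11 09:55:33 Jan 11 09:55:28 DrayTek WLAN_DBG - MLME Associate MAC 34:41:5d:f4:c4:1e,net_id=0
150 2019-01-11 09:55:33 Jan 11 09:55:28 DrayTek WLAN_DBG - EAPoL_handler, from 34:41:5d:f4:c4:1e
150 2019-01-11 09:55:33 Jan 11 09:55:28 DrayTek WLAN_DBG - WLAN_DBG - EAPoL_handler: EAPOL frame from an unknown/blocked client???
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - MLME Associate MAC ac:e4:b5:c7:40:9a,net_id=0
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - Dot1x_session_start
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - EAPoL_handler, from ac:e4:b5:c7:40:9a
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - send_RADIUS
150 2019-01-11 09:55:55 Jan 11 09:55:50 DrayTek WLAN_DBG - ACCESS CHALLENGE
150 2019-01-11 09:56:57 Jan 11 09:56:52 DrayTek WLAN_DBG - ACCESS ACCEPT
"""

def attempts(lines):
    """Return one dict per association, in log order (hypothetical helper)."""
    out, by_mac, last = [], {}, None
    for line in lines:
        if m := ASSOC.search(line):
            last = {"mac": m.group(1).lower(), "radius": False, "blocked": False}
            by_mac[last["mac"]] = last
            out.append(last)
        elif m := FROM.search(line):
            # Assumption: MAC-less lines that follow belong to this client.
            last = by_mac.get(m.group(1).lower(), last)
        elif last and "unknown/blocked client" in line:
            last["blocked"] = True
        elif last and "send_RADIUS" in line:
            last["radius"] = True
    return out

def never_reached_radius(atts):
    """MACs for which no association attempt ever produced a send_RADIUS."""
    sent = {a["mac"] for a in atts if a["radius"]}
    return sorted({a["mac"] for a in atts} - sent)

def router_stalled(atts, window=3):
    """True when the last `window` associations were all dropped before RADIUS."""
    tail = atts[-window:]
    return len(tail) == window and all(a["blocked"] and not a["radius"] for a in tail)

if __name__ == "__main__":
    seen = attempts(SAMPLE.splitlines())
    print(never_reached_radius(seen), router_stalled(seen))
```

Feeding it the live syslog stream and alerting when `router_stalled` turns true gives an early signal that the access point has stopped forwarding EAP to the RADIUS server, rather than waiting for user complaints.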