RADIUS

DiNet

Having problems with access points connected to NPS, w2k8 r2.
There are a total of 7 APs in the network. 6 of them are EnGenius EAP3660 PoE devices. HP ProCurve switches. 1 of them is an Edimax low-end cheap-o device.
Two WiFi networks are configured across the 6 EnGenius APs. One is WAP (LAN1 172.x.x.x guest network) and the second is 802.1x (LAN2 192.x.x.x) with AD-based auth.
From time to time these 2 will stop authenticating users on the 802.1x network. When this happens I can still connect to LAN1 and have access to web and LAN. It won't drop clients that are already connected and authenticated with 802.1x; it will stop for new clients.
There are no warning or error events in NPS. The temp fix is just to reboot the device.

On top of that there is the Edimax device. I had some cheap 3Com switch there. Instead of just ceasing to authenticate clients, it would kill the network on every single device connected to that switch. Now with the HP 1810 it will kill only itself. No ping to the device.


Some logs from AP:
Can't connect to network
Aug 15 16:19:44 (none) daemon.info hostapd: ath1: STA 38:e7:d8:8e:20:86 IEEE 802.11: associated
Aug 15 16:19:44 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 WPA: PMKID found from PMKSA cache
Aug 15 16:19:44 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 WPA: event 1 notification
Aug 15 16:19:44 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 IEEE 802.1X: start authentication
Aug 15 16:19:44 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 IEEE 802.1X: PMK from PMKSA cache - skip IEEE 802.1X/EAP
Aug 15 16:19:44 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 WPA: start authentication
Aug 15 16:19:44 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 WPA: sending 1/4 msg of 4-Way Handshake
Aug 15 16:19:44 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 WPA: received EAPOL-Key frame (2/4 Pairwise)
Aug 15 16:19:44 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 WPA: sending 3/4 msg of 4-Way Handshake
Aug 15 16:19:44 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 WPA: received EAPOL-Key frame (4/4 Pairwise)
Aug 15 16:19:44 (none) daemon.info hostapd: ath1: STA 38:e7:d8:8e:20:86 WPA: pairwise key handshake completed (RSN)
Aug 15 16:19:44 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 IEEE 802.1X: authorizing port
Aug 15 16:19:44 (none) daemon.info hostapd: ath1: STA 38:e7:d8:8e:20:86 IEEE 802.1X: authenticated
Aug 15 16:19:44 (none) daemon.debug setup.cgi[30800]: main: process ./html/CM_LogList.htm takes 500 ms----------------------------
Aug 15 16:19:50 (none) daemon.debug hostapd: ath1: STA 88:c6:63:e2:d6:73 IEEE 802.1X: EAP timeout
Aug 15 16:19:50 (none) daemon.debug hostapd: ath1: STA 88:c6:63:e2:d6:73 IEEE 802.1X: aborting authentication
Aug 15 16:19:50 (none) daemon.debug hostapd: ath1: STA 88:c6:63:e2:d6:73 IEEE 802.1X: unauthorizing port

Working
Aug 15 16:23:40 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
Aug 15 16:23:40 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 IEEE 802.1X: using EAP timeout of 30 seconds (from RADIUS)
Aug 15 16:23:40 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 IEEE 802.1X: decapsulated EAP packet (code=1 id=5 len=43) from RADIUS server: EAP-Request-PEAP (25)
Aug 15 16:23:40 (none) daemon.debug hostapd: ath1: STA 38:e7:d8:8e:20:86 IEEE 802.1X: received EAP packet (code=2 id=5 len=80) from STA: EAP Response-PEAP (25)
Aug 15 16:23:40 (none) daemon.debug hostapd: ath1: RADIUS Sending RADIUS message to authentication server
Aug 15 16:23:40 (none) daemon.debug hostapd: ath1: RADIUS Next RADIUS client retransmit in 3 seconds
Aug 15 16:23:40 (none) daemon.debug hostapd: ath1: RADIUS Received 143 bytes from RADIUS server
Aug 15 16:23:40 (none) daemon.debug hostapd: ath1: RADIUS Received RADIUS message

Log from NPS when I couldn't connect
192.168.101.152,user,08/19/2012,12:43:58,IAS,TD-DC1,4,192.168.101.152,5,0,30,00-02-6F-A9-C5-C5:DOMAIN,31,38-E7-D8-8E-20-86,12,1400,61,19,77,CONNECT 11Mbps 802.11b,4108,192.168.101.152,4116,0,4128,AP - Main Door,4154,Secure Wireless Connections,4155,1,4129,DOMAIN\user,4130,DOMAIN\user,4149,Secure Wireless Connections,25,311 1 192.168.100.11 08/13/2012 04:41:02 15005,8136,1,4132,Microsoft: Secured password (EAP-MSCHAP v2),8111,0,8153,0,4127,11,4136,1,4142,0
192.168.101.152,user,08/19/2012,12:43:58,IAS,TD-DC1,25,311 1 192.168.100.11 08/13/2012 04:41:02 15005,4132,Microsoft: Secured password (EAP-MSCHAP v2),4127,11,8100,0,4108,192.168.101.152,4116,0,4128,AP - Main Door,4120,0x015444524F52,4154,Secure Wireless Connections,4155,1,4129,domain\user,4130,DOMAIN\user,4149,Secure Wireless Connections,8136,1,7,1,6,2,8111,0,8153,0,4136,2,4142,0

What do you think?

P.S. Before you say the devices are bad and need to be replaced, think about the Edimax and the TP-Link (that was in the Edimax's place and did the same thing).
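
An added example, not part of the original post: a small Python parser for IAS-format NPS log lines like the two quoted above, decoding Packet-Type (attribute 4136) and Reason-Code (attribute 4142) so each request can be matched against the server's reply. The sample lines are constructed by shortening the ones in the post, and the function names are hypothetical.

```python
import csv
import io

# Header columns of an IAS-format NPS log line; attribute id/value pairs follow.
HEADER = ("nas_ip", "user", "date", "time", "service", "server")
# Packet-Type (attribute 4136) values written by IAS/NPS logging.
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "11": "Access-Challenge"}
REPLIES = ("Access-Accept", "Access-Reject", "Access-Challenge")

# Constructed sample: the two NPS lines from the post, shortened.
SAMPLE = (
    "192.168.101.152,user,08/19/2012,12:43:58,IAS,TD-DC1,4,192.168.101.152,"
    "31,38-E7-D8-8E-20-86,4128,AP - Main Door,4136,1,4142,0\n"
    "192.168.101.152,user,08/19/2012,12:43:58,IAS,TD-DC1,"
    "4128,AP - Main Door,4136,2,4142,0\n"
)

def parse_line(fields):
    """Split one record into header fields and an {attribute_id: value} dict."""
    extra = len(fields) - len(HEADER)
    if extra < 0 or extra % 2:
        raise ValueError("not an IAS-format record: %r" % (fields,))
    record = dict(zip(HEADER, fields))
    rest = fields[len(HEADER):]
    record["attrs"] = dict(zip(rest[0::2], rest[1::2]))
    return record

def summarize(text):
    """Return (time, client name, packet type, reason code) per record."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        rec = parse_line(fields)
        attrs = rec["attrs"]
        code = attrs.get("4136")
        ptype = PACKET_TYPES.get(code, "type %s" % code)
        rows.append((rec["time"], attrs.get("4128"), ptype, attrs.get("4142")))
    return rows

def unanswered_requests(rows):
    """Access-Requests minus logged replies; above 0 means NPS logged no answer."""
    requests = sum(1 for r in rows if r[2] == "Access-Request")
    replies = sum(1 for r in rows if r[2] in REPLIES)
    return max(requests - replies, 0)

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(*row, sep="  ")
```

Run over the two lines posted above, it reports an Access-Request followed by an Access-Accept, both with reason code 0, for the client "AP - Main Door".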