5

We have the following setup at our company: a gateway PC with CentOS (gw), running Radius and some traffic filtering programs. All of our employees connect wirelessly, and we have a WPA2 Enterprise encryption in place. The users are in a MySQL database on the gw, and they have their user roles defined there - deciding which user has access to which SSID. We have 4 SSIDs (thus, 4 VLANs), and thus 4 user groups for now - each has its own rules about QoS, bandwidth limits etc.

The network works great, save for one issue - when the user mis-authenticates, he gets no feedback. The WiFi client (everyone is using iMacs and MacBooks; there are only a couple of Windows/Linux boxes here in IT) gets stuck in some kind of limbo where it says it's connected, but has no valid IP and thus no internet access. Since MacOS remembers passwords by default, it concludes it was successfully connected and never asks for a password again. This means anyone who made an invalid login gets stuck with it until they erase the remembered password from the keychain. This, as you can imagine, is incredibly tedious for a rapidly growing company of 80+ people.

Our APs are WRT54GL with DD-WRT installed as firmware.

It seems as if the radius client on the AP doesn't send any proper feedback to the WiFi client on the employees' computers. Does anyone have any experience with this sort of setup? How would one fix this no-feedback issue? Would better APs be the answer? I've been looking at Cisco's WAP2000. The cost is not an issue.

This is the comment above mschapv2 in our eap.conf file:

    #
    #  This takes no configuration.
    #
    #  Note that it is the EAP MS-CHAPv2 sub-module, not
    #  the main 'mschap' module.
    #
    #  Note also that in order for this sub-module to work,
    #  the main 'mschap' module MUST ALSO be configured.
    #
    #  This module is the *Microsoft* implementation of MS-CHAPv2
    #  in EAP.  There is another (incompatible) implementation
    #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
    #  currently support.
    #
Swader

4 Answers

3
  1. Acquire a wireless card that supports "Monitoring" or "rfmon" mode and use it in conjunction with Wireshark to view the 802.11 headers in your network traffic. This is wildly chipset, operating system and driver dependent but Wireshark has some nice documentation to point you in the right direction. What you are after is the actual 802.11 management headers and not just "translated" Ethernet layer-2 information (again, see the Wireshark documentation). It sounds like your network is primarily over 802.11 so the time spent getting this figured out will probably be worth it later - you'll need to look at the actual 802.11 headers eventually for troubleshooting purposes.

  2. Confirm that this actually is an issue with your access points (it probably is). Start Wireshark using '802.11' as your link layer type and then authenticate against an access point and purposely mistype the password. See what happens. You might also need to see what happens between the Radius server and the access point side of things. If you're having trouble interpreting the resulting data, you can always save it as a pcap and provide it here. You probably just want to confirm that it is an issue with the radius client before you spend a bunch of money on access points.

  3. Once you've confirmed that it is an issue with the access points, go purchase some nice "enterprise-y" ones. We use D-Link DWL3200s which are a pretty middle of the road access point as far as access points go. My only real complaint is that their command line interface sucks but on the other hand they are only about $300 each so I can't really expect too much.

Bottom line: Before you start throwing money at the problem (even if you have lots of money to throw) figure out what's actually wrong first.

  • Without the ability to actually look at the 802.11 management traffic you're really just troubleshooting blind. Feel free to upload the .pcap capture file somewhere and link it in your question so people can see what you are seeing. –  Sep 16 '11 at 17:00
2

You didn't mention which authentication protocol you are using. "WPA2 Enterprise" is an umbrella term. Are you using EAP-TLS? Or PEAP-MSCHAPv2? Do you have client certificates in place or just the CA certificate + username/password? Depending on the actual protocol, the authentication error happens at a different protocol stack level.

If you are using PEAP-MSCHAPv2 (most likely given your hint at passwords), make sure the Radius server is configured to send the MS-CHAP-Error message back to the client. I think it's disabled by default in some versions of freeradius. Look for this in eap.conf:

    mschapv2 {
        #  Prior to version 2.1.11, the module never
        #  sent the MS-CHAP-Error message to the
        #  client.  This worked, but it had issues
        #  when the cached password was wrong.  The
        #  server *should* send "E=691 R=0" to the
        #  client, which tells it to prompt the user
        #  for a new password.
        #
        #  The default is to behave as in 2.1.10 and
        #  earlier, which is known to work.  If you
        #  set "send_error = yes", then the error
        #  message will be sent back to the client.
        #  This *may* help some clients work better,
        #  but *may* also cause other clients to stop
        #  working.
        #
        #send_error = no
    }

and change it to yes.

Giovanni Bajo
  • Setting it to yes did not solve the problem - in fact, I was unable to authenticate at all after I did this. We use TTLS and PEAP for authentication protocols if that means anything to you. If PEAP is mschapv2, then that's it, yeah, but when I successfully authenticate it says authenticated via TTLS. Not sure what you mean about the certificates. – Swader Sep 12 '11 at 10:28
  • By the way, the comment above our mschapv2 in eap.conf is what I just added into the main post – Swader Sep 12 '11 at 12:34
  • I'm not aware of any TTLS+PEAP protocol. My understanding is that you are using PEAPv0 + MSCHAPv2. Can you please post a link to the full eap.conf you are using? – Giovanni Bajo Sep 12 '11 at 20:08
  • BTW you should create a CA certificate on the server and install it on the clients. Otherwise, an attacker can easily setup an AP with the same ESSID of your network, and clients will send him the passwords (actually, MSCHAPv2 requires a challenge-response, but it's old stuff that can be broken in minutes, see http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol#PEAPv0_with_EAP-MSCHAPv2) – Giovanni Bajo Sep 12 '11 at 20:10
  • The problem with certificates is that we would like guests to be able to easily join our network as well when needed without having to install certificates on their machines manually. But I digress, we'll get some other kind of certification soon enough. For now, here is the link to my eap.conf https://rapidshare.com/files/3262246693/eap.conf – Swader Sep 13 '11 at 10:38
  • Try "default_eap_type = peap" at the beginning of the file. Re the certificate: the wifi standard does not allow the server to be identified except with a certificate. Without the server certificate, your passwords can be easily stolen. Notice that I'm not speaking of generating a certificate for each client; just the server certificate, to be installed on each client, and then you can still authenticate with username/password. – Giovanni Bajo Sep 13 '11 at 21:36
  • I understand what you mean - but we would like to not have to install certificates on clients AT ALL. It's a real bother in a company of 200+ people, and when guests come by it'll be a real bother to do so on each of their machines. Wouldn't buying an actual commercial certificate solve that? I'll try the default type now. – Swader Sep 14 '11 at 08:44
  • The default type param did not help - same thing happens. – Swader Sep 14 '11 at 09:19
  • Uhm. If you manually run radiusd -X, you get full debugging trace (no passwords). Can you please produce two traces, one for a valid authentication and one for a wrong authentication, and the publish them (or at least their diff)? – Giovanni Bajo Sep 14 '11 at 17:04
  • The diff is quite big, so here's a link to the zip containing all three transcripts. The first one is auth success, the second one is rejection with feedback (I get some sort of undefined "connecting failed" feedback every 100 tries) and the third is the usual feedback-less fail that gets stuck in limbo. https://rapidshare.com/files/519164901/transcripts.zip – Swader Sep 15 '11 at 12:40
  • Well this is a good point. Maybe MacOSX will behave differently with a different authentication scheme and actually work correctly. – hookenz Sep 18 '11 at 22:23
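To make the "E=691 R=0" message discussed in this answer concrete, here is an added Python decoder (not code from the question, the answers or FreeRADIUS) for an EAP-MSCHAPv2 Failure Request, with a constructed sample packet; the field layout follows RFC 2759 and the EAP-MSCHAPv2 draft. Note that with PEAP this inner exchange runs inside the TLS tunnel, so it is visible on the server side (e.g. in radiusd -X output), while an air capture shows only the outer EAP Success/Failure.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MSCHAPV2 = 26      # EAP method type for EAP-MSCHAPv2
MSCHAPV2_OP_FAILURE = 4     # MS-CHAPv2 opcode "Failure"
MSCHAP_ERRORS = {           # RFC 2759 E= codes
    646: "restricted logon hours", 647: "account disabled", 648: "password expired",
    649: "no dial-in permission", 691: "authentication failure (bad username/password)",
    709: "error changing password"}

def parse_failure_message(msg: str) -> dict:
    """Parse 'E=691 R=0 C=<hex> V=3 M=<text>' (RFC 2759 failure format)."""
    fields = {}
    for key in ("E", "R", "C", "V"):
        start = msg.find(key + "=")
        if start != -1:
            fields[key] = msg[start + 2:].split(" ", 1)[0]
    if "M=" in msg:
        fields["M"] = msg.split("M=", 1)[1]
    fields["reason"] = MSCHAP_ERRORS.get(int(fields.get("E", "0")), "unknown")
    fields["retry_allowed"] = fields.get("R") == "1"   # R=1: client may retry
    return fields

def parse_eap(pkt: bytes) -> dict:
    """Decode the outer EAP header; for an EAP-MSCHAPv2 Failure Request also decode the message."""
    if len(pkt) < 4:
        raise ValueError("EAP header is at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length {length} != packet size {len(pkt)}")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code not in (1, 2) or length < 5:
        return info                       # Success/Failure carry no type byte
    info["type"] = pkt[4]
    if pkt[4] != EAP_TYPE_MSCHAPV2 or length < 9:
        return info
    opcode, ms_id, ms_len = struct.unpack("!BBH", pkt[5:9])
    info["mschapv2_opcode"] = opcode
    if opcode == MSCHAPV2_OP_FAILURE:     # message follows the 4-byte MS-CHAPv2 header
        msg = pkt[9:5 + ms_len].decode("ascii", errors="replace")
        info["failure"] = parse_failure_message(msg)
    return info

def build_failure_request(ident: int, ms_id: int, msg: str) -> bytes:
    """Constructed sample packet: EAP Request / type 26 / MS-CHAPv2 Failure."""
    body = msg.encode("ascii")
    ms_len = 4 + len(body)                # MS-Length includes the MS-CHAPv2 header
    return (struct.pack("!BBHB", 1, ident, 5 + ms_len, EAP_TYPE_MSCHAPV2)
            + struct.pack("!BBH", MSCHAPV2_OP_FAILURE, ms_id, ms_len) + body)
```

Feeding a packet with E=691 R=0 through parse_eap() yields retry_allowed False, which is the signal that should make a client discard its cached password and prompt again.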
1

If you are sure that cost is not an issue, then get a real Cisco access point (like a Cisco Aironet); avoid Linksys if you can.

http://www.cisco.com/en/US/products/hw/wireless/index.html

Linksys is ok for home and small offices. It is not recommended for anything bigger however.

You can even get a WLC (wireless LAN controller). It's a bigger investment, but it is worth it. You can manage your APs from a central place, and the wireless clients can also benefit, as it manages your channel settings, antenna power levels and client roaming.

Update (reply to comment): I use a WRT54GL at home and it works great in general, but if I download at high speed the wireless part can die (which is fixable with a reboot). The switch function is implemented in the CPU. If you copy a large file from one machine to another, CPU usage goes up significantly. With high CPU usage it is not that stable.

update2: No WLC is not strictly necessary. I do not even have one at work, but I would like to because it just makes things easier. To test if your AP is causing the trouble get a Cisco (standalone) Aironet AP (just one) and test it with the same setup to see if it solves your problem. I am sure you can get a test drive from a decent vendor.

cstamas
  • Linksys + Linksys firmware is ok for home. DDWRT or Openwrt or tomato + Linksys WRT54GL is very stable and full featured. Don't knock them. – hookenz Sep 09 '11 at 01:36
  • I have also had similar negative experiences with DDWRT and Linksys COTS Access Points. They work 'OK' but just aren't that stable. It's not that they're bad, they're just not great. –  Sep 15 '11 at 01:27
  • Cost is not an issue, but I would like to be sure it's the AP that's giving me trouble first. If I build the same setup on Ciscos and Mac's crappy client does the same thing, I'll have gotten nowhere. A WLC isn't really necessary, I manage everything from the GW in a centralized manner anyway, unless there are any other benefits beyond this? – Swader Sep 16 '11 at 06:33
  • @Swader: "...I would like to be sure it's the AP that's giving me the trouble first" -- Agreed, hence my suggestion to put a 802.11 aware packet sniffer between the client and the AP. Until you do that and see what is *really* going on, this is all just bench racing. –  Sep 16 '11 at 19:31
0

I think it may be a problem with MacOSX, as I have a similar issue but it's not using radius or Linksys gear.

Have you got another OS to test it with? See if it does it with an iPhone or Windows PC.

hookenz
  • It refuses to connect on Windows and smartphones - it does not get stuck in limbo. There is no feedback (the device does not tell the user the password is invalid, nor does it ask them to retry) but the connection is simply refused. Only on MacOS does the connection get stuck in Limbo. – Swader Sep 12 '11 at 10:30
  • I think you've just answered your question. Changing wifi routers isn't going to change that. It's a problem with MacOSX. I've noticed this myself – hookenz Sep 14 '11 at 22:29
  • True, but it's really baffling - it's 2011 and we're still having SUCH difficulties easily setting up networks across platforms? It's absurd. I wish Apple would clarify or confirm things - I'm at a loss like this. Not sure what to think of which manufacturer, or who to blame. – Swader Sep 15 '11 at 06:52
  • I feel like at least half of my job is to make a Technology Z that was designed to specifically do Thing A, do Thing B and work perfectly well with Technology X which was never built for interoperability with Technology Z. Meanwhile, Technology Y fulfills all of our needs, costs half as much, and will make you a fresh pot of coffee in the morning, but no one asked me for a recommendation for what to purchase or use. Welcome to SysAdmin-ing. :D –  Sep 16 '11 at 17:04
  • Try logging a fault. Hopefully they'll listen. http://www.apple.com/feedback/macosx.html – hookenz Sep 18 '11 at 22:22