WAP54G & Freeradius

Discussion in 'Other Linksys Equipment' started by clerk, Jun 1, 2005.

  1. clerk

    clerk Network Guru Member

    Hello :)

    I have many WAP54G access points with the official 2.08 firmware, but it doesn't work well with my FreeRADIUS server (in WPA RADIUS mode). I would like to know if someone has the same problem, because it works sometimes with Linksys APs and always with D-Link APs.

    Moreover, the RADIUS mode (WEP & WPA at the same time) doesn't work in WEP or in WPA. I would like to know if someone has this problem too :)

    Only the WEP mode and the WPA-PSK mode work well, but they don't interest me.

    Thank you :)
     
  2. rory45tt

    rory45tt Network Guru Member

    I'm having a similar problem with a WRT54G and a WAP54G in repeater mode...
    running tinypeap on the WRT54G
     
  3. Haseldow

    Haseldow Guest

    I also have a problem with WAP54G and FreeRADIUS. I've tried several different Linksys "official" firmware versions with no luck. I've even contacted Linksys support (without any help). I've asked Linksys to put this in their knowledgebase (easy answers) as unsolved, but they haven't.

    Here's my setup

    Background:
    Four Linksys WAP54G APs
    All with European firmware version 2.08
    Channels 5, 7, 9 and 11 used
    Every AP in "Access Point" mode

    Security:
    WPA RADIUS, TKIP
    Authentication against OpenLDAP via FreeRADIUS

    Problem description

    Everything works fine for a few days until some authentication package doesn't reach the server for any reason. After this, that AP doesn't try to authenticate again until it is hard reset. The others keep working until the same thing happens to each. So the authentication problems are AP specific. One might not work and still all the rest will. Also, the RADIUS authentication still works from any other sources (Cisco PIX VPN for instance) even when none of the APs are authenticating anymore. Thus this must be a problem with the AP and not FreeRADIUS.

    As for the hard reset you have to do to get things working again on a single AP, I mean unplugging and replugging the power cord. The reset button doesn't help.

    Reproducing the problem

    The problem can be reproduced by doing the following:

    ### Everything is working fine

    Code:
    [root@shodan root]# tcpdump -i eth0 port 1812
    tcpdump: listening on eth1
    13:42:41.688595 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 127 [id 0] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    13:42:41.697407 192.168.0.1.radius > primarywlan.3072: rad-access-cha 91 [id 0] Attr[ [|radius] (DF)
    13:42:41.701524 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 139 [id 0] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    13:42:41.705387 192.168.0.1.radius > primarywlan.3072: rad-access-cha 64 [id 0] Attr[ EAP_msg{..} Message_auth{..)~c.L;[._.....} [|radius] (DF)
    13:42:41.709138 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 239 [id 0] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    13:42:41.714061 192.168.0.1.radius > primarywlan.3072: rad-access-cha 880 [id 0] Attr[ [|radius] (DF)
    13:42:41.720694 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 341 [id 0] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    13:42:41.730327 192.168.0.1.radius > primarywlan.3072: rad-access-cha 123 [id 0] Attr[ [|radius] (DF)
    13:42:41.733972 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 139 [id 0] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    13:42:41.737635 192.168.0.1.radius > primarywlan.3072: rad-access-cha 138 [id 0] Attr[ [|radius] (DF)
    13:42:41.741700 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 213 [id 0] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    13:42:41.748905 192.168.0.1.radius > primarywlan.3072: rad-access-cha 170 [id 0] Attr[ [|radius] (DF)
    13:42:41.753737 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 277 [id 0] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    13:42:41.761262 192.168.0.1.radius > primarywlan.3072: rad-access-cha 186 [id 0] Attr[ [|radius] (DF)
    13:42:41.765087 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 213 [id 0] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    13:42:41.771814 192.168.0.1.radius > primarywlan.3072: rad-access-cha 138 [id 0] Attr[ [|radius] (DF)
    13:42:41.775641 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 213 [id 0] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    13:42:41.779415 192.168.0.1.radius > primarywlan.3072: rad-access-accept 169 [id 0] Attr[ [|radius] (DF)
    
    ### Shutting down the RADIUS daemon and trying to connect to the WLAN

    Code:
    13:47:39.439877 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 127 [id 0] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    
    ### After the first failed authentication, no more RADIUS authentication packets are received by tcpdump (i.e. the AP doesn't even try to connect to the RADIUS server anymore).

    ### After starting the RADIUS daemon again, still no RADIUS authentication packets are received by tcpdump.

    ### After resetting the AP (by unplugging and replugging the power cord; the reset button doesn't help).

    Code:
    14:04:10.305691 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 127 [id 1] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    14:04:10.406992 192.168.0.1.radius > primarywlan.3072: rad-access-cha 91 [id 1] Attr[ [|radius] (DF)
    14:04:10.411307 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 139 [id 1] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    14:04:10.414830 192.168.0.1.radius > primarywlan.3072: rad-access-cha 64 [id 1] Attr[ EAP_msg{..} Message_auth{|...../.....f..n} [|radius] (DF)
    14:04:10.419126 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 239 [id 1] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    14:04:10.423979 192.168.0.1.radius > primarywlan.3072: rad-access-cha 880 [id 1] Attr[ [|radius] (DF)
    14:04:10.431002 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 341 [id 1] Attr[ User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    14:04:10.440187 192.168.0.1.radius > primarywlan.3072:  rad-access-cha 123 [id 1] Attr[  [|radius] (DF)
    14:04:10.444037 primarywlan.3072 > 192.168.0.1.radius:  rad-access-req 139 [id 1] Attr[  User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    14:04:10.447590 192.168.0.1.radius > primarywlan.3072:  rad-access-cha 138 [id 1] Attr[  [|radius] (DF)
    14:04:10.451770 primarywlan.3072 > 192.168.0.1.radius:  rad-access-req 213 [id 1] Attr[  User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    14:04:10.458802 192.168.0.1.radius > primarywlan.3072:  rad-access-cha 170 [id 1] Attr[  [|radius] (DF)
    14:04:10.463305 primarywlan.3072 > 192.168.0.1.radius:  rad-access-req 277 [id 1] Attr[  User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    14:04:10.470487 192.168.0.1.radius > primarywlan.3072:  rad-access-cha 186 [id 1] Attr[  [|radius] (DF)
    14:04:10.474158 primarywlan.3072 > 192.168.0.1.radius:  rad-access-req 213 [id 1] Attr[  User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    14:04:10.480487 192.168.0.1.radius > primarywlan.3072:  rad-access-cha 138 [id 1] Attr[  [|radius] (DF)
    14:04:10.484293 primarywlan.3072 > 192.168.0.1.radius:  rad-access-req 213 [id 1] Attr[  User{jsetala} NAS_ipaddr{primarywlan} Called_station{000f66edb40b} [|radius] (DF)
    14:04:10.488079 192.168.0.1.radius > primarywlan.3072:  rad-access-accept 169 [id 1] Attr[  [|radius] (DF)
    
    So as we can see, after one failed authentication the AP just stops trying to authenticate.

    This is extremely annoying and I'm currently seriously considering returning the WAP54Gs (if I can) to the supplier and getting something that works. I'm also very disappointed with the Linksys support.

    I'd be glad to test any third party firmware that does the trick, but I have no clue what to even test.
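
The failure described in the post above (one unanswered Access-Request, then silence from that AP until it is power-cycled) can be spotted from the same tcpdump output on the RADIUS server. This is an added example, not part of the original post; the sample capture is constructed, and `secondwlan`, `find_stalls` and the 5-minute silence threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed capture in the tcpdump format shown in the post above;
# "secondwlan" is a made-up second AP that never recovers.
SAMPLE = """\
13:42:41.775641 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 213 [id 0] Attr[ [|radius] (DF)
13:42:41.779415 192.168.0.1.radius > primarywlan.3072: rad-access-accept 169 [id 0] Attr[ [|radius] (DF)
13:47:39.439877 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 127 [id 0] Attr[ [|radius] (DF)
13:50:00.000000 secondwlan.3072 > 192.168.0.1.radius: rad-access-req 127 [id 0] Attr[ [|radius] (DF)
14:04:10.305691 primarywlan.3072 > 192.168.0.1.radius: rad-access-req 127 [id 1] Attr[ [|radius] (DF)
14:04:10.406992 192.168.0.1.radius > primarywlan.3072: rad-access-cha 91 [id 1] Attr[ [|radius] (DF)
"""

# timestamp, src host.port, dst host.port, packet kind (req, cha, accept, ...)
LINE = re.compile(r"^(\S+) (\S+)\.(\w+) > (\S+)\.(\w+): rad-access-(\w+)")


def find_stalls(capture, silence=timedelta(minutes=5)):
    """Return (nas, unanswered_at, resumed_at) for each unanswered request
    followed by at least `silence` with no further request from that NAS.
    resumed_at is None when the NAS is still silent at the end of the capture."""
    pending = {}       # nas -> time of its latest request that got no reply
    incidents = []
    last_seen = None   # timestamp of the last RADIUS packet in the capture
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, src, _sport, dst, _dport, kind = m.groups()
        # tcpdump prints no date here: a same-day capture is assumed.
        now = last_seen = datetime.strptime(ts, "%H:%M:%S.%f")
        if kind == "req":
            # A short gap is an ordinary retransmit; a long one is a stall.
            if src in pending and now - pending[src] >= silence:
                incidents.append((src, pending[src].time(), now.time()))
            pending[src] = now
        else:
            pending.pop(dst, None)   # any server reply answers the NAS
    for nas, since in pending.items():
        if last_seen - since >= silence:
            incidents.append((nas, since.time(), None))
    return incidents


if __name__ == "__main__":
    for nas, since, resumed in find_stalls(SAMPLE):
        state = f"resumed at {resumed}" if resumed else "still silent"
        print(f"{nas}: unanswered request at {since}, {state}")
```
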
     
  4. kartthikr

    kartthikr Guest

    I am facing a similar issue with WAP54G firmware v3.04. Does anyone have a solution for it?

    Here is my setup in brief:

    In my setup I am trying to authenticate WiFi users using PEAP with TLS against
    Active Directory using FreeRADIUS. I'm using a Linksys WAP54G AP.

    I was able to successfully configure FreeRADIUS v1.1.1 on a RHEL 4 box
    and integrate it with Windows 2003 Active Directory. I was able to pull the
    users and groups from Active Directory using the getent group and getent passwd
    commands, and ntlm_auth also works great.

    I configured the Windows XP supplicant as mentioned in this link:
    http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

    The issue is that when I try to connect the wireless client, I don't see any
    traffic hitting the FreeRADIUS server unless I enable "Authentication as
    computer when computer info is available" in the client.

    Any help would be appreciated.
     