Forum Discussion
base9 (Aspirant)
Jul 17, 2023
WAX220 WPA2-Enterprise help with VLAN?
I have 3 WiFi networks configured like so:
ESSID_1 - 5 GHz only - WPA2-Personal - VLAN 101
ESSID_2 - 2.4 GHz only - WPA2-Personal - VLAN 107
ESSID_3 - 2.4 GHz and 5 GHz - WPA2-Personal + fast roaming enabled - VLAN 102
The management VLAN is set to VLAN 101.
On my OPNsense router, the networks I've configured for each VLAN are as follows:
VLAN 101 - 192.168.101.0/24
VLAN 107 - 192.168.107.0/24
VLAN 102 - 192.168.102.0/24
My WAX220 is connected physically to a port on the OPNsense firewall that has its interface configured with the 3 VLANs only. No untagged traffic should be passed on this interface.
In this configuration, everything works as expected. Clients connected to any of the 3 networks are assigned DHCP from the OPNsense router on the correct ranges.
Then, I tried setting ESSID_2 to WPA2-Enterprise with the following configuration:
Group Key Interval - 3600
Radius Server - 192.168.101.1 (FreeRADIUS running on the OPNsense firewall)
Radius Port - 1812
Radius Secret - [triple checked for correctness]
In this configuration, I'm unable to get any clients to connect. They fail by being unable to complete the 4-way handshake.
I suspect the issue is that the WAX220 is not able to reach the Radius server running on the OPNsense firewall.
Steps I tried to troubleshoot this:
I configured radius to log as much as possible, including successful and failed login attempts, and tried connecting from multiple clients. In every case, nothing was logged by the radius server.
I downloaded the logs from the WAX220, but these are only kernel dmesg and nothing stood out to me here indicating why the WAX220 presumably does not talk to my radius server.
I made sure there are no filter rules in place that could prevent the WAX220 from communicating with the radius server on my OPNsense firewall.
I did a ping test from the diagnostics page of the WAX220, and confirmed that it is able to reach the firewall.
I used tcpdump on the vlan bridges, the individual vlan interfaces, the untagged physical interfaces to see if anything at all was being sent from the WAX220 to my radius server, and there was no radius traffic at all.
I tried all of the above tests with the radius server set to 192.168.107.1 (it listens there too, as it listens on every vlan)
I tried all of the above tests with WPA3-Enterprise as well.
Steps I did not try (yet):
WPA2-Enterprise without VLANs on the wifi networks nor a management VLAN configured. (i.e. the stock configuration for the WAX220).
Could there be a bug with 802.1X on the WAX220 when using VLANs in this way? It seems the WAX220 does not even attempt to contact the radius server, or perhaps it is trying to send these packets untagged when it should be sending them over what I presume is the configured management VLAN?
11 Replies
- base9 (Aspirant)
This is the only packet that I see over the wire on vlan 107 when I attempt to auth WPA2-Enterprise
Nothing seen over vlan 101 (the WAX220's configured management vlan)
# tcpdump -vvXXeni igb2 'vlan 107 && not ip6'
tcpdump: listening on igb2, link-type EN10MB (Ethernet), capture size 262144 bytes
16:26:42.156219 12:31:1d:08:d4:75 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 107, p 0, LLC, dsap Null (0x00) Individual, ssap Null (0x00) Response, ctrl 0xaf: Unnumbered, xid, Flags [Response], length 42: 01 02
0x0000: ffff ffff ffff 1231 1d08 d475 8100 006b .......1...u...k
0x0010: 0006 0001 af81 0102 0000 0000 0000 0000 ................
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 0000 0000 0000 0000 0000 0000 ............
Don't know what to make of this.
The firmware apparently doesn't work with WPA2-Enterprise and VLANs? Is my configuration incorrect or have I purchased a business product that doesn't do business?
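The check described in the opening post (is any RADIUS leaving the AP tagged on the management VLAN, tagged on another VLAN, or untagged?) and the LLC XID frame captured above, as an added example that is not code from the thread, from NETGEAR or from OPNsense: a small Python classifier that walks Ethernet, 802.1Q, IPv4 and UDP and flags RADIUS (UDP/1812-1813) per VLAN. The XID bytes are exactly the ones in the dump above; the two RADIUS frames are constructed test data, and the AP address 192.168.101.50 and the firewall MAC 00:11:22:33:44:aa are assumptions.

```python
# Added example: classify captured frames by 802.1Q tag and spot RADIUS traffic.
# Not NETGEAR/OPNsense code. XID frame = the thread's capture; RADIUS frames are
# constructed, with an assumed AP address (192.168.101.50) and firewall MAC.
import struct
from dataclasses import dataclass
from typing import Optional

RADIUS_PORTS = {1812, 1813}      # authentication / accounting (RFC 2865 / 2866)
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}


@dataclass
class FrameInfo:
    src_mac: str
    dst_mac: str
    vlan: Optional[int]   # None means the frame was untagged
    kind: str             # "radius", "udp", "ip", "llc" or "other"
    detail: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def classify_frame(raw: bytes) -> FrameInfo:
    """Walk Ethernet -> optional 802.1Q -> IPv4 -> UDP and label the frame."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    vlan, off = None, 12
    (etype,) = struct.unpack("!H", raw[off:off + 2])
    if etype == 0x8100:                       # 802.1Q: TCI, then the real ethertype
        tci, etype = struct.unpack("!HH", raw[off + 2:off + 6])
        vlan, off = tci & 0x0FFF, off + 4
    off += 2
    if etype <= 1500:                         # 802.3 length field: an LLC header follows
        dsap, ssap, ctrl = raw[off], raw[off + 1], raw[off + 2]
        return FrameInfo(src, dst, vlan, "llc",
                         f"dsap=0x{dsap:02x} ssap=0x{ssap:02x} ctrl=0x{ctrl:02x}")
    if etype != 0x0800:
        return FrameInfo(src, dst, vlan, "other", f"ethertype 0x{etype:04x}")
    ihl, proto = (raw[off] & 0x0F) * 4, raw[off + 9]
    sip, dip = _ip(raw[off + 12:off + 16]), _ip(raw[off + 16:off + 20])
    if proto != 17:
        return FrameInfo(src, dst, vlan, "ip", f"{sip}->{dip} proto {proto}")
    u = off + ihl
    sport, dport = struct.unpack("!HH", raw[u:u + 4])
    if sport in RADIUS_PORTS or dport in RADIUS_PORTS:
        code, ident, rlen = struct.unpack("!BBH", raw[u + 8:u + 12])   # RADIUS header
        name = RADIUS_CODES.get(code, f"code {code}")
        return FrameInfo(src, dst, vlan, "radius",
                         f"{sip}:{sport}->{dip}:{dport} {name} id={ident} len={rlen}")
    return FrameInfo(src, dst, vlan, "udp", f"{sip}:{sport}->{dip}:{dport}")


def radius_by_vlan(frames) -> dict:
    """Count RADIUS frames per VLAN ('untagged' when there is no 802.1Q tag)."""
    counts: dict = {}
    for f in map(classify_frame, frames):
        if f.kind == "radius":
            key = "untagged" if f.vlan is None else f"vlan {f.vlan}"
            counts[key] = counts.get(key, 0) + 1
    return counts


def _ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_radius_frame(vlan: Optional[int], src_ip: str, dst_ip: str,
                       code: int = 1, ident: int = 0x2A) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame carrying a bare RADIUS header (test data)."""
    radius = struct.pack("!BBH", code, ident, 20) + bytes(16)   # authenticator zeroed
    udp = struct.pack("!HHHH", 49152, 1812, 8 + len(radius), 0) + radius
    ip_src = bytes(int(x) for x in src_ip.split("."))
    ip_dst = bytes(int(x) for x in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, ip_src, ip_dst)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    # dst = assumed firewall MAC, src = the AP MAC seen in the thread's capture
    eth = bytes.fromhex("0011223344aa") + bytes.fromhex("12311d08d475")
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return eth + struct.pack("!H", 0x0800) + ip + udp


# The broadcast LLC XID frame posted in the thread (VLAN 107, 60 bytes on the wire).
CAPTURED_XID = bytes.fromhex(
    "ffffffffffff" "12311d08d475" "8100006b" "0006" "0001af810102") + bytes(36)

# Constructed: what a correct AP would send on the management VLAN (101), and the
# untagged variant the poster suspected.
SAMPLE_FRAMES = [
    CAPTURED_XID,
    build_radius_frame(101, "192.168.101.50", "192.168.101.1"),
    build_radius_frame(None, "192.168.101.50", "192.168.101.1"),
]

if __name__ == "__main__":
    for f in map(classify_frame, SAMPLE_FRAMES):
        tag = "untagged" if f.vlan is None else f"vlan {f.vlan}"
        print(f"{tag:9s} {f.kind:6s} {f.src_mac} -> {f.dst_mac} {f.detail}")
    print(radius_by_vlan(SAMPLE_FRAMES))
```

`classify_frame` takes frames as tcpdump writes them for link-type EN10MB, so the packet bytes from a `tcpdump -w` capture of the AP's switch port can be fed to `radius_by_vlan` through any pcap reader; an empty result, as in the thread, confirms the AP never sent an Access-Request at all, while a count under "untagged" would confirm the tagging theory instead.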
- schumaku (Guru - Experienced User)
Looks like the RADIUS traffic that is supposed to be directed to the management VLAN goes massively wrong.
- base9 (Aspirant)
I didn't want to jump to any conclusions but if WPA2&3-Enterprise works for me once I get the chance to re-configure the WAX220 and my firewall to NOT use VLANs, then I think we might have a problem here 🤣
Provided the WAX220 plays nicely with freeradius's vlan assignment and properly isolates users to their VLANs, it could conceivably be a solution, but unfortunately not good enough for me, because:
What's the point in being able to have multiple ESSIDs on separate VLANs if I can't mix and match the security? In my case, I have several IoT devices that are incapable of dot1q and dot1x. If I disable all VLAN capability in the WAX220's configuration and rely on my radius server to assign users to VLANs, my assumption is that an ESSID with WPA2-Personal, for example, would probably work - but would be untagged - and would not adhere to my security requirements.
Also, if this is indeed some kind of bug, what's your best guess of whether Netgear will address it, and in what kind of timeframe? Should I take this loss and pay up for a more capable brand?