Forum Discussion
base9
Jul 17, 2023, Aspirant
WAX220 WPA2-Enterprise help with VLAN?
I have 3 WiFi networks configured like so:
- ESSID_1 - 5GHz only - WPA2-Personal - VLAN 101
- ESSID_2 - 2.4GHz only - WPA2-Personal - VLAN 107
- ESSID_3 - 2.4GHz and 5GHz - WPA2-Personal + fast roamin...
base9
Jul 17, 2023, Aspirant
This is the only packet that I see over the wire on vlan 107 when I attempt to auth WPA2-Enterprise
Nothing seen over vlan 101 (the WAX220's configured management vlan)
# tcpdump -vvXXeni igb2 'vlan 107 && not ip6'
tcpdump: listening on igb2, link-type EN10MB (Ethernet), capture size 262144 bytes
16:26:42.156219 12:31:1d:08:d4:75 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 107, p 0, LLC, dsap Null (0x00) Individual, ssap Null (0x00) Response, ctrl 0xaf: Unnumbered, xid, Flags [Response], length 42: 01 02
0x0000: ffff ffff ffff 1231 1d08 d475 8100 006b .......1...u...k
0x0010: 0006 0001 af81 0102 0000 0000 0000 0000 ................
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 0000 0000 0000 0000 0000 0000 ............
Don't know what to make of this.
The firmware apparently doesn't work with WPA2-Enterprise and VLANs? Is my configuration incorrect or have I purchased a business product that doesn't do business?
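To read what the capture in this post actually contains, here is an added Python example (not from the original post or from NETGEAR) that decodes the tcpdump hex dump byte by byte: the 802.1Q tag carries VLAN 107, and the payload is an LLC XID frame rather than IPv4, so no RADIUS (standard UDP ports 1812/1813) can be in it. The hex dump is embedded as constructed sample input copied from the capture above.

```python
"""Decode the tcpdump -XX hex dump from the WAX220 capture shown above."""
import struct

# Hex dump copied from the tcpdump output in the post (constructed sample input).
HEXDUMP = """
0x0000: ffff ffff ffff 1231 1d08 d475 8100 006b
0x0010: 0006 0001 af81 0102 0000 0000 0000 0000
0x0020: 0000 0000 0000 0000 0000 0000 0000 0000
0x0030: 0000 0000 0000 0000 0000 0000
"""

RADIUS_PORTS = {1812, 1813}  # RADIUS authentication / accounting (RFC 2865 / 2866)


def hexdump_to_bytes(dump: str) -> bytes:
    """Strip the 0xNNNN: offsets and join the hex groups into raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, groups = line.partition(":")
        out += bytes.fromhex(groups.replace(" ", ""))
    return bytes(out)


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet header, optional 802.1Q tag, and classify the payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": mac(dst), "src": mac(src), "vlan": None, "kind": "unknown"}
    offset = 14
    if ethertype == 0x8100:  # 802.1Q tag: 16-bit TCI then the real type/length
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = tci & 0x0FFF  # 12-bit VLAN ID (0x006b -> 107)
        info["pcp"] = tci >> 13      # 3-bit priority ("p 0" in tcpdump)
        offset = 18
    if ethertype <= 1500:  # IEEE 802.3 length field, so an LLC header follows
        dsap, ssap, ctrl = frame[offset:offset + 3]
        info["kind"] = "llc"
        # SSAP bit 0 is the Command/Response flag; XID control is 0xAF or 0xBF (P/F bit)
        info["llc"] = {"dsap": dsap, "ssap": ssap & 0xFE,
                       "response": bool(ssap & 1), "xid": (ctrl & 0xEF) == 0xAF}
    elif ethertype == 0x0800:  # IPv4: only here could RADIUS over UDP appear
        ihl = (frame[offset] & 0x0F) * 4
        info["kind"] = "ipv4"
        if frame[offset + 9] == 17:  # protocol 17 = UDP
            sport, dport = struct.unpack("!HH", frame[offset + ihl:offset + ihl + 4])
            info["radius"] = bool({sport, dport} & RADIUS_PORTS)
    return info


if __name__ == "__main__":
    print(decode_frame(hexdump_to_bytes(HEXDUMP)))
```

The decoded result matches tcpdump's summary line (VLAN 107, DSAP/SSAP Null, XID Response) and shows the frame is a link-layer XID probe, not an EAP or RADIUS exchange.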
- schumaku, Jul 17, 2023, Guru - Experienced User
Looks like the RADIUS traffic that is supposed to be directed to the management VLAN goes massively wrong.
- base9, Jul 17, 2023, Aspirant
I didn't want to jump to any conclusions but if WPA2&3-Enterprise works for me once I get the chance to re-configure the WAX220 and my firewall to NOT use VLANs, then I think we might have a problem here 🤣
Provided the WAX220 plays nicely with freeradius's vlan assignment and properly isolates users to their VLANs, it could conceivably be a solution, but unfortunately not good enough for me, because:
What's the point in being able to have multiple ESSIDs on separate VLANs if I can't mix and match the security? In my case, I have several IoT devices that are incapable of dot1q and dot1x. If I disable all VLAN capability in the WAX220's configuration and rely on my radius server to assign users to VLANs, my assumption is that an ESSID with WPA2-Personal, for example, would probably work - but would be untagged - and would not adhere to my security requirements.
Also, if this is indeed some kind of bug, what's your best guess of whether Netgear will address it, and in what kind of timeframe? Should I take this loss and pay up for a more capable brand?