NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
wndap360 radius failover with 3.6.9.0 firmware not working
Hello,
we are just cleaning up our WLAN infrastructure, and for this we upgrade the WNDAP360 AP from firmware 3.5.6.0 to the most recent 3.6.9.0.
In the same step we also change the radius infrastructure to use two new servers instead of one old server.
Upgrade and Radius work fine under normal conditions.
But what is not working, is the failover to the secondary radius server, when the first one is not responding.
The primary Radius server is 192.168.163.9:1812, the secondary one at 192.168.163.10:1812
Both servers are running Windows 2016 Server, with NPS installed and configured for Radius.
In the log of the AP I see this:
Jun 1 17:36:05 hostapd: wifi1vap7: RADIUS Authentication server 192.168.163.9:1812
Here a station connects with WPA2-Enterprise and auth via the primary radius server works fine
Jun 1 17:36:18 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: associated Jun 1 17:36:18 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication Jun 1 17:36:18 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored Jun 1 17:36:19 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 WPA: pairwise key handshake completed (RSN) Jun 1 17:36:19 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
We then disconnect the station, and shut down the primary radius server.
Then we try to connect to the station again, but here we see repeated auth failures:
Jun 1 17:38:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: associated Jun 1 17:38:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication Jun 1 17:38:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored Jun 1 17:38:35 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication Jun 1 17:38:53 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: recvd disassoc msg from STA, reason code (8), rssi (67) Jun 1 17:38:53 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: disassociated
At the same time, we see many ARP requests on the LAN for the IP 192.168.163.9 from the AP (So the AP is trying to find the now gone radius server)
We did leave the primary radius server turned off for about 15 minutes, and the AP did still try to find the 192.168.163.9 radius server, no failover
Then we turned the primary radius server on again, and authentication works fine again:
Jun 1 17:52:37 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication Jun 1 17:52:37 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored Jun 1 17:52:38 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 WPA: pairwise key handshake completed (RSN) Jun 1 17:52:38 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Also when we reboot the AP with the primary radius offline, it does not pick the secondary radius server.
FW Version WNDAP360_V3.6.9.0 Config Version 4.0 CMAPD Version: 1701.27.1803.40 Jun 1 02:00:50 init: init: starting pid 1808, tty '/dev/ttyS0': '/sbin/getty -L ttyS0 9600 vt100' Mar 17 15:29:06 udhcpc[656]: Sending discover... Mar 17 15:29:06 udhcpc[656]: Sending select for 192.168.163.233... Mar 17 15:29:06 udhcpc[656]: Lease of 192.168.163.233 obtained, lease time 2678400 Mar 17 15:29:10 kernel: php used greatest stack depth: 5092 bytes left Mar 17 15:29:10 kernel: php used greatest stack depth: 4764 bytes left Jun 1 18:25:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: associated Jun 1 18:25:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication Jun 1 18:25:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored Jun 1 18:25:17 hostapd: wifi0vap2: RADIUS Send failed - maybe interface status changed - try to connect again Jun 1 18:25:17 hostapd: wifi0vap2: RADIUS Authentication server 192.168.163.9:1812 Jun 1 18:25:35 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication Jun 1 18:25:53 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: recvd disassoc msg from STA, reason code (8), rssi (67) Jun 1 18:25:53 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: disassociated Jun 1 18:26:07 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: associated Jun 1 18:26:07 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication Jun 1 18:26:07 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored Jun 1 18:26:25 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication Jun 1 18:26:43 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: recvd disassoc msg from STA, reason code (8), rssi (67) Jun 1 18:26:43 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: disassociated Jun 1 18:26:58 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: associated Jun 1 18:26:58 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication Jun 1 18:26:58 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored Jun 1 18:27:16 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication Jun 1 18:27:34 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: recvd disassoc msg from STA, reason code (8), rssi (68) Jun 1 18:27:34 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: disassociated
Any ideas what I can try, to get the failover working?
4 Replies
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
