Re: WAX630: authentication failed - EAP type: 13 (TLS)

yawm · ‎2022-09-22

Hi,

we have 8 WAX630 devices with the latest firmware (10.2.0.16). We are using 802.1X with external Radius system. Everything is working properly, however, every now and then random users cannot login to the SSID with radius enabled. The server responds "authentication failed" and the syslog servers show these entries:

(mac address and hostname were intentionally replaced)

Sep 22 16:19:25 REMOVED_HOSTNAME hostapd: wifi2vap3: STA XX:XX:XX:d4:46:fe IEEE 802.11: associated (aid 3)
Sep 22 16:19:27 REMOVED_HOSTNAME hostapd: wifi2vap3: STA XX:XX:XX:d4:46:fe IEEE 802.1X: authentication failed - EAP type: 13 (TLS)
Sep 22 16:19:27 REMOVED_HOSTNAME hostapd: SSID ROAM: Tx leave update for sta XX:XX:XX:d4:46:fe
Sep 22 16:19:27 REMOVED_HOSTNAME hostapd: SSID ROAM: Received station leave / disconnect update for sta XX:XX:XX:d4:46:fe
Sep 22 16:19:27 REMOVED_HOSTNAME hostapd: SSID ROAM: Received station leave / disconnect update for sta XX:XX:XX:d4:46:fe
Sep 22 16:19:27 REMOVED_HOSTNAME hostapd: SSID ROAM: Received station leave / disconnect update for sta XX:XX:XX:d4:46:fe
Sep 22 16:19:27 REMOVED_HOSTNAME hostapd: SSID ROAM: Received station leave / disconnect update for sta XX:XX:XX:d4:46:fe
Sep 22 16:19:27 REMOVED_HOSTNAME hostapd: SSID ROAM: Received station leave / disconnect update for sta XX:XX:XX:d4:46:fe
Sep 22 16:19:27 REMOVED_HOSTNAME hostapd: SSID ROAM: Received station leave / disconnect update for sta XX:XX:XX:d4:46:fe
Sep 22 16:19:27 REMOVED_HOSTNAME hostapd: SSID ROAM: Received station leave / disconnect update for sta XX:XX:XX:d4:46:fe
Sep 22 16:19:30 REMOVED_HOSTNAME hostapd: wifi2vap3: STA XX:XX:XX:d4:46:fe IEEE 802.11: authenticated
Sep 22 16:19:30 REMOVED_HOSTNAME configd[3673]: EEM: Received Event: NEW_STA_ASSOC_EEM
Sep 22 16:19:30 REMOVED_HOSTNAME hostapd: wifi2vap3: STA XX:XX:XX:d4:46:fe IEEE 802.11: associated (aid 3)
Sep 22 16:19:32 REMOVED_HOSTNAME hostapd: wifi2vap3: STA XX:XX:XX:d4:46:fe IEEE 802.1X: authentication failed - EAP type: 13 (TLS)

Checking RADIUS Server logs, there is not even the request to the RADIUS that would be sent at that point.

Currently, the workaround is to reboot the specific AP, ask user to re-authenticate, which, first, shows the same error, however, the request looks to be sent to the RADIUS server which then also give a proper feedback and logs the event (see screenshot below):

Checking the radius server logs, it show that the specific user was granted access:

The user can now connect to SSID without any issues.

Can someone help us out what is causing this issue?

DaneA · ‎2022-10-12

@yawm,

Is the WAX630 managed via NETGEAR Insight?

Kindly try to disable RADIUS authentication then re-enable it and check if the same problem will occur.

Regards,

DaneA

NETGEAR Community Team

RaghuHR · ‎2022-10-13

Hi @yawm Could you please capture the ethernet packet between WAX630 and your Radius server? Also send me the detailed logs. You can save the detailed logs by logging into WAX630 UI -> Monitoring page ->logs and download detailed logs. You can upload

packet captures and logs into any cloud storage such as google drive/one drive/drop box etc.. and send me a link to download via PM. Thank you !