
WNDAP360 firmware 3.7.9.0 problems with radius server

spuch

Hello together,

 

Yesterday I had to set up a WNDAP360 within our network in conjunction with a FreeRADIUS server. First of all I ensured that the latest firmware 3.7.9.0 is on the device, and before starting the configuration the device was reset to factory defaults.

 

During the configuration process I noticed the following problems:

 

1) The device sends a wrong NAS-Identifier and "Connect-Info" within RADIUS packets. The details are already described in this discussion for a WNDAP660; it seems to me that the same problem applies to the WNDAP360 (maybe others like WNDAP620 and WNDAP320 with the same firmware basis, too). The wrong settings are configured on the access point in the file /etc/bss*.conf.wifi*

 

2) There seems to be a timing problem during startup of the device regarding the hostapd service, which tries to connect to the configured RADIUS server before the access point gets an IP address via DHCP from a server in the local network. Due to the default IP address 192.168.0.100 the authentication to the RADIUS server fails.

How to reproduce:

- set up a RADIUS server within the WNDAP360 and reboot the access point

- look into the logs; there you will find

FW Version WNDAP360_V3.7.9.0
Config Version 4.0
CMAPD Version: 1710.07.0035.50
Jun  1 02:00:53 hostapd: wifi0vap0: RADIUS Send failed - maybe interface status changed - try to connect again
Jun  1 02:00:53 hostapd: wifi0vap0: RADIUS Accounting server 192.168.XX.2:1813
Jun  1 02:00:53 hostapd: wifi0vap1: RADIUS Send failed - maybe interface status changed - try to connect again
Jun  1 02:00:53 hostapd: wifi0vap1: RADIUS Accounting server 192.168.XX.2:1813
Jun  1 02:00:53 hostapd: wifi0vap2: RADIUS Send failed - maybe interface status changed - try to connect again
Jun  1 02:00:53 hostapd: wifi0vap2: RADIUS Accounting server 192.168.XX.2:1813
Jun  1 02:00:53 hostapd: wifi0vap3: RADIUS Send failed - maybe interface status changed - try to connect again
Jun  1 02:00:53 hostapd: wifi0vap3: RADIUS Accounting server 192.168.XX.2:1813
Jun  1 02:00:53 hostapd: wifi0vap4: RADIUS Send failed - maybe interface status changed - try to connect again
Jun  1 02:00:53 hostapd: wifi0vap4: RADIUS Accounting server 192.168.XX.2:1813
Jun  1 02:00:53 hostapd: wifi0vap5: RADIUS Send failed - maybe interface status changed - try to connect again
Jun  1 02:00:53 hostapd: wifi0vap5: RADIUS Accounting server 192.168.XX.2:1813
Jun  1 02:00:53 init: init: starting pid 1282, tty '/dev/ttyS0': '/sbin/getty -L ttyS0 9600 vt100'
Oct  9 12:22:44 kernel: cp used greatest stack depth: 5680 bytes left
Oct  9 12:22:45 hostapd: wifi0vap6: RADIUS Send failed - maybe interface status changed - try to connect again
Oct  9 12:22:45 hostapd: wifi0vap6: RADIUS Accounting server 192.168.XX.2:1813
Oct  9 12:22:45 hostapd: wifi0vap7: RADIUS Send failed - maybe interface status changed - try to connect again
Oct  9 12:22:45 hostapd: wifi0vap7: RADIUS Accounting server 192.168.XX.2:1813

On the other side (in the log file of the RADIUS server) you can see

Thu Sep  6 23:05:50 2018 : Info: rlm_radutmp: NAS 192.168.0.100 restarted (Accounting-On packet seen)
Thu Sep  6 23:05:50 2018 : Info: rlm_radutmp: NAS 192.168.0.100 restarted (Accounting-On packet seen)
...
...

- restarting the hostapd service after the startup of the WNDAP360 is finished fixes the problem. This can be triggered from the web GUI in Configuration -> Security -> Radius server Settings, e.g. by unchecking and checking again the option "Update Global Key Every (Seconds)" and pressing the "Apply" button after that.

- looking into the log file it is possible to observe that the authentication to the RADIUS server is now successful although nothing within the configuration was changed (proof that the settings are valid)

Sep  6 23:09:59 hostapd: wifi0vap0: RADIUS Authentication server 192.168.XX.2:1812
Sep  6 23:09:59 hostapd: wifi0vap0: RADIUS Accounting server 192.168.XX.2:1813
Sep  6 23:09:59 hostapd: wifi0vap1: RADIUS Authentication server 192.168.XX.2:1812
Sep  6 23:09:59 hostapd: wifi0vap1: RADIUS Accounting server 192.168.XX.2:1813
Sep  6 23:09:59 hostapd: wifi0vap2: RADIUS Authentication server 192.168.XX.2:1812
Sep  6 23:09:59 hostapd: wifi0vap2: RADIUS Accounting server 192.168.XX.2:1813
Sep  6 23:10:00 hostapd: wifi0vap3: RADIUS Authentication server 192.168.XX.2:1812
Sep  6 23:10:00 hostapd: wifi0vap3: RADIUS Accounting server 192.168.XX.2:1813
Sep  6 23:10:00 hostapd: wifi0vap4: RADIUS Authentication server 192.168.XX.2:1812
Sep  6 23:10:00 hostapd: wifi0vap4: RADIUS Accounting server 192.168.XX.2:1813
Sep  6 23:10:00 hostapd: wifi0vap5: RADIUS Authentication server 192.168.XX.2:1812
Sep  6 23:10:00 hostapd: wifi0vap5: RADIUS Accounting server 192.168.XX.2:1813
Sep  6 23:10:00 hostapd: wifi0vap6: RADIUS Authentication server 192.168.XX.2:1812
Sep  6 23:10:00 hostapd: wifi0vap6: RADIUS Accounting server 192.168.XX.2:1813
Sep  6 23:10:00 hostapd: wifi0vap7: RADIUS Authentication server 192.168.XX.2:1812
Sep  6 23:10:00 hostapd: wifi0vap7: RADIUS Accounting server 192.168.XX.2:1813

Slightly delaying the start of the hostapd service during boot of the WNDAP until the IP address from the local DHCP server is set on the network interface should solve that problem.

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Is it possible that you provide a beta firmware which fixes these problems?

 

Kind Regards and thanks in advance

SPuch

 

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Two minor questions/remarks which don't belong to the problems mentioned above but may be interesting for others, too.

1)

I tried to increase the amount of max. wifi clients from 64 to 128 and got a hint that 64 is already the maximum. First I thought of another bug in the firmware, because several product data sheets (WNDAP360 WNDAP660 etc.) are pointing out an amount of 128 clients. Only the big reference manual (WNDAP360_RM_2Nov2015) says that there are only 64 clients possible. Very confusing.....

 

2)

So far I didn't find a way to replace the self-signed SSL certificates within the NETGEAR access point WNDAP360 (WNDAP660 as well). The current ones are valid until April 2019. Are there any plans to renew them during a further maintenance release so that web browsers will not complain about them if an appropriate exception is defined?

Model: WNDAP360|ProSafe Wireless-N Access Point
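
Added example (not part of the original post, and not NETGEAR or FreeRADIUS code): a log check for the boot-time race described above, listing the VAPs that still need a hostapd restart and the NAS addresses in Accounting-On lines that are not in the expected inventory. The function names, the sample log text and the address 192.168.10.50 are constructed for illustration; the line formats follow the excerpts quoted in the post.

```python
import re

# Patterns follow the log line shapes quoted in the post.
AP_LINE = re.compile(r"hostapd: (?P<vap>wifi\d+vap\d+): RADIUS (?P<msg>.+)$")
NAS_RESTART = re.compile(r"rlm_radutmp: NAS (?P<ip>\d+\.\d+\.\d+\.\d+) restarted")


def vaps_needing_restart(ap_log):
    """Return VAPs whose latest RADIUS state is still 'Send failed'.

    A VAP is cleared once hostapd logs 'Authentication server' for it,
    which in the post only appears after hostapd has been restarted.
    """
    failed = {}
    for line in ap_log.splitlines():
        m = AP_LINE.search(line)
        if not m:
            continue  # kernel, init and other unrelated lines
        if m["msg"].startswith("Send failed"):
            failed[m["vap"]] = True
        elif m["msg"].startswith("Authentication server"):
            failed[m["vap"]] = False
    return sorted(vap for vap, bad in failed.items() if bad)


def unexpected_nas_restarts(radius_log, expected_nas):
    """Return NAS addresses from Accounting-On lines missing from the inventory."""
    hits = []
    for line in radius_log.splitlines():
        m = NAS_RESTART.search(line)
        if m and m["ip"] not in expected_nas:
            hits.append(m["ip"])
    return hits


# Constructed sample input modelled on the excerpts in the post.
AP_LOG = """\
Jun  1 02:00:53 hostapd: wifi0vap0: RADIUS Send failed - maybe interface status changed - try to connect again
Jun  1 02:00:53 hostapd: wifi0vap0: RADIUS Accounting server 192.168.XX.2:1813
Jun  1 02:00:53 hostapd: wifi0vap1: RADIUS Send failed - maybe interface status changed - try to connect again
Sep  6 23:09:59 hostapd: wifi0vap0: RADIUS Authentication server 192.168.XX.2:1812
"""
RADIUS_LOG = """\
Thu Sep  6 23:05:50 2018 : Info: rlm_radutmp: NAS 192.168.0.100 restarted (Accounting-On packet seen)
Thu Sep  6 23:20:11 2018 : Info: rlm_radutmp: NAS 192.168.10.50 restarted (Accounting-On packet seen)
"""

if __name__ == "__main__":
    print("VAPs still failing:", vaps_needing_restart(AP_LOG))
    print("Unexpected NAS:", unexpected_nas_restarts(RADIUS_LOG, {"192.168.10.50"}))
```

On the sample input the first check reports wifi0vap1 and the second reports 192.168.0.100, the factory-default address the post names.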