WC7600v2 really RFC 2866 Radius Accounting Compliant?

Hi Netgear Community,

 

Before I contact Netgear support to give feedback in regards to the quality of their wireless controllers I wanted to seek clarification from Netgear community about an issue we are currently facing at our site.

 

We would like to utilise the Radius accounting information generated by our WC7600v2 (firmware v6.5.1.11) to be utilised by our Windows 2012r2 NPS server. The specific attribute we need is the "Framed-IP-Address" attribute to contain the IP address of the client / user requesting the authentication. This attribute is helpful in identifying successfully authenticated clients to be simultaneously authenticated against other systems, i.e. like internet filters. Some internet filter providers utilise agent software that can sit on a Windows NPS server and read the logs generated by the NPS service and automatically apply the appropriate internet access policy to the client devices / users at the moment of wireless authentication, essentially providing a Single Sign On process.

 

After attempting to undertake this process at a site that utilises a Netgear WC7600v2 we have come to the conclusion that the WC7600v2 does not provide the Framed-IP-Address. This has been confirmed by reviewing the NPS server logs, where the Framed-IP-Address radius attribute is 0.0.0.0 for all clients authenticating via the WC7600v2.

 

Thanks to previous advice on this forum, we were able to make contact with Netgear text based support and after some time the Netgear technician was able to confirm that the WC7600v2 does not provide the Framed-IP-Address as part of its radius account response to the NPS (radius) server. This feature may be included sometime in the future but he could not give any ETA on its implementation; he was also able to confirm that other customers of the WC7600 series have requested this feature to be implemented.

 

What my site is trying to perform is something that is not too complex; I have done it many times via Cisco / H3C / Aruba controllers and wireless implementations. These devices are more compliant with the RFC 2866 radius standard than what Netgear equipment is, even though your product information sheet (https://www.netgear.com/images/datasheet/wireless/wirelessmanagement/WC7600v2.pdf) states that the controller is compliant with this spec.

 

How are we meant to recommend Netgear equipment to clients in enterprise when the device does not stand up against large enterprise network equipment manufacturers? I can understand something like "it will be included in the next firmware release" but when it is something like "No ETA at this time" it makes us feel like recommending to the site management the entire removal of the Netgear wireless implementation and going for something "more enterprise".

 

Do you think if the site invested in Prosafe support agreement it would carry more weight with Netgear in implementing a basic feature like a more extensive implementation of the RFC 2866 accounting standard?

 

I hope that I do not come across as too negative in this forum thread, but was hoping to provide constructive feedback to help improve your products and the process to improve them.

 

Peter
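An added example, not part of the original post and not Netgear or Microsoft code: one way to check a captured RADIUS Accounting-Request directly, rather than relying on the NPS log, is to walk its attribute list and see whether Framed-IP-Address (type 8) is absent, present as 0.0.0.0, or carries a real client address. The sample packets, user name and 192.0.2.x addresses are constructed for illustration, and the request authenticator is zeroed because the packets are only parsed, not sent.

```python
import socket
import struct

ACCOUNTING_REQUEST = 4   # RADIUS packet code (RFC 2866)
FRAMED_IP_ADDRESS = 8    # attribute type (RFC 2865)

def build_accounting_request(attrs, identifier=1):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + bytes(16) + body

def parse_attributes(packet):
    """Return [(type, value_bytes)] after validating the header and attribute lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs

def framed_ip_status(packet):
    """Return 'missing', 'zero', or the dotted-quad client address."""
    for attr_type, value in parse_attributes(packet):
        if attr_type == FRAMED_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be 4 bytes")
            ip = socket.inet_ntoa(value)
            return "zero" if ip == "0.0.0.0" else ip
    return "missing"

# Constructed samples (zeroed authenticator, parse-only):
# User-Name (1), NAS-IP-Address (4), Acct-Status-Type (40) = Start
BASE = [(1, b"peter"), (4, socket.inet_aton("192.0.2.1")), (40, struct.pack("!I", 1))]
WITHOUT_IP = build_accounting_request(BASE)
WITH_ZERO = build_accounting_request(BASE + [(8, bytes(4))])
WITH_IP = build_accounting_request(BASE + [(8, socket.inet_aton("192.0.2.50"))])

if __name__ == "__main__":
    for name, pkt in [("without", WITHOUT_IP), ("zero", WITH_ZERO), ("with", WITH_IP)]:
        print(name, framed_ip_status(pkt))
```

Feeding the UDP payload of a real Accounting-Request from a packet capture into `framed_ip_status` shows whether the controller omits the attribute or sends it as all zeros.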

18 Comments
broadld87
Fledgling

@DaneA

Does Netgear have a controller where this works correctly? Does it just affect the WC7600v2?

 

Thanks

David

Garwooden
Fledgling

This is a basic feature of RADIUS accounting and should be included!

DaneA
NETGEAR Employee Retired

@broadld87 / @Garwooden,

 

As per the data sheet of the WC7600v2 here, it supports the RFC standards indicated which includes RADIUS (Authentication, Authorization and Accounting). It might be possible that it's an issue with the firmware.

 

As far as I have checked, there has been no similar issue reported yet on the WC9500 wireless controller.  Kindly check the WC9500 data sheet here.

broadld87
Fledgling

Hi there,

So the data sheet for the WC7600V2 says that it is RFC 2866 compliant but doesn't give out the correct attributes as per the RFC. Framed-IP-Address is one of the attributes that is in the RFC. But the controller is not passing this attribute so it is not compliant with the standard as per your documentation.

 

https://www.ietf.org/rfc/rfc2866.txt

 

Thanks

David

 

PeterA23
Initiate

Hi Netgear and everyone in this thread,

 

I am happy that this thread is performing its intended purpose of providing an avenue where customers like myself and others can provide you feedback about your products in real time. I also appreciate the fact that Netgear have directly responded to my concerns and the concerns of others that the WC7600v2 may not be operating in a way that is intended or if it is working as intended is greatly deficient when compared to other products in its class.

 

In line with my previous posts I had set certain time constraints in regards to trialling competing vendor products. Netgear support were able to email me one day before my upper management's imposed deadline and thus I paused the deployment of several UniFi APs from Ubiquiti and our initial negotiations with HPE Aruba. As a man of my word I feel obligated to give Netgear's engineering team the benefit of the doubt on how quickly they can identify, respond and resolve the above issues with the WC7600v2 controller.

 

But my ability to hold back upper management pressure can only go so far. They have allowed me 2 more weeks before they expect results and some sort of action plan to resolve this issue. If we could get some sort of feedback from Netgear's engineering team (even a PM) that would go far in helping my organisation in preparing other product vendors that will utilise the new radius accounting modifications made to the WC7600v2 and provide feedback.

 

If you require a site to trial beta firmware etc., we are willing to participate as long as there is an easy process to go back to stable firmware if there are any major problems encountered.

 

I would like to say at least a thank you for considering our plight and we are trying now to avoid a situation where we spend $40,000+ dollars with another vendor only to have Netgear release a firmware that fixes the Framed-IP-Address issue the next day the WC7600v2 is replaced.

 

Regards

 

Peter

broadld87
Fledgling

@PeterA23

 

Hi Peter

Do you have a case logged with Netgear for this fault?

We have a case logged 28855745 but have heard nothing back from them with regards to this.

I can see the attributes that are being passed and Framed IP is not one of them.

Any update from anyone regarding this would be good especially from Netgear!

 

Thanks

David

PeterA23
Initiate

Hi David,

 

We have received feedback from Netgear that this feature is being worked on but that was 2 weeks ago and I have been monitoring this thread for feedback ever since. In my organisation we usually have fortnightly project status meetings. We have just completed this fortnight's meeting where we received updated directives from leadership on how they would like this situation resolved in a way that is in line with our organisation's business directions and expected outcomes.

 

In fact I was following DaneA's advice in comparing the WC9500 and 7600v2 and I find them basically identical (nearly a direct Copy-Paste) but with major differences in licensing / AP number, total simultaneous client numbers and feature set.

 

An easy way to confirm if it is a weakness in the WC7600v2 is to test the WC9500 to see if it provides the Framed-IP-Address. If it does then it means the WC7600v2 firmware is broken; IF it doesn't then we have a product or even a product range that may not be fully compliant with RFC standards depending on how people choose to interpret / implement them.

 

Let me put it simply, do you think you would have purchased the WC7600v2 if it said in the technical specs that "We do not provide the Framed-IP-Address as part of our radius accounting" but the Aruba, Cisco and UniFi products do?

 

It makes one wonder how many large enterprises use Netgear kit in their core. As I mentioned above we inherited this configuration and we are currently doing the best we can with it.

 

We are just glad Netgear is at least coming to the table, somewhat at the moment.

 

Regards

 

Peter

ChristineT
Admin
Status changed to: New Idea