radius
3 Topics

Insight - RADIUS attribute bug - External Captive Portal
Hi,

I am from Purple Wifi - we are a Guest WiFi service provider offering external captive portal and RADIUS solutions. We've recently been asked by a customer to integrate our solution with NETGEAR Insight.

We've configured the captive portal setting as per https://kb.netgear.com/000066743/How-do-I-set-up-an-Insight-External-Captive-Portal-service and everything is working, except that when the AP makes the RADIUS request to the RADIUS server, it's missing some basic/crucial attributes. We can see the following in the Access-Request:

    Access-Request Id 0 ens4:51.7.213.100:57854 -> 10.210.63.147:1812 +9.011
        User-Name = "2-3599a6f342d645c89d6741386daf936f-form@195dff"
        User-Password = "..."
        NAS-IP-Address = 192.168.1.149
        NAS-Identifier = "14:59:c0:28:xx:xx"
        Message-Authenticator = 0xf3df60664dc768f4271309e6651ba6db

However, as per RFC 2865, all RADIUS Access and Accounting requests should contain the following attributes also:

    Called-Station-Id (MAC of the AP)
    Calling-Station-Id (MAC of the client device)

Without this, the RADIUS server cannot look up the AP or the client, to authorize successfully. I realize the NAS-Identifier is the MAC of the AP, but the above attributes should be included as a minimum.

Please can this be looked at?

Thanks,
James

Multiple radius authentication on the same port - 802.1x M5300
Hi,

I'm setting up 802.1x on our M5300 switch and I want to have my computers plugged into my IP phones. I wanted to know how to set up my switch to allow two different authentications on the same port, one for the phone tagged on the voice VLAN and one for the computer untagged on the data VLAN.

I found the 'multi-domain' option on Cisco switches, which seems to do what I want. Is it available on M5300 switches?

Thanks for your answers,
Best regards,

Solved

wndap360 radius failover with 3.6.9.0 firmware not working
Hello,

we are just cleaning up our WLAN infrastructure, and for this we upgrade the WNDAP360 AP from firmware 3.5.6.0 to the most recent 3.6.9.0. In the same step we also change the radius infrastructure to use two new servers instead of one old server.

Upgrade and Radius work fine under normal conditions. But what is not working, is the failover to the secondary radius server, when the first one is not responding.

The primary Radius server is 192.168.163.9:1812, the secondary one at 192.168.163.10:1812. Both servers are running Windows 2016 Server, with NPS installed and configured for Radius.

In the log of the AP I see this:

    Jun 1 17:36:05 hostapd: wifi1vap7: RADIUS Authentication server 192.168.163.9:1812

Here a station connects with WPA2-Enterprise and auth via the primary radius server works fine:

    Jun 1 17:36:18 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: associated
    Jun 1 17:36:18 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication
    Jun 1 17:36:18 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored
    Jun 1 17:36:19 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 WPA: pairwise key handshake completed (RSN)
    Jun 1 17:36:19 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

We then disconnect the station, and shut down the primary radius server. Then we try to connect to the station again, but here we see repeated auth failures:

    Jun 1 17:38:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: associated
    Jun 1 17:38:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication
    Jun 1 17:38:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored
    Jun 1 17:38:35 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication
    Jun 1 17:38:53 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: recvd disassoc msg from STA, reason code (8), rssi (67)
    Jun 1 17:38:53 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: disassociated

At the same time, we see many ARP requests on the LAN for the IP 192.168.163.9 from the AP (So the AP is trying to find the now gone radius server).

We did leave the primary radius server turned off for about 15 minutes, and the AP did still try to find the 192.168.163.9 radius server, no failover.

Then we turned the primary radius server on again, and authentication works fine again:

    Jun 1 17:52:37 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication
    Jun 1 17:52:37 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored
    Jun 1 17:52:38 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 WPA: pairwise key handshake completed (RSN)
    Jun 1 17:52:38 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)

Also when we reboot the AP with the primary radius offline, it does not pick the secondary radius server.

    FW Version WNDAP360_V3.6.9.0
    Config Version 4.0
    CMAPD Version: 1701.27.1803.40

    Jun 1 02:00:50 init: init: starting pid 1808, tty '/dev/ttyS0': '/sbin/getty -L ttyS0 9600 vt100'
    Mar 17 15:29:06 udhcpc[656]: Sending discover...
    Mar 17 15:29:06 udhcpc[656]: Sending select for 192.168.163.233...
    Mar 17 15:29:06 udhcpc[656]: Lease of 192.168.163.233 obtained, lease time 2678400
    Mar 17 15:29:10 kernel: php used greatest stack depth: 5092 bytes left
    Mar 17 15:29:10 kernel: php used greatest stack depth: 4764 bytes left
    Jun 1 18:25:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: associated
    Jun 1 18:25:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication
    Jun 1 18:25:17 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored
    Jun 1 18:25:17 hostapd: wifi0vap2: RADIUS Send failed - maybe interface status changed - try to connect again
    Jun 1 18:25:17 hostapd: wifi0vap2: RADIUS Authentication server 192.168.163.9:1812
    Jun 1 18:25:35 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication
    Jun 1 18:25:53 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: recvd disassoc msg from STA, reason code (8), rssi (67)
    Jun 1 18:25:53 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: disassociated
    Jun 1 18:26:07 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: associated
    Jun 1 18:26:07 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication
    Jun 1 18:26:07 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored
    Jun 1 18:26:25 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication
    Jun 1 18:26:43 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: recvd disassoc msg from STA, reason code (8), rssi (67)
    Jun 1 18:26:43 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: disassociated
    Jun 1 18:26:58 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: associated
    Jun 1 18:26:58 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication
    Jun 1 18:26:58 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: EAP Identifier of the Response-Identity does not match (was 0, expected 1) - ignored
    Jun 1 18:27:16 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.1X: aborting authentication
    Jun 1 18:27:34 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: recvd disassoc msg from STA, reason code (8), rssi (68)
    Jun 1 18:27:34 hostapd: wifi0vap2: STA 74:de:2b:9f:3e:e4 IEEE 802.11: disassociated

Any ideas what I can try, to get the failover working?

Solved