(RADIATOR) problems w/ HP420 802.11g, radiator 3.11, PEAP, TTLS auth

Mon Oct 3 22:44:58 CDT 2005

Hello Jennifer,

On Tuesday 04 October 2005 13:20, Jennifer Mehl wrote:
> Hi everyone,
>
> I'm experiencing some strange problems, and I'm not sure if this is a
> Radiator issue or an AP issue, or some combination thereof, so I'm
> hoping for some ideas from any of you who may have a similar setup or
> have similar equipment you could test.

This _sounds_ like an AP issue. Some APs do not do mixed mode very well and g 
compatibility is sometimes poor in early firmware.

Do you have the latest firmware for your AP?

Are you able to try different pc client wireless cards? What is the result?

Cheers.

>
> Here is my environment:
>
> HP ProCurve 420 AP (2.1.0 firmware)
> WPA/TKIP and WPA2/AES supported
> 802.1x authentication to Radiator 3.11 on RedHat Enterprise Linux 3
> Radiator config for PEAP and TTLS to flat file, dynamic VLAN assignment,
> SSL cert issued by Thawte Premium CA
> Various wireless cards for WinXP built-in client or SecureW2 client
> (Dell 1350 and D-Link DWL-G650) and Mac OS X 10.4 (Airport)
>
> Here is the problem:
> If I configure the 420 AP radio to 802.11b-only mode, authentication
> happens successfully, and quickly, for TTLS and PEAP clients.  BUT, If I
> change the 420 AP radio back to its default radio setting, 802.11g+b or
> 802.11g only, the 802.1x authentication process never completes.  It
> seems that the Access-Challenge is the last thing sent by the RADIUS
> server to the AP/client.  The client keeps sending Access-Requests until
> it gives up.
>
> I have tried playing around with EAPTLS_MaxFragmentSize in my Radiator
> config, but I haven't had any luck, and I'm not entirely sure if that
> option even has anything to do with the problem... it doesn't make sense
> to me that authentication would complete with 802.11b but not 802.11g if
> packet size or fragmentation were the issue (please correct me if I'm
> wrong!).  The AP 2.1.0 firmware has a new configuration option in the
> wireless-g config interface called "fragmentation-threshold" and the
> default value is 2346.  Not sure if/how this might relate to
> EAPTLS_MaxFragmentSize (which I currently have set at 1000).
>
> I believe I had the same problem with the older HP 420 firmware, 2.0.41.
> I also have a support call in with HP (their 1st line of support says
> she's never heard of this issue), but I'd like to be able to rule out
> Radiator as a "suspect" in this problem before continuing on with HP.
>
> I have 7 APs that all exhibit this exact same problem, and I have tried
> configuring a fresh "bare bones" config on them as well.  I do not have
> another AP to test with Radiator, nor another RADIUS server to test the
> APs with, to rule either of them out.  Right now, I have all of the
> production APs running at 802.11b, and one test AP with a different SSID
> running at 802.11b+g so I can troubleshoot this issue.
>
> My Radiator config is below, as well as a Level 5 trace of a "failed"
> authentication while on the 802.11g radio.
>
> Thanks for any help you all can provide,
> Jennifer

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.