(RADIATOR) problems w/ HP420 802.11g, radiator 3.11, PEAP, TTLS auth

Mike McCauley mikem at open.com.au
Tue Oct 4 19:32:08 CDT 2005


Hello Jennifer,


On Wednesday 05 October 2005 08:25, Jennifer Mehl wrote:
> Mike, thanks for the reply.
>
> I do have the latest firmware for the HP 420 (2.1.0).
>
> I have tried many different cards, and all seem to work fine on the
> b-only radio mode of the AP with WPA/WPA2 and AES/TKIP, cards using EAP
> methods PEAP and/or TTLS in supplicant.
>
> (The cards also work fine when the AP radio is set to b+g or g and using
> no auth/encryption or simple WEP on a separate SSID.)
>
> For the b+g or g-only modes on the AP with WPA, here are the results:
> 1) D-Link DWL-G650 (b+g card) authenticates finally after 45 sec or so
> on both b+g and g
> 2) SMC2532W (b-only card) authenticates quickly on b+g
> 3) Linksys WPC54Gv3 (b+g) never authenticates
> 4) Dell Wireless 1350 (b+g) never authenticates
> 5) Motorola WN825G (b+g) never authenticates
>
> I have the latest drivers for all wireless PC cards, and the WPA2 update
> for XPSP2 installed on the host systems.

Hmmm, this is very puzzling.
We know that WPA and WPA2 work with Radiator and other APs and clients tested 
here. The a/g type and encryption type is completely transparent to Radiator, 
so if it works with g and not a, we suspect either the AP or the client 
wireless card. We have not tested the HP 420 here, though.

It still looks like a client/AP problem to me.

Cheers.

>
> Jennifer
>
> ========================================
> Jennifer L. Mehl
> Senior Systems Administrator
> University of California, Santa Barbara
> Physics Computing Services
> jmehl -at- physics.ucsb.edu
> (805) 893-8366 work
> (805) 451-7486 cell
> ========================================
>
> Mike McCauley wrote:
> > Hello Jennifer,
> >
> > On Tuesday 04 October 2005 13:20, Jennifer Mehl wrote:
> >>Hi everyone,
> >>
> >>I'm experiencing some strange problems, and I'm not sure if this is a
> >>Radiator issue or an AP issue, or some combination thereof, so I'm
> >>hoping for some ideas from any of you who may have a similar setup or
> >>have similar equipment you could test.
> >
> > This _sounds_ like an AP issue. Some APs do not do mixed mode very well
> > and g compatibility is sometimes poor in early firmware.
> >
> > Do you have the latest firmware for your AP?
> >
> > Are you able to try different pc client wireless cards? What is the
> > result?
> >
> > Cheers.
> >
> >>Here is my environment:
> >>
> >>HP ProCurve 420 AP (2.1.0 firmware)
> >>WPA/TKIP and WPA2/AES supported
> >>802.1x authentication to Radiator 3.11 on RedHat Enterprise Linux 3
> >>Radiator config for PEAP and TTLS to flat file, dynamic VLAN assignment,
> >>SSL cert issued by Thawte Premium CA
> >>Various wireless cards for WinXP built-in client or SecureW2 client
> >>(Dell 1350 and D-Link DWL-G650) and Mac OS X 10.4 (Airport)
> >>
> >>Here is the problem:
> >>If I configure the 420 AP radio to 802.11b-only mode, authentication
> >>happens successfully, and quickly, for TTLS and PEAP clients.  BUT, If I
> >>change the 420 AP radio back to its default radio setting, 802.11g+b or
> >>802.11g only, the 802.1x authentication process never completes.  It
> >>seems that the Access-Challenge is the last thing sent by the RADIUS
> >>server to the AP/client.  The client keeps sending Access-Requests until
> >>it gives up.
> >>
> >>I have tried playing around with EAPTLS_MaxFragmentSize in my Radiator
> >>config, but I haven't had any luck, and I'm not entirely sure if that
> >>option even has anything to do with the problem... it doesn't make sense
> >>to me that authentication would complete with 802.11b but not 802.11g if
> >>packet size or fragmentation were the issue (please correct me if I'm
> >>wrong!).  The AP 2.1.0 firmware has a new configuration option in the
> >>wireless-g config interface called "fragmentation-threshold" and the
> >>default value is 2346.  Not sure if/how this might relate to
> >>EAPTLS_MaxFragmentSize (which I currently have set at 1000).
> >>
> >>I believe I had the same problem with the older HP 420 firmware, 2.0.41.
> >>I also have a support call in with HP (their 1st line of support says
> >>she's never heard of this issue), but I'd like to be able to rule out
> >>Radiator as a "suspect" in this problem before continuing on with HP.
> >>
> >>I have 7 APs that all exhibit this exact same problem, and I have tried
> >>configuring a fresh "bare bones" config on them as well.  I do not have
> >>another AP to test with Radiator, nor another RADIUS server to test the
> >>APs with, to rule either of them out.  Right now, I have all of the
> >>production APs running at 802.11b, and one test AP with a different SSID
> >>running at 802.11b+g so I can troubleshoot this issue.
> >>
> >>My Radiator config is below, as well as a Level 5 trace of a "failed"
> >>authentication while on the 802.11g radio.
> >>
> >>Thanks for any help you all can provide,
> >>Jennifer

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list