Troubleshooting RADIUS Authentication/Authorization Issues

 
 

Introduction

Arista Access Points offer several authentication methods for client connectivity, including the use of external authentication servers to support WPA2-Enterprise. This article outlines Dashboard configuration to use a RADIUS server for WPA2-Enterprise authentication, RADIUS server requirements and basic troubleshooting of RADIUS authentication.

Prerequisites

  • All Arista APs must be added as RADIUS clients on the RADIUS server.
  • A static IP assignment or a DHCP fixed IP assignment is recommended for the APs.
  • Corresponding user authentication policies must be in place on the RADIUS server.

Feature Description

WPA2-Enterprise with 802.1X authentication can be used to authenticate users, also called supplicants. The supplicant (wireless client) authenticates against the RADIUS server (authentication server) using any EAP method configured on the RADIUS server. The Arista AP works as an authenticator and relays authentication messages between the supplicant and the authentication server.

APs perform EAPOL exchanges with the supplicant and convert these to RADIUS Access-Request messages, which are sent to the configured IP address and UDP port of the RADIUS server. Arista APs must receive a RADIUS Access-Accept message from the RADIUS server as a go-ahead to grant the supplicant access to the network.

Solution

After setting up a RADIUS server with the appropriate requirements to support authentication, the following steps must be carried out to configure an SSID to authenticate users via RADIUS:

  1. On Wireless Manager, navigate to Configuration > Device Configuration > SSID Profiles.
  2. Click on the SSID Profile Name from the SSID list or create a new one by clicking on “Add New Wi-Fi Profile”.
  3. Under the Security section, choose WPA2 Security Mode, with 802.1X instead of PSK.
  4. If RADIUS profiles have not yet been set up, create one or more by navigating to Configuration > Device Configuration > RADIUS Profiles. Otherwise, proceed to step 7 directly.
  5. Click on “Add RADIUS Profile” and enter the details required.
    • Profile Name
    • RADIUS IP Address (must be reachable from the APs)
    • Authentication Port (1812 by default – UDP port where the RADIUS server listens for Access-Requests)
    • Accounting Port (1813 by default – UDP port where the AP sends accounting start packet to the RADIUS server along with the required RADIUS attributes)
    • RADIUS client Shared Secret
  6. Click Save for the changes to take effect.
  7. On the SSID Profile, add the Primary and Secondary RADIUS servers for this SSID by selecting RADIUS Profiles for Authentication and Accounting.
  8. Click Save for the changes to take effect.

Note:

  • Apart from the RADIUS server requirements outlined, all authenticating APs will need to be able to contact the IP address and port specified.
  • Ensure that all the APs have network connectivity to the RADIUS server and no firewalls are preventing this access.

Troubleshooting

Basic Checks

  • Check the connectivity between the RADIUS server and the Arista APs and ensure that UDP ports 1812 and 1813 are open for communication.
  • Ensure that the Shared Secret configuration matches on the AP and RADIUS server.
  • Take connection logs for the affected client and check the RADIUS authentication flow by examining the messages. Follow the steps below to take connection logs:
    • Log in to Wireless Manager > Devices > Client > Select a client > Click on More > Connection logs > Type in the SSID name > Select the AP with the highest RSSI value > Start troubleshooting.
    • Try connecting the client now.
    • Copy the logs.
  • In the client connection logs, you may observe a message such as: <8005 No response from RADIUS authentication server while authenticating client>. This indicates that the RADIUS server is not responding to the RADIUS Access-Request.
  • You may also observe an Access-Reject message such as the following coming from the RADIUS server: <1841 Received ACCESS REJECT from Authentication server> <1847 DOT1X authentication failed>
  • Please check the credentials and authentication mechanism used on the client side and the corresponding network policies on the RADIUS server.
  • You may also want to check the events/logs on the RADIUS server for any error messages.
  • If the above points are in place and the issue persists, please take a wired trace from the Arista AP and send it over to our support team for analysis. Refer to the following guides for taking packet captures:
    • How To Collect Wired Packet Capture From An Arista AP
    • How To Collect Wired And Wireless Traces From CloudVision WiFi

Common Configuration Errors

The following common configuration errors may result in RADIUS authentication failing:

  • No certificate installed on the RADIUS Server or the certificate has expired.
  • Arista APs are not added as RADIUS Clients.
  • Arista APs are getting their IPs via DHCP.
  • Incorrect RADIUS Secret on the Dashboard.
  • Network Policy is misconfigured.
  • Connection Request Policy is misconfigured.
  • Mismatch in authentication settings.
  • Incorrect Username or Password.
  • Root Certificate is not added to the client Device.

Common Error Codes and Possible Solutions

Although the error codes outlined below are specific to Windows NPS, the following configuration checks should be made regardless of RADIUS server vendor:

  • Event ID 6273 with Reason Code 23 (bad/missing certificate)

    Connection issues may occur because a digital certificate is not installed on the RADIUS server or because the certificate has expired. If this is the case, you will see Event ID 6273 with Reason Code 23 in the Network Policy and Access Services logs. To resolve this, a certificate will need to be installed or renewed on your NPS server, to establish TLS.

    Reason mentioned in the event viewer: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

  • Event ID 13: A RADIUS message was received from the invalid RADIUS client (APs not added as clients)

    WPA2-Enterprise authentication requires that the Arista Access Points be added as RADIUS clients on your NPS server. Thus, a static IP assignment or a DHCP fixed IP assignment should be used on your APs. If the APs are not added as RADIUS clients, you will see Event ID 13 in the Network Policy and Access Services logs.

    Reason mentioned in the event viewer: A RADIUS message was received from the invalid RADIUS client IP address.

  • Event ID 18: An Access-Request message was received from RADIUS client x.x.x.x with a Message-Authenticator attribute that is not valid (bad shared secret)

    When configuring the RADIUS server under the “Security” tab in Configuration > Device Configuration > SSID Profiles, a shared secret must be entered. This secret must match the shared secret you entered while adding the Arista APs as RADIUS clients. When the secrets do not match, you will see Event ID 18 in the Network Policy and Access Services logs.

    Reason mentioned in the event viewer: An Access-Request message was received from RADIUS client with a Message-Authenticator attribute that is not valid.

  • Event ID 6273 Reason Code 48 (bad network policy)

    An Event ID 6273 with Reason Code 48 usually indicates that a Network Policy is incorrectly configured on your NPS server. It is also possible that the network policy order is not correct, so that no match was found while the client was processed through the policies serially.

    Reason mentioned in the event viewer: The connection request did not match any configured network policy.

  • Event ID 6273 Reason Code 66 (Auth settings mismatch)

    If you receive Event ID 6273 with Reason Code 66 when testing with the RADIUS Test feature on Dashboard, this usually indicates that the authentication settings are incorrectly configured in the Network Policy on your NPS server.

    Reason mentioned in the event viewer: The user attempted to use an authentication method that is not enabled on the matching network policy.

  • Event ID 6273 Reason Code 8 (bad username or password)

    When testing with RADIUS-based authentication, it is quite possible that the username may be incorrect or may not be in the Windows group specified in the Network Policy. In that case, you will see Event ID 6273 with Reason Code 8 in the Network Policy and Access Services logs. Ensure the username is correct and is present in the Windows group specified on your network policy.

    Reason mentioned in the event viewer: The specified user account does not exist.

  • Similarly, it is also possible that though the username is valid, the password may be incorrect. For this, you will see Event ID 4625 in the Windows Security logs. Check the user’s password and/or perform a password reset in Active Directory.

  • Event ID 6273 Reason Code 265 (untrusted CA)

    Windows client devices give us the option to validate the server certificate sent by the server when using WPA2-Enterprise. When implemented, the Certificate Authority must be added to the client’s list of Trusted Root Certification Authorities. If the Certificate Authority is not added to the Windows client, Event ID 6273 with Reason Code 265 can be seen in the Network Policy and Access Services logs.
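
Why a shared-secret mismatch (the Basic Checks item and Event ID 18 above) shows up as an invalid Message-Authenticator, as an added example that is not Arista or NPS code: the attribute is an HMAC-MD5 over the whole Access-Request keyed with the shared secret (RFC 3579), so a server holding a different secret cannot reproduce it. The secrets, username and function names below are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet code and attribute type numbers (RFC 2865 / RFC 3579)
ACCESS_REQUEST, USER_NAME, MESSAGE_AUTHENTICATOR = 1, 1, 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, username: str, ident: int = 1) -> bytes:
    """Authenticator (AP) side: build an Access-Request signed with its secret."""
    request_auth = os.urandom(16)
    # The HMAC is computed with the Message-Authenticator value set to 16 zero bytes.
    attrs = attr(USER_NAME, username.encode()) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: recompute the HMAC-MD5 with the locally configured secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False  # truncated packet or wrong Length field
    pos = 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += a_len
    return False  # attribute absent


def demo() -> tuple:
    """Same request checked with the matching secret and with a mistyped one."""
    pkt = build_access_request(b"ap-side-secret", "alice")  # constructed values
    return (verify_message_authenticator(b"ap-side-secret", pkt),
            verify_message_authenticator(b"server-side-typo", pkt))
```

The second result in `demo()` is the condition NPS reports as Event ID 18; the fix is to re-enter the same secret on the RADIUS profile and on the RADIUS client entry for the AP.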