WPA2 authentication fails on 2.4ghz virtual interfaces

DD-WRT Forum Index -> Broadcom SoC based Hardware
jtbr
DD-WRT User


Joined: 09 Mar 2017
Posts: 100

PostPosted: Mon Apr 25, 2022 21:47    Post subject: WPA2 authentication fails on 2.4ghz virtual interfaces
Hello,

I have a Netgear AC1450 I use as a wireless access point (WAP)/extender for four vlans coming from my main router. Since all of the network SSIDs are on both the 5ghz and the 2.4ghz radio, and clients can oftentimes still connect to the main router too, I didn’t notice an issue that seems to have been around for a long while, and was tricky to isolate:

Clients are unable to authenticate (WPA2/AES) to virtual interfaces associated with the 2.4ghz radio. Here are some pertinent facts:
- clients can authenticate to the main 2.4ghz network (ie non-virtual interfaces)
- the radio seems to otherwise work fine. If I disable the WPA2/AES security altogether, clients can connect to virtual interfaces as well
- the 5ghz main and virtual networks all work fine
- it doesn’t seem to have anything to do with the password or the vlans
- this affects linux, android, and iPadOS clients. Thus it doesn’t seem to be a client issue
- it affects builds back to at least 2020 (42xxx) because that’s what I was running when I found the issue. I find that it remains with the latest build 48646, after upgrading with a full reset.
- I noticed that the MAC addresses mentioned in the dd-wrt gui (and in nvram) do not match the MAC addresses being advertised for these virtual interfaces from the client perspective. They are unique however, within the router.

It’s all a bit puzzling to me, and I didn’t find anything on the forums about it. I would be most grateful if anyone has any insight into why this might be happening or what might be done about it.

Best regards
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1407

PostPosted: Mon Apr 25, 2022 22:09    Post subject:
Can you help me understand a little better...

Are the clients able to see the 2.4ghz radios?
Are the 2.4 ghz radios set to the same standard as the clients (ie b/g/n or whatever combination)
What are the specific network authentication and WPA algorithms selected?

Screenshots help...
jtbr
DD-WRT User


Joined: 09 Mar 2017
Posts: 100

PostPosted: Tue Apr 26, 2022 9:39    Post subject:
Thanks for your response. I need to amend my problem slightly. It turns out sometimes, some of the virtual interfaces on 2.4ghz do work with WPA2/AES security; normally the first works (in addition to the physical interface). But the second and third normally do not (and the third has never once worked with any client). If I swap the SSID and passwords for the first and second virtual interfaces, they reverse which one works.

To answer your questions:

Yes, clients can see all the interfaces. When they try to connect, they say either that the password is incorrect, it cannot connect, or that they time out when authenticating.

I only use WPA2/AES for security. But when I disable security altogether, they can connect fine.

In the attached screenshots, you can see two virtual interfaces. It is only possible to connect to interweb_pia2 with security disabled. If I re-enable WPA2/AES for that interface, it becomes impossible to connect.

Note that the BSSID (as gathered by my linux computer) does not match the one in the gui for these virtual interfaces:
Code:

IN-USE  BSSID              SSID                 MODE   CHAN  RATE        SIGNAL  BARS  SECURITY 
        06:A1:51:0E:7B:11  interweb_us2         Infra  3     195 Mbit/s  100     ▂▄▆█  WPA2     
        06:A1:51:0E:7B:10  interweb_pia2        Infra  3     195 Mbit/s  100     ▂▄▆█  --       
*       04:A1:51:0E:7B:0F  interweb2            Infra  3     195 Mbit/s  85      ▂▄▆█  WPA2   


Virtual interfaces for the 5ghz radio DO match what the gui says (and they work fine).

[Attachment: Wireless_Security.png]
[Attachment: Wireless.png]

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Tue Apr 26, 2022 12:52    Post subject:
I am running multiple interfaces without a problem but my router is in normal gateway mode (and my Wireless Network Mode is N/G mixed but I doubt that has anything to do with it)

Did you try rebooting?

As you are using this router as a WAP check the proper settings:
Quote:
VAP on WAP
If you place the unbridged VAP on a wireless access point:
A secondary router connected wired LAN<>LAN on the same subnet as the primary router:
• WAN disabled
• DHCP server Disabled (=off and NOT set as Forwarder!)
• Local IP address in subnet of primary router but outside DHCP scope (you can run udhcpc to give the WAP a static lease but because you can it doesn't mean you should)
• Gateway and Local DNS pointing to primary router
• DNSMasq enabled
• Router kept in the default Gateway mode (the wiki says Router mode but do not do that, Router can break things)

If so then you have to add the following rule to the firewall in order to get internet access from the VAP.
In the web-interface of the router (the WAP): Administration/Commands save Firewall:
#Always necessary (alternatively set static route on main router):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


If everything else fails consider resetting to defaults and rebuild manually

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Tue Apr 26, 2022 14:13    Post subject:
One other thing, it is quite possible that you need the same encryption on all VAPs (at least if they are all bridged like in this case) e.g. WPA2-PSK/AES 128 but you should perhaps be able to use a different password
jtbr
DD-WRT User


Joined: 09 Mar 2017
Posts: 100

PostPosted: Tue Apr 26, 2022 15:01    Post subject:
Thanks for your help.

I tried changing from router mode to gateway mode and rebooting, but the behavior seems unchanged.

The other things you mentioned in the setup are alright, except I don't use DNSMASQ (dns queries go to the main router, but I think that's fine). I also don't have that firewall rule, but it seems to be working fine (?) (I can use all the vlans fine via the 5ghz radio and they can access the WAN).

I've already reset when upgrading to the latest firmware, so no luck on that front either -- same behavior.

Maybe these logs from linux when trying and failing to connect to the third virtual interface might help:

Code:

16:36:13 wpa_supplicant[1216]: wlp2s0: SME: Trying to authenticate with 06:a1:51:0e:7b:10 (SSID='interweb_iot3' freq=2422 MHz)
16:36:13 kernel: [354947.956630] wlp2s0: authenticate with 06:a1:51:0e:7b:10
16:36:13 kernel: [354948.013399] wlp2s0: send auth to 06:a1:51:0e:7b:10 (try 1/3)
16:36:13 NetworkManager[992]: <info>  [1650983773.8288] device (wlp2s0): supplicant interface state: disconnected -> authenticating
16:36:13 NetworkManager[992]: <info>  [1650983773.8289] device (p2p-dev-wlp2s0): supplicant management interface state: disconnected -> authenticating
16:36:13 wpa_supplicant[1216]: wlp2s0: Trying to associate with 06:a1:51:0e:7b:10 (SSID='interweb_iot3' freq=2422 MHz)
16:36:13 NetworkManager[992]: <info>  [1650983773.8315] device (wlp2s0): supplicant interface state: authenticating -> associating
16:36:13 NetworkManager[992]: <info>  [1650983773.8315] device (p2p-dev-wlp2s0): supplicant management interface state: authenticating -> associating
16:36:13 kernel: [354948.015067] wlp2s0: authenticated
16:36:13 kernel: [354948.017678] wlp2s0: associate with 06:a1:51:0e:7b:10 (try 1/3)
16:36:13 kernel: [354948.021335] wlp2s0: RX AssocResp from 06:a1:51:0e:7b:10 (capab=0x1411 status=0 aid=1)
16:36:13 wpa_supplicant[1216]: wlp2s0: Associated with 06:a1:51:0e:7b:10
16:36:13 wpa_supplicant[1216]: wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
16:36:13 kernel: [354948.023528] wlp2s0: associated
16:36:13 NetworkManager[992]: <info>  [1650983773.8442] device (wlp2s0): supplicant interface state: associating -> associated
16:36:13 NetworkManager[992]: <info>  [1650983773.8442] device (p2p-dev-wlp2s0): supplicant management interface state: associating -> associated
16:36:23 kernel: [354958.025111] wlp2s0: deauthenticating from 06:a1:51:0e:7b:10 by local choice (Reason: 3=DEAUTH_LEAVING)
16:36:23 wpa_supplicant[1216]: wlp2s0: Authentication with 06:a1:51:0e:7b:10 timed out.
16:36:23 wpa_supplicant[1216]: wlp2s0: CTRL-EVENT-DISCONNECTED bssid=06:a1:51:0e:7b:10 reason=3 locally_generated=1
16:36:23 NetworkManager[992]: <warn>  [1650983783.8500] sup-iface[0x55c4096321e0,wlp2s0]: connection disconnected (reason -3)
16:36:24 NetworkManager[992]: <info>  [1650983784.0593] device (wlp2s0): supplicant interface state: associated -> disconnected
16:36:24 NetworkManager[992]: <info>  [1650983784.0594] device (p2p-dev-wlp2s0): supplicant management interface state: associated -> disconnected
16:36:24 wpa_supplicant[1216]: wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
16:36:24 NetworkManager[992]: <info>  [1650983784.2542] device (wlp2s0): supplicant interface state: disconnected -> scanning
16:36:24 NetworkManager[992]: <info>  [1650983784.2542] device (p2p-dev-wlp2s0): supplicant management interface state: disconnected -> scanning
16:36:24 systemd[1]: NetworkManager-dispatcher.service: Succeeded.
16:36:25 wpa_supplicant[1216]: wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=BEACON_HINT type=UNKNOWN
16:36:29 wpa_supplicant[1216]: wlp2s0: SME: Trying to authenticate with 06:a1:51:0e:7b:10 (SSID='interweb_iot3' freq=2422 MHz)
16:36:29 kernel: [354963.382096] wlp2s0: authenticate with 06:a1:51:0e:7b:10
16:36:29 NetworkManager[992]: <info>  [1650983789.2500] device (wlp2s0): supplicant interface state: scanning -> authenticating
16:36:29 NetworkManager[992]: <info>  [1650983789.2500] device (p2p-dev-wlp2s0): supplicant management interface state: scanning -> authenticating
16:36:29 kernel: [354963.434775] wlp2s0: send auth to 06:a1:51:0e:7b:10 (try 1/3)
16:36:29 kernel: [354963.437671] wlp2s0: authenticated
16:36:29 wpa_supplicant[1216]: wlp2s0: Trying to associate with 06:a1:51:0e:7b:10 (SSID='interweb_iot3' freq=2422 MHz)
16:36:29 NetworkManager[992]: <info>  [1650983789.2531] device (wlp2s0): supplicant interface state: authenticating -> associating
16:36:29 NetworkManager[992]: <info>  [1650983789.2531] device (p2p-dev-wlp2s0): supplicant management interface state: authenticating -> associating
16:36:29 kernel: [354963.441764] wlp2s0: associate with 06:a1:51:0e:7b:10 (try 1/3)
16:36:29 kernel: [354963.446713] wlp2s0: RX AssocResp from 06:a1:51:0e:7b:10 (capab=0x1411 status=0 aid=1)
16:36:29 kernel: [354963.449453] wlp2s0: associated
16:36:29 wpa_supplicant[1216]: wlp2s0: Associated with 06:a1:51:0e:7b:10
16:36:29 wpa_supplicant[1216]: wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
16:36:29 NetworkManager[992]: <info>  [1650983789.2702] device (wlp2s0): supplicant interface state: associating -> associated
16:36:29 NetworkManager[992]: <info>  [1650983789.2702] device (p2p-dev-wlp2s0): supplicant management interface state: associating -> associated
16:36:39 wpa_supplicant[1216]: wlp2s0: Authentication with 06:a1:51:0e:7b:10 timed out.
16:36:39 kernel: [354973.450152] wlp2s0: deauthenticating from 06:a1:51:0e:7b:10 by local choice (Reason: 3=DEAUTH_LEAVING)
16:36:39 wpa_supplicant[1216]: wlp2s0: CTRL-EVENT-DISCONNECTED bssid=06:a1:51:0e:7b:10 reason=3 locally_generated=1
16:36:39 wpa_supplicant[1216]: wlp2s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="interweb_iot3" auth_failures=1 duration=10 reason=CONN_FAILED
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Tue Apr 26, 2022 15:30    Post subject:
Did you use the same encryption (WPA2-PSK/AES 128) for all radios/VAPs?
jtbr
DD-WRT User


Joined: 09 Mar 2017
Posts: 100

PostPosted: Tue Apr 26, 2022 16:04    Post subject:
egc wrote:
Did you use the same encryption (WPA2-PSK/AES 128) for all radios/VAPs?


Yes, always the same (except when I experimented with turning off encryption altogether).
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1407

PostPosted: Tue Apr 26, 2022 22:33    Post subject:
I have had it happen before where I had to completely delete the password save and reboot, then reenter it.

egc already asked a few of the questions I was going to...

Based on the verbosity it looks as though you are getting authenticated and connected but immediately drop...

Have you tried changing the 2.4 GHz radio name or the mac address of the 2.4 GHz radio and it connects?
jtbr
DD-WRT User


Joined: 09 Mar 2017
Posts: 100

PostPosted: Wed Apr 27, 2022 12:07    Post subject:
Thanks for your input. I tried changing the password, rebooting, changing it back, rebooting again. Unfortunately no luck.

Then I tried playing with the interface MAC addresses found under Setup->Networking.

When I change the MAC for eth0 (the 2.4ghz radio) from
04:A1:51:0E:7B:0F
to
04:A1:51:0E:7B:DF, and reboot,

The virtual interfaces 1, 2, and 3 (as seen by a client) change from:
06:A1:51:0E:7B:11, 06:A1:51:0E:7B:12, 06:A1:51:0E:7B:10
to:
06:A1:51:0E:7B:E1, 06:A1:51:0E:7B:E2, 06:A1:51:0E:7B:E0

(note only the last byte changes, and they are not in order).

Meanwhile, the same virtual interfaces as shown in the edit box under Setup->Networking, as well as in Wireless, and in the nvram change from:
06:A1:51:0E:7B:00, 06:A1:51:0E:7B:01, 06:A1:51:0E:7B:02
to:
06:A1:51:0E:7B:D0, 06:A1:51:0E:7B:D1, 06:A1:51:0E:7B:D2.

(Note that only the last byte changes, they differ in the last byte from what is broadcast, and they ARE in order by virtual interface number)

While it is possible to change the MAC address for wl0.* virtual interfaces in Setup->Networking, these changes do not have any effect and are reverted upon reboot.

Note also the mac addresses in for the 5ghz radio:
Physical interface: 04:A1:51:0E:7B:10
Virtual interfaces 1-3: 06:A1:51:0E:7B:11, 06:A1:51:0E:7B:12, 06:A1:51:0E:7B:13

(These ARE in order and internally DO match the BSSID as broadcast to clients).

I now strongly suspect that the problem is related to the misalignment in the MAC addresses between what is stored internally to dd-wrt and what is broadcast, and that the different order for the third virtual interface might be causing the problem (the third interface should probably be 06:A1:51:0E:7B:E3, not 06:A1:51:0E:7B:E0). Perhaps the addresses are related to the order the interfaces were added/removed?
jtbr
DD-WRT User


Joined: 09 Mar 2017
Posts: 100

PostPosted: Wed Apr 27, 2022 12:26    Post subject:
OK!

Looks like I have found a workaround, thanks to your idea to change the MAC addresses.

If I change the eth0 mac address (corresponding to the 2.4ghz radio) to:
04:A1:51:0E:7B:D0
so that it ends in a 0, like the 5ghz radio,
then the virtual interfaces (1-3) become:
06:A1:51:0E:7B:D1, 06:A1:51:0E:7B:D2, 06:A1:51:0E:7B:D3

(so they are in order, and they also MATCH between the BSSID as broadcast, and as shown internally [e.g, under Wireless and in nvram]).

And after doing that, I can now connect/authenticate to all the virtual networks!!!

So, it appears that there is a problem/inconsistency with the math being used to compute the MAC addresses for virtual interfaces (based upon the physical interface address) for my router, and it fails when the physical interface address ends in 0xF (or maybe, when it doesn't end in 0). Maybe there should be a bug report about this?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

PostPosted: Wed Apr 27, 2022 12:46    Post subject:
As far as I know the MAC address of all the VAPS should add 2 in the second digit so instead of 04:XXX it should be 06:XXX, that seems to work in your case.

Furthermore each VAP should increment the last digit so in your case from :0F it should go to :10 and the next to :11

In your case it shows :00 but your log mentions indeed :10 so there is a discrepancy

What does ifconfig show?


I will ask the higher authorities to have a look

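A small checker, added here as an example (it is not DD-WRT or Broadcom code), that applies the derivation egc describes (set the locally administered bit, then add 1 to the last octet per VAP) to a physical MAC and compares the result with what nvram/GUI stores and what clients actually see. The nmcli lines and the two address sets are the ones jtbr posted; the low-nibble carry check is a heuristic drawn from this thread's observation (base ending in 0xF breaks, base ending in 0x0 works), not a documented driver rule.

```python
import re

# Constructed test input: the `nmcli dev wifi list` lines posted earlier in this thread.
NMCLI_SAMPLE = """\
IN-USE  BSSID              SSID                 MODE   CHAN  RATE        SIGNAL  BARS  SECURITY
        06:A1:51:0E:7B:11  interweb_us2         Infra  3     195 Mbit/s  100     ▂▄▆█  WPA2
        06:A1:51:0E:7B:10  interweb_pia2        Infra  3     195 Mbit/s  100     ▂▄▆█  --
*       04:A1:51:0E:7B:0F  interweb2            Infra  3     195 Mbit/s  85      ▂▄▆█  WPA2
"""
# Address sets as reported in the thread (wl0.1, wl0.2, wl0.3), broken and working cases.
BROKEN_STORED = ["06:A1:51:0E:7B:00", "06:A1:51:0E:7B:01", "06:A1:51:0E:7B:02"]
BROKEN_ADVERTISED = ["06:A1:51:0E:7B:11", "06:A1:51:0E:7B:12", "06:A1:51:0E:7B:10"]
WORKING_STORED = ["06:A1:51:0E:7B:D1", "06:A1:51:0E:7B:D2", "06:A1:51:0E:7B:D3"]
WORKING_ADVERTISED = list(WORKING_STORED)

def parse_mac(mac):
    return [int(octet, 16) for octet in mac.split(":")]

def fmt_mac(octets):
    return ":".join(f"{o:02X}" for o in octets)

def expected_vap_bssids(phy_mac, count):
    """BSSIDs per the rule stated by egc: OR 0x02 into the first octet
    (locally administered), then last octet + index for wl0.1, wl0.2, ..."""
    base = parse_mac(phy_mac)
    base[0] |= 0x02
    result = []
    for idx in range(1, count + 1):
        octets = list(base)
        octets[5] = (octets[5] + idx) & 0xFF
        result.append(fmt_mac(octets))
    return result

def crosses_16_block(phy_mac, count):
    """Heuristic from this thread (assumption, not a documented rule): trouble
    appeared when adding the VAP index to the base's low nibble carries over."""
    return (parse_mac(phy_mac)[5] & 0x0F) + count > 0x0F

def parse_nmcli(text):
    """Map SSID -> BSSID from nmcli output; assumes SSIDs contain no spaces."""
    mac_re = re.compile(r"^\*?\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\S+)")
    found = {}
    for line in text.splitlines():
        m = mac_re.match(line)
        if m:
            found[m.group(2)] = m.group(1).upper()
    return found

def audit_vaps(phy_mac, stored, advertised):
    """Return a list of discrepancies (empty list means everything lines up)."""
    problems = []
    expected = expected_vap_bssids(phy_mac, len(stored))
    for idx, (exp, nv, air) in enumerate(zip(expected, stored, advertised), 1):
        if nv.upper() != exp:
            problems.append(f"wl0.{idx}: stored {nv} != expected {exp}")
        if air.upper() != exp:
            problems.append(f"wl0.{idx}: advertised {air} != expected {exp}")
    if crosses_16_block(phy_mac, len(stored)):
        problems.append("VAP index carries past the low nibble of the base MAC")
    return problems

if __name__ == "__main__":
    print("seen by client:", parse_nmcli(NMCLI_SAMPLE))
    print("broken base 0F:", audit_vaps("04:A1:51:0E:7B:0F", BROKEN_STORED, BROKEN_ADVERTISED))
    print("working base D0:", audit_vaps("04:A1:51:0E:7B:D0", WORKING_STORED, WORKING_ADVERTISED))
```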
AndyOxon
DD-WRT User


Joined: 16 Aug 2021
Posts: 81
Location: Oxford, UK.

PostPosted: Wed Apr 27, 2022 14:40    Post subject:
I’ve spent all day looking into 2G client connecting issues since I reset to default recently.

I will look into MAC assignments when I get a moment. Thanks @jtbr

_________________
Hardware (Device/Firmware/Roles):
Netgear RAX50 | Stock | Gateway, DHCP, AP, NAS.
Netgear WNDR4500v2 | FreshTomato | Router, WAP (2G), WDS-AP (5G), Samba, Torrent Client.
Netgear WNDR4500v2 | FreshTomato | Router, WAP (2G), WDS-AP (5G).
jtbr
DD-WRT User


Joined: 09 Mar 2017
Posts: 100

PostPosted: Wed Apr 27, 2022 14:47    Post subject:
I am attaching ifconfig results from before when it was broken (phy addr ends in F, which I reverted to with some hesitation), and from after, when it worked (phy addr ends in 0).

Looks like ifconfig shows the same MAC addresses as the GUI and nvram (ends in 00, 01, 02). But I confirmed that the BSSID as advertised to clients remains different (ends in 11, 12, 10 for virtual interfaces 1-3 respectively).

[Attachment: wap_ifconfig-works.txt]
[Attachment: wap_ifconfig-broken.txt]
AndyOxon
DD-WRT User


Joined: 16 Aug 2021
Posts: 81
Location: Oxford, UK.

PostPosted: Wed Apr 27, 2022 16:26    Post subject:
I don’t think I can change the MAC on my HW. Changing eth1 (wl0) MAC from xx:xx:xx:xx:xx:70 to xx:xx:xx:xx:xx:80 in ‘Networking’ had no effect (after reboot) anywhere, locally or on the broadcast.

I’ve disabled 2G on my dd-wrt because its causing havoc. I guess imma have to wait for a fix.

Thanks anyway, it was worth a shot!
