WPA2 Enterprise Auth Server and Acct Server issues

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
ereiss
DD-WRT Novice


Joined: 03 Aug 2023
Posts: 9

PostPosted: Mon Jan 08, 2024 18:15    Post subject: WPA2 Enterprise Auth Server and Acct Server issues
Hi All:

Currently using DD-WRT v3.0-r51937 std (03/05/23).

I have two Windows Active Directory Servers with Network Policy Server (NPS) set up to do the Radius authentication.

I have the basics all working and can log in to the WiFi Access Point using a Windows Active Directory username and password.

My problem is that in the Wireless | Wireless Security settings, when you use WPA2 Enterprise and have Auth Server settings set and Auth Backup Server settings set, I don't understand why there is only one Acct Server settings.

Both of the NPS servers (Radius Servers) have accounting.

My Auth servers are both using default 1812 ports.

Acct Server uses the 1813 port and uses the primary Auth server (same IP).

I can authenticate and the connection details are shown in syslog on the DD-WRT and in the NPS accounting logs.

Works great.

But if I disable the primary Auth server (NPS server), I can't log in.

It does not seem to be failing over to the secondary Auth server.

If I flip-flop the IP addresses and use the secondary (Radius/NPS) server's IP in the Auth Server and Acct Server, then put the primary (Radius/NPS) server's IP in the Backup Auth server setting, I can login and the logs show on the secondary (Radius/NPS) server.

So I know that both Windows NPS servers are working.

The problem seems to be something with the DD-WRT and not failing over and I don't understand why the account server is not paired up with the auth server.

There should be a second Acct Server.

You should be able to pair the Acct server with an Auth server and pair the second Acct server with the second Auth Server.

Anyone have any thoughts on this?

See my attached image of settings.

Thank you,

Eric
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1935

PostPosted: Mon Jan 08, 2024 19:03
If it is not an issue in current release, there won't be much attention given to your issue, especially with no system logs or serial console logs attached. You were already advised to upgrade once already.

https://ftp.dd-wrt.com/dd-wrtv2/downloads/betas/2024/01-02-2024-r54682/linksys-wrt1900acsv2/

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
ereiss
DD-WRT Novice


Joined: 03 Aug 2023
Posts: 9

PostPosted: Wed Jan 10, 2024 3:27
OK, so I upgraded to Firmware: DD-WRT v3.0-r54682 std (01/02/24) and see the same problem.

I managed to collect logs and screenshots for six test cases. I also have a quick diagram to help people understand.

All are attached.

I have a Windows Active Directory Domain with two Domain Controllers running Network Policy Server, which is Microsoft's Radius server. It also has Accounting Server capabilities.

The DD-WRT router will connect and use a Windows Domain username and password and authenticate and it all gets logged and works great.

The basics work.

The problem is with the redundancy.

In the Wireless | Wireless Security tab of the DD-WRT, I have for the first Auth Server my first domain controller with Network Policy Server (NPS). I also have Accounting enabled and the Acct Server pointed at the same IP of the Auth Server.

The second domain controller with NPS is set with the Auth Backup Server address.

This is Test Case 1 (See "Test Case 1.zip").
This works fine.

The zip file has a screenshot showing the settings on the DD-WRT router.
The relevant part of the DD-WRT log file is there.
The first NPS server "AuthServer1" log file is there in .xml format.
The second NPS server "AuthServer2" logged nothing.

In each test case, I rebooted the DD-WRT to get a clean log and likewise did the same with the NPS server service: stopped it, renamed the log, and allowed it to start a new log when restarting the NPS service.

All of this seems fine since the first NPS server is up and running and listening to handle RADIUS authentication requests.


Test Case 2 repeats this but I disabled the Acct Server Setting in DD-WRT.
The only difference in the logs is that the DD-WRT log doesn't show that I disconnected (DeAuth) like in Test Case 1, and the XML log on the NPS1 server is less verbose.



For Test Case 3, I flipped which server was the Auth Server and Auth Backup Server and I also switched the Acct Server address. So my NPS2 server is listed first and as the Acct Server and my NPS2 server is now the Auth Backup server.

This likewise works. This just proves the second NPS server is working as well.


Test Case 4 is the same as Test Case 3 but with the Accounting disabled.

Still works. Less Verbose.


NOW COMES THE PROBLEM.

Back configured as Test Case 1, but in this Test Case 5 I have the NPS service on Auth Server 1 shut down. The Active Directory Domain Controller server is up and running, just the NPS service is turned off.

The NPS1 XML log has a little in it but that was before I shut it down.

When I try to connect from the notebook, the DD-WRT log is spitting out a bunch of errors:

Jan 9 18:58:05 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -52 (Accepted)
Jan 9 18:58:05 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:05 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -51 (Accepted)
Jan 9 18:58:05 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: associated (aid 1)
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -54 (Accepted)
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -53 (Accepted)
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -54 (Accepted)
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -53 (Accepted)
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -55 (Accepted)
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -53 (Accepted)
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -54 (Accepted)
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -53 (Accepted)
Jan 9 18:58:22 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: deauthenticated due to local deauth request
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -53 (Accepted)
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -50 (Accepted)
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -53 (Accepted)
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -52 (Accepted)
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -53 (Accepted)
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -49 (Accepted)
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -53 (Accepted)
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -49 (Accepted)
Jan 9 18:58:26 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -55 (Accepted)
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -55 (Accepted)
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -55 (Accepted)
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -55 (Accepted)
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -56 (Accepted)
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -55 (Accepted)
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: auth request, signal -55 (Accepted)
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: authenticated
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 MLME: assoc request, signal -50 (Accepted)
Jan 9 18:58:29 ASC-WRT30 daemon.info hostapd: wlan0: STA 14:75:5b:89:4c:f7 IEEE 802.11: Station tried to associate with unknown SSID ''



Nothing is getting logged on my second NPS server.



Test Case 6 is the same but with Accounting disabled.



I found someone else having an issue and they reduced the setting "Primary Server Retry Limit" from the default of 600 down to "1" and it still didn't work. But then he tried "10" and it started working.

I tried that and still no failover.

It seems like the point of having an "Auth Backup Server" is to support failover if the first Auth server is unavailable.

But this does not seem to be working.
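For reference, this is how the RADIUS section of a hostapd configuration file (the daemon producing the log lines above) expresses redundant servers. It is an added example, not taken from the thread or from anything DD-WRT generates, and the interface, SSID, addresses, secrets and NAS identifier are placeholders. hostapd keeps separate ordered lists for authentication and accounting servers, so a second accounting server is a second acct_server block with its own failover rather than something paired with a particular auth server.

```ini
# Added example hostapd.conf fragment with a backup server for BOTH
# authentication and accounting. Every address and secret is a placeholder.
interface=wlan0
ssid=ExampleEnterpriseSSID
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
ieee8021x=1
own_ip_addr=192.0.2.1
nas_identifier=ap-placeholder

# Authentication servers: hostapd tries them in the order listed and moves
# to the next entry when the current one stops answering.
auth_server_addr=192.0.2.11
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER_SECRET_NPS1
auth_server_addr=192.0.2.12
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER_SECRET_NPS2

# Accounting servers: an independent ordered list with the same failover
# behaviour. The thread says the DD-WRT GUI exposes only one Acct Server;
# at the hostapd level a second one is simply a second block.
acct_server_addr=192.0.2.11
acct_server_port=1813
acct_server_shared_secret=PLACEHOLDER_SECRET_NPS1
acct_server_addr=192.0.2.12
acct_server_port=1813
acct_server_shared_secret=PLACEHOLDER_SECRET_NPS2

# After failing over, retry the first-listed server every N seconds.
# hostapd's default is 600, the same value as the "Primary Server Retry
# Limit" default mentioned in the thread.
radius_retry_primary_interval=600
```

When checking whether failover actually happened, the NPS2 event log (or a packet capture on UDP 1812 towards 192.0.2.12) is the evidence to look for, since the hostapd log above shows only the 802.11-level result.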
ereiss
DD-WRT Novice


Joined: 03 Aug 2023
Posts: 9

PostPosted: Wed Jan 10, 2024 3:33
Here are Test Cases 3, 4 and 5.

Apparently you can only attach three files to a post.
ereiss
DD-WRT Novice


Joined: 03 Aug 2023
Posts: 9

PostPosted: Wed Jan 10, 2024 3:34
Last test case, #6. Not really important.

Test Case 5 shows the problem.
ereiss
DD-WRT Novice


Joined: 03 Aug 2023
Posts: 9

PostPosted: Wed Jan 10, 2024 14:50
A little more to add this morning.

I figured out how Windows collects connection data from the notebook.

The image shows a good connection which is my Test Case 1.

The second, failed connection shows what the notebook reports for Test Case 5, when the first NPS server (Auth Server) has the service turned off.
ereiss
DD-WRT Novice


Joined: 03 Aug 2023
Posts: 9

PostPosted: Fri Jan 12, 2024 16:43
Any comments on this issue?

It basically looks like the "Auth Backup Server Address" cannot be contacted (failed-over to) when the "Auth Server Address" radius server is not accessible.

The error in the DD-WRT syslog when I disable the primary Radius server is:
IEEE 802.11: Station tried to associate with unknown SSID ''

So those are two single quote marks with a space.

It looks like when the DD-WRT fails over to the backup auth server it is providing a null SSID.