WPA2 Enterprise not working

I've got 2 TP-Link Archer C7 v2's running OpenWrt.
1 is still running v19.07.8 and the other 1 has been reset and upgraded to v21.02.2

I'm using WPA2 Enterprise so I installed wpad instead of wpad-basic.
The Archer which is running v21.02.2 cannot connect to my Radius authentication server (which is running on a pfSense box). I have triple checked the settings and they should be alright!

Here is a part of the logs:

Fri Feb 25 19:27:03 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-STARTED 11:7e:f3:1a:4f:a3
Fri Feb 25 19:27:03 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Fri Feb 25 19:27:03 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-STARTED 11:7e:f3:1a:4f:a3
Fri Feb 25 19:27:03 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Fri Feb 25 19:27:21 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-STARTED 11:7e:f3:1a:4f:a3
Fri Feb 25 19:27:21 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Fri Feb 25 19:27:21 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-STARTED 11:7e:f3:1a:4f:a3
Fri Feb 25 19:27:21 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Fri Feb 25 19:27:22 2022 daemon.info hostapd: wlan0: STA 11:7e:f3:1a:4f:a3 IEEE 802.11: authenticated
Fri Feb 25 19:27:22 2022 daemon.info hostapd: wlan0: STA 11:7e:f3:1a:4f:a3 IEEE 802.11: associated (aid 1)
Fri Feb 25 19:27:22 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-STARTED 11:7e:f3:1a:4f:a3
Fri Feb 25 19:27:22 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Fri Feb 25 19:27:48 2022 daemon.notice hostapd: wlan0: RADIUS No response from Authentication server 192.168.10.1:1812 - failover
Fri Feb 25 19:27:48 2022 daemon.info hostapd: wlan0: RADIUS Authentication server 192.168.10.1:1812

The other Archer which still runs v19.07.8 does not have any problems and can connect to the Radius auth server without problems.
Anyone have a clue what's going on?

(Update)
I have changed the IP and Mac addresses for privacy reasons.

Sure it's 192.10.10.1? That's not within rfc1918 192.168.0.0/16 and I doubt that's your assigned public IP space...
Can you reach your radius from every AP via IP? Have you checked that each radius client can connect and authenticate?

Nah I replaced the actual IP with a fictional one.
And indeed I can see it does not meet the rfc1918. My bad!

The radius can be reached by all clients when they connect to the Archer C7 which is running v19.07.8

Ok. But are you able to connect to the radius server from the 21.02 AP? I mean the radius client/authenticator, not the wifi client.
The wifi client does not connect to the radius. Only the AP. Maybe the IP of the AP has changed and is not configured in the clients.conf of freeradius?

I just set up a freeradius server and APs as clients on 21.02 just fine a few days ago, so I doubt that there is an issue just because you now run 21.02....
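The distinction drawn in the reply above (only the AP, as RADIUS client, talks to the server) can be read straight out of the hostapd log. This is an added example, not code from the thread or from OpenWrt: `triage_hostapd` is a hypothetical helper, and the sample input is an excerpt of the log lines posted at the top of the thread.

```shell
#!/bin/sh
# Added example. Reads hostapd syslog lines on stdin and prints one record per
# finding, so a stalled 802.1X exchange can be attributed to the right hop.
# On the router itself the input would come from: logread | triage_hostapd
triage_hostapd() {
    awk '
        # The last field of the EAP events is the station MAC.
        /CTRL-EVENT-EAP-STARTED/ { started[$NF]++ }
        # Prefix match also covers the SUCCESS2/FAILURE2 spellings hostapd emits.
        /CTRL-EVENT-EAP-SUCCESS/ { finished[$NF] = 1 }
        /CTRL-EVENT-EAP-FAILURE/ { finished[$NF] = 1 }
        # The AP (RADIUS client) sent requests and the server never answered.
        /RADIUS No response from Authentication server/ {
            for (i = 1; i < NF; i++) if ($i == "server") timeout[$(i + 1)]++
        }
        END {
            # Stations that started EAP but never got any verdict back.
            for (m in started)
                if (!(m in finished))
                    printf "eap_stalled %s starts=%d\n", m, started[m]
            for (s in timeout)
                printf "radius_timeout %s count=%d\n", s, timeout[s]
        }
    ' | sort
}

# Excerpt of the log posted above (addresses already altered by the poster).
sample_log() {
cat <<'EOF'
Fri Feb 25 19:27:03 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-STARTED 11:7e:f3:1a:4f:a3
Fri Feb 25 19:27:03 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Fri Feb 25 19:27:22 2022 daemon.info hostapd: wlan0: STA 11:7e:f3:1a:4f:a3 IEEE 802.11: associated (aid 1)
Fri Feb 25 19:27:22 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-STARTED 11:7e:f3:1a:4f:a3
Fri Feb 25 19:27:48 2022 daemon.notice hostapd: wlan0: RADIUS No response from Authentication server 192.168.10.1:1812 - failover
Fri Feb 25 19:27:48 2022 daemon.info hostapd: wlan0: RADIUS Authentication server 192.168.10.1:1812
EOF
}

sample_log | triage_hostapd
```

An `eap_stalled` record together with a `radius_timeout` record points at the AP-to-server leg (shared secret, client entry, or the RADIUS client code on the AP), not at the Wi-Fi client's credentials.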

Yes, I copy/paste the IP from the other Archer so I cannot make any typing mistake.

There's little point in redacting LAN IPs, it only makes sense for MAC addresses and WAN IPs. Better put 192.168.x.x if you'd still like to do it, instead of 192.10.10.1 or anything else that is not a valid private IPv4 range. As you noticed, it confuses people (which makes troubleshooting more difficult).

That aside, might be this is the issue at play? I assume you're using the .2 release no?

If so, check if rolling back to .1 'fixes' it. A fix just landed in the 21.02 branch but you'll need to compile yourself for the moment I think. Not sure if packages will get updated before another point release.

Yes you are right. https://github.com/openwrt/openwrt/commit/abf8209d7f200fd9cd732a2d535699830d89f57c#diff-0524cbcb28eb9c9b7a08dd8c38f9b88ab8dab0af51bae8ca63e1124090008907 this change should be there. I have forgotten that I needed to change the file :roll_eyes:
Someone already on 21.02.2 could check if this change already landed at 21.02.2 or not ... I am still at 21.02.1.

I can say for sure it didn't. Look at the 21.02.2 release tag, it's older than the RADIUS commit. Even if packages will be rebuilt (which happened at some point but I'm not sure they still do), I don't know if images will.

I have changed the IPs.
Good point.

I did use 21.02.2 so maybe that’s the problem.
I will try 21.02.1 when I have some spare time and report back. Thanks for the heads up!

I can confirm: WPA2 Enterprise with Radius is not working under v21.02.2 , at least not for me.
I have tested a few scenarios and once downgraded to 21.02.1 the problem is gone, Radius is working great, no problems.

Freeradius3 backend on pfSense CE v2.6.0

As soon as the WPA daemon packages get bumped to 40 you can use this page to generate a customised image BTW:

http://sysupgrade.openwrt.org/

@Borromini
How can I check if the WPA daemon package has been bumped to 40?

You check the package list (see /etc/opkg/distfeeds.conf for the URL).

Thanks!
Though I'm not quite sure where and what to look for.
Package url = https://downloads.openwrt.org/releases/21.02.1/packages/mips_24kc/packages
Can't find any WPA daemon...

They're under base, not under packages.

Makes sense! Thx

Though the package is at 40 as far as I can see:
wpad_2020-06-08-5a8b3662-40_mips_24kc.ipk

Updated last Sunday (yesterday) but I just checked and 21.0.2.2 is still having problems for me with Radius and WPA Enterprise EAP.
I updated with the file:
openwrt-21.02.2-ath79-generic-tplink_archer-c7-v2-squashfs-sysupgrade.bin
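The check discussed in the last few posts, comparing the wpad release in the `base` feed with what is actually installed, can be scripted. This is an added example, not code from the thread or from OpenWrt: the helper names are hypothetical, the feed version is the one quoted above, and the installed release `-38` is a constructed value standing in for a stock release image.

```shell
#!/bin/sh
# Added example. 40 is the wpad package release the thread names as carrying
# the RADIUS fix; the helper functions are hypothetical.
FIXED_RELEASE=40

# Version of package $1 from an opkg Packages index read on stdin.
feed_version() {
    awk -v pkg="$1" '$1 == "Package:" { cur = $2 }
                     $1 == "Version:" && cur == pkg { print $2 }'
}

# Version of package $1 from `opkg list-installed` output ("name - version").
installed_version() {
    awk -v pkg="$1" '$1 == pkg && $2 == "-" { print $3 }'
}

# Succeeds when the trailing "-<release>" of version $1 is >= FIXED_RELEASE.
has_radius_fix() {
    rel=${1##*-}
    case "$rel" in ''|*[!0-9]*) return 2 ;; esac   # unparsable: unknown
    [ "$rel" -ge "$FIXED_RELEASE" ]
}

# One-word verdict for an installed version $1 and a feed version $2.
verdict() {
    if has_radius_fix "$1"; then echo fixed
    elif has_radius_fix "$2"; then echo upgrade-available
    else echo feed-not-updated
    fi
}

# Constructed inputs: the feed version is the one quoted in the thread; the
# installed release (-38) is made up to stand for a stock release image.
sample_feed() {
cat <<'EOF'
Package: wpad
Version: 2020-06-08-5a8b3662-40
Architecture: mips_24kc

Package: wpad-basic
Version: 2020-06-08-5a8b3662-40
Architecture: mips_24kc
EOF
}
sample_installed() {
    echo 'wpad - 2020-06-08-5a8b3662-38'
}

verdict "$(sample_installed | installed_version wpad)" "$(sample_feed | feed_version wpad)"
```

On a router the two inputs would be `opkg list-installed` and the `Packages` index of the `base` feed listed in /etc/opkg/distfeeds.conf; `upgrade-available` is the state described here, where the feed has the fix but the flashed image does not.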

Yes. As explained, the packages might see updates but the firmware images probably do not. You need to generate a custom image using the link in post #11. That will use the updated packages you include.

Ok, cool! Will give it a try and report back.

@Borromini
You saved the day mate! Thx.

Installed 21.02.1, coming from stock/factory TP-Link firmware.
After that I did the sysupgrade through http://sysupgrade.openwrt.org/ and I'm now running 21.0.2.2 without the "WPA EAP/Enterprise bug".

Glad I could get you on your way.
