After HM upgrade to 6.6 Radius test timing out on some of the Access Points

  • Updated 3 years ago
I have recently noticed that if I use the tool - RADIUS test - it fails from some access points saying "The connection attempt to the server timed out". One access point is designed as a RADIUS proxy server and connects to the NPS server. In the NPS server we put a /24 mask for the whole Aerohive APs network.

I tested each AP with 6.5.r1 and I know it worked. After 6.6 upgrade some APs are timing out. 

MST

Posted 3 years ago

Nick Lowe, Official Rep

Realistically, we could do with packet captures to help triage this both between the instigating AP and the AP that acts as a RADIUS proxy and between the proxy and NPS.

In any case, however... You should not be using an AP as a RADIUS proxy unless you have to. (The feature is primarily used as a workaround for the RADIUS client limits in the Standard edition of Windows Server 2008 and Windows Server 2008 R2. These do not exist in the Standard edition of Server 2012 and newer.)

You likely therefore should be pointing your APs at your NPS server(s) directly.

What edition of Windows Server are you using? Would it be possible for you to improve your configuration so that you are not using an AP as a RADIUS proxy?

You mention putting /24 on the RADIUS client entry in NPS. This is only possible on the editions that do not have a RADIUS client limit. This makes me think you are not running a constrained instance.

(Also bear in mind that the RADIUS test uses PAP, CHAP or CHAPv2 so never currently tests as a TLS-based EAP client does.)

MST

Thank You, I am using WIN SRV 2012. I set up debug and this is from the access point that is timing out:

AP-105#2015-07-23 11:03:28 info amrp2: set proxy route: b034:95f2:eeba -> 9c5d:1214:f280 ifp N/A upid 90 flag 0x1402 monitor(0/0) pkt/sec ok

2015-07-23 11:03:28 info kernel: [mesh]: set proxy : b034:95f2:eeba 9c5d:1214:f280 n/a flag 0x1402
2015-07-23 11:03:33 err ah_auth: radclient: Failed to find IP address for host 10.2.101.10: No such file or directory
2015-07-23 11:03:33 info ah_auth: radclient: Error for Radius server 10.2.101.10
2015-07-23 11:03:33 info kernel: [mpi]: socket is closed, pid(1338), protocol(0)
2015-07-23 11:03:33 info capwap: receive event RADIUS/LDAP test response: eventid = 205: length = 69
2015-07-23 11:03:33 info capwap: CAPWAP: receive RADIUS/LDAP test response event!, length:69

That does not make sense - Failed to find IP address for host 10.2.101.10

Nick Lowe, Official Rep

I agree that this does require more investigation based on the error message you have posted.

Prima facie, it appears that radclient in HiveOS may have attempted to perform a DNS lookup for an IP address, treating it as a host name. This could well be a bug but it would need more investigation.

It does, however, seem likely that this will be limited in scope to just the test tool and will not be an issue for actual wireless clients.

(Friendly PLM prodding: Hopefully eapol_test can get built-in at some point here. :-)
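
A triage sketch for the debug output above, added here as an example and not part of the original posts or of HiveOS tooling: it separates radclient lookup failures on a literal IP address, which DNS settings cannot explain, from failures on a real host name. The log layout is inferred from the lines quoted in this thread; the fourth sample line and the name nps01.example.test are constructed.

```python
import ipaddress
import re

# First three lines are copied from the debug output in this thread;
# the fourth (host nps01.example.test) is constructed for contrast.
SAMPLE_LOG = [
    "AP-105#2015-07-23 11:03:28 info amrp2: set proxy route: b034:95f2:eeba -> 9c5d:1214:f280 ifp N/A upid 90 flag 0x1402 monitor(0/0) pkt/sec ok",
    "2015-07-23 11:03:33 err ah_auth: radclient: Failed to find IP address for host 10.2.101.10: No such file or directory",
    "2015-07-23 11:03:33 info ah_auth: radclient: Error for Radius server 10.2.101.10",
    "2015-07-23 11:03:34 err ah_auth: radclient: Failed to find IP address for host nps01.example.test: No such file or directory",
]

# Assumed layout: optional CLI prompt, timestamp, level, facility, message.
LINE = re.compile(r"^(?:[^\s#]+#)?(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) ([\w-]+): (.*)$")
LOOKUP_FAIL = re.compile(r"radclient: Failed to find IP address for host (\S+?): ")

def triage(lines):
    """Return (timestamp, host, verdict) for each radclient lookup failure."""
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the assumed layout; ignore rather than guess
        ts, _level, facility, msg = m.groups()
        hit = LOOKUP_FAIL.search(msg) if facility == "ah_auth" else None
        if not hit:
            continue
        host = hit.group(1)
        try:
            ipaddress.ip_address(host)
            # A literal address needs no resolution, so DNS settings on the
            # AP cannot explain this failure; suspect the test tool itself.
            verdict = "ip-literal"
        except ValueError:
            # A real name failed to resolve: check the AP's DNS configuration.
            verdict = "hostname"
        findings.append((ts, host, verdict))
    return findings

if __name__ == "__main__":
    for ts, host, verdict in triage(SAMPLE_LOG):
        print(ts, host, verdict)
```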

MST

Looks like disabling the proxy helped a lot. Thank You Sir!