HiveOS Operating System Compatibility with Radius Server

  • Question
  • Updated 2 years ago
I just recently upgraded all my devices to 6.6r1, and ever since, Windows 7 and Windows XP machines no longer get a prompt when connecting to an 802.1X SSID. Instead it either rejects the selection or assigns a fake IP without even asking for credentials. I spoke to a rep who provided me a rather lengthy fix for the problem; however, I do not see it as feasible for people who bring in their own devices to go through 16 steps to get a Windows device online.

Has anyone else had this issue?  Is there a HiveOS which is more compatible with older versions of Windows?
William OHanlon

Posted 2 years ago

Nick Lowe, Official Rep
Hi William,

Where are you performing the EAP termination? On the APs themselves with the built-in RADIUS server, or on something third party such as Microsoft's Network Policy Server (NPS)?

So I can try and join the dots, can you explain what you've been asked to do to get clients working?

My hunch is that what you are talking about is certificate related and won't be an underlying HiveOS compatibility issue.

Nick
William OHanlon
On the APs themselves; however, prior to updating the HiveOS I at least used to get a prompt to accept the certificate. Now I do not. The short version of what I was asked to do is disable server certificate verification on every Windows machine.
Nick Lowe, Official Rep
That is very much the wrong thing to do in the long term. It enforces a security vulnerability into an environment. It is therefore not a fix at all. Was this recommended just for testing purposes, to establish whether the cause was a certificate-related issue?

This does establish that my hunch was on the mark about it being certificate related.

Are you using the default HiveManager/HiveOS supplied or generated certificate?

If so...

The existing default SHA-1 certificates should have been replaced with SHA-2 based ones, due to the industry-wide deprecation of SHA-1 over security concerns. That is very much the right thing to do. I suspect this may be where you're being tripped up. I would expect it to apply only to new installations, though, and not to updates.

To solve your problem properly, I suggest following the recommendations and guidance in...

https://wiki.geant.org/display/H2eduroam/EAP+Server+Certificate+considerations

... and get a fresh certificate that meets all the requirements listed there, either by sourcing a commercial certificate or by creating your own CA. The latter is more secure in the case that you have clients that do not have the ability to constrain to server names (SANs/CN) in the certificate. *cough* Android

You do then need to consider how you onboard your clients so that they trust the root certificate from which the server certificate you end up using derives.

There is not a problem in HiveOS in the newer versions. You just have an issue of needing appropriate configuration from both a client and server perspective.

Software such as CloudPath is used for 802.1X on-boarding purposes:
http://cloudpath.net/
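The "create your own CA" route Nick describes, as an added example that is not part of the thread and is not Aerohive's or GEANT's code. It builds a private root CA and an EAP server certificate with the properties the GEANT page asks for (SHA-256 signature, serverAuth EKU, a SAN carrying the server name, a 2048-bit key), then runs a check function over a certificate to report the things that make supplicants refuse it. The CA name, the RADIUS server FQDN `radius.ehs.example` and the temporary working directory are assumptions; `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread, Aerohive or GEANT: build a private
# CA plus an EAP server certificate, then check a certificate for the
# properties clients refuse to connect without. CA name, FQDN and the temp
# directory are assumptions.
set -eu

WORK=$(mktemp -d)
RADIUS_FQDN="radius.ehs.example"   # assumed name clients will be told to trust
umask 077                          # private keys are created readable only by us

# 1. Private root CA (SHA-256 self-signature, CA:TRUE, 10 years).
#    Onboarding then means installing exactly this one root on clients, so a
#    client that cannot pin a server name still only trusts certificates we issue.
cat > "$WORK/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.csr" -subj "/O=EHS/CN=EHS Wireless Root CA" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -sha256 \
  -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# 2. EAP server certificate: SHA-256, serverAuth EKU, SAN with the FQDN
#    (supplicants that can pin a name match on the SAN, not only the CN).
cat > "$WORK/server.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$RADIUS_FQDN
EOF
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
  -out "$WORK/server.csr" -subj "/O=EHS/CN=$RADIUS_FQDN" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -sha256 -days 825 -extfile "$WORK/server.ext" \
  -out "$WORK/server.crt" 2>/dev/null

# check_eap_cert CERT ROOT: prints OK, or "FAIL:" followed by each finding,
# and returns 1 on any finding. Findings: chain does not validate against the
# root the clients hold, SHA-1 signature, no SAN to match the configured server
# name on, no serverAuth EKU, RSA key shorter than 2048 bits.
check_eap_cert() {
  cert=$1; root=$2; findings=""
  text=$(openssl x509 -in "$cert" -noout -text)
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 || findings="$findings chain-does-not-validate"
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha1' && findings="$findings sha1-signature"
  printf '%s\n' "$text" | grep -q 'Subject Alternative Name' || findings="$findings no-san"
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || findings="$findings no-serverauth-eku"
  printf '%s\n' "$text" | grep -Eq 'Public-Key: \((2048|3072|4096) bit\)' || findings="$findings rsa-key-under-2048"
  if [ -z "$findings" ]; then echo OK; return 0; fi
  echo "FAIL:$findings"; return 1
}

check_eap_cert "$WORK/server.crt" "$WORK/ca.crt"       # the server cert passes
check_eap_cert "$WORK/ca.crt" "$WORK/ca.crt" || true    # the root itself would fail as an EAP server cert
```

The pair `server.crt`/`server.key` is what goes onto the AP acting as RADIUS server, and `ca.crt` is the single root to distribute to clients (via the onboarding tool or a GPO/profile) together with the server name they should validate. The second call shows the kind of output to expect from a certificate that cannot serve EAP: a root or a bare self-signed cert with no SAN and no serverAuth EKU fails the check, which is exactly the case where disabling validation on the client "fixes" the prompt.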
Nick Lowe, Official Rep
William, do you have or could you get a packet capture of the 802.1X (EAPOL) exchange that I could review demonstrating the failure?
William OHanlon
Good evening, sorry for the delayed reply as I just got out of work. In answer to your question, yes, that is what an Aerohive tech told me to do, and to quote, it "should have been done that way since the beginning of using the radius server".

I am using a general certificate and have also used commercial VeriSign and Comodo ones which meet all the requirements listed above and in the wiki.

I sadly would be unable to provide packet capture information until possibly Monday, if I have time to find a test subject. Today, for example, I had 12 people in a room, 6 in a circle doing a meeting; 3 could connect, the other three could not. I also had an iPhone user and a MacBook which continuously said the wrong credentials were being entered, even after verification of multiple working credentials.

Things are going quite random with this RADIUS server.
Nick Lowe, Official Rep
Ouch. It is a terrible idea to disable certificate validation.

So, if you're already using a commercial certificate and disabling validation seemingly gets clients connecting, this would typically point to an issue in the client's supplicant.

It would be interesting therefore to compare and contrast what you see with the older version of HiveOS and the newer version as you say there are differences in observed behaviour.

I would be very interested to see packet captures of the EAPOL exchange and subsequent chatter from the client's perspective in both cases.
William OHanlon
From the RADIUS server I can give you this:

01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (0)RADIUS: EAP start with type peap
01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (1)RADIUS: SSL negotiation, receive client hello message
01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (2)RADIUS: SSL negotiation, send server certificate and other message
01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (3)RADIUS:
01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (4)RADIUS: rejected user 'host/EHSWL13.ehs.eps' through the NAS at 10.101.20.60.
01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (5)RADIUS: EAP start with type peap
01/03/1970 07:54:12 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (6)RADIUS: SSL negotiation, receive client hello message
01/03/1970 07:54:17 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (7)RADIUS: EAP start with type peap
01/03/1970 07:54:17 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (8)RADIUS: SSL negotiation, receive client hello message
01/03/1970 07:54:17 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (9)RADIUS: SSL negotiation, send server certificate and other message
01/03/1970 07:54:17 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (10)RADIUS:
01/03/1970 07:54:17 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (11)RADIUS: rejected user 'EHS\admin' through the NAS at 10.101.20.66.
01/03/1970 07:54:25 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (12)RADIUS: EAP start with type peap
01/03/1970 07:54:25 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (13)RADIUS: Eap start with type leap and sent the AP challenge
01/03/1970 07:54:25 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (14)RADIUS: rejected user 'EHS\admin' through the NAS at 10.101.20.60.

From the client side I can give you this:

01/04/1970 10:43:45 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    INFO    (1144)IEEE802.1X auth is starting (at if=wifi0.1)
01/04/1970 10:43:45 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    DETAIL  (1145)Send message to RADIUS Server(10.101.20.254): code=1 (Access-Request) identifier=101 length=178,  User-Name=host/EHSWL13.ehs.eps NAS-IP-Address=10.101.20.60 Called-Station-Id=E0-1C-41-15-CA-14:EPS-Teacher Calling-Station-Id=AC-FD-CE-B7-69-AC
01/04/1970 10:43:45 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    DETAIL  (1146)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=101 length=64
01/04/1970 10:43:45 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    DETAIL  (1147)Send message to RADIUS Server(10.101.20.254): code=1 (Access-Request) identifier=102 length=280,  User-Name=host/EHSWL13.ehs.eps NAS-IP-Address=10.101.20.60 Called-Station-Id=E0-1C-41-15-CA-14:EPS-Teacher Calling-Station-Id=AC-FD-CE-B7-69-AC
01/04/1970 10:43:45 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    DETAIL  (1148)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=102 length=1090
01/04/1970 10:43:45 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    DETAIL  (1149)Send message to RADIUS Server(10.101.20.254): code=1 (Access-Request) identifier=103 length=177,  User-Name=host/EHSWL13.ehs.eps NAS-IP-Address=10.101.20.60 Called-Station-Id=E0-1C-41-15-CA-14:EPS-Teacher Calling-Station-Id=AC-FD-CE-B7-69-AC
01/04/1970 10:43:45 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    DETAIL  (1150)Receive message from RADIUS Server: code=11 (Access-Challenge) identifier=103 length=589
01/04/1970 10:43:45 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    DETAIL  (1151)Send message to RADIUS Server(10.101.20.254): code=1 (Access-Request) identifier=104 length=188,  User-Name=host/EHSWL13.ehs.eps NAS-IP-Address=10.101.20.60 Called-Station-Id=E0-1C-41-15-CA-14:EPS-Teacher Calling-Station-Id=AC-FD-CE-B7-69-AC
01/04/1970 10:43:45 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    BASIC   (1152)Authentication is terminated (at if=wifi0.1) because it is rejected by RADIUS server
01/04/1970 10:43:45 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    INFO    (1153)Rx deauth (reason 1 <unspecified>, rssi 31dB)
01/04/1970 10:43:45 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    BASIC   (1154)Sta(at if=wifi0.1) is de-authenticated because of notification of driver

And further down, after some more standard tx:

01/04/1970 10:43:59 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    INFO    (1198)IEEE802.1X auth is starting (at if=wifi0.1)
01/04/1970 10:43:59 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    INFO    (1199)Rx deauth (reason 1 <unspecified>, rssi 32dB)
01/04/1970 10:43:59 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    BASIC   (1200)Sta(at if=wifi0.1) is de-authenticated because of notification of driver
01/04/1970 10:43:59 AM  ACFDCEB769AC  E01C4115CA14  AH-15ca00    DETAIL  (1201)Rx <specific> probe req (rssi 30dB)
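A way to triage the RADIUS-side lines above, as an added example that is not part of the thread and not Aerohive's code. The line format (date, time, AM/PM, client MAC, AP MAC, source, level, "(n)RADIUS: message") is assumed from the post; the sample is the RADIUS block copied from the post. The point it brings out is that in both PEAP sessions the Access-Reject follows "send server certificate" with no further TLS progress, which is the supplicant closing the tunnel after seeing the certificate rather than a wrong password, while the third reject follows a LEAP attempt, and every timestamp sits in 1970.

```shell
#!/bin/sh
# Added example, not from the thread or from Aerohive: triage RADIUS-side
# Client Monitor lines for the failure pattern in the thread. Input format is
# assumed: date time AM/PM clientMAC apMAC source level "(n)RADIUS: message".
# SAMPLE is copied from the post above.
set -eu

SAMPLE=$(cat <<'EOF'
01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (0)RADIUS: EAP start with type peap
01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (1)RADIUS: SSL negotiation, receive client hello message
01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (2)RADIUS: SSL negotiation, send server certificate and other message
01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (3)RADIUS:
01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (4)RADIUS: rejected user 'host/EHSWL13.ehs.eps' through the NAS at 10.101.20.60.
01/03/1970 07:54:11 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (5)RADIUS: EAP start with type peap
01/03/1970 07:54:12 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (6)RADIUS: SSL negotiation, receive client hello message
01/03/1970 07:54:17 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (7)RADIUS: EAP start with type peap
01/03/1970 07:54:17 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (8)RADIUS: SSL negotiation, receive client hello message
01/03/1970 07:54:17 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (9)RADIUS: SSL negotiation, send server certificate and other message
01/03/1970 07:54:17 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (10)RADIUS:
01/03/1970 07:54:17 AM  ACFDCEB769AC  E01C4115CA54  EHS-RADIUS   DETAIL  (11)RADIUS: rejected user 'EHS\admin' through the NAS at 10.101.20.66.
01/03/1970 07:54:25 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (12)RADIUS: EAP start with type peap
01/03/1970 07:54:25 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (13)RADIUS: Eap start with type leap and sent the AP challenge
01/03/1970 07:54:25 AM  ACFDCEB769AC  E01C4115CA14  EHS-RADIUS   DETAIL  (14)RADIUS: rejected user 'EHS\admin' through the NAS at 10.101.20.60.
EOF
)

# triage_eap_log: read log lines on stdin, print one verdict per reject keyed
# by client/AP pair, then a clock warning if timestamps sit at the Unix epoch.
# A reject whose last TLS event was "send server certificate" means the
# supplicant tore the tunnel down as soon as it saw the certificate, i.e. a
# trust or server-name failure on the client, not a bad password.
triage_eap_log() {
  awk -v q="'" '
    { k = $4 "/" $5 }
    $1 ~ /\/1970$/ { epoch++ }
    /EAP start with type peap/ { state[k] = "PEAP start" }
    /Eap start with type leap/ { state[k] = "LEAP challenge" }
    /receive client hello/     { state[k] = "client hello" }
    /send server certificate/  { state[k] = "server certificate sent" }
    /rejected user/ {
      n = split($0, p, q); user = (n >= 2) ? p[2] : "?"
      if (state[k] == "server certificate sent")
        verdict = "supplicant abandoned TLS right after the server certificate was sent; check certificate trust and server-name matching on the client"
      else
        verdict = "rejected; last state was \"" state[k] "\""
      printf "%s user=%s: %s\n", k, user, verdict
      state[k] = ""
    }
    END {
      if (epoch) printf "WARNING: %d log lines dated 1970; the AP clock has not synced via NTP, so these timestamps cannot be correlated with client-side captures\n", epoch
    }'
}

printf '%s\n' "$SAMPLE" | triage_eap_log
```

Run it against a saved Client Monitor export with `triage_eap_log < monitor.txt`. Two of the three rejects come out as "abandoned TLS right after the server certificate was sent" and the third as a reject after a LEAP challenge, which is the same split the thread is about: certificate handling on the client, not the RADIUS credentials.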
Nick Lowe, Official Rep
The system clock on the AP is incorrect. Can you sort things out so that NTP can complete successfully?

Incidentally, this is Client Monitor output and not a packet capture. If this issue continues after you correct the NTP fault, can I have sight of this?
William OHanlon
I would love to fix the NTP problem, except Aerohive was not of any help with that either. All my settings are correct for NTP, and they even set it to use their own servers, and still nothing changed. Time on the APs is all fine; it only comes up wrong for Client Monitor.
Nick Lowe, Official Rep
On the AP that is acting as the RADIUS server, what's the CLI output of:

show clock

show ntp
William OHanlon
I hate to say it, but with Wireshark I get absolutely no packet capture at all when trying to use the SSID that uses the RADIUS server.
Nick Lowe, Official Rep
Do you want to discuss this via text chat in Skype so that I can help you out?

I'm nick.lowe with the same picture as here.