Students unable to connect to our 802.1X-enabled BYOD network

  • Question
  • Updated 4 years ago
Hi,

This one has been boggling our minds for several weeks now. It just started recently, with no changes to our HiveManager Online (version 6.2r1a), our NPS, or the network.

It appears that some students (not all) with laptops running either Windows 8.1 or Mac OS X 10.10 (Yosemite) will see our "Crescent School BYOD" SSID, attempt to connect by entering their Active Directory username and password, and then the connection will fail right away.
Each OS has a different behaviour, though: on Yosemite they get a simple "Authentication Failed" error. In Windows 8.1, they are presented with a 'Network Security Alert' stating the following:


Our "Crescent School BYOD" SSID looks like this:
- Two AP330s acting as RADIUS authenticators. Both talk to our Active Directory to authenticate students.
- We use WPA2 Enterprise (802.1X) along with PEAP (MSCHAPv2) for security.
- Our certificate is fully trusted and signed by Verisign.
- Our Windows DC is also a DHCP server handing out IP and AD info.
- BYOD has one User Profile which puts authenticated students on a separate VLAN.

I managed to do a packet capture during this authentication process using Microsoft Message Analyzer, and cannot seem to find or pinpoint the exact issue. We know this is not an authentication issue because we have double-checked that everyone's credentials are in order.

Any help would be tremendously appreciated.

Thank you.
Ricardo Rodrigues

Posted 4 years ago
Sjoerd de Jong, Employee
Hi Ricardo,

Can you let us know what happens when you click 'connect' on the Windows 'error' screen?

Although the certificate is fully trusted and signed by a third party: is it still valid?
Do you configure the root certificate as 'root certificate' in your RADIUS settings, or the intermediate?
Are you able to do RADIUS authentication directly to Microsoft NPS? (I personally prefer this.) Or do you need to use Aerohive APs as a proxy anyway?
Have you already used the RADIUS test tools under 'Tools' in HiveManager?
Have you tried to do a client monitor to see what happens when someone authenticates? What does it say?

Best regards,
Sjoerd
Ricardo Rodrigues
Hi Sjoerd,

Thanks for your reply.

When we click Connect, Windows will immediately say that it 'cannot connect to the network.'

The certificate is indeed valid, since it expires in 2016.

Our Certificate PEM file uploaded to HiveManager looks like this: Root Cert -> Intermediate Cert -> Server Cert.

I suppose we can configure RADIUS authentication to be performed by the NPS, but the thing is, authentication on our corporate SSID works the same as our BYOD SSID, and there are no problems there.
I have used the RADIUS test tools, and the result is successful: "RADIUS server is reachable. Get attributes from RADIUS server: User-Attribute-ID:0=100; User-Attribute-ID:1=1; Session-Timeout=1800; User-Group=Staff_Group; Email-Address=xxxxxxxxx@crescentschoo...;"

When we used the client monitor and had one of the affected machines try to connect to our BYOD SSID, we noticed that the 4-way handshake did not even happen!

Also, we've been noticing our AP121s with a very high CPU load, anywhere from 60% to 100%, which is unusual since there are typically not that many clients connected. Could there be a firmware update that we need?

Thanks again. 
Sjoerd de Jong, Employee
If you use the certificates on a HiveAP as RADIUS server, select the intermediate certificate as root certificate in your config, since this is the issuer of your server cert, instead of the root certificate authority.

Can you please test this?
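The chain layout described earlier in the thread (one PEM file holding Root Cert -> Intermediate Cert -> Server Cert) and the advice above to pick the issuer of the server cert, i.e. the intermediate, as the 'root certificate' on the HiveAP can be checked offline before the bundle is uploaded. The script below is an added example, not code from this thread or from Aerohive: it splits a bundle into its certificates, works out which one is the leaf, prints the DN of the certificate that issued it, checks nothing has expired, and verifies the leaf against the self-signed root with `openssl verify`. It needs only the openssl CLI; the function `make_test_chain`, the CA names, the hostname radius.example.test and the throwaway keys it generates are constructed for this example and are not the school's certificates.

```sh
#!/bin/sh
# Added example: sanity-check a PEM bundle (Root -> Intermediate -> Server) before
# loading it on a HiveAP or NPS for PEAP. Needs only the openssl CLI. Everything
# produced by make_test_chain is constructed test material, not real certificates.

# Subject or issuer DN of a certificate, in a form stable across openssl versions.
cert_field() {            # cert_field FILE subject|issuer
  openssl x509 -noout -"$2" -nameopt RFC2253 -in "$1" | sed 's/^[a-zA-Z]*= *//'
}

# Exit 0 if the certificate has not expired at this moment.
cert_still_valid() {      # cert_still_valid FILE
  openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Split a bundle into DIR/cert-1.pem, DIR/cert-2.pem, ... in file order; print the count.
split_bundle() {          # split_bundle BUNDLE DIR
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }' "$1"
  ls "$2"/cert-*.pem | wc -l | tr -d ' '
}

# Path of the leaf (server) cert: the only one that issued nothing else in the bundle.
find_leaf() {             # find_leaf DIR
  for c in "$1"/cert-*.pem; do
    subj=$(cert_field "$c" subject); is_issuer=0
    for o in "$1"/cert-*.pem; do
      [ "$o" != "$c" ] && [ "$(cert_field "$o" issuer)" = "$subj" ] && is_issuer=1
    done
    [ "$is_issuer" -eq 0 ] && { echo "$c"; return 0; }
  done
  return 1
}

# DN of the certificate that issued the leaf. With a three-tier chain this is the
# intermediate, which is the one the reply says to select as "root certificate".
leaf_issuer() {           # leaf_issuer BUNDLE
  tmp=$(mktemp -d); split_bundle "$1" "$tmp" >/dev/null
  leaf=$(find_leaf "$tmp") || return 1
  cert_field "$leaf" issuer
}

# Check expiry of every cert, then build the path from the leaf to a self-signed
# root with openssl verify, treating the other non-leaf certs as untrusted intermediates.
verify_leaf() {           # verify_leaf BUNDLE
  tmp=$(mktemp -d); split_bundle "$1" "$tmp" >/dev/null
  leaf=$(find_leaf "$tmp") || return 1
  : > "$tmp/roots.pem"; : > "$tmp/untrusted.pem"
  for c in "$tmp"/cert-*.pem; do
    cert_still_valid "$c" || { echo "expired: $(cert_field "$c" subject)"; return 1; }
    [ "$c" = "$leaf" ] && continue
    if [ "$(cert_field "$c" subject)" = "$(cert_field "$c" issuer)" ]; then
      cat "$c" >> "$tmp/roots.pem"
    else
      cat "$c" >> "$tmp/untrusted.pem"
    fi
  done
  if [ -s "$tmp/untrusted.pem" ]; then
    openssl verify -CAfile "$tmp/roots.pem" -untrusted "$tmp/untrusted.pem" "$leaf"
  else
    openssl verify -CAfile "$tmp/roots.pem" "$leaf"
  fi
}

# Constructed test material: a throwaway Root -> Intermediate -> Server chain,
# concatenated as DIR/bundle.pem in the order the post describes.
make_test_chain() {       # make_test_chain DIR
  d=$1; cfg="$d/x509.cnf"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' 'CN = placeholder' \
    '[v3_ca]' 'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
    '[v3_server]' 'basicConstraints = CA:FALSE' 'keyUsage = critical, digitalSignature' \
    'extendedKeyUsage = serverAuth' 'subjectAltName = DNS:radius.example.test' > "$cfg"
  for n in root int server; do openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key"; done
  openssl req -x509 -new -key "$d/root.key" -config "$cfg" -extensions v3_ca \
    -subj "/CN=Example Root CA" -days 3650 -out "$d/root.pem"
  openssl req -new -key "$d/int.key" -config "$cfg" -subj "/CN=Example Intermediate CA" -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$cfg" -extensions v3_ca -days 1825 -out "$d/int.pem"
  openssl req -new -key "$d/server.key" -config "$cfg" -subj "/CN=radius.example.test" -out "$d/server.csr"
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -extfile "$cfg" -extensions v3_server -days 365 -out "$d/server.pem"
  cat "$d/root.pem" "$d/int.pem" "$d/server.pem" > "$d/bundle.pem"
}

# Run with "demo" as the first argument to build the constructed chain and report on it.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_test_chain "$d" 2>/dev/null
  echo "leaf issuer (select as 'root certificate' on the AP): $(leaf_issuer "$d/bundle.pem")"
  verify_leaf "$d/bundle.pem"
fi
```

Point `leaf_issuer` and `verify_leaf` at the real bundle instead of the constructed one to check the file that was uploaded to HiveManager. A bundle that passes here can still be rejected by a supplicant whose trust store lacks the root or whose PEAP profile pins a different CA or server name; the script only confirms what the RADIUS side will present, not what each client is willing to accept.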
Ricardo Rodrigues
Hi Sjoerd,

This is what our HiveAP RADIUS config looks like:


Like I said, almost all users are able to connect successfully, with the exception of a few Windows 8 and Yosemite clients.

Also, we have an aggressive band steering policy that favours the 5GHz band. Could that be a problem?
Sjoerd de Jong, Employee
I am not sure if it has anything to do with your problem, but I tend to disable 'extra' features like band steering when troubleshooting. So sure, you can try and see if the problem persists with band steering disabled.