This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Radius and WLAN authentication - UTM 9.5/AP55/Win2012r2 Radius

Hi All,

I hope you can help me with this conundrum.

I have configured Radius to work as the VPN Authenticator (Radius on DC) - this works

I have been trying to configure EAP (PEAP) authentication for the WLAN, I have checked this article - https://community.sophos.com/kb/en-us/116144.

and all I get from the logs on the Win2012r2 Radius server is EventID 6273 Reason code 66 or 22

22 = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

66 = The user attempted to use an authentication method that is not enabled on the matching network policy.

I also get a few Reason code 65

the only reason I get these 2 is I change the processing order of the Network policies for the wifi - #1 I get reason code 22, and when it is #2 I get 66

I have not found any document on how to configure both under one policy, but I have tried it, and always get code 22.

 

I am really stuck, if anyone can help I would be really grateful

 

thanks



This thread was automatically locked due to age.
Parents
  • update here are the wireless.log entries

    2017:05:24-15:28:22 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.11: authenticated
    2017:05:24-15:28:22 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.11: associated (aid 1)
    2017:05:24-15:28:22 A4004818F34F60A awelogger[11424]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="ad-wifi" ssid_id="WLAN5.0" bssid="00:1a:8c:c1:50:9e" sta="20:68:9d:dd:92:f3" status_code="0"
    2017:05:24-15:28:22 A4004818F34F60A awelogger[11424]: id="4104" severity="info" sys="System" sub="WiFi" name="STA association" ssid="ad-wifi" ssid_id="WLAN5.0" bssid="00:1a:8c:c1:50:9e" sta="20:68:9d:dd:92:f3" status_code="0"
    2017:05:24-15:28:22 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.1X: STA identity '<computername>'
    2017:05:24-15:28:22 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
    2017:05:24-15:28:22 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.1X: Supplicant used different EAP type: 1 (Identity)
    2017:05:24-15:28:22 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.11: disassociated
    2017:05:24-15:28:23 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.11: authenticated
    2017:05:24-15:28:23 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.11: associated (aid 1)
    2017:05:24-15:28:23 A4004818F34F60A awelogger[11424]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="ad-wifi" ssid_id="WLAN5.0" bssid="00:1a:8c:c1:50:9e" sta="20:68:9d:dd:92:f3" status_code="0"
    2017:05:24-15:28:23 A4004818F34F60A awelogger[11424]: id="4104" severity="info" sys="System" sub="WiFi" name="STA association" ssid="ad-wifi" ssid_id="WLAN5.0" bssid="00:1a:8c:c1:50:9e" sta="20:68:9d:dd:92:f3" status_code="0"
    2017:05:24-15:28:25 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.1X: STA identity '<ad user name>'
    2017:05:24-15:28:25 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.1X: authentication failed - EAP type: 26 (unknown)
    2017:05:24-15:28:25 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.1X: Supplicant used different EAP type: 3 (unknown)
    2017:05:24-15:28:25 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.11: disassociated
    2017:05:24-15:28:30 A4004818F34F60A hostapd: wlan5: STA 20:68:9d:dd:92:f3 IEEE 802.11: deauthenticated due to local deauth request

     

    hope this helps

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • Hi Jason,

    I can see that the client is sending the EAP request type as 26. The type of PEAP is 25. Since the Windows2012 is configured with PEAP(25), it is throwing error 66.

    Did you select PEAP in the client while connecting to WLAN? May I know which client is used?

    Regards,

    -Sathwik

  • I am using Windows 10, nothing special, just standard (even after so many years i am starting to realise standards may not e so standard)

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • I found out the reason I was not able to connect (I was not seeing the wood for the trees!) d'oh

    within Network Policies --> Contraints

    where EAP (PEAP) is added, I forgot to select EAP (PEAP), then edit, and check what certificate was being used.

    It had selected the Wildcard certificate.

    I selected another from the list and it all worked as expected.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

Reply
  • I found out the reason I was not able to connect (I was not seeing the wood for the trees!) d'oh

    within Network Policies --> Contraints

    where EAP (PEAP) is added, I forgot to select EAP (PEAP), then edit, and check what certificate was being used.

    It had selected the Wildcard certificate.

    I selected another from the list and it all worked as expected.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

Children
No Data