This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WLAN Radius (NPS) authentication fails (since upgrade to UTM 9)

Hi,

since the upgrade to UTM 9 (9.004-34) (HA Mode) we are experincing some problems with our WLAN authentication.
There is a RADIUS server set up (Windows Server 2008R2, NPS Server, configured as described in the Sophos KB), which worked fine with our devices running V8.***. Since the upgrade to UTM none of the clients is able to connect to the wireless network using WPA2 Enterprise (WPA2 PSK works fine). Nothing was changed on the RADIUS server side and the configuration/shared key, etc was double checked. There are no errors in the NPS log, but the Sophos wireless log shows the authentication process.

The error showing up is the following:
802.1X: authentication failed - EAP type: 0 ((null))
802.1X: Supplicant used different EAP type: 1 (Identity)

The part of the logfile showing the error message is attached.

Any ideas?

Thanks.

This thread was automatically locked due to age.

0 hschaa over 11 years ago

Can you please add a larger context of an authentication attempt?
Any more information in the RADIUS server logs?
Helmut
Cancel
Vote Up 0 Vote Down

Cancel

0 ngruetter over 11 years ago in reply to hschaa

Hi

Do you have an update? I get the same error now. But it worked before and we changed nothing at the radius/firewall configuration.

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a IEEE 802.1X: Sending EAP Packet (identifier 51)

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a IEEE 802.1X: received EAP packet (code=2 id=99 len=37) from STA: EAP Response-Identity (1)

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a IEEE 802.1X: received EAP packet (code=2 id=51 len=37) from STA: EAP Response-Identity (1)

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a IEEE 802.1X: STA identity 'host/PCZOFI02.intern-zofingen.ch'

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: RADIUS Sending RADIUS message to authentication server

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: RADIUS Next RADIUS client retransmit in 3 seconds

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: RADIUS Received 44 bytes from RADIUS server

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: RADIUS Received RADIUS message

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.10 sec

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a IEEE 802.1X: decapsulated EAP packet (code=4 id=51 len=4) from RADIUS server: EAP Failure

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a IEEE 802.1X: Sending EAP Packet (identifier 51)

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a IEEE 802.1X: unauthorizing port

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a IEEE 802.1X: authentication failed - EAP type: 0 ((null))

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a IEEE 802.1X: Supplicant used different EAP type: 1 (Identity)

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a WPA: event 3 notification

2013:02:15-13:57:52 172.16.15.40 awelogger[17394]: id="4102" severity="info" sys="System" sub="WiFi" name="STA disconnected" ssid="Zofingen" ssid_id="WLAN1.0" bssid="00:1a:8c:2a:fa:c1" sta="60:67:20:b2:44:1a"

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a IEEE 802.11: deauthenticated

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a MLME: MLME-DEAUTHENTICATE.indication(60:67:20:b2:44:1a, 1)

2013:02:15-13:57:52 172.16.15.40 hostapd: wlan1: STA 60:67:20:b2:44:1a MLME: MLME-DELETEKEYS.request(60:67:20:b2:44:1a)

2013:02:15-14:00:40 172.16.16.121 hostapd: wlan0: STA 74:45:8a:72:e9:fe WPA: event 3 notification

2013:02:15-14:00:40 172.16.16.121 awelogger[25818]: id="4102" severity="info" sys="System" sub="WiFi" name="STA disconnected" ssid="Zofingen_Guest" ssid_id="WLAN0.0" bssid="00:1a:8c:0b:ae:c0" sta="74:45:8a:72:e9:fe"

2013:02:15-14:00:40 172.16.16.121 hostapd: wlan0: STA 74:45:8a:72:e9:fe IEEE 802.1X: unauthorizing port

2013:02:15-14:00:40 172.16.16.121 hostapd: wlan0: STA 74:45:8a:72:e9:fe IEEE 802.11: deauthenticated

See the whole log attached.

Thank you!

0 fundinfo over 11 years ago in reply to ngruetter

Hi and sorry for my late reply. First I was on holiday and then I totally forgot about the issue, because we changed back to WPA authentication. Nevertheless the issue still exists. I tried it a few minutes ago and the error still is the same. I attached a complete log showing the connection request.
The Radius Server shows no error messages in the logs.
Thanks
- log.txt
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel
0 lucaguttadauro over 11 years ago

Hi,
I had a similar issue for webadmin users via radius authentication (also for me upgrade from v8 to v9) and I hope this can help you. Instead of setting "MS-CHAP and 'MS-CHAP-v2" (as described in KB 116144) I have to use PAP authentication (it is not the best solution, but at least it works).

Luca
Cancel
Vote Up 0 Vote Down

Cancel
0 fundinfo over 11 years ago in reply to lucaguttadauro

Thanks for the suggestion, but for me this doesn't work either.
Cheers
Cancel
Vote Up 0 Vote Down

Cancel
0 Bratwurstengineer over 11 years ago

Hey Guys,

one of our clients is currently experiencing the same phenomenon. Authentication sometimes fails for some devices. Actually, it's better to say that authentication sometimes works for some devices. Mostly it doesn't work at all using RADIUS Auth.

We already analyzed the issue to the point where we saw that the Win2k8 server involved didn't send the final ACK for DHCP negotiation; however, intermittently this works too. If key negotiation works, that is.

I'll be contacting Sophos anyway, but maybe someone over here found something...?
Cancel
Vote Up 0 Vote Down

Cancel
0 Bratwurstengineer over 11 years ago

Well, drat. Just received feedback from Sophos, telling me this is a known bug.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 11 years ago

Hey, Bratwurstengineer, I don't see that in the KIL - did they tell you what the ID# is or when this will be fixed?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 11 years ago in reply to BAlfson

I've not seen this anywhere as of yet (no problems here or at our customer sites) -- is this bug limited to certain client devices, etc. or is this a RADIUS issue? All sites that we have with NPS and WLAN are running 2008R2 w/ latest patches -- 9.005 on the UTM.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 POC over 11 years ago

We were on 9.005-16.1 and radius worked fine. I applied the recent up2date to 9.006-5 and now our Windows 7 clients fail authentication while our XP clients work using the same credentials.
Cancel
Vote Up 0 Vote Down

Cancel