Ravayen

Mikrotik/freeRADIUS - Client DC after Access-Accept

Mon Sep 12, 2022 3:28 pm

Hello,

Let me start by giving some information on the working setup. Currently we are using FreeRADIUS for authorization of WPA2E wireless network clients using EAP-TLS, and that works perfectly fine when it is combined with the currently deployed TP-Link APs managed with OMADA Controller. Users can access the wireless network and all of that works well, but now, due to some unforeseen circumstances, we need to also utilize some of our mikrotik hardware to allow wireless access through the EAP-TLS channel in places where there are no TP-Links present.

For that reason, before we go any further with our deployment, we are performing some local lab tests of the setup to be used (namely, we are working on an RB951Ui-2HnD, v6.45.6).

With all of that out of the way, one may wonder - what is the issue? Configuration of authentication with an external RADIUS is documented well and can be found by a quick google search; it also is pretty similar to how RADIUS is configured on OMADA, just a bit more detailed/advanced in options. So, being all optimistic, we did configure RADIUS EAP-TLS authentication for a wireless network designed for test purposes and tried to gain access to it just as we do with our standard WPA2E network. And we were rewarded with a looong time of thinking on the client side (Windows 11) that ended with "No internet, secured" status, and that obviously isn't the desired result.

Now, as with every troubleshooting, the first thing we referred to were the logs - both on the freeradius and on the mikrotik side. And we were surprised with what freeradius told us:
Mon Sep 12 11:00:51 2022 : Auth: (202) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:03:55 2022 : Auth: (208) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:14:50 2022 : Auth: (214) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:17:05 2022 : Auth: (220) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:22:15 2022 : Auth: (226) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:27:57 2022 : Auth: (232) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:28:24 2022 : Auth: (238) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:28:48 2022 : Auth: (244) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:30:22 2022 : Auth: (250) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:33:36 2022 : Auth: (256) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:34:39 2022 : Auth: (262) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:41:38 2022 : Auth: (268) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)
Mon Sep 12 11:48:25 2022 : Auth: (274) Login OK: [host/username@domain.com] (from client office1 port 0 cli <client-mac>)

So, according to what radius tells us, there is a valid back-and-forth of Access-Request / Access-Challenge finishing in Access-Accept, which should be transmitted to mikrotik (well, if the whole exchange works, why should it not be?)

That leaves us with the mikrotik logs. We enabled some more logging options and came to a rather... perplexing issue? Apparently, mikrotik receives the Access-Accept perfectly fine, it also oversees the whole authentication exchange between the client and the radius server, according to these logs:
13:37:15 wireless,info <client-mac>@<wireless-network-interface>: connected, signal strength -69 
13:37:15 radius,debug new request 58:31e code=Access-Request service=wireless called-id=<mikrotik-mac>:<ssid>
13:37:15 radius,debug sending 58:31e to <radius-ip:1812>
...
...
Access-Request / Access-Challenge exchange without anomalies
...
...
13:37:15 radius,debug,packet received Access-Accept with id 177 from <radius-ip:1812>
...
Access-Accept data
...
13:37:15 radius,debug received reply for 58:323 
13:37:16 route,debug,event Interface change 
13:37:16 route,debug,event     interface=<wireless-network-interface> 
13:37:16 route,debug,event     status=UP,RUNNING 
13:37:16 route,debug,event     mtu=1500 
13:37:16 route,debug,event Link up 
13:37:16 route,debug,event     interface=<wireless-network-interface>
13:37:16 route,debug,event Update 
13:37:16 route,debug,event     interface=<wireless-network-interface>
13:37:43 system,info,account <getting kicked out of winbox here>
13:38:07 wireless,info <client-mac>@<wireless-network-interface>: disconnected, received deauth: unspecified (1)
13:38:10 route,debug,event Interface change 
13:38:10 route,debug,event     interface=<wireless-network-interface>
13:38:10 route,debug,event     status=UP 
13:38:10 route,debug,event     mtu=1500 
13:38:10 route,debug,event Link down 
13:38:10 route,debug,event     interface=<wireless-network-interface> 
13:38:10 route,debug,event Update 
13:38:10 route,debug,event     interface=<wireless-network-interface>

By the look of it, and if we understand it correctly, mikrotik allows the client to perform authentication against the radius server, receives the access-accept from radius, but then for some reason there is this line:
13:38:07 wireless,info <client-mac>@<wireless-network-interface>: disconnected, received deauth: unspecified (1) 

And it doesn't tell much besides that the client was disconnected for "some" reason. At this point, we really don't know why it happens that way (especially when the tp-links do it fine). We had our suspicions, but unfortunately we weren't able to pinpoint what goes wrong, so we kindly ask you for your input/help in this matter.

A little bit of the relevant configuration that is used (I can provide more if you let me know what to post):
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=<mikrotik-mac> \
    master-interface=wlan1 multicast-buffering=disabled name=<wireless-network-interface> \
    security-profile=<wpa2e-profile> ssid=<ssid> wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
    
/interface wireless security-profiles
add authentication-types=wpa2-eap mode=dynamic-keys name=<wpa2e-profile> \
    supplicant-identity=""
    
/radius
add address=<radius-ip> secret=<radius-secret> service=wireless timeout=30s
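An added triage helper (not from the post, MikroTik or FreeRADIUS) that scans the RouterOS log format quoted above and reports every client that was deauthenticated shortly after the router logged an Access-Accept, which is the exact symptom described in the post. Because the Access-Accept line carries no client MAC, the script attributes each accept to the most recently "connected" client; the sample log lines, MAC addresses, SSID and RADIUS address are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the RouterOS log format shown in the post (all values made up).
SAMPLE_LOG = """\
13:37:15 wireless,info 00:11:22:33:44:55@wlan2: connected, signal strength -69
13:37:15 radius,debug new request 58:31e code=Access-Request service=wireless called-id=AA:BB:CC:DD:EE:FF:lab-eap
13:37:15 radius,debug,packet received Access-Accept with id 177 from 192.0.2.10:1812
13:37:16 route,debug,event Link up
13:38:07 wireless,info 00:11:22:33:44:55@wlan2: disconnected, received deauth: unspecified (1)
13:40:02 wireless,info 66:77:88:99:AA:BB@wlan2: connected, signal strength -55
13:40:02 radius,debug,packet received Access-Accept with id 178 from 192.0.2.10:1812
13:55:40 wireless,info 66:77:88:99:AA:BB@wlan2: disconnected, extensive data loss
"""

CONNECT_RE = re.compile(r"^(\d\d:\d\d:\d\d) wireless,info (\S+)@(\S+): connected")
ACCEPT_RE = re.compile(r"^(\d\d:\d\d:\d\d) radius,debug,packet received Access-Accept")
DISCONNECT_RE = re.compile(r"^(\d\d:\d\d:\d\d) wireless,info (\S+)@(\S+): disconnected, (.*)$")

def _t(s):
    return datetime.strptime(s, "%H:%M:%S")

def find_accept_then_deauth(log_text, window=timedelta(seconds=120)):
    """Return (mac, iface, accept_time, reason, seconds) for each client whose Access-Accept
    was followed by a deauth within `window`. Assumption: the accept belongs to the client
    that most recently logged 'connected' (RouterOS does not log the MAC on the accept)."""
    pending = {}        # mac -> [iface, connect_time, accept_time or None]
    last_connected = None
    findings = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            ts, mac, iface = m.groups()
            pending[mac] = [iface, _t(ts), None]
            last_connected = mac
            continue
        m = ACCEPT_RE.match(line)
        if m and last_connected in pending:
            pending[last_connected][2] = _t(m.group(1))
            continue
        m = DISCONNECT_RE.match(line)
        if m:
            ts, mac, iface, reason = m.groups()
            rec = pending.pop(mac, None)
            if rec and rec[2] is not None and "deauth" in reason:
                delta = _t(ts) - rec[2]
                if delta <= window:     # accepted, then kicked off: post-auth failure
                    findings.append((mac, iface, rec[2].strftime("%H:%M:%S"), reason, int(delta.total_seconds())))
    return findings
```

Feed it the output of `/log print` filtered to the wireless and radius topics; a client that shows up here passed RADIUS but never stayed associated, so the next place to look is what the AP did after the accept rather than the EAP exchange itself.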
