Radius feedback from AP to WiFi client

We have the following setup at our company: a gateway PC with CentOS (gw), running Radius and some traffic filtering programs. All of our employees connect wirelessly, and we have WPA2 Enterprise encryption in place. The users are in a MySQL database on the gw, and they have their user roles defined there, deciding which user has access to which SSID. We have 4 SSIDs (thus 4 VLANs), and thus 4 user groups for now; each has its own rules about QoS, bandwidth limits etc.

The network works great, save for one issue: when a user mis-authenticates, he gets no feedback. The WiFi client (everyone is using iMacs and MacBooks; there are only a couple of Windows/Linux boxes here in IT) gets stuck in some kind of limbo where it says it's connected, but has no valid IP and thus no internet access. Since Mac OS remembers passwords by default, it concludes it was successfully connected and never asks for a password again. Which means anyone who made an invalid login gets stuck with it until they erase the remembered password from the archive. This, as you can imagine, is incredibly tedious for a rapidly growing company of 80+ people.

Our APs are WRT54GL with DD-WRT installed as firmware.

It seems as if the radius client on the AP doesn't send any proper feedback to the WiFi client on the employees' computers. Does anyone have any experience with this sort of setup? How would one fix this no-feedback issue? Would better APs be the answer? I've been looking at Cisco's WAP2000. The cost is not an issue.

This is the comment above mschapv2 in our eap.conf file:

    #
    #  This takes no configuration.
    #
    #  Note that it is the EAP MS-CHAPv2 sub-module, not
    #  the main 'mschap' module.
    #
    #  Note also that in order for this sub-module to work,
    #  the main 'mschap' module MUST ALSO be configured.
    #
    #  This module is the *Microsoft* implementation of MS-CHAPv2
    #  in EAP.  There is another (incompatible) implementation
    #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
    #  currently support.
    #

Solution 1:

  1. Acquire a wireless card that supports "Monitoring" or "rfmon" mode and use it in conjunction with Wireshark to view the 802.11 headers in your network traffic. This is wildly chipset, operating system and driver dependent but Wireshark has some nice documentation to point you in the right direction. What you are after is the actual 802.11 management headers and not just "translated" Ethernet layer-2 information (again, see the Wireshark documentation). It sounds like your network is primarily over 802.11 so the time spent getting this figured out will probably be worth it later - you'll need to look at the actual 802.11 headers eventually for troubleshooting purposes.

  2. Confirm that this actually is an issue with your access points (it probably is). Start Wireshark using '802.11' as your link layer type and then authenticate against an access point and purposely mistype the password. See what happens. You might also need to see what happens between the Radius server and the access point side of things as well. If you're having trouble interpreting the resulting data, you can always save it as a pcap and provide it here. You probably just want to confirm that it is an issue with the radius client before you spend a bunch of money on access points.

  3. Once you've confirmed that it is an issue with the access points, go purchase some nice "enterprise-y" ones. We use D-Link DWL3200s which are a pretty middle of the road access point as far as access points go. My only real complaint is that their command line interface sucks but on the other hand they are only about $300 each so I can't really expect too much.

Bottom line: Before you start throwing money at the problem (even if you have lots of money to throw) figure out what's actually wrong first.

Solution 2:

You didn't mention which authentication protocol you are using. "WPA2 Enterprise" is an umbrella term. Are you using EAP-TLS? Or PEAP-MSCHAPv2? Do you have client certificates in place or just the CA certificate + username/password? Depending on the actual protocol, the authentication error happens at a different protocol stack level.

If you are using PEAP-MSCHAPv2 (most likely given your hint at passwords), make sure the Radius server is configured to send the MS-CHAP-Error message back to the client. I think it's disabled by default in some versions of freeradius. Look for this in eap.conf:

    mschapv2 {
            #  Prior to version 2.1.11, the module never
            #  sent the MS-CHAP-Error message to the
            #  client.  This worked, but it had issues
            #  when the cached password was wrong.  The
            #  server *should* send "E=691 R=0" to the
            #  client, which tells it to prompt the user
            #  for a new password.
            #
            #  The default is to behave as in 2.1.10 and
            #  earlier, which is known to work.  If you
            #  set "send_error = yes", then the error
            #  message will be sent back to the client.
            #  This *may* help some clients work better,
            #  but *may* also cause other clients to stop
            #  working.
            #
            #send_error = no
    }

and change it to yes.
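
The following is an added example, not code from the original thread or from FreeRADIUS. It shows what the "E=691 R=0" text in the eap.conf comment actually looks like on the wire once `send_error = yes` is set: the server builds an EAP-Request/MS-CHAPv2 Failure Request carrying the RFC 2759 failure string, carries it to the AP inside RADIUS EAP-Message attributes (RFC 3579), and the AP is expected to concatenate those attributes and forward the EAP packet to the client over EAPOL, where the supplicant parses the error code and retry flag. The challenge bytes and the "Authentication failed" message are constructed sample values; the function names are mine.

```python
"""Added example (not from the original thread): the EAP-MSCHAPv2 Failure
Request that a FreeRADIUS server with send_error = yes emits, how it rides
inside RADIUS EAP-Message attributes on the server-to-AP hop, and how a
supplicant parses the "E=691 R=0" text the eap.conf comment refers to.
Formats: RFC 2759 section 6 (failure text), draft-kamath-pppext-eap-mschapv2
(EAP type 26 framing), RFC 3579 (EAP-Message attribute 79).
"""
import os
import re
import struct

EAP_REQUEST = 1
EAP_TYPE_MSCHAPV2 = 26
OPCODE_FAILURE = 4
RADIUS_ATTR_EAP_MESSAGE = 79
RADIUS_ATTR_MAX_VALUE = 253   # 255-octet attribute minus type and length octets

# Error codes defined in RFC 2759 section 6.
ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# "E=eeeeeeeeee R=r C=<32 hex> V=vvvvvvvvvv M=<msg>" per RFC 2759.
FAILURE_RE = re.compile(r"^E=(\d+) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d+)(?: M=(.*))?$")


def build_failure_request(eap_id, mschap_id, error, retry, challenge, message):
    """Server side: EAP-Request / MS-CHAPv2 Failure Request. MS-Length is the
    EAP Length minus the 5-octet EAP header, as the EAP-MSCHAPv2 draft requires."""
    text = "E=%d R=%d C=%s V=3 M=%s" % (error, 1 if retry else 0,
                                        challenge.hex().upper(), message)
    body = text.encode("ascii")
    ms_length = 4 + len(body)          # OpCode, MS-CHAPv2-ID, MS-Length, text
    eap_length = 5 + ms_length         # Code, Identifier, Length, Type
    return (struct.pack("!BBHB", EAP_REQUEST, eap_id, eap_length, EAP_TYPE_MSCHAPV2)
            + struct.pack("!BBH", OPCODE_FAILURE, mschap_id, ms_length) + body)


def to_eap_message_attrs(eap_packet):
    """Server -> AP hop: split one EAP packet into RADIUS EAP-Message (79)
    attributes of at most 253 value octets, kept in order (RFC 3579 3.1)."""
    attrs = []
    for off in range(0, len(eap_packet), RADIUS_ATTR_MAX_VALUE):
        chunk = eap_packet[off:off + RADIUS_ATTR_MAX_VALUE]
        attrs.append(struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk)
    return attrs


def from_eap_message_attrs(attrs):
    """AP side: concatenate EAP-Message values back into the EAP packet that
    must be forwarded to the client over EAPOL (the relay step the thread
    suspects the WRT54GL is not completing)."""
    eap = b""
    for attr in attrs:
        attr_type, attr_len = struct.unpack("!BB", attr[:2])
        if attr_type != RADIUS_ATTR_EAP_MESSAGE or attr_len != len(attr):
            raise ValueError("malformed EAP-Message attribute")
        eap += attr[2:]
    return eap


def parse_failure_request(pkt):
    """Client side: validate EAP and MS-CHAPv2 framing, then extract the
    error code, retry flag, challenge and message from the failure text."""
    if len(pkt) < 9:
        raise ValueError("packet too short")
    code, eap_id, eap_length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-Request/MS-CHAPv2 packet")
    if eap_length != len(pkt):
        raise ValueError("EAP Length %d != %d octets" % (eap_length, len(pkt)))
    opcode, mschap_id, ms_length = struct.unpack("!BBH", pkt[5:9])
    if opcode != OPCODE_FAILURE:
        raise ValueError("OpCode %d is not Failure" % opcode)
    if ms_length != eap_length - 5:
        raise ValueError("MS-Length mismatch")
    m = FAILURE_RE.match(pkt[9:].decode("ascii"))
    if not m:
        raise ValueError("failure text not in RFC 2759 form")
    error = int(m.group(1))
    return {"eap_id": eap_id, "mschap_id": mschap_id, "error": error,
            "error_name": ERROR_NAMES.get(error, "UNKNOWN"),
            "retry_allowed": m.group(2) == "1",
            "challenge": bytes.fromhex(m.group(3)),
            "version": int(m.group(4)), "message": m.group(5) or ""}


def cached_password_rejected(info):
    """E=691 is the code the eap.conf comment says should make the client
    drop its stored password and prompt the user again."""
    return info["error"] == 691


if __name__ == "__main__":
    challenge = os.urandom(16)   # constructed sample challenge, not from a capture
    eap = build_failure_request(7, 2, 691, False, challenge, "Authentication failed")
    info = parse_failure_request(from_eap_message_attrs(to_eap_message_attrs(eap)))
    print(info["error"], info["error_name"], "retry" if info["retry_allowed"] else "no retry")
    print("prompt for new password:", cached_password_rejected(info))
```

When you capture the two hops as Solution 1 suggests, this is what to compare: if the RADIUS Access-Challenge from the server carries an EAP-Message with OpCode 4 and "E=691" but the 802.11 capture shows no corresponding EAP-Request reaching the client, the AP is dropping the feedback; if the attribute is absent from the RADIUS side, `send_error` is still off.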

Solution 3:

If you are sure that cost is not an issue, then get a real Cisco access point (like a Cisco Aironet); avoid Linksys if you can.

http://www.cisco.com/en/US/products/hw/wireless/index.html

Linksys is OK for home and small offices. It is not recommended for anything bigger, however.

You can even get a WLC (wireless LAN controller). It's a bigger investment, but it is worth it. You can manage your APs from a central place, and the wireless clients can also benefit as it manages your channel settings, antenna power levels and client roaming.

Update (reply to comment): I use a WRT54GL at home; it works great in general, but if I download at high speed the wireless part can die (which is fixable with a reboot). The switch function is implemented in the CPU. If you copy a large file from one machine to another, CPU usage goes up significantly. With high CPU usage it is not that stable.

Update 2: No, a WLC is not strictly necessary. I do not even have one at work, but I would like to because it just makes things easier. To test if your AP is causing the trouble, get a Cisco (standalone) Aironet AP (just one) and test it with the same setup to see if it solves your problem. I am sure you can get a test drive from a decent vendor.