RADIUS issues

If you use WPA-Enterprise or WPA2-Enterprise, your clients must be authenticated via a RADIUS server. Even if you don’t use either of these standards and therefore don’t have to use a RADIUS server, you might consider using one because RADIUS offers an effective way of providing centralized authentication. Troubleshooting RADIUS is essentially a two-fold process. You need to ensure that the access point and/or router can connect to the RADIUS server, and you must also ensure that the client can log in to the RADIUS server.

You should first verify that the RADIUS server has a shared secret configured and that it is ready to accept connections from the access point and/or router. You should also verify connectivity between the RADIUS server and the access point and/or router. There are different ways of accomplishing this, although the ping utility is an easy and effective one. Keep in mind that a successful ping shows only that the host is reachable, not that the RADIUS service itself is answering requests.

What should you do if you find that the RADIUS server is online, but the client’s login attempts are being rejected? In such a case, you should make sure that the client is using the Extensible Authentication Protocol (EAP) to log in and that the EAP type it uses matches the type that the RADIUS server requires. The following are some of the more common options you may encounter:

  • EAP Transport Layer Security (EAP-TLS): The original wireless LAN EAP authentication protocol, defined in RFC 5216.
  • Protected Extensible Authentication Protocol (PEAP): This type encapsulates an EAP session within an encrypted TLS tunnel for added security.
  • EAP Tunneled Transport Layer Security (EAP-TTLS): Authentication takes place within an encrypted tunnel. Supported by Windows, starting with Windows 8.
  • EAP Flexible Authentication via Secure Tunneling (EAP-FAST): This is another variant of EAP which creates an encrypted tunnel. This version uses a Protected Access Credential (PAC) to establish a tunnel. Within the tunnel, client credentials are checked.

If your RADIUS server uses either EAP-TTLS or EAP-FAST, then you will need to install an 802.1X supplicant program on the client. You should also check that the other EAP-specific settings match on both the RADIUS server and the client. If you still have issues, refer to your RADIUS server’s documentation for help. In such cases, a LAN analyzer or packet sniffer (for example, Wireshark) can be useful for debugging protocol issues.
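To show what an EAP type mismatch looks like in a capture, the following added example (not from the original text) decodes the EAP-Message attribute of a RADIUS packet and reports the EAP method in use, including the methods a client asks for when it refuses the server's proposal with a Nak. The function names `eap_from_radius` and `build` are hypothetical, and the two packets are constructed samples rather than real captures.

```python
import struct

# Hypothetical helper names; the sample packets at the bottom are constructed.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
EAP_MESSAGE = 79  # RADIUS attribute carrying EAP (RFC 3579)


def eap_from_radius(packet: bytes) -> dict:
    """Return the RADIUS code plus the EAP code/type carried in EAP-Message attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match the capture")
    eap, pos = b"", 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        if atype == EAP_MESSAGE:          # fragments are concatenated in order
            eap += packet[pos + 2:pos + alen]
        pos += alen
    info = {"radius": RADIUS_CODES.get(code, str(code)), "eap": None, "type": None, "wants": []}
    if len(eap) >= 4:
        info["eap"] = EAP_CODES.get(eap[0], str(eap[0]))
        eap_len = struct.unpack("!H", eap[2:4])[0]
        if eap[0] in (1, 2) and 5 <= eap_len <= len(eap):
            info["type"] = EAP_TYPES.get(eap[4], str(eap[4]))
            if eap[4] == 3:  # Legacy Nak: body lists the methods the client will accept
                info["wants"] = [EAP_TYPES.get(t, str(t)) for t in eap[5:eap_len]]
    return info


def build(code: int, eap: bytes) -> bytes:
    """Constructed sample packet: zeroed authenticator, one EAP-Message attribute."""
    attr = bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    return struct.pack("!BBH", code, 1, 20 + len(attr)) + bytes(16) + attr


# Constructed exchange: server proposes PEAP, client refuses and asks for EAP-TLS.
challenge = build(11, bytes([1, 5, 0, 6, 25, 0x20]))   # EAP-Request/PEAP Start
request = build(1, bytes([2, 5, 0, 6, 3, 13]))          # EAP-Response/Nak -> EAP-TLS

if __name__ == "__main__":
    for pkt in (challenge, request):
        print(eap_from_radius(pkt))
```

A Nak in the client's Access-Request right after the server's first Access-Challenge means the supplicant and the RADIUS server are configured for different EAP types.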
