New Member
Posts: 2
Registered: ‎12-07-2017
Kudos: 1

UAP-AC-LR does not set vlan id when using radius authentication with MS NPS

Hello,

We are right now in the process of setting up a new wireless network using the UAP-AC-LR access points and RADIUS authentication with VLAN assignment using MS NPS. RADIUS authentication generally works fine, but the VLAN will not be assigned. Sniffing the network traffic shows, however, that the NPS returns the correct VLAN ID (here: 60) - see attached screenshot.

 

ms_nps.png

 

Looking deeper into the logfile of the AP, I found the following line:

 

Wed Jun 12 17:27:10 2019 kern.warn kernel: [548215.190581]  ieee80211_ioctl_setparam: VLANID32 = 0

This matches the behaviour, since the test client simply gets the same VLAN as the AP has for management purposes, which is an untagged VLAN.

 

Here is the complete logfile output from during the authentication process:

 

Wed Jun 12 17:27:06 2019 daemon.info hostapd: ath8: STA 28:16:ad:a2:45:e0 IEEE 802.11: sta_stats
Wed Jun 12 17:27:06 2019 daemon.info hostapd: ath8: STA 28:16:ad:a2:45:e0 IEEE 802.11: disassociated
Wed Jun 12 17:27:06 2019 user.info libubnt[7516]: wevent[7516]: wevent.ubnt_custom_event(): EVENT_STA_LEAVE ath8: 28:16:ad:a2:45:e0 / 1
Wed Jun 12 17:27:07 2019 daemon.info hostapd: ath5: STA fc:ec:da:e7:3c:13 DRIVER: Sead AUTH addr=28:16:ad:a2:45:e0 status_code=0
Wed Jun 12 17:27:07 2019 daemon.info hostapd: ath5: STA 28:16:ad:a2:45:e0 IEEE 802.11: associated
Wed Jun 12 17:27:07 2019 daemon.info hostapd: ath5: STA 28:16:ad:a2:45:e0 WPA: pairwise key handshake completed (RSN)
Wed Jun 12 17:27:07 2019 user.info libubnt[7516]: wevent[7516]: wevent.ubnt_custom_event(): EVENT_STA_JOIN ath5: 28:16:ad:a2:45:e0 / 1
Wed Jun 12 17:27:07 2019 kern.warn kernel: [548212.784113] ieee80211_ioctl_set_ratelimit: node with aid 1 and mac 28:16:ad:a2:45:e0 has been tagged non rate-limiting
Wed Jun 12 17:27:07 2019 kern.warn kernel: [548212.800315] [wifi1] FWLOG: [24511149] RATE: ChainMask 3, phymode 1044489, ni_flags 0x0223b006, vht_mcs_set 0xfffa, ht_mcs_set 0xffff, legacy_rate_set 0x17602b9
Wed Jun 12 17:27:07 2019 kern.warn kernel: [548212.800351] [wifi1] FWLOG: [24511161] WAL_DBGID_SECURITY_ALLOW_DATA ( 0x435e54 )
Wed Jun 12 17:27:09 2019 daemon.info hostapd: ath5: STA 28:16:ad:a2:45:e0 IEEE 802.11: sta_stats
Wed Jun 12 17:27:09 2019 daemon.info hostapd: ath5: STA 28:16:ad:a2:45:e0 IEEE 802.11: disassociated
Wed Jun 12 17:27:09 2019 user.info libubnt[7516]: wevent[7516]: wevent.ubnt_custom_event(): EVENT_STA_LEAVE ath5: 28:16:ad:a2:45:e0 / 1
Wed Jun 12 17:27:10 2019 daemon.info hostapd: ath8: STA 1e:ec:da:e7:3c:13 DRIVER: Sead AUTH addr=28:16:ad:a2:45:e0 status_code=0
Wed Jun 12 17:27:10 2019 daemon.info hostapd: ath8: STA 28:16:ad:a2:45:e0 IEEE 802.11: associated
Wed Jun 12 17:27:10 2019 kern.warn kernel: [548215.190581]  ieee80211_ioctl_setparam: VLANID32 = 0
Wed Jun 12 17:27:10 2019 kern.warn kernel: [548215.190609] 28:16:ad:a2:45:e0: node vid=0 rsn_authmode=0x00000040, ni_authmode=0x00
Wed Jun 12 17:27:10 2019 daemon.info hostapd: ath8: STA 28:16:ad:a2:45:e0 WPA: pairwise key handshake completed (RSN)
Wed Jun 12 17:27:10 2019 daemon.info hostapd: ath8: STA 28:16:ad:a2:45:e0 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Wed Jun 12 17:27:10 2019 user.info libubnt[7516]: wevent[7516]: wevent.ubnt_custom_event(): EVENT_STA_JOIN ath8: 28:16:ad:a2:45:e0 / 1
Wed Jun 12 17:27:10 2019 kern.warn kernel: [548215.208543] ieee80211_ioctl_set_ratelimit: node with aid 1 and mac 28:16:ad:a2:45:e0 has been tagged non rate-limiting
Wed Jun 12 17:27:10 2019 daemon.notice stamgr: kick-sta-on 28:16:ad:a2:45:e0 ath5 (reason:On other VAP)
Wed Jun 12 17:27:10 2019 user.info libubnt[7516]: wevent[7516]: wevent.ubnt_custom_event(): EVENT_STA_IP ath8: 28:16:ad:a2:45:e0 / 192.168.110.11
Wed Jun 12 17:27:10 2019 kern.warn kernel: [548215.396246]  ieee80211_ioctl_kickmac[14989]
Wed Jun 12 17:27:10 2019 kern.warn kernel: [548215.800514] [wifi1] FWLOG: [24513617] RATE: ChainMask 3, phymode 1044489, ni_flags 0x0223b006, vht_mcs_set 0xfffa, ht_mcs_set 0xffff, legacy_rate_set 0x1760cb0
Wed Jun 12 17:27:10 2019 kern.warn kernel: [548215.800549] [wifi1] FWLOG: [24513712] WAL_DBGID_SECURITY_ALLOW_DATA ( 0x435f3c )
Wed Jun 12 17:27:10 2019 kern.warn kernel: [548215.800565] [wifi1] FWLOG: [24513778] RATE: ChainMask 3, phymode 1044490, ni_flags 0x0223b006, vht_mcs_set 0xfffa, ht_mcs_set 0xffff, legacy_rate_set 0x0401
Wed Jun 12 17:27:17 2019 user.info libubnt[7516]: wevent[7516]: wevent.ubnt_handle_custom_alert_sta_assoc(): EVT_AP_STA_ASSOC_TRACKER_DBG: event_id: 1 vap: ath5 sta_mac: 28:16:ad:a2:45:e0 auth_ts: 548212.673772 auth_delta: 0 assoc_delta: 0 wpa_auth_delta: 20000 radius_auth_delta: -1 radius_auth_status: N/A ip_delta: 20000 ip_assign_type: roamed disassoc_count: 0 auth_failures: 0 assoc_failures: 0 wpa_auth_failures: 0 ip_failures: 0 assoc_status: 0 arp_status: N/A dns_status: N/A event_type: soft failure
Wed Jun 12 17:27:20 2019 user.info libubnt[7516]: wevent[7516]: wevent.ubnt_handle_custom_alert_sta_assoc(): EVT_AP_STA_ASSOC_TRACKER_DBG: event_id: 8 vap: ath8 sta_mac: 28:16:ad:a2:45:e0 auth_ts: 548215.80803 auth_delta: 0 assoc_delta: 0 wpa_auth_delta: 100000 radius_auth_delta: 90000 radius_auth_status: success ip_delta: 180000 ip_assign_type: dhcp disassoc_count: 0 auth_failures: 0 assoc_failures: 0 wpa_auth_failures: 0 ip_failures: 0 assoc_status: 0 arp_status: yes dns_status: yes event_type: success
Wed Jun 12 17:27:20 2019 daemon.info hostapd: ath8: STA 28:16:ad:a2:45:e0 RADIUS: starting accounting session 2915C340ABB87E33

I'm thankful for any hints!

Best

Nicolaj

Senior Member
Posts: 2,815
Registered: ‎04-21-2015
Kudos: 421
Solutions: 112

Re: UAP-AC-LR does not set vlan id when using radius authentication with MS NPS

Where is your "Tunnel-Private-Group-Id" RADIUS attribute? 

Thanks,
Myky
CWSP
--------------------------------------------------------------------------------------------------------------------------------------------------
Don't blame the device as it's always doing what you have asked it to do, this is not always the same as what you want.
New Member
Posts: 2
Registered: ‎12-07-2017
Kudos: 1

Re: UAP-AC-LR does not set vlan id when using radius authentication with MS NPS

Hi,

My colleague - the Windows guy - checked again and assigned the "tunnel-assignment-ID" instead of the "tunnel-pvt-group-ID". Fixing this fixed the issue!
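Added example, not part of the thread and not Ubiquiti or Microsoft code: a Python check that parses the attributes of a RADIUS Access-Accept and reports whether the VLAN assignment attributes of RFC 3580 are present, flagging the mix-up between Tunnel-Assignment-ID (82) and Tunnel-Private-Group-ID (81) resolved above. The two packets are constructed samples using VLAN 60 from the thread; the function names and `build_accept` helper are hypothetical.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65  # attribute numbers from RFC 2868
TUNNEL_PRIVATE_GROUP_ID, TUNNEL_ASSIGNMENT_ID = 81, 82
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6  # values RFC 3580 uses for VLAN assignment

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} from one RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # skip code, identifier, length and authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def tagged_int(value: bytes) -> int:
    """Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte integer."""
    return int.from_bytes(value[1:4], "big")

def tagged_str(value: bytes) -> str:
    """Drop the optional tag byte (0x00-0x1F) in front of the string value."""
    return (value[1:] if value and value[0] <= 0x1F else value).decode("ascii")

def check_vlan_assignment(packet: bytes):
    """Return (vlan_id or None, list of problems) for an Access-Accept."""
    attrs, problems = parse_attributes(packet), []
    if [tagged_int(v) for v in attrs.get(TUNNEL_TYPE, [])] != [TYPE_VLAN]:
        problems.append("Tunnel-Type (64) is not VLAN (13)")
    if [tagged_int(v) for v in attrs.get(TUNNEL_MEDIUM_TYPE, [])] != [MEDIUM_IEEE_802]:
        problems.append("Tunnel-Medium-Type (65) is not 802 (6)")
    if TUNNEL_PRIVATE_GROUP_ID not in attrs:
        hint = " (Tunnel-Assignment-ID (82) was sent instead)" if TUNNEL_ASSIGNMENT_ID in attrs else ""
        problems.append("Tunnel-Private-Group-ID (81) missing" + hint)
        return None, problems
    return int(tagged_str(attrs[TUNNEL_PRIVATE_GROUP_ID][0])), problems

def build_accept(*attrs) -> bytes:
    """Constructed sample: Access-Accept (code 2) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body

TUNNEL = [(TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")]
MISCONFIGURED = build_accept(*TUNNEL, (TUNNEL_ASSIGNMENT_ID, b"60"))
CORRECTED = build_accept(*TUNNEL, (TUNNEL_PRIVATE_GROUP_ID, b"60"))
```

Feed `check_vlan_assignment` the UDP payload of an Access-Accept from a packet capture. It only inspects attributes and does not verify the Response Authenticator.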