Stupid bug in access connections

[pohl3339]

Hello,

I am suffering from a stupid bug in access connections (4.12 and older). Before I start my setup:

1. Thinkpad R50 (1829-7RG) with upgraded internal wireless (IBM/Lenovo Mini PCI 802.11a/b/g FRU 93P4262) (before upgrade Intel PRO/Wireless LAN 2100 3B Mini PCI Adapter) WINXP SP2 as client. Latest hotfixes from microsoft and latest software tools from IBM/Lenovo.

2. Thinkpad X23 (2662-EBG) with Cisco Aironet 802.11a/b/g CardBus Wireless LAN Client Adapter (CB21AG). Debian 3.1 Sarge as access point.
Software: hostapd 0.5.3-1, freeradius 1.1.2-0

The problem:
Access connections tries to authenticate with the access point and for about 20 seconds the connection is working, and then disconnects. Although successful authentication and assignment of the IP address has already taken place, access connections still waits for it and finally disconnects with authentication failed.

Operation modes affected:
all 802.1x eg EAP-PEAP, EAP-TLS (TKIP and AES ciphers)
WPA-PSK and WPA2-PSK

Not affected:
WEP (turning off hostapd on AP)

Caveats:
Before the internal wireless was upgraded the same setup was working in all described modes. After upgrade WinXP zero configuration is working with WEP and EAP-TLS and wpa_supplicant (win32 version) works successfully with EAP-PEAP and EAP-TLS, so I can assume it is not a hardware, driver or AP configuration problem.

Question:
Has anybody had similar experiences with access connections using the 11a/b/g II adapter?

[Legionnaire]

Same here. No luck

I have to note that I had such problems when using a Linksys WRT54G as an Access Point but NOT when using a DLink DWL900+.

Also, tried upgrading to the latest version but although it fixes this one, another "bug" comes forward: when using dhcp, the gateway is set by default to the first pc of your subject (e.g. 192.168.1.1) despite the fact that you have overwritten that setting with your gateway of choice (e.g. 192.168.1.50).

[Wiz]

I currently use AC 4.12 with the IBM 11a/b/g II. Since i work a lot with wireless installations and connect to wireless network a lot of places i been using almost any combination of authentication, encryption and key management like EAP-FAST, LEAP, PEAP-GTC, PEAP-MSChap, EAP-TLS, WPA, WPA2, CCKM, AES, TKIP and so on. I never had any problems like this, but i only used Cisco AP's so don't know how it would work with other APs like linksys and dlink though.

Also in all of this cases i got an external radius server (In most cases the Cisco ACS radius server) which is required for 802.1x. I know that some APs got the option to run a simple radius function on the AP as a substitute to an external radius server. Cisco got that option, but it's pretty limited compared to a real radius server. Radius servers can return serveral radius attributes though that could affect how the wireless network is working or make it not work at all.

What kind of accesspoint do you use and do you have an external radius server or is it a built-in radius function on the AP? Is it possible to customize the radius attributes? And if you got an external radius server is it used for other things or just wireless. Using access point like cisco you got the ability to debug to see exactly what is going on. Not sure if your AP got such functions?

I had a Intel 2200BG, but got the nic replaced with the IBM 11a/b/g II since i had a lot of disconnects using the Intel nic, but neither using the Intel 2200BG i had issues like you descibe here.

At home i use EAP-FAST with WPA2 connected to a Cisco Access Point without any problems at all. I also used EAP-TLS for a while without any problems.

[pohl3339]

What kind of accesspoint do you use and do you have an external radius server or is it a built-in radius function on the AP?

I am using freeradius 1.1.2 and hostapd 0.5.3 on a Thinkpad X23 (Debian Sarge) as my AP.
With EAP-TLS/WPA-2/AES hostapd log says:

Code: Select all

ath0: STA 00:0e:9b:ba:1e:ea IEEE 802.1X: authenticated
RSN: added PMKSA cache entry for 00:0e:9b:ba:1e:ea
RSN: added PMKID - hexdump(len=16): e9 ed e4 77 1b 75 66 a4 a1 5d 31 26 d4 49 4d a6
ath0: STA 00:0e:9b:ba:1e:ea WPA: Added PMKSA cache entry (IEEE 802.1X)
ath0: RADIUS Received 20 bytes from RADIUS server
ath0: RADIUS Received RADIUS message
ath0: STA 00:0e:9b:ba:1e:ea RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
IEEE 802.1X: 00:0e:9b:ba:1e:ea - aWhile --> 0

After approx. 20 seconds the client disconnects.

[Wiz]

Thank you for your reply. I am using an Thinkpad X23 + Cisco Cardbus adapter + Linux as my access point. I have hostapd and freeradius installed (see first post).
It seems that the authentication process is too fast for AC and it misses the successful authentication. It could also be a bug in hostap, but I had the same setup running for quite a while with the INTEL 2100 11b adapter, which had a significantly longer latency.

Sorry i obviously missed some parts of your first post.

I'm not familiar with the hostpad or freeradius, but as far as i know from the hostapd website version 4.9 is the last stable version and 5.x is a development release. Mayb upgrade to the lastest 5.x or use the last stable version 4.9 could work better? There is also a newer version of freeradius available.

Anyway is seems like we have the same hardware (IBM 11a/b/g II) and same version of the driver and AC, but i never had the same problem. The difference is the accesspoint and radius server since i use a Cisco AP 1232abg and Cisco ACS as radius server. Also i have no problems using Microsoft IAS as a radius server, but still with some kind of cisco AP.

Not sure if there is a bug in the software you use or AC, but seems like i'm not affected with my setup if it's a bug in AC. Neither have i heard that any of my colleagues or customers had that problem and they mainly use cisco as well. My guess would be a bug in hostapd, but cannot really say anything for sure. I think you got pretty good logging possibilities using hostapd so maybe you could do some detailed logging and see if there is something strange. Also using a sniffer on your PC (if you got a sniffer) you might see what happen during the connection to your wireless network.

I have noticed that the IBM/Atheros wlan card is faster then all of the Intel wlan cards. Connect and search for wireless networks is much faster and also seems to connect faster, but i never seen the problem you descibe using cisco AP and cisco or microsoft radius server. Since i work with wireless installations i have seen many thinkpads with different versions of AC and wlan cards. So i don't think this is a very common problem.

Sorry i couldn't be more help, but i would have tried upgradring hostapd (or downgrade to 4.9) to see if that help. Maybe also upgrade the freeradius.

[pohl3339]

Thank you again for sharing your experiences. I guess I will have to try some other router. The computers are both next to each other (and sometimes further apart in the kitchen). The connect takes less than 3 secs with IBM/Atheros. The INTEL card needed about 10 secs, which gave AC enought time to catch the signals. Maybe "hardware" routers have some delay builtin to avoid this problem.

[pohl3339]

Hello,

here is an update to my first post. I finally got it working with my IBM 11a/b/g II adapter. What I did was to set hostapd and Access Connections only to WPA and TKIP cipher and not using WPA2 and AES cipher (CCMP) at all. I don't know whether hostapd or AC is behaving not as it should. All I know is that I used exactly the same settings with my previous adapter INTEL 2100B as it doesn't support AES and hence WPA2.

That explains all the mysteries and leaves me with a working setup - WPA, TKIP and EAP-PEAP.

Hope that will help someone else out as well,
Alexander