Radius: Authentication issues against Active Directory

Currently reading
Radius: Authentication issues against Active Directory

102
17
NAS
DS918+, DS916+, DS214+, DS211j
Last edited:
Hi,

since package Radius server does not have any dedicated forum I'm posting this here, because it may be related to Synology Directory Server, too.

I'm running some Ubiquiti/Unifi access points that are authenticating against Radius server on Synology NAS. Radius server itself authenticates against my Active Directory on Synology, too. This is fairly straightforward and works almost all the time.

For fallback reasons, I'm running a Radius server on my DS916+ as well as on my DS918+, both diskstations are member of my AD of course and both Radius servers are configured in all Unifi AP.

From time to time, however, I'm facing some login issues with my Wifi. The client (Android devices) that use the EAP protocol in their settings, take long time until they fully authenticate. This can take up to 30 seconds and more. Most of the time I'm switching off Wifi int the meantime and turn it on again. Most of the time the clients get immediate access to Wifi after this action.

The Radius protocol at that time, shows many lines similar to those below:
(78) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x8c4b9ee68d7187e3
(78) Login incorrect (eap: rlm_eap (EAP): No EAP session matching state 0x8c4b9ee68d7187e3): [ourhome\Michael] (from client Ubiquiti_AP port 0 cli D0-16-B4-AA-AA-AA)
(79) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x77219bc5708082e7
(79) Login incorrect (eap: rlm_eap (EAP): No EAP session matching state 0x77219bc5708082e7): [ourhome\Michael] (from client Ubiquiti_AP port 0 cli D0-16-B4-AA-AA-AA)
(80) eap: ERROR: rlm_eap (EAP): No EAP session matching state 0x8c4b9ee68d7187e3
(80) Login incorrect (eap: rlm_eap (EAP): No EAP session matching state 0x8c4b9ee68d7187e3): [ourhome\Michael] (from client Ubiquiti_AP port 0 cli D0-16-B4-AA-AA-AA)

I've already Googled for this error messages and came across this page, however this does not apply since my home LAN is certainly not affected by a high load.

Any idea how to get this solved or how to find the cause of this issue?

Michael
 
102
17
NAS
DS918+, DS916+, DS214+, DS211j
So anyone with an idea how to fix this? Still facing this issue on various (Android) devices from time to time.

Michael
 

fredbert

Moderator
NAS Support
Subscriber
2,218
890
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
I considered using RADIUS authentication on my SRM WiFi and did set it up:
  • DSM RADIUS Server linked to local and LDAP users
  • DSM LDAP Server to to provide user accounts for DSM Mail Server (long story told elsewhere) and in place of local SRM accounts for VPN Plus

I didn't test WPA2 Enterprise authentication long enough to run into your problems. I was able to have per user authenticated access but then decided it was too much hassle to update all my devices' logins and then get the family to update their's too.

Reverted to WPA2 Personal. Haven't tried WPA2/3 since the initial problems that caused with iOS devices not authenticating.
 
102
17
NAS
DS918+, DS916+, DS214+, DS211j
It works perfectly most of the time until a device tries to re-authenticate after being offline for some hours, mostly over night, connecting in the morning.

Since I've read in various sources in internet this may be due to any Radius caching mechanism. I've already tried enabling a cache in the appropriate conf file, assuming I've found the correct on. Nevertheless it did not change the game.

Someone mentioned enabling/using Winbind to be the fix of my issue, but honestly I don't know how to do that, even don't know if this works with Active Directory or Synology at all.

Michael
 

fredbert

Moderator
NAS Support
Subscriber
2,218
890
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Last edited:
If I get time over the weekend I'll see if I can find an old Airport Extreme and set it up as an access point. Will make it use the DSM RADIUS for authentication and connect my phone.

Update: that was easier than I thought, it was just next to the desk under some stuff. Have set up the airport and connected the phone and MacBook. Probably need to forget my other networks to keep it forced on the test network ... will try without doing that first.
 

fredbert

Moderator
NAS Support
Subscriber
2,218
890
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Last edited:
So far no issues reconnecting. Stopped using the iPhone and 6-7 hours later picked it up and it had the WiFi connection working.

Haven't seen any errors in syslog just notices and a couple of warnings. Set Airport's NTP to use the DSM NTP service which cleated out those warnings. Noticed some ntp time drift corrections.

Is there a WPA key regeneration that's causing any issue? Mine is set to 1 day on the Airport.

Update:

The MacBook was hibernating for much longer. After waking it, it took longer to re-authentcate, but wouldn't say 30 seconds more like 10-15s.

Haven't used WPA2 Enterprise authentication before from the MacBook. There's more info shown in the Network setup stating '802.1X: Default' which I'm assuming is 'any device can connect' and authenticated via EAP-PEAP (MSCHAPv2).

When I first connected to this SSID I had to add trust for the certificate from the NAS. Same on the iPhone. But the MacBook needed two goes at adding the network (forgetting the first try) before it worked. The certificate from the NAS is said to be untrusted (both devices said this) even though it's from LE. That would imply that there's an expected Subject Alternateive Name that I haven't added to the certificate, but I haven't checked what needs to be added ... maybe because connections between Airport and NAS are using IP address?


One could assume that the iPhone doesn't stop communicating during the night long enough for the re-authentication to happen.
 

fredbert

Moderator
NAS Support
Subscriber
2,218
890
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
This morning the MacBook was straight away connected to WiFi after coming out of hibernation. Was on power supply over night unlike yday.

Right I'm connecting back to SRM WiFi as it's a much better signal. iPhone's been ok all the time.
 
102
17
NAS
DS918+, DS916+, DS214+, DS211j
Thanks for your investigations so far!

Today, I did no see any failure in my side so far, however, I did not change anything so I guess it's purely coincidence. Wait, I've removed that setting on my Andoird tablet to not use certificates. OTH, I never set up to use one nor do I have a valid certificate anyway.

I do not know for sure if Android nevertheless tries to use a certificate which may be the cause of the failure.

MIchael
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Top