UniFi native RADIUS auth issue over WiFi

CntrlAltDel

Occasional Visitor
Hi there,

I'm having an issue authing to one of my SSIDs that is using WPA2-Enterprise with the native UniFi RADIUS configured on the default ports 1813/1814.
I have another SSID that is just authing with a WPA2-PSK which just works fine.

Network looks like this:
Management VLAN 1
10.86.10.0/25
UCG Max - 10.86.10.1
USW - 10.86.10.2
AP1 - 10.86.10.3 (Native VLAN = Management VLAN and all VLANs associated with SSIDs are set as Tagged VLANs)

Users-Wireless VLAN 30 / 10.86.30.0/25 (THIS ONE WORKS)
SSID#1 (WPA2-PSK/Non-RADIUS)

BYOD-Wireless VLAN 35 / 10.86.35.0/25 (THIS ONE DOESN'T)
SSID#2 (WPA-Enterprise/With-RADIUS)

And for the local account (RADIUS credentials) I have it set to VLAN ID: 35, Tunnel Type: 13 (VLANs) & Tunnel Medium Type: 802.

There is no log event for when connecting fails. It just fails on the device, tried with MacBook *2 and iPhone. Exact same issue.

Hoping someone can provide some deeper insight.
 
Is your AP a UniFi device as well or something else? Your network setup description suggests something else. If you followed this document exactly when setting up the RADIUS server - focus on the AP. True BYOD won't work since the server needs to authenticate the credentials, but perhaps you already know and BYOD in the SSID name means something else.
 
Is your AP a UniFi device as well or something else? Your network setup description suggests something else.
All APs are UniFi UAP-NanoHD's.

If you followed this document exactly when setting up the RADIUS server - focus on the AP.
Yes, in fact RADIUS auth worked before. It's just now that I've split SSIDs into separate VLANs that there's an issue. There's no firewall related blocks. Nothing happens when I try to auth from client device, even an event isn't logged.

True BYOD won't work since the server needs to authenticate the credentials, but perhaps you already know and BYOD in the SSID name means something else.
Yes, I just named it this way as an example scenario to explain my point.
 
Are both wireless networks in the same Firewall Zone? I would attempt setting up the server again after the VLAN/SSID change. This will re-create the necessary access rules. Zone Matrix looks like an easy representation of what's happening, but some things are hard to spot.
 
Are both wireless networks in the same firewall zone? I would attempt setting up the server again after the SSID change.

No they're not.
Management VLAN 1 = APs themselves
BYOD-Wireless VLAN 35 = VLAN associated with SSID (This one auths WPA2-Enterprise -> RADIUS and fails)
Users-Wireless VLAN 30 = VLAN associated with SSID (This one auths WPA2-PSK successfully)

All the VLANs associated with the SSIDs are tagged on the eth port on the switch connecting to the APs, where they themselves (APs) are using native Management VLAN (1).

Honestly if there were some form of logging that could account for this, I would've been able to determine exactly where the issue is immediately.
But the logging isn't all that great when it comes to the RADIUS server interactions.
This issue had to even get escalated twice through UniFi support.
 
All the VLANs associated with the SSIDs are tagged on the eth port on the switch connecting to the APs, where they themselves (APs) are using native Management VLAN (1).

I have 2x switches and 4x APs on my main UniFi setup serving 3x SSIDs on different networks... and I don't understand this configuration description. 😕
 
I have 2x switches and 4x APs on my main UniFi setup serving 3x SSIDs on different networks... and I don't understand this configuration description. 😕

The APs are connected to the UniFi Switch, the ports that they are connected to are configured native VLAN=Management and tagged VLANs=All of the VLANs associated with SSIDs that I mentioned i.e. BYOD-Wireless VLAN 35, Users-Wireless VLAN 30 etc.
I am communicating that the APs should be able to reach Management VLAN where the RADIUS server sits without any issues.
I also have super liberal firewall rules setup for this testing to ensure the firewall isn't the cause of any issues i.e. Allow Management > Gateway (ALL). Allow Users-Wireless VLAN 30 > Gateway (ALL). etc.
 
Interesting, just checking RADIUS dump over SSH and it looks like there's only Access-Request retries with no responses.
Code:
$ ps aux | egrep -i 'freeradius|radiusd|unifi.*radius' | grep -v egrep

<user>    <pid>  0.0  0.0   4952  2120 pts/0    S+   22:37   0:00 grep -E -i freeradius|radiusd|unifi.*radius

$ ss -lunp | egrep ':(1812|1813)\s'   # (or: netstat -lunp | egrep '1812|1813')

$ tcpdump -ni any '(udp port 1812 or udp port 1813) and (host 10.86.10.3 or host 10.86.10.4 or host 10.86.10.5)'

tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
22:38:18.904206 switch0   In  IP bad-hlen 16
22:38:18.904206 switch0.1 In  IP 10.86.10.4.51774 > 10.86.10.1.1812: RADIUS, Access-Request (1), id: 0x04 length: 232
22:38:18.904206 br0       In  IP 10.86.10.4.51774 > 10.86.10.1.1812: RADIUS, Access-Request (1), id: 0x04 length: 232
22:38:20.912205 switch0   In  IP bad-hlen 16
22:38:20.912205 switch0.1 In  IP 10.86.10.4.51774 > 10.86.10.1.1812: RADIUS, Access-Request (1), id: 0x04 length: 232
22:38:20.912205 br0       In  IP 10.86.10.4.51774 > 10.86.10.1.1812: RADIUS, Access-Request (1), id: 0x04 length: 232
22:38:23.916106 switch0   In  IP bad-hlen 16
22:38:23.916106 switch0.1 In  IP 10.86.10.4.51774 > 10.86.10.1.1812: RADIUS, Access-Request (1), id: 0x05 length: 232
22:38:23.916106 br0       In  IP 10.86.10.4.51774 > 10.86.10.1.1812: RADIUS, Access-Request (1), id: 0x05 length: 232
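Since the controller logs nothing for these attempts, the capture above is the only evidence. As an added example (not from the poster or from UniFi), the script below parses tcpdump's RADIUS summary lines, pairs each Access-Request with any Access-Accept/Reject/Challenge carrying the same packet id back to the same NAS, and reports requests that were only ever retransmitted; the sample input is the poster's br0 lines plus one constructed exchange (id 0x06) that does get answered, for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the three Access-Requests seen on br0 in the post, plus one
# constructed request/response pair (id 0x06) so an answered flow is also present.
SAMPLE = """\
22:38:18.904206 br0       In  IP 10.86.10.4.51774 > 10.86.10.1.1812: RADIUS, Access-Request (1), id: 0x04 length: 232
22:38:20.912205 br0       In  IP 10.86.10.4.51774 > 10.86.10.1.1812: RADIUS, Access-Request (1), id: 0x04 length: 232
22:38:23.916106 br0       In  IP 10.86.10.4.51774 > 10.86.10.1.1812: RADIUS, Access-Request (1), id: 0x05 length: 232
22:38:30.100000 br0       In  IP 10.86.10.4.51774 > 10.86.10.1.1812: RADIUS, Access-Request (1), id: 0x06 length: 232
22:38:30.104000 br0       Out IP 10.86.10.1.1812 > 10.86.10.4.51774: RADIUS, Access-Accept (2), id: 0x06 length: 61
"""

# Matches tcpdump's one-line RADIUS summary on a Linux "any" (SLL2) capture.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+RADIUS,\s+"
    r"(?P<kind>[A-Za-z-]+)\s+\((?P<code>\d+)\),\s+id:\s+(?P<id>0x[0-9a-fA-F]+)"
)

RESPONSE_CODES = {2, 3, 11}  # Access-Accept, Access-Reject, Access-Challenge

def analyse(text, iface="br0"):
    """Return {(nas_ip, packet_id): {"requests": n, "answered": bool}}.

    Only one capture interface is considered, so the same packet seen on
    switch0.1 and br0 is not miscounted as a retransmit."""
    flows = defaultdict(lambda: {"requests": 0, "answered": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["iface"] != iface:
            continue
        code = int(m["code"])
        if code == 1:
            # Access-Request: key by the NAS (source) address and the RADIUS id
            flows[(m["src"], m["id"])]["requests"] += 1
        elif code in RESPONSE_CODES:
            # Response: the NAS is the destination, same id as the request
            flows[(m["dst"], m["id"])]["answered"] = True
    return dict(flows)

def unanswered(text, iface="br0"):
    """List (nas_ip, packet_id, request_count) for flows with no response at all."""
    return sorted((nas, pid, f["requests"])
                  for (nas, pid), f in analyse(text, iface).items()
                  if not f["answered"])

if __name__ == "__main__":
    for nas, pid, n in unanswered(SAMPLE):
        print(f"NAS {nas} id {pid}: {n} Access-Request(s), no response")
```

Feed it a real capture with `tcpdump -l -ni any 'udp port 1812' | python3 this.py` after swapping `SAMPLE` for `sys.stdin.read()`; a NAS id that keeps appearing with no matching response means the server never answered, which is a server or listener problem rather than a credential problem.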
 