Cannot connect with WPA2 (AES) encryption + EAP-TTLS PAP with FreeRADIUS auth

0

I successfully set up an enterprise Wi-Fi connection with LDAP authentication by way of FreeRADIUS. I used EAP-TTLS PAP because I have hashed passwords in my OpenLDAP directory.

When I use TKIP wireless encryption for that WPA2 access point, everything goes very well and my Android phone clients connect just normally (until now all clients have just been Android phones).

BUT when I use AES, the clients cannot connect any more, and I don't know why. The log seems very good, and I tried and searched a lot with unfortunately no success.

Here is my FreeRADIUS log: http://pastebin.com/gF1tBGkM

You may ask why I want AES. That is because Microsoft Windows does NOT allow the TKIP algorithm for enterprise WPA2 connections (maybe just to annoy us and make the matter harder).

I tried all the open source free third party software to be able to use the unsupported protocols, but they were all very old and they didn't work, and I am trying to do everything natively without any third party software.

Could anybody please help me find a solution for that (to get my clients to connect successfully with AES)?

Mohammed Noureldin

Posted 2016-01-22T23:22:45.363

Reputation: 1 123

What AP are you using? – user1686 – 2016-01-23T00:02:12.143

@grawity TP-LINK router, dd-wrt firmware – Mohammed Noureldin – 2016-01-23T00:18:00.417

Which version of Windows? – Ramhound – 2016-01-23T00:40:51.193

@Ramhound Windows 10. The problem is not just with Windows: when I switch to AES, Android cannot connect with AES either. – Mohammed Noureldin – 2016-01-23T00:45:03.353

By the way, I think you just exposed your LDAP password, and possibly Alice's password. – Spiff – 2016-01-23T03:31:23.097

Also, WPA2 basically is AES-CCMP. The major reason original WPA was created was to replace WEP encryption with TKIP, and the major reason WPA2 was created was to replace TKIP encryption with AES-CCMP. Microsoft is absolutely doing the right thing by requiring AES-CCMP with WPA2. – Spiff – 2016-01-23T03:38:52.860

@Spiff It is just a test server, I use it to learn. – Mohammed Noureldin – 2016-01-23T10:12:51.443

Answers

0

OK, I was not considering that the problem might be in my DD-WRT itself, and it was!!

I googled for "TP-LINK AES DD-WRT problem". The posts on this page helped me to solve the problem: http://www.dd-wrt.com/phpBB2/viewtopic.php?p=762001 One user said that when he upgraded his firmware, his problem (the same as mine: he couldn't connect when using AES) was solved.

--------
maniootek wrote: Hi guys. Can someone guide me how to update my TL-WR741ND V4 to get rid of the WPA/WPA2 AES issue? Your help will be much appreciated.

I had the same problem a few days ago when I started to use DD-WRT.

I fixed it by downloading the latest version (05-27-2014-r24160) from here: http://dd-wrt.com/site/support/other-downloads?path=others%2Feko%2FBrainSlayer-V24-preSP2%2F
--------

So I upgraded my router firmware, and it worked again like a charm! My Android clients were able to connect perfectly!

Unfortunately, Windows clients cannot; apparently I am missing something while setting up the connection in Windows.

Mohammed Noureldin

Posted 2016-01-22T23:22:45.363

Reputation: 1 123

0

Your FreeRADIUS log seems to show a successful authentication, culminating with sending an Access-Accept message that contains the required MPPE-Key attributes that the AP should be able to use as the PMK (Pairwise Master Key) for this connection.

Your problem likely lies elsewhere. You might want to look at things like:

  • A packet trace of the RADIUS session between the AP and the FreeRADIUS box (preferably, for the sake of debugging, do this without using a RADIUS shared secret).
  • DD-WRT debug logs, especially from hostapd, which I believe acts as both the 802.1X Authenticator as well as the RADIUS client (a.k.a. "Network Access Server" or NAS) process.
  • Review your hostapd.conf on your DD-WRT box. Consider sanitizing it and posting it here if you want us to help you further.
  • An 802.11 monitor-mode packet trace of the 802.1X session between the Windows or Android wireless client and the AP.
  • Debug logs from the wireless client's 802.1X supplicant process. Android may use wpa_supplicant as its 802.1X supplicant. I'm not sure what the Windows 802.1X supplicant's process name is.

Spiff

Posted 2016-01-22T23:22:45.363

Reputation: 84 656

Thank you very much. I was not considering that the problem might be in DD-WRT itself, and it was!! I changed the software and my Android clients can connect like a charm! But unfortunately Windows cannot, and I don't know why; apparently I don't know how to set it up correctly. May I ask you to give me some quick steps to set it up correctly, like on an Android phone? I just want to use EAP-TTLS, PAP, and a user and password from the LDAP directory, nothing more (so no certificates, just as simple as possible to get it working). – Mohammed Noureldin – 2016-01-23T10:15:52.407
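The two checks Spiff's answer asks for, written out as an added example (this is not code from the thread, from FreeRADIUS or from hostapd): first, does the FreeRADIUS Access-Accept actually carry the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes the AP needs to derive the PMK; second, does the AP's hostapd.conf select WPA2 (RSN) with CCMP and 802.1X key management, or does it still offer TKIP, which is exactly the cipher the question says Windows 10 refuses for WPA2-Enterprise. The log excerpt and both hostapd.conf fragments are constructed; the log is shaped after FreeRADIUS 3 `radiusd -X` output and the regular expressions are an assumption about that format (older versions print differently). The hostapd key names and their meaning (`wpa` bitmask, `rsn_pairwise` falling back to `wpa_pairwise`) follow hostapd's documented configuration.

```python
"""Triage a WPA2-Enterprise (EAP-TTLS/PAP) join failure: RADIUS side vs AP side.
Added example, not code from the original thread, FreeRADIUS or hostapd."""
import re

# CONSTRUCTED excerpt shaped after FreeRADIUS 3 'radiusd -X' output (assumption).
SAMPLE_RADIUS_LOG = """\
(3) Received Access-Request Id 6 from 192.168.1.1:42456 to 192.168.1.10:1812 length 225
(3)   User-Name = "alice"
(3)   NAS-IP-Address = 192.168.1.1
(3) ttls: Got tunneled request
(3) ttls:   User-Name = "alice"
(3) ldap: Bind as user to ldap://ldap.example.test:389/ succeeded
(3) Sent Access-Accept Id 6 from 192.168.1.10:1812 to 192.168.1.1:42456 length 0
(3)   MS-MPPE-Recv-Key = 0x0a1b2c3d
(3)   MS-MPPE-Send-Key = 0x3d4e5f60
(3)   EAP-Message = 0x03060004
(3)   User-Name = "alice"
(3) Finished request
"""

ACCEPT_RE = re.compile(r"^\((\d+)\) Sent Access-Accept\b")
ATTR_RE = re.compile(r"^\((\d+)\)\s{3,}([\w-]+)\s*=\s*(.*)$")  # indented attribute lines


def parse_access_accept(log_text):
    """Attributes sent in the first Access-Accept, or None if none was sent."""
    attrs, req_id = None, None
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            req_id, attrs = m.group(1), {}
            continue
        if attrs is None:
            continue
        m = ATTR_RE.match(line)
        if m and m.group(1) == req_id:
            attrs[m.group(2)] = m.group(3).strip()
        else:
            break  # attribute list of that reply is over
    return attrs


def radius_side_ok(log_text):
    """(ok, reason): ok when an Access-Accept carried both MPPE keys the AP needs."""
    attrs = parse_access_accept(log_text)
    if attrs is None:
        return False, "no Access-Accept sent: the failure is on the RADIUS/LDAP side"
    missing = [k for k in ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key") if k not in attrs]
    if missing:
        return False, "Access-Accept lacks " + ", ".join(missing) + ": AP cannot derive the PMK"
    return True, "Access-Accept with both MPPE keys: check the AP (hostapd) and the 4-way handshake"


# CONSTRUCTED hostapd.conf fragments: the TKIP one mirrors the failing setup, the CCMP one the fix.
SAMPLE_HOSTAPD_CONF_TKIP = """\
interface=ath0
ssid=corp-test
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
ieee8021x=1
auth_server_addr=192.168.1.10
auth_server_port=1812
auth_server_shared_secret=testing123
"""
SAMPLE_HOSTAPD_CONF_CCMP = SAMPLE_HOSTAPD_CONF_TKIP.replace("wpa_pairwise=TKIP", "rsn_pairwise=CCMP")


def parse_hostapd_conf(text):
    """key=value lines into a dict; comments and blank lines skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def ap_config_issues(conf_text):
    """What in hostapd.conf would stop a WPA2(AES)+802.1X client from joining.
    wpa is a bitmask (1=WPA, 2=RSN/WPA2); rsn_pairwise governs the WPA2 ciphers
    and hostapd falls back to wpa_pairwise when it is unset."""
    c = parse_hostapd_conf(conf_text)
    issues = []
    if c.get("wpa", "0") not in ("2", "3"):
        issues.append("wpa=%s: RSN (WPA2) is not enabled" % c.get("wpa", "0"))
    if "WPA-EAP" not in c.get("wpa_key_mgmt", "").split():
        issues.append("wpa_key_mgmt lacks WPA-EAP: 802.1X key management is off")
    if c.get("ieee8021x") != "1":
        issues.append("ieee8021x is not 1: the AP will not act as an 802.1X authenticator")
    ciphers = set((c.get("rsn_pairwise") or c.get("wpa_pairwise", "")).split())
    if "CCMP" not in ciphers:
        issues.append("CCMP (AES) is not offered as a WPA2 pairwise cipher")
    if "TKIP" in ciphers:
        issues.append("TKIP offered as a WPA2 pairwise cipher: Windows 10 refuses it for WPA2-Enterprise")
    for key in ("auth_server_addr", "auth_server_shared_secret"):
        if not c.get(key):
            issues.append(key + " is missing: the AP cannot talk to FreeRADIUS")
    return issues


if __name__ == "__main__":
    print(radius_side_ok(SAMPLE_RADIUS_LOG))
    print(ap_config_issues(SAMPLE_HOSTAPD_CONF_TKIP))
    print(ap_config_issues(SAMPLE_HOSTAPD_CONF_CCMP))
```

One caveat when reading the first check: the MS-MPPE key attributes are encrypted with the RADIUS shared secret, so a secret that is mistyped on the AP produces a log that looks exactly like a successful Accept on the FreeRADIUS side while the AP decrypts garbage and never starts the 4-way handshake. If the RADIUS log passes and hostapd.conf passes, the shared secret and the over-the-air handshake are the next things to look at.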