troubleshooting hotspot authentications

This section is a subset of mbox HSG troubleshooting guide. Many times we know that mbox is properly configured and hotspot service is running fine, but somehow users are experiencing login issues, so it’s faster to jump straight to focus on authentication issues.

This guide focuses on concept of troubleshooting authentication issues is applicable to other scenarios, eg. private portal with private user database, self-registered database, social media integrations, or external API etc.

mbox HSG has build in RADIUS server that provides user/client authentication for both local hotspot services or external Wireless LAN Controllers (WLC). Sometimes it’s also called User Access Manager (UAM). Details.

For mbox UAM server to successfully authenticate user access, there’re a few prerequisites:

    1. mbox RADIUS client must be added (local and WLC)
    2. mbox RADIUS proxy must be configured
    3. use mbox swiss-knife - tcpdump

TESTING & TROUBLESHOOTING STEPS

1. mbox RADIUS clients must be added

Wireless@SG services includes both Wireless@SG (WSG) SSID and Wireless@SGx (WSGx) SSID. These two are essentially two different type of services.

WSG is an open SSID, where clients are immediately associated to wireless SSID, WLC relays client DHCP requests to mboxx and clients are assigned with IP addresses immediately. Only when clients try to browse Internet, their browser is redirected/prompted with WSG login portal, asking for login credentials. Once the correntials is entered, it’s passed to mbox access controller, which forwards authentication requests to mbox RADIUS server. Checkout this concept here.

In this scenario, mbox localhost must be configured as its own RADIUS Server’s RADIUS client (local access controller “talks” to local RADIUS).

User ---- AP ----WLC ---- [ mbox access controller (RADIUS client) ----mbox RADIUS (RADIUS server)]

WSGx is using WPA-EAP for wireless authentication, where clients are first prompted by WLC to authenticate via 801x protocol, and only if authentication is successful, WLC will relay client DHCp requests to mbox for address assignment. When WLC prompts user for authentication, WLC does not validate client credentials instead it forwards to mbox and it’s processed by mbox RADIUS server. Once user is authenticated and assigned with IP address, they can access Internet directly without being redirected to login portal again (therefore no mbox access controller involved). NOTE: In the case of EAP-SIM, the concept is the same, except user credentials are automatically forwarded by phone using SIM card IMEI details.

User ---- AP ----WLC (RADIUS client)---- [mbox RADIUS (RADIUS server)]

To add a RADIUS client config, three parameters are needed:

    • IP address of RADIUS client
    • Pre-shared key
    • Name of client

Below are the checking/troubleshooting we need to take to validate if RADIUS clients are added:

mbox# show running-config……!firewall-input 1 permit all udp src 192.168.0.0/16 dport 1812firewall-input 2 permit all udp src 192.168.0.0/16 dport 1813!security radius-serverclient 127.0.0.1 key testing123 name mbox-HSGclient 192.168.16.26 key testing123 name WLC-1client 192.168.16.27 key testing123 name WLC-2client 192.168.16.28 key testing123 name WLC-3client 192.168.16.29 key testing123 name WLC-4start!……mbox# show security radius-clientNAS Name NAS IP -------------------------------------------mbox-HSG 127.0.0.1 WLC-1 192.168.16.26 WLC-2 192.168.16.27 WLC-3 192.168.16.28 WLC-4 192.168.16.29OK mbox# show firewall input-listChain INPUT (policy DROP 152K packets, 28M bytes)pkts bytes target prot opt in out source destination 677 228K ACCEPT udp -- * * 192.168.0.0/16 0.0.0.0/0 state NEW udp dpt:1812 822 270K ACCEPT udp -- * * 192.168.0.0/16 0.0.0.0/0 state NEW udp dpt:1813mbox#

NOTE:

    • “testing123” is the pre-shared key configured between RADIUS server and RADIUS client and must be configured the same on all WLC
    • “192.168.16.” are the WLC ip addresses, they must be able to reach mbox LAN interface IP via those address
    • “firewall-input” rules open local port access for external hosts/WLC to communicate with mbox using RADIUS protocols. We can potentially restrict to individual WLC host IP for tighter security.

2. mbox RADIUS proxy must be configured

mbox RADIUS appears to be a RADIUS server to both its own access controller (eg. WSG) and WLC (eg. WSGx), however for Wireless@SG services, mbox RADIUS does not host any real user accounts, instead it “proxies” all user authentication requests to external ISP RADIUS server.

In this case, mbox is added as a RADIUS client on ISP RADIUS server, and ISP RADIUS server is added as a RADIUS proxy on mbox.

[ mbox RADIUS (RADIUS server)] ------- ISP RADIUS (RADIUS proxy)

To add a RADIUS proxy config, three parameters are needed:

    • IP address of remote ISP RADIUS server
    • Pre-shared key
    • Realm

NOTE: mbox needs to be configured as a RADIUS client on ISP RADIUS server so it must have a static WAN IP address. “Realm” defines which user accounts need to be proxied to external RADIUS server. Because by default, mbox RADIUS always use it’s local RADIUS user database for authentication and if user accounts non-exists, authentication will fail unless explicitly defined by “realm” to proxy to external ISP RADIUS server.

Below are the checking/troubleshooting we need to take to validate if RADIUS proxy are added:

mbox# show running-config……!firewall-input 1 permit all udp src 192.168.0.0/16 dport 1812firewall-input 2 permit all udp src 192.168.0.0/16 dport 1813!security radius-serverclient 127.0.0.1 key testing123 name mbox-HSGclient 192.168.16.26 key testing123 name WLC-1realm isp2 @ suffix nostrip x.x.x.x testing123realm isp2 @ suffix nostrip x.x.x.x testing123realm wlan.mnc001.mcc525.3gppnetwork.org @ suffix nostrip x.x.x.x testing123start!……mbox# show security radius-proxyRealm Name Delimiter/Format/Extra Proxy Server Auth/Acct Port------------------------------------------------------------------------------------------------------------- isp1 @/suffix/nostrip x.x.x.x 1812/1813 isp2 @/suffix/nostrip x.x.x.x 1812/1813 wlan.mnc001.mcc525.3gppnetwork.org @/suffix/nostrip x.x.x.x 1812/1813

To check if above proxy config is correct and also verify if ISP RADIUS has added mbox as a RADIUS client with the correct IP and pre-shared key, do a local test on mbox.

mbox# test authentication radius-server localhost radius-key testing123 username 92746928@stm password 92746928Sending Access-Request of id 231 to 127.0.0.1 port 1812 User-Name = "92746928@stm" User-Password = "92746928" NAS-IP-Address = 127.0.0.1 NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=231, length=111 Vendor-12902-Attr-1 = 0x5749314d Class = 0x5749314d Vendor-25053-Attr-24 = 0x0007d0 Vendor-25053-Attr-25 = 0x001f40 Session-Timeout = 10800 Idle-Timeout = 1800 Airespace-QOS-Level = Silver Colubris-AVPair = "max-input-rate=2048"mbox#mbox# show security radius-logSat Jan 24 23:19:59 2015 : Auth: Login OK: [92746928@stm] (from client mbox-HSG port 1812)

NOTE:

    • In the test command we used “localhost”, which is the local mbox RADIUS server, and the user name 92746928@stm has a suffix of “stm”, so it should match the config of “realm stm @ suffix nostrip x.x.x.x testing123”, and the authetnication would have been proxied to and validated by “x.x.x.x
    • The realm of “wlan.mncxxxx” refers to EAP-SIM accounts.
    • always use “show security radius-log” to check the authentication results and status

3. Use tcpdump

Sometimes all configurations seem working and testing worked fine, users still complain about authentication problem. For WSG, when there’s authentication problem, users keep getting back to the login portal with error show “wrong username or password”; for WSGx, client device simply shows “trying to get IP address” and will fail after a long wait.

There can be many causes for authentication failure, eg. WLC not correctly configured or configured with wrong pre-shared key, ISP RADIUS has not added mbox as a RADIUS client or is not responding to authentication requests (maybe too busy etc).

To isolate, use tcpdump. First, run tcmpdump on the LAN interface, where the WLC communicates with mbox, filter to port 1812

mbox# tcpdump interface vlan901 port 1812……..tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on vlan901, link-type EN10MB (Ethernet), capture size 65535 bytes00:51:14.240746 IP 192.168.16.26.32770 > 192.168.16.1.1812: RADIUS, Access Request (1), id: 0x26 length: 31700:51:14.611047 IP 192.168.16.1.1812 > 192.168.16.26.32770: RADIUS, Access Challenge (11), id: 0x26 length: 8300:51:14.952079 IP 192.168.16.26.32770 > 192.168.16.1.1812: RADIUS, Access Request (1), id: 0x27 length: 31700:51:15.346808 IP 192.168.16.1.1812 > 192.168.16.26.32770: RADIUS, Access Accept (2), id: 0x27 length: 33800:51:15.605441 IP 192.168.16.34.32770 > 192.168.16.1.1812: RADIUS, Access Request (1), id: 0x5c length: 32500:51:15.633861 IP 192.168.16.1.1812 > 192.168.16.34.32770: RADIUS, Access Challenge (11), id: 0x5c length: 7100:51:15.638934 IP 192.168.16.34.32770 > 192.168.16.1.1812: RADIUS, Access Request (1), id: 0x5d length: 31500:51:15.662813 IP 192.168.16.1.1812 > 192.168.16.34.32770: RADIUS, Access Challenge (11), id: 0x5d length: 19100:51:15.908985 IP 192.168.16.26.32770 > 192.168.16.1.1812: RADIUS, Access Request (1), id: 0x28 length: 32500:51:15.931951 IP 192.168.16.1.1812 > 192.168.16.26.32770: RADIUS, Access Challenge (11), id: 0x28 length: 7100:51:15.938194 IP 192.168.16.26.32770 > 192.168.16.1.1812: RADIUS, Access Request (1), id: 0x29 length: 31500:51:15.962742 IP 192.168.16.1.1812 > 192.168.16.26.32770: RADIUS, Access Challenge (11), id: 0x29 length: 19100:51:16.221918 IP 192.168.16.26.32770 > 192.168.16.1.1812: RADIUS, Access Request (1), id: 0x2a length: 31100:51:16.250048 IP 192.168.16.1.1812 > 192.168.16.26.32770: RADIUS, Access Accept (2), id: 0x2a length: 274…….

NOTE:

  • vlan901 is the LAN interface
    • if we do not see any “Access Request” at all, the WLC is not correctly configured to use mbox as RADIUS server, either wrong IP address or wrong VLAN.
    • Observe for longer time, if we see “Access Request” but do not see any “Access Accept” at all, it could be because mbox is not correctly proxying the request to external RADIUS, or it could be RADIUS is not responding to requests. Then move to next step to perform tcpdump on mbox WAN interface.
mbox# tcpdump interface eth0 port 1812tcpdump: WARNING: eth0: no IPv4 address assignedtcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes00:55:01.822523 IP 172.16.1.1.1814 > x.x.x.x.1812: RADIUS, Access Request (1), id: 0xd2 length: 31600:55:01.848676 IP x.x.x.x.1812 > 172.16.1.1.1814: RADIUS, Access Accept (2), id: 0xd2 length: 27900:55:01.963315 IP x.x.x.x.1812 > 172.16.1.1.1814: RADIUS, Access Challenge (11), id: 0x52 length: 105700:55:01.976717 IP 172.16.1.1.1814 > x.x.x.x.1812: RADIUS, Access Request (1), id: 0x0d length: 24700:55:02.040379 IP x.x.x.x.1812 > 172.16.1.1.1814: RADIUS, Access Challenge (11), id: 0xc3 length: 106100:55:02.048393 IP 172.16.1.1.1814 > x.x.x.x.1812: RADIUS, Access Request (1), id: 0x07 length: 32800:55:02.054123 IP 172.16.1.1.1814 > x.x.x.x.1812: RADIUS, Access Request (1), id: 0x73 length: 25000:55:02.069966 IP x.x.x.x.1812 > 172.16.1.1.1814: RADIUS, Access Challenge (11), id: 0x07 length: 6700:55:02.089909 IP 172.16.1.1.1814 > x.x.x.x.1812: RADIUS, Access Request (1), id: 0x66 length: 304….

NOTE:

  • eth0 is the WAN interface
    • if we do not see any “Access Request” at all, that means mbox is not proxying requests to external ISP RADIUS, check our proxy realm configurations.
    • Observe for longer time, if we see “Access Request” but do not see any “Access Accept” at all, that means ISP RADIUS is not responding to requests. It could be because it has not added mbox as a RADIUS client or is too busy to respond. Contact ISP support.