UniFi - Troubleshooting RADIUS Authentication


Overview


In this article, readers should expect to gain key troubleshooting skills for debugging 802.1X authentication on UniFi devices.

NOTES & REQUIREMENTS: Before proceeding with this article please make sure you are familiar with the contents of the Related Articles for USG, USW, and UAP. It will be helpful in understanding what each section of configuration entails and requires.

Table of Contents


  1. Network Diagram
  2. Common Issues
  3. Troubleshooting Wired 802.1X on the USW
    1. Useful Commands from Debugging Terminal or SSH Client
  4. Troubleshooting Wireless 802.1X on the UAP
  5. Troubleshooting RADIUS authentication on the USG
  6. Related Articles

Network Diagram



Authentication Process

[Figure: USW-RADIUS.png, the RADIUS authentication exchange between client, switch and RADIUS server]


Common Issues



This is a short list of common issues that can occur with RADIUS authentication.

The client device isn't put on the correct VLAN

1. Verify that the account on the authentication server has a VLAN ID specified.

2. Verify that "RADIUS assigned VLAN" is enabled on the RADIUS profile.

3. Verify with tcpdump on the device that the server is sending the correct VLAN in the RADIUS accept message. 

    3.1. Use the following command in an SSH session on a UniFi device:

sudo tcpdump -npi eth0 port 1812 -vvv
NOTE: You can also restrict the capture to IP addresses on the local subnet (192.168.1.0/24 in this case).

An attribute named "vlan-id" will have the VLAN specified if the RADIUS server is sending it correctly.

4. Verify that "use_tunneled_reply" is enabled on a FreeRADIUS-based authentication server.

Sample FreeRADIUS EAP configuration (/etc/freeradius/3.0/mods-enabled/eap):

use_tunneled_reply = yes 
NOTE: use_tunneled_reply is enabled by default on the USG settings.

The client device has an authentication timeout

1. Verify with tcpdump on the UniFi device whether the RADIUS server is responding to the RADIUS request. 

    1.1. Use the following command in an SSH session on a UniFi device:

sudo tcpdump -npi eth0 port 1812 

The exchange shown in the network diagram above should take place. If the Access-Accept is returned, move on to the steps below.


Troubleshooting Wired 802.1X on the USW



This process will allow a UniFi admin to see the packet-by-packet interaction between the authenticator (switch) and the RADIUS server.

Authentication

1. Use the following command in the Debugging Terminal or SSH Client:

sudo tcpdump -npi eth0 port 1812 -vv

2. Plug in an 802.1X compliant client device.

3. View the output.

  1. If the RADIUS process ends in an accept message from the RADIUS server, the client will be authorized to send traffic on the network.
  2. If the RADIUS messages time out, check for firewalls blocking port 1812 and for basic connectivity between the USW and the RADIUS server.
  3. If the RADIUS process ends in a reject message from the RADIUS server, ensure that the client device is using the correct credentials.

Accounting

Accounting only happens after authentication is successful.

ATTENTION: When using the USG as the RADIUS server, accounting is not enabled.

1. Use the following command in the Debugging Terminal or SSH Client:

sudo tcpdump -npi eth0 port 1813 -vv

Useful Commands from Debugging Terminal or SSH Client

ATTENTION: To input these commands you must first type telnet localhost followed by enable in the CLI. Example below.
USW-24P-US.v4.0.14# telnet localhost

Entering character mode
Escape character is '^]'.

Warning!
The changes may break controller settings and only be effective until reboot.

(UBNT) >enable

(UBNT) #

Key Commands

show radius

Output definitions:

Number of Configured Authentication Servers: The number of RADIUS Authentication servers that have been configured.
Number of Configured Accounting Servers: The number of RADIUS Accounting servers that have been configured.
Number of Named Authentication Server Groups: The number of configured named RADIUS server groups.
Number of Named Accounting Server Groups: The number of configured named RADIUS server groups.
Number of Retransmits: The configured value of the maximum number of times a request packet is retransmitted.
Time Duration: The configured timeout value, in seconds, for request retransmissions.
RADIUS Accounting Mode: A global parameter to indicate whether the accounting mode for all the servers is enabled or not.
RADIUS Attribute 4 Mode: A global parameter to indicate whether the NAS-IP-Address attribute has been enabled for use in RADIUS requests.
RADIUS Attribute 4 Value: A global parameter that specifies the IP address to be used in the NAS-IP-Address attribute in RADIUS requests.

show radius servers

Output definitions:

Host Address: The configured IP address of the RADIUS server.
Server Name: The configured name of the RADIUS server.
Port: The port used for RADIUS authentication.
Type: Specifies whether this server is a primary or secondary type.

show radius statistics <server IP or name>

Output definitions:

RADIUS Server Name: The name of the authenticating server.
Server Host Address: The IP address of the host.
Round Trip Time: Time in hundredths of a second that it takes for a request to be answered.
Access Requests: The number of RADIUS Access-Request packets sent to this server. This number does not include retransmissions.
Access Retransmissions: The number of RADIUS Access-Request packets retransmitted to this RADIUS authentication server.
Access Accepts: The number of RADIUS Access-Accept packets, including both valid and invalid packets, that were received from this server.
Access Rejects: The number of RADIUS Access-Reject packets, including both valid and invalid packets, that were received from this server.
Access Challenges: The number of RADIUS Access-Challenge packets, including both valid and invalid packets, that were received from this server.
Malformed Access Responses: The number of malformed RADIUS Access-Response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators or signature attributes or unknown types are not included as malformed access responses.
Bad Authenticators: The number of RADIUS Access-Response packets containing invalid authenticators or signature attributes received from this server.
Pending Requests: The number of RADIUS Access-Request packets destined for this server that have not yet timed out or received a response.
Timeouts: The number of authentication timeouts to this server.
Unknown Types: The number of packets of unknown type that were received from this server on the authentication port.
Packets Dropped: The number of RADIUS packets received from this server on the authentication port and dropped for some other reason.

show dot1x authentication-history <slot/port number> [detail]

Output definitions:

Time Stamp: The exact time at which the event occurs.
Interface: Physical port on which the event occurs.
MAC-Address: The supplicant/client MAC address.
VLAN Assigned: The VLAN assigned to the client/port on authentication.
VLAN Assigned Reason: The type of VLAN ID assigned, which can be Guest VLAN, Unauth, Default, RADIUS Assigned, or Monitor Mode VLAN ID.
Auth Status: The authentication status.
Reason: The actual reason behind the successful or failed authentication.

show dot1x clients {slot/port | all} 

Output definitions:

Clients Authenticated using Monitor Mode: Indicates the number of 802.1X clients authenticated using Monitor mode.
Clients Authenticated using Dot1x: Indicates the number of 802.1X clients authenticated using the 802.1X authentication process.
Logical Interface: The logical port number associated with a client.
Interface: The physical port to which the supplicant is associated.
Username: The user name used by the client to authenticate to the server.
Supplicant MAC Address: The supplicant device MAC address.
Session Time: The time since the supplicant logged on.
VLAN ID: The VLAN assigned to the port.
VLAN Assigned: The reason the VLAN identified in the VLAN ID field has been assigned to the port. Possible values are RADIUS, Unauthenticated VLAN, Monitor Mode, or Default. When the VLAN Assigned reason is Default, it means that the VLAN was assigned to the port because the P-VID of the port was that VLAN ID.
Session Timeout: This value indicates the time for which the given session is valid. The time period in seconds is returned by the RADIUS server on authentication of the port. This value is valid for the port only when the port-control mode is not MAC-based.
Session Termination Action: This value indicates the action to be taken once the session timeout expires. Possible values are Default and Radius-Request. If the value is Default, the session is terminated and client details are cleared. If the value is Radius-Request, then a reauthentication of the client is performed.

Troubleshooting Wireless 802.1X on the UAP



Authentication

1. Use the following command in the Debugging Terminal or SSH Client:

sudo tcpdump -npi eth0 port 1812 -vv

2. Connect an 802.1X compliant client device.

3. View the output.

  1. If the RADIUS process ends in an accept message from the RADIUS server, the client will be authorized to send traffic on the network.
  2. If the RADIUS messages time out, check for firewalls blocking port 1812 and for basic connectivity between the UAP and the RADIUS server.
  3. If the RADIUS process ends in a reject message from the RADIUS server, ensure that the client device is using the correct credentials.

Accounting

Accounting only happens after authentication is successful.

ATTENTION: When using the USG as the RADIUS server, accounting is not enabled.

1. Use the following command in the Debugging Terminal or SSH Client:

sudo tcpdump -npi eth0 port 1813 -vv

Logging

Setting the device logging level to debug can help diagnose issues with the UAP outside of packet captures. Navigate to Settings > Maintenance > Log Level if you would like to change that setting. 


Troubleshooting RADIUS authentication on the USG



CLI: Access the command line interface (CLI). You can do this by using an SSH client program.

This section will cover methods of troubleshooting RADIUS authentication on the UniFi Security Gateway. 

USG as RADIUS Server

Viewing the FreeRADIUS logs

sudo cat /var/log/freeradius/radius.log

This command shows the log of the service starting, authentication attempts and their failures, and any other problems with the service.

Running in the foreground

This command in SSH will start FreeRADIUS in the foreground on the USG. It will allow viewing of events printed to the console in real-time. 

NOTE: The radtest command used below will not work with mschapv2.
# Usage
sudo service freeradius restart
sudo service freeradius stop
sudo freeradius -fX

# For less verbosity use -fxx instead of -fX
sudo freeradius -fxx

# To stop FreeRADIUS running in the foreground and return to normal operation,
# press Ctrl+C and then start the service again:
sudo service freeradius start

#Sample output using radtest
rad_recv: Access-Request packet from host 172.20.1.1 port 57380, id=57, length=78
User-Name = "ubnttest"
User-Password = "test1234"
NAS-IP-Address = 172.20.1.1
NAS-Port = 0
Message-Authenticator = 0x8af0fec45c575d375c1c6ba366253feb
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "ubnttest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
[files] users: Matched entry ubnttest at line 5
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "test1234"
[pap] Using clear text password "test1234"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [ubnttest] (from client client-5c2650e21876930ceb43007e port 0)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 57 to 172.20.1.1 port 57380
Acct-Interim-Interval = 3600
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 57 with timestamp +5
Ready to process requests.

USG as Authenticator to Third-party Authentication Server

Use "radtest" to send a test authentication message to a third-party RADIUS server.

# Options
sudo radtest -h

# Usage (brackets denote optional parameters)
sudo radtest username password radius-server:[port] NAS-port secret [ppphint] [nasname]

# Example command (192.168.1.2 as the authentication server)
sudo radtest ubnttest testpw12! 192.168.1.2 0 thisisasecret

# Sample output
>sudo radtest ubnttest test1234 172.20.1.1 0 JustW0rkingH3r3$
Sending Access-Request of id 100 to 172.20.1.1 port 1812
User-Name = "ubnttest"
User-Password = "test1234"
NAS-IP-Address = 172.20.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 172.20.1.1 port 1812, id=100, length=41
Acct-Interim-Interval = 3600
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"

If a response such as the Access-Accept shown above comes back from the authentication server, authentication is working properly. If no response is received, ensure that the authentication server is online and can process Access-Request messages from the authenticator's IP address.
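As an added example (not from the UniFi article or Ubiquiti), the code below performs the check behind steps 3 and 4 of "The client device isn't put on the correct VLAN" and behind the radtest sample above: it validates a RADIUS Access-Accept's Response Authenticator against the shared secret (the check reflected in the switch's "Bad Authenticators" counter) and decodes the VLAN from the tagged Tunnel-Private-Group-Id attribute. The Access-Accept, the request authenticator and the secret are constructed here; the secret reuses the article's example value "thisisasecret".

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP = 64, 65, 81  # RFC 2868 attribute codes
VLAN = (13).to_bytes(3, "big")                         # Tunnel-Type value for VLAN
IEEE_802 = (6).to_bytes(3, "big")                      # Tunnel-Medium-Type value for IEEE-802

def attr(code, value, tag=None):
    """RADIUS TLV; RFC 2868 tunnel attributes carry a one-byte tag in front of the value."""
    value = value if tag is None else bytes([tag]) + value
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_accept(ident, request_auth, secret, vlan):
    """Constructed reply carrying the attributes the article's sample output shows (tag 0)."""
    attrs = (attr(TUNNEL_TYPE, VLAN, tag=0) + attr(TUNNEL_MEDIUM, IEEE_802, tag=0)
             + attr(TUNNEL_GROUP, str(vlan).encode(), tag=0))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_attrs(data):
    """Yield (code, value) pairs; a bad length is an error, not something to loop on."""
    i = 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        yield data[i], data[i + 2:i + length]
        i += length

def check_accept(packet, request_auth, secret):
    """Return the VLAN the server assigned, or None if the reply is not an authentic VLAN assignment."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:   # what the switch counts as a Bad Authenticator: wrong secret or altered reply
        return None
    attrs = dict(parse_attrs(packet[20:]))
    # every tunnel value starts with its tag byte; strip it before comparing or decoding
    if attrs.get(TUNNEL_TYPE, b"")[1:] != VLAN or TUNNEL_GROUP not in attrs:
        return None
    return int(attrs[TUNNEL_GROUP][1:].decode())

# Constructed inputs: a fixed request authenticator and the article's example shared secret.
REQ_AUTH = bytes(range(16))
SECRET = b"thisisasecret"
ACCEPT = build_access_accept(57, REQ_AUTH, SECRET, 5)
```

A reply that validates but returns None here is the "client isn't put on the correct VLAN" case: the server answered, but without a usable Tunnel-Type/Tunnel-Private-Group-Id pair.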


Related Articles



UniFi - USG: Configuring RADIUS Server

UniFi - USW: Configuring Access Policies (802.1X) for Wired Clients

UniFi - UAP: Configuring Access Policies for Wireless Clients
