WPA Authentication Timeout/Failure after last firmware 1.1.1 upgrade TL-R605 V1.0
We are currently experiencing problems with realizing a WiFi connection.
The authentication for a WiFi connection is done via WPA-Enterprise and the RADIUS profile server is Windows NPS.
This is the list of devices EAP245(EU) v3.0 5.0.3, TL-SG2008 v3.0 3.0.1 and TL-R605 v1.0 1.1.1.
And the controller software is windows server running 4.4.4
The authentication problems started after the upgrade to the latest firmware versions done on all devices.
Nothing has changed in the configuration and nor have there been changes on the Windows servers.
The NPS Radius server log shows no authentication errors.
In fact it report that the authentication was successful.
But the mobile device most of the time is unable to connect and report authentication failure.
And some times after many retries gets connected.
Reboot of the TL-R605 shows a short time normal connections but after a few minutes we are back to the problem state.
Wat can i do to fix this problem, can i rollback to previous versions of firmware?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hey,
Sometimes authentication failure is related to network environment. Is there any new interference in your network environment?
You can split 2.4G and 5G signal, giving each a separate SSID, and connect to them to check which band has the issue. Also, you can try Wi-Fi analysis tool to detect if there is overlap with your Wi-Fi channels. Narrowing down the channel width can also reduce the interference. You can have a try.
- Copy Link
- Report Inappropriate Content
Sometimes authentication failure is related to network environment. Is there any new interference in your network environment?
There is no new interference possible because I am experiencing the problem also at a location where there are no other wifi signals.
When I look at the Radius Log file I notice that it respons 2 or up to 7 times within a timeframe of one or two minutes
And it is each time a succes response so not an authentication falure
Packet-Type: Accept-Request
Reason-Code: Success
Followed by:
Authentication-Type: 5
NP-Policy-Name: Secure Wireless Connections
Packet-Type: Access-Challenge
Reason-Code: Success
When I use WPA-Personal instead of WPA-Enterprise then there is no failure.
Also I tested with a different NPS radius server the results are some wat better but stil no fast connecting and Timeout/Failure in the Omada log.
And I also tested with a different certificate on the radius server for PEAP but this had also no effect.
I also did a rollback of the firmware of the R605 router but that had also no effect.
Next step is that I wil try to capture the network traffic between EAP 245 and NPS Radius server via a portmirror on the switch.
And maybe a rollback of the EAP firmware.
Any suggestions how to troubleshoot this?
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi, I have captured the traffic from EAP to the Radius server.
The result is that there is a problem with the firmware of the switch TL-SG2008 V3.0 build 20210407
When the communication between EAP and Radius server fails to finish the authentication sequence, I see "Fragmented IP protocol 1514" packages.
It's the Radius server that reports the fragmented package.
After that the EAP start sending again the first package from the authentication sequence.
And this repeats a few times after which the EAP gives up and reports a timeout.
Also switching to a different, the backup server, radius server I see the same happening.
When there is no timeout then there is also no "Fragmented IP protocol 1514" reported.
So I did a rollback first of the EAP firmware, without a result.
Then I did a rollback of the Switch TL-SG2008 V3.0 firmware to build 20200730.
And now the problem is solved.
And in the captured traffic I see no fragmented coming from the radius server.
I can still see some "Fragmented IP protocol" packages but the are from the EAP to the syslog server.
What is the next step, report this to the developers?
Has the next firmware release solved this issue?
Since the switch was the last device on which a did the rollback, I going toe upgrade again all devices firmware except the switch firmware.
This has cost me a lot of time, so I am not happy having to do this.
- Copy Link
- Report Inappropriate Content
Dear @cmcouwenb,
cmcouwenb wrote
Hi, I have captured the traffic from EAP to the Radius server.
The result is that there is a problem with the firmware of the switch TL-SG2008 V3.0 build 20210407
When the communication between EAP and Radius server fails to finish the authentication sequence, I see "Fragmented IP protocol 1514" packages.
It's the Radius server that reports the fragmented package.
After that the EAP start sending again the first package from the authentication sequence.
And this repeats a few times after which the EAP gives up and reports a timeout.
Also switching to a different, the backup server, radius server I see the same happening.
When there is no timeout then there is also no "Fragmented IP protocol 1514" reported.
So I did a rollback first of the EAP firmware, without a result.
Then I did a rollback of the Switch TL-SG2008 V3.0 firmware to build 20200730.
And now the problem is solved.
And in the captured traffic I see no fragmented coming from the radius server.
I can still see some "Fragmented IP protocol" packages but the are from the EAP to the syslog server.
What is the next step, report this to the developers?
Has the next firmware release solved this issue?
Since the switch was the last device on which a did the rollback, I going toe upgrade again all devices firmware except the switch firmware.
This has cost me a lot of time, so I am not happy having to do this.
Sorry to hear that you have some trouble with the Omada devices.
There is a new firmware released for TL-SG2008 V3 last week, could you please install the latest firmware for checking?
TL-SG2008(UN)_V3_3.0.2_20210806
If it makes no difference, I'd escalate you to the TP-Link support team for further investigation.
Please feel free to reply back for further assistance.
- Copy Link
- Report Inappropriate Content
I have tried the upgrade to the new firmware, but I got an error in which it says upgrade failed incompatible file.
It could be that I first have to upgrade to build 20210407 and then to 20210806.
I will try that later.
- Copy Link
- Report Inappropriate Content
Upgrade to latest version of TL-SG2008 firmware was successful after first upgrade to 20210407 release.
Authentication problem is solved with this release!
And in the captured traffic I see no fragmented coming from the radius server.
I can still see "Fragmented IP protocol" packages but the are from the EAP to the syslog server.
So in my opinion not all problems are fixed in this release.
- Copy Link
- Report Inappropriate Content
Dear @cmcouwenb,
cmcouwenb wrote
Upgrade to latest version of TL-SG2008 firmware was successful after first upgrade to 20210407 release.
Authentication problem is solved with this release!
And in the captured traffic I see no fragmented coming from the radius server.
Thank you for your valued feedback! Glad to hear that the WPA Authentication problem is solved.
cmcouwenb wrote
I can still see "Fragmented IP protocol" packages but the are from the EAP to the syslog server.
So in my opinion not all problems are fixed in this release.
What devices are connected between the EAP and Syslog server? Is the Syslog server installed on the Windows NPS?
According to Wikipedia, https://en.wikipedia.org/wiki/IP_fragmentation
IP fragmentation is an Internet Protocol (IP) process that breaks packets into smaller pieces (fragments), so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host.
I think you may need to check the MTU on the receiving hosts and adjust it to avoid IP fragmentation.
- Copy Link
- Report Inappropriate Content
I am not en expert on MTU size settings, but changing these settings from standard is not a good idea.
I have done some tests, and this is not a problem of the syslog or radius servers, it has to do with the TP-Link software.
But for now everything works even with fragmented IP packages.
- Copy Link
- Report Inappropriate Content
i have same related problem, but im using TL-SG2428P V1 20210806 (latest firmware). My oc200 is up to date and all my eap260hn is up to date.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2464
Replies: 10
Voters 0
No one has voted for it yet.