Radius feedback from AP to WiFi client

Our company has the following setup: a gateway PC running CentOS (gw) that runs Radius and some traffic-filtering programs. All of our employees connect wirelessly, and we have deployed WPA2 Enterprise encryption. Users are stored in a MySQL database on gw, and their user roles are defined there, which determine which user can access which SSID. We have 4 SSIDs (and therefore 4 VLANs), so currently 4 user groups, each with its own QoS, bandwidth-limit and similar rules.

The network works fine, except for one problem: when a user authenticates incorrectly, he gets no feedback. The WiFi client (everyone uses iMacs and MacBooks; only the IT department has a few Windows/Linux machines) gets stuck in a state where it says it is connected, but has no valid IP and therefore no internet access. Since MacOS remembers the password by default, it concludes that it connected successfully and never asks for the password again. This means anyone who makes an invalid login is stuck in this state until they remove the remembered password from their profile. As you can imagine, for a fast-growing company with 80+ employees this is very tedious.

Our APs are WRT54GLs with DD-WRT installed as the firmware.

It seems the radius client on the AP does not send any proper feedback to the WiFi client on the employee's computer. Does anyone have experience with this kind of setup? How can this no-feedback problem be solved? Would a better AP be the answer? I have been looking at Cisco's WAP2000. Cost is not an issue.

Here is the comment above mschapv2 in our eap.conf file:

    #
    #  This takes no configuration.
    #
    #  Note that it is the EAP MS-CHAPv2 sub-module, not
    #  the main 'mschap' module.
    #
    #  Note also that in order for this sub-module to work,
    #  the main 'mschap' module MUST ALSO be configured.
    #
    #  This module is the *Microsoft* implementation of MS-CHAPv2
    #  in EAP.  There is another (incompatible) implementation
    #  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
    #  currently support.
    #

Answer 1

1. Get a wireless card that supports "monitor" or "rfmon" mode and use it with Wireshark to see the 802.11 headers in the network traffic. This depends heavily on chipset, operating system and driver, but Wireshark has some decent documentation to point you in the right direction. What you are looking for are the actual 802.11 management headers, not just the "translated" Ethernet layer-2 information (again, see the Wireshark documentation). It sounds like your network runs mostly over 802.11, so the time spent figuring this out will probably pay off later; you will eventually need to look at the actual 802.11 headers for troubleshooting.

2. Confirm that this is actually a problem with your access point (it most likely is). Start Wireshark with "802.11" as the link-layer type, then authenticate against the access point and deliberately enter a wrong password. See what happens. You may also want to look at what goes on between the Radius server and the access point. If you have trouble interpreting the resulting data, you can always save it as a pcap and post it here. You probably just want to confirm that this is a problem with the radius client before spending a lot of money on access points.

3. Once you have confirmed that it is the access point's problem, go buy some decent "enterprise-grade" access points. We use D-Link DWL3200s, which as access points go are fairly middle-of-the-road. My only real complaint is that their command-line interface is terrible, but on the other hand they are only about $300 each, so I can't expect too much.

Bottom line: before you start throwing money at the problem (even if you have plenty of money to spend), figure out what is actually wrong first.

答案2

You didn't mention which authentication protocol you are using. "WPA2 Enterprise" is an umbrella term. Are you using EAP-TLS? Or PEAP-MSCHAPv2? Do you have client certificates in place or just the CA certificate + username/password? Depending on the actual protocol, the authentication error happens at a different protocol stack level.

If you are using PEAP-MSCHAPv2 (most likely given your hint at passwords), make sure the Radius server is configured to send the MS-CHAP-Error message back to the client. I think it's disabled by default in some versions of freeradius. Look for this in eap.conf:

    mschapv2 {
            #  Prior to version 2.1.11, the module never
            #  sent the MS-CHAP-Error message to the
            #  client.  This worked, but it had issues
            #  when the cached password was wrong.  The
            #  server *should* send "E=691 R=0" to the
            #  client, which tells it to prompt the user
            #  for a new password.
            #
            #  The default is to behave as in 2.1.10 and
            #  earlier, which is known to work.  If you
            #  set "send_error = yes", then the error
            #  message will be sent back to the client.
            #  This *may* help some clients work better,
            #  but *may* also cause other clients to stop
            #  working.
            #
            #send_error = no
    }

and change it to yes.
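A small check for the setting this answer describes, as an added example that is not part of the original answer or of FreeRADIUS itself: it reads an `eap.conf` in the FreeRADIUS 2.x layout quoted above, reports what `send_error` is in effect inside the `mschapv2 { ... }` block (treating `#` to end of line as a comment, so the shipped `#send_error = no` counts as unset), and produces a rewritten copy with `send_error = yes`. The sample configuration embedded in the block is constructed for the example; the file path in the `__main__` section is a placeholder.

```python
import re
import sys

# Constructed sample in the FreeRADIUS 2.x eap.conf layout, with the
# send_error line commented out exactly as the default file ships it.
SAMPLE_EAP_CONF = """\
eap {
        default_eap_type = peap
        mschapv2 {
                #  The server *should* send "E=691 R=0" to the
                #  client, which tells it to prompt the user
                #  for a new password.
                #send_error = no
        }
}
"""

# Matches an (optionally commented-out) send_error line and captures
# the indentation, the comment marker if any, and the value.
SETTING = re.compile(r"^(\s*)(#\s*)?send_error\s*=\s*(\w+)")


def block_line_range(lines, name):
    """Return (first, last) line indexes of the first `name { ... }` block.

    Braces inside comments are ignored, since FreeRADIUS treats
    everything from '#' to end of line as a comment.  Returns None
    when no such block exists.
    """
    code = [ln.split("#", 1)[0] for ln in lines]
    opener = re.compile(r"\b" + re.escape(name) + r"\s*\{")
    depth, first = 0, -1
    for i, ln in enumerate(code):
        if depth == 0:
            if not opener.search(ln):
                continue
            first = i
            depth = ln.count("{") - ln.count("}")
            if depth == 0:          # block opened and closed on one line
                return first, i
            continue
        depth += ln.count("{") - ln.count("}")
        if depth <= 0:
            return first, i
    return None


def send_error_setting(conf_text):
    """Return 'yes', 'no', or None when send_error is not set at all.

    None is the shipped default; FreeRADIUS then behaves as 'no' and
    the client never receives the MS-CHAP-Error (E=691 R=0) message.
    """
    lines = conf_text.splitlines()
    rng = block_line_range(lines, "mschapv2")
    if rng is None:
        return None
    first, last = rng
    for ln in lines[first:last + 1]:
        m = SETTING.match(ln)
        if m and not m.group(2):    # an uncommented assignment
            return m.group(3).lower()
    return None


def send_error_enabled(conf_text):
    return send_error_setting(conf_text) == "yes"


def enable_send_error(conf_text):
    """Return a copy of the config with send_error = yes in the mschapv2 block.

    A commented-out or existing send_error line inside the block is
    replaced in place; otherwise the setting is inserted before the
    block's closing brace.
    """
    lines = conf_text.splitlines()
    rng = block_line_range(lines, "mschapv2")
    if rng is None:
        raise ValueError("no mschapv2 block found in eap.conf")
    first, last = rng
    for i in range(first + 1, last):
        m = SETTING.match(lines[i])
        if m:
            lines[i] = m.group(1) + "send_error = yes"
            break
    else:
        indent = re.match(r"\s*", lines[last]).group(0) + "\t"
        lines.insert(last, indent + "send_error = yes")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder path; pass your own eap.conf as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/raddb/eap.conf"
    try:
        text = open(path).read()
    except OSError:
        text = SAMPLE_EAP_CONF
    print("send_error in effect:", send_error_setting(text) or "unset (behaves as no)")
    if not send_error_enabled(text):
        print("--- rewritten mschapv2 block ---")
        print(enable_send_error(text))
```

Run it against the real file and apply the rewritten copy only after checking that the rest of the file is untouched; as the comment in the answer's snippet says, some supplicants may behave differently once the error message is actually sent, so test with one client first.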

答案3

If you are sure that cost is not an issue, then get a real Cisco access point (like a Cisco Aironet); avoid Linksys if you can.

http://www.cisco.com/en/US/products/hw/wireless/index.html

Linksys is ok for home and small offices. It is not recommended for anything bigger however.

You can even get a WLC (wireless LAN controller). It's a bigger investment, but it is worth it. You can manage your APs from a central place, and the wireless clients can also benefit as it manages your channel settings, antenna power levels and client roaming.

Update (reply to comment): I use a WRT54GL at home and it works great in general, but if I download at high speed the wireless part can die (which is fixable with a reboot). The switch function is implemented in the CPU. If you copy a large file from one machine to another, CPU usage goes up significantly. With high CPU usage it is not that stable.

Update 2: No, a WLC is not strictly necessary. I do not even have one at work, but I would like to, because it just makes things easier. To test whether your AP is causing the trouble, get a Cisco (standalone) Aironet AP (just one) and test it with the same setup to see if it solves your problem. I am sure you can get a test drive from a decent vendor.

答案4

I think it may be a problem with Mac OS X, as I have a similar issue but it's not using Radius or Linksys gear.

Have you got another OS to test it with? See if it does it with an iPhone or a Windows PC.
