Question:

Wireless/radius server question - I have 5 WAPs and users can only authenticate to one or two...?


I have 5 Netgear WG102 WAPs. They are spread throughout the office, so people can connect their laptops around the office using their domain logins to authenticate. They use WPA Enterprise with a RADIUS server. There's also a guest SSID that users can connect to using WPA Personal, with a key. This also shares the same problem. Users can connect to one or two of the WAPs, but when they try a third, it won't give out an IP or authenticate them. It's not the same 1 or 2 that they can connect to either. For example: User A can connect to access points 1 and 2, but User B can connect to access points 4 and 5. However, User A cannot connect to access points 3, 4, or 5, and User B cannot access 1, 2, or 3.

I have plenty of IP space on the DHCP server, so I am uncertain why I am unable to get this to work. Is there some kind of MAC filtering involved in RADIUS that I need to know about that's preventing users from connecting the same machine to the same LAN more than two times?


2 ANSWERS


  1. Wi-Fi roaming seems to always have some issues. Here are a few things to check.

    All APs should be connected to the exact same switch/router if at all possible! This means a direct wired connection.

    All APs should have the exact same SSID (you can use different channels, but the same SSID is needed; otherwise the client will have to switch profiles and that will drop them).

    The normal setting for RADIUS is to prevent multiple logins, so if the client is authorized and they attempt to reauthorize, RADIUS will refuse them! You can modify the server to allow multiple logins (bad idea), BUT once that client is issued an IP, that IP should stick with them when roaming (unless the MAC address of the client changes), thus the same SSID and switch as mentioned above! (And yes, with RADIUS it generally issues an IP to the MAC address of the client.)

    All APs should be set to the same RADIUS IPs and ports and have "reauthenticate" set as needed. This varies greatly from AP to AP, so if you check the manuals for the access points you should find what needs to be set for that specific AP!

    Try your same setup without encryption (I know you do want to turn it back on, BUT try it without to get it all set up and working!). I have seen SOME WPA cause roaming issues! The WPA key should be issued ONLY by the RADIUS server, not by any other source. WPA Personal is NOT the best choice for this. But the SERVER should control this, not the APs.

    Basically, you want the AP to just "bridge" to the RADIUS server for all validation and IP issuance! So changing APs should not cause a need for any new IP! If you are using DHCP on the APs, DON'T!

    Here are a couple of good articles on RADIUS validation:

    http://www.interlinknetworks.com/whitepa...

    http://www.wi-fiplanet.com/tutorials/art...


  2. Baby, if it doesn't fit, you can't force it.

    Ooooh, yeah.
