Issue with WLAN 802.1x AD authentication
Having a USG 700H and trying to set up 802.1x authentication of Wi-Fi clients on managed APs, but something doesn't work.
- AD server is set up under User Authentication and working (user lookup is ok)
- New user of type ext-group-user is created using AD definition and it also works fine using required group membership identifier.
- SSID is setup for WPA2(3)-Enterprise set as "WPA Enterprise with = Internal Authentication server" and "Authentication server = AD configured above".
When I try to log in on the SSID and put in known credentials it doesn't work. I checked the FW and no rules trigger / no traffic is observed on the AD interface. Logs say almost nothing:
AP log: User test (MAC: <OUI>) 802.1X auth failed on interface wlan-2-2.(Server: 10.50.200.1:1812)
Debug level: kernel [193934.502729] Can't find user (mac-users) profile in KUser_head
Not sure if the debug log is related, but it is generated at the time I try to authenticate, and reading the message and observing no traffic to the AD server, it looks like the entire config doesn't work.
I'm aware that purely an AD server is not enough to use .1x authentication, but my understanding is the AP controller acts as an internal RADIUS component interacting with the external AD.
I've checked the FAQ here and an example of how to set up the config in subject is very similar to what I've done, with some differences related to the old GUI.
Not sure though if any specific configuration of AD is required.
Any ideas?
All Replies
Hi @Rösti
I did a local lab with the latest firmware version and get the same result as yours. I'm checking on this and will update you once I get further information.
Zyxel Melen
Hi @Rösti
Please help to check if you have done the join domain process. Please navigate to the User & Authentication > User Authentication page, select your AD server and click the Join Domain button.
Zyxel Melen
Hello @Zyxel_Melen,
The AD host is within an external trusted network, I have no rights to onboard the firewall there. Is it required?
Hi @Rösti
If you use WPA Enterprise with the internal Authentication server with an AD server, you have to finish the join domain process, or the firewall can't help your AP to check the user with the AD server.
Zyxel Melen
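A small triage helper, added here as an example and not code from the thread or from Zyxel: it parses AP log lines in the shape quoted above and counts 802.1X failures per RADIUS server and interface, so you can confirm that every failure points at the firewall's internal RADIUS (as here) before looking at the firewall-to-AD leg. Field names, the sample MACs and the "result" wildcard are my own assumptions; the page only shows "failed".

```python
import re
from collections import Counter

# Log line shape quoted in the thread (field names are assumed, not Zyxel's):
#   User test (MAC: <OUI>) 802.1X auth failed on interface wlan-2-2.(Server: 10.50.200.1:1812)
LOG_RE = re.compile(
    r"User (?P<user>\S+) \(MAC: (?P<mac>[^)]+)\) 802\.1X auth (?P<result>\w+) "
    r"on interface (?P<iface>[\w-]+)\.\(Server: (?P<server>[\d.]+):(?P<port>\d+)\)"
)


def parse_8021x_line(line):
    """Return a dict of fields for a matching AP 802.1X log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def failures_by_server(lines):
    """Count 802.1X failures per (RADIUS server:port, AP interface).

    If all failures name one server and the firewall shows no traffic towards
    AD, the break is on the firewall-to-AD leg (e.g. the firewall was never
    joined to the domain), not on the client-to-AP leg.
    """
    counts = Counter()
    for line in lines:
        rec = parse_8021x_line(line)
        if rec and rec["result"] == "failed":
            counts[(f'{rec["server"]}:{rec["port"]}', rec["iface"])] += 1
    return dict(counts)


# Constructed sample lines in the thread's format (MAC addresses are placeholders).
SAMPLE_LOG = [
    "User test (MAC: aa:bb:cc:00:00:01) 802.1X auth failed on interface wlan-2-2.(Server: 10.50.200.1:1812)",
    "User test (MAC: aa:bb:cc:00:00:01) 802.1X auth failed on interface wlan-2-2.(Server: 10.50.200.1:1812)",
    "User alice (MAC: aa:bb:cc:00:00:02) 802.1X auth failed on interface wlan-1-1.(Server: 10.50.200.1:1812)",
    "kernel [193934.502729] Can't find user (mac-users) profile in KUser_head",  # not an AP line
]

if __name__ == "__main__":
    for (server, iface), n in failures_by_server(SAMPLE_LOG).items():
        print(f"{n} failure(s) on {iface} against RADIUS {server}")
```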