Draytek 2800vn does not appear to support EAP-TTLS (for WPA/WPA2)

Scenario

You want wireless clients to connect to your network using their own individual/unique login credentials (as opposed to a shared secret that is common to all of your wireless clients, as is the case with WPA-PSK/WPA2-PSK).

You have a RADIUS server that authenticates users against some backend (e.g. LDAP), and you have a Draytek 2800vn wireless router that is set up in WPA/WPA2 Enterprise mode to use the RADIUS server for authentication and authorization.

The issue

You attempt to connect to the wireless router from a wireless client (such as a laptop or mobile phone) using EAP-TTLS, but you are unsuccessful.

Using Wireshark, you see the following sequence of events play out when a client attempts to connect to the wireless router:

  1. The initial “Request, Identity” packet is sent from the Draytek, and a response is received from the client.
  2. The “Request, EAP-TTLS” is sent from the Draytek and an SSL “Hello” is sent from the client, but it is stopped at the Draytek.

It appears that the initiation of the SSL session is failing. An SSL session needs to be established between the client and the RADIUS server before any user authentication occurs.

On inspection of the Draytek logs, you may find entries like these:

WLAN_DBG – 802.1x frame error from d4:9a:20:5a:5c:e8
WLAN_DBG – Wrong EAP data type
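To make the two captured steps and the router's “Wrong EAP data type” complaint concrete, here is an added example (not code from the original post or from Draytek) that builds the four EAP packets of an EAP-TTLS start and decodes them the way an 802.1X authenticator would, flagging a response whose method type does not echo the request's. The EAP identifiers, the user identity and the truncated TLS ClientHello are constructed sample data.

```python
import struct

# EAP codes, method types and EAP-TTLS flag bits (RFC 3748, RFC 5281).
EAP_REQUEST, EAP_RESPONSE, TYPE_IDENTITY, TYPE_NAK, TYPE_TTLS = 1, 2, 1, 3, 21
FLAG_L, FLAG_S = 0x80, 0x20  # Length field present, EAP-TTLS Start

def build_eap(code, ident, eap_type, type_data=b""):
    """Assemble an EAP packet: Code, Identifier, Length (whole packet), Type, Type-Data."""
    body = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(frame):
    """Decode the EAP header; for EAP-TTLS also decode the flags and the first TLS record."""
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length != len(frame) or length < 5:
        raise ValueError("EAP length field does not match frame size")
    info = {"code": code, "id": ident, "type": frame[4], "ttls": None}
    if info["type"] == TYPE_TTLS:
        flags, pos = frame[5], 6
        ttls = {"start": bool(flags & FLAG_S), "tls_msg_len": None, "client_hello": False}
        if flags & FLAG_L:  # a 4-byte total TLS message length precedes the data
            ttls["tls_msg_len"], pos = struct.unpack("!I", frame[6:10])[0], 10
        data = frame[pos:]
        # TLS record type 0x16 = handshake; after the 5-byte record header, 0x01 = ClientHello
        ttls["client_hello"] = len(data) >= 6 and data[0] == 0x16 and data[5] == 0x01
        info["ttls"] = ttls
    return info

def check_response(request, response):
    """Diagnose a request/response pair as an 802.1X authenticator's state machine would."""
    req, resp = parse_eap(request), parse_eap(response)
    if resp["code"] != EAP_RESPONSE or resp["id"] != req["id"]:
        return "no matching response"
    if resp["type"] == TYPE_NAK:
        return "client rejected method (Nak)"  # legal reply to an unsupported method
    if resp["type"] != req["type"]:
        return "wrong EAP data type"  # the response must echo the request's method type
    if req["type"] == TYPE_TTLS and req["ttls"]["start"]:
        return "TLS ClientHello received" if resp["ttls"]["client_hello"] else "no ClientHello"
    return "ok"

# Constructed sample exchange mirroring the two steps seen in the capture.
_hs_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00"
_hs = b"\x01" + len(_hs_body).to_bytes(3, "big") + _hs_body        # ClientHello handshake (stub)
CLIENT_HELLO = b"\x16\x03\x01" + struct.pack("!H", len(_hs)) + _hs  # TLS handshake record
REQ_IDENTITY = build_eap(EAP_REQUEST, 1, TYPE_IDENTITY)
RESP_IDENTITY = build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, b"alice@example.org")
REQ_TTLS_START = build_eap(EAP_REQUEST, 2, TYPE_TTLS, bytes([FLAG_S]))
RESP_TTLS_HELLO = build_eap(EAP_RESPONSE, 2, TYPE_TTLS,
                            bytes([FLAG_L]) + struct.pack("!I", len(CLIENT_HELLO)) + CLIENT_HELLO)
```

Running `check_response` over packets exported from a capture shows whether the client's reply to the EAP-TTLS Start carried a ClientHello or a different method type, which is the distinction the router's log line hides.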

The solution

I found that there was nothing I could do to overcome this issue with the Draytek 2800vn. Using a different wireless router fixed the issue for me: the SSL session was initialised properly and the wireless client was authenticated.