
Implementing AP Escape Solutions for Wireless Network Authentication Failures

1 Asterfusion OpenWiFi AP Escape Solution

The Asterfusion OpenWiFi AP escape solution ensures that when an authentication server (Portal or Radius) fails, misbehaves, or becomes unreachable, terminal users can still reach a controlled set of critical network resources. An escape VLAN is configured on the network controller; when an AP detects that authentication is failing it switches automatically to escape mode, and it returns to normal working mode on its own once the failure is resolved. This balances high availability and business continuity against security isolation: escape-mode clients land in a separate VLAN rather than in the normal business VLAN.
[Figure: AP escape and recovery flow chart]

1.1 Authentication Service Detection

Portal and Radius Service Detection

The AP runs two periodic checks: a TCP connect test with the nc command against the Portal server's probe port, and a test authentication with a dedicated probe account against the Radius server. If either check fails 3 times in a row, the AP switches the wireless service from normal authentication mode to escape (bypass) mode, and it switches back once the servers answer again.
[Figure: periodic detection of Portal and Radius service availability]

Radius Service Detection Logic Code

import * as fs from 'fs';

// Probe the Radius server by performing a real test authentication with the
// probe account (user/pass). Returns 0 when the server answers Access-Accept,
// 1 otherwise. Runs as ucode (auth_probe.uc) on the AP.
function radius_probe(server, port, secret, user, pass)
{
    // radcli client configuration: one auth server, short timeout, one retry,
    // so a dead server is reported within a few seconds.
    let f = fs.open('/tmp/radius.conf', 'w');
    if (f) {
        f.write(sprintf('authserver %s:%d\n', server, port));
        f.write('servers /tmp/radius.servers\n');
        f.write('dictionary /etc/radcli/dictionary\n');
        f.write('radius_timeout 3\n');
        f.write('radius_retries 1\n');
        f.write('bindaddr *\n');
        f.close();
    }
    // The servers file holds the shared secret in cleartext; /tmp is shared,
    // so keep its permissions restricted to the probe process's user.
    f = fs.open('/tmp/radius.servers', 'w');
    if (f) {
        f.write(sprintf('%s %s\n', server, secret));
        f.close();
    }
    // user and pass are interpolated into a shell command line: keep the probe
    // account's credentials free of shell metacharacters.
    let cmd = sprintf("/usr/sbin/radiusprobe %s %s > /dev/null 2>&1", user, pass);
    let exit_code = system(cmd);
    return (exit_code == 0) ? 0 : 1;
}

Portal Service Detection Logic Code

// Probe the Portal server with a TCP connect test (nc -z). Returns 0 when the
// port accepts a connection within `timeout` seconds, 1 otherwise. Note that
// this only shows a TCP listener is up; it does not verify that the Portal
// application behind it serves pages correctly.
function probe_portal(host, port, timeout) {
    let cmd = sprintf("nc -z -w %d %s %d", timeout, host, port);
    let exit_code = system(cmd);
    return (exit_code == 0) ? 0 : 1;
}
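To make the detection flow concrete, the following Python is an added example and not code from the original page or from Asterfusion: a TCP-connect Portal probe equivalent to nc -z -w <timeout>, and a small state machine that counts consecutive failed check rounds, switches to bypass after three of them (a round fails when either NC or RD fails, as in the log excerpt below), and returns to normal mode once both servers answer again. The single-success recovery condition, the event strings and the interface names are assumptions for this example; the page only states that the AP returns to normal mode after the failure is resolved.

```python
import socket
from dataclasses import dataclass, field

FAIL_THRESHOLD = 3        # page: three consecutive failed checks trigger escape mode
RECOVER_THRESHOLD = 1     # assumption: one fully successful round restores normal mode
NORMAL_IFACE = "up1v401_0_0_0"   # VLAN 401 business SSID (interface names as in the AP log)
ESCAPE_IFACE = "up2v403_0_0_0"   # VLAN 403 escape SSID


def probe_portal(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect check, the equivalent of `nc -z -w <timeout> host port`.

    Only proves that a TCP listener answers; the Portal application behind it
    may still be broken. Returns True when the connection succeeds.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class EscapeState:
    failures: int = 0          # consecutive rounds in which at least one check failed
    successes: int = 0         # consecutive fully successful rounds while in bypass
    bypass: bool = False
    events: list = field(default_factory=list)


def update(state: EscapeState, portal_ok: bool, radius_ok: bool) -> EscapeState:
    """Feed one probe round (NC = Portal check, RD = Radius check) into the state machine."""
    state.events.append(f"Server Check Result NC: {int(portal_ok)}, RD: {int(radius_ok)}")
    if portal_ok and radius_ok:
        state.failures = 0
        if state.bypass:
            state.successes += 1
            if state.successes >= RECOVER_THRESHOLD:
                state.bypass = False
                state.successes = 0
                state.events.append(f"Wireless {NORMAL_IFACE} Enabled")
                state.events.append(f"Wireless {ESCAPE_IFACE} Disabled")
                state.events.append("Auth server recovered, disable bypass mode")
        return state
    # Either server failed: a single good round in between resets the streak.
    state.successes = 0
    state.failures += 1
    if state.failures >= FAIL_THRESHOLD and not state.bypass:
        state.bypass = True
        state.events.append(f"Wireless {ESCAPE_IFACE} Enabled")
        state.events.append(f"Wireless {NORMAL_IFACE} Disabled")
        state.events.append("Auth server is down, enable bypass mode")
    return state


def run_rounds(results) -> EscapeState:
    """Replay a sequence of (portal_ok, radius_ok) rounds and return the final state."""
    state = EscapeState()
    for portal_ok, radius_ok in results:
        update(state, portal_ok, radius_ok)
    return state


# Constructed scenario: Portal goes down for three rounds while Radius stays up,
# then the Portal comes back.
SCENARIO = [(True, True), (False, True), (False, True), (False, True), (True, True)]

if __name__ == "__main__":
    for line in run_rounds(SCENARIO).events:
        print(line)
```

Replaying the constructed scenario prints the same NC/RD check lines and interface transitions as the AP log, followed by the assumed recovery lines; two failed rounds separated by a good one never reach bypass, which is what keeps a brief Portal hiccup from flipping the SSIDs.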

1.2 Escape Logic Configuration

Configuration Steps

1. Navigate to Organization → Site → Configuration → Wireless Configuration Templates → Add Wireless Configuration


2. Configure template name, corresponding AP model, configuration tags, system timezone, and LED settings


3. Switch to Network Activation tab and configure the normal business SSID

  • When enabling a normal business SSID, the Captive switch must be turned on
  • Normal business VLAN is 401, defaulting to 192.168.17.xx IP addresses

4. Select “+” to continue adding escape SSID

  • When enabling escape SSID, the Bypass switch must be turned on
  • Escape business VLAN is 403, defaulting to 192.168.20.xx IP addresses

Note: The escape SSID can only be enabled on a single frequency band, and only one escape SSID can be configured.

5. Switch to the Security Service tab and set the forced Portal authentication method to External-UAM


6. Under External UAM, configure: Domain whitelist (Portal server domain or IP), External-UAM server, External-UAM key, External UAM port, Probe port, NAS ID


7. Continue configuring under External UAM: Authentication server, Authentication key, Authentication port, Audit fields (if audit requirements exist), Other non-required fields as needed


8. Click the Save button in the upper left corner to complete the wireless configuration template saving


2. Test Results

Normal Operation Scenario
When both the Portal and Radius services are working:

  • By default the AP broadcasts only the normal business SSID on VLAN 401; the VLAN 403 escape interface stays down
  • Terminals therefore see only one SSID (named "Escape" in this test setup)

Terminal connection to the normal business SSID:
  • The portal page appears after connection
  • Clicking "Accept" prompts for a username and password
  • The credentials are checked against the Radius server
  • The success page is returned after successful authentication
  • The terminal gets normal internet access with a 192.168.17.xx address from VLAN 401

Escape Mode Scenario

When the Portal service is shut down, triggering AP escape mode:

  • AP closes the current 401 VLAN SSID and opens the 403 VLAN SSID
  • AP logs show three consecutive nc detections of a Portal failure (NC is the Portal check result and RD the Radius check result, so NC: 0, RD: 1 means the Portal port is unreachable while Radius still answers), followed by the interface switch and the bypass event:

2025-08-19T12:00:26.421781+08:00 60eb5a0051ce auth_probe.uc[6669]: Server Check Result NC: 0, RD: 1
2025-08-19T12:01:32.498876+08:00 60eb5a0051ce auth_probe.uc[6669]: Server Check Result NC: 0, RD: 1
2025-08-19T12:02:38.580530+08:00 60eb5a0051ce auth_probe.uc[6669]: Server Check Result NC: 0, RD: 1
2025-08-19T12:02:38.580590+08:00 60eb5a0051ce auth_probe.uc[6669]: Wireless up2v403_0_0_0 Enabled
2025-08-19T12:02:38.580776+08:00 60eb5a0051ce auth_probe.uc[6669]: Wireless up1v401_0_0_0 Disabled
2025-08-19T12:03:45.017059+08:00 60eb5a0051ce auth_probe.uc[6669]: Auth server is down, enable bypass mode [AP-EVENT]Server Check Result NC: 0, RD: 1
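When these syslog lines are forwarded to a collector, the escape transitions are worth alerting on: a fleet of APs in bypass mode means clients are on the unauthenticated VLAN 403. The following Python parser is an added example and not code from the page or from Asterfusion. It classifies each auth_probe.uc line into a check result, an interface enable/disable, or a bypass event, and reports which APs currently have their escape interface up. The regular expressions are written against the line format shown above; the sample input is the six lines quoted above plus one constructed unrelated line, and the assumption that the escape interface name carries its VLAN id (as up2v403_0_0_0 does) is labelled in the code.

```python
import re
from dataclasses import dataclass
from typing import Optional

ESCAPE_VLAN = 403   # assumption: the escape interface name embeds its VLAN id ("v403")

# Line layout as logged by the AP: "<timestamp> <AP id> auth_probe.uc[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ap>\S+)\s+auth_probe\.uc\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
CHECK_RE = re.compile(r"Server Check Result NC: (?P<nc>[01]), RD: (?P<rd>[01])")
IFACE_RE = re.compile(r"Wireless (?P<iface>\S+) (?P<state>Enabled|Disabled)")


@dataclass
class ProbeEvent:
    ts: str
    ap: str
    kind: str                          # "check", "iface" or "bypass"
    portal_ok: Optional[bool] = None   # NC result: 1 = Portal port reachable
    radius_ok: Optional[bool] = None   # RD result: 1 = test authentication succeeded
    iface: Optional[str] = None
    enabled: Optional[bool] = None


def parse_line(line: str) -> Optional[ProbeEvent]:
    """Classify one syslog line; returns None for lines that are not auth_probe events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ap, msg = m["ts"], m["ap"], m["msg"]
    # The bypass line also embeds a check result, so test for it first.
    if "enable bypass mode" in msg:
        return ProbeEvent(ts, ap, "bypass")
    c = CHECK_RE.search(msg)
    if c:
        return ProbeEvent(ts, ap, "check", portal_ok=c["nc"] == "1", radius_ok=c["rd"] == "1")
    i = IFACE_RE.search(msg)
    if i:
        return ProbeEvent(ts, ap, "iface", iface=i["iface"], enabled=i["state"] == "Enabled")
    return None


def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev is not None]


def aps_in_bypass(events) -> dict:
    """Map AP id -> timestamp at which its escape (VLAN 403) interface was last enabled.

    An AP drops out of the map when a later line disables that interface again,
    i.e. when it has returned to normal mode.
    """
    tag = f"v{ESCAPE_VLAN}"
    active = {}
    for ev in events:
        if ev.kind == "iface" and tag in ev.iface:
            if ev.enabled:
                active[ev.ap] = ev.ts
            else:
                active.pop(ev.ap, None)
    return active


# Sample input: the six AP log lines quoted above, plus one constructed unrelated line.
SAMPLE_LOG = """\
2025-08-19T12:00:26.421781+08:00 60eb5a0051ce auth_probe.uc[6669]: Server Check Result NC: 0, RD: 1
2025-08-19T12:01:32.498876+08:00 60eb5a0051ce auth_probe.uc[6669]: Server Check Result NC: 0, RD: 1
2025-08-19T12:02:38.580530+08:00 60eb5a0051ce auth_probe.uc[6669]: Server Check Result NC: 0, RD: 1
2025-08-19T12:02:38.580590+08:00 60eb5a0051ce auth_probe.uc[6669]: Wireless up2v403_0_0_0 Enabled
2025-08-19T12:02:38.580776+08:00 60eb5a0051ce auth_probe.uc[6669]: Wireless up1v401_0_0_0 Disabled
2025-08-19T12:03:45.017059+08:00 60eb5a0051ce auth_probe.uc[6669]: Auth server is down, enable bypass mode [AP-EVENT]Server Check Result NC: 0, RD: 1
2025-08-19T12:03:46.000000+08:00 60eb5a0051ce hostapd: constructed unrelated line
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev)
    print("APs in bypass:", aps_in_bypass(events))
```

The parser deliberately keys the bypass state on the interface lines rather than on the "enable bypass mode" message, because the page shows no corresponding recovery message; the interface Disabled line is the only visible signal that an AP has left escape mode.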

Terminal reconnection in escape mode:
  • The terminal is disconnected and reconnects to the Escape SSID
  • It now obtains a 192.168.20.xx address from VLAN 403
  • Controlled network access is maintained while the authentication server is down

Glossary of Abbreviations

AP: Access Point
VLAN: Virtual Local Area Network
DHCP: Dynamic Host Configuration Protocol
PSK: Pre-Shared Key
STA: Station
SSID: Service Set Identifier
UAM: Universal Access Method