Campus Network NAC Solution Troubleshooting

Publication Date: 2015-06-15
Issue Description
This topic describes an efficient troubleshooting method for deployments in which the TSM Policy Center, the ESAP platform, and the WLAN component are all in use.

Overall Service Exchange Process:

Alarm Information


Handling Process
Customer Troubleshooting Procedure:

Troubleshooting Procedure of Huawei Technical Support Engineer:

TSM Policy Center Fault Location:

1. Open the tomcat.log file in the TSM Policy Center installation directory (\PolicyCenter\radius\logs), analyze the exceptions that occur when the RADIUS server processes authentication requests, and check the packet statistics related to authentication and accounting on the RADIUS server.


The conclusions are as follows according to the statistics in the command output:

    recvRadiusPacketCount = sendRadiusPacketCount + pakcetDropVerifyFail

    When pakcetDropVerifyFail is displayed (non-zero), analyze why packets are dropped.

    sendRadiusChallenge < sendRadiusPacketCount

    When sendRadiusChallenge is smaller than sendRadiusPacketCount, analyze why the client does not reply to the RADIUS Challenge packets from the RADIUS server. RADIUS packets sent by the client pass through the terminal host, AP, AC, and TSM Policy Center in turn.
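The two counter relationships above can be checked mechanically. The following is an added example (not code from the article or the Policy Center product) that parses constructed counter lines in the "name = value" form and reports which relationship is violated; the sample values are invented.

```python
import re

# Constructed sample of RADIUS statistics lines in the tomcat.log style the
# article describes (not a real log excerpt); only the counter names come from
# the article.
SAMPLE_STATS = """
recvRadiusPacketCount = 1200
sendRadiusPacketCount = 1180
pakcetDropVerifyFail = 20
sendRadiusChallenge = 900
"""

COUNTER_RE = re.compile(r"^\s*(\w+)\s*=\s*(\d+)\s*$")

def parse_counters(text):
    """Collect every 'name = value' line into {name: int}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def analyze_counters(counters):
    """Apply the two relationships the article states; return a list of findings."""
    recv = counters.get("recvRadiusPacketCount", 0)
    sent = counters.get("sendRadiusPacketCount", 0)
    dropped = counters.get("pakcetDropVerifyFail", 0)
    challenge = counters.get("sendRadiusChallenge", 0)
    findings = []
    # First relationship: every received request is either answered or dropped
    # at verification, so the three counters must balance.
    if recv != sent + dropped:
        findings.append("counter mismatch: {} received != {} sent + {} dropped"
                        .format(recv, sent, dropped))
    # Verification drops: the article says to analyze why; a shared-key mismatch
    # between the AC and the RADIUS server (listed later in the article) is one cause.
    if dropped > 0:
        findings.append("{} request(s) dropped at verification; check the shared key "
                        "and the AC's IP address on the RADIUS server".format(dropped))
    # Second relationship: check whether clients answer the Access-Challenge
    # packets along the host -> AP -> AC -> Policy Center path.
    if challenge < sent:
        findings.append("sendRadiusChallenge {} < sendRadiusPacketCount {}; check why "
                        "clients do not answer RADIUS Challenge packets".format(challenge, sent))
    return findings

if __name__ == "__main__":
    for finding in analyze_counters(parse_counters(SAMPLE_STATS)):
        print(finding)
```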

2. Enter https://<TSM Policy Center IP address>:8443 in the web browser to log in to the TSM Policy Center. Choose Users and Terminals > Department User > RADIUS Log > RADIUS Authentication Log and click Search to query all the logs in which the RADIUS authentication result is failed.



3. Click OK to filter out the records. Move the mouse onto Cause to view the failure causes and handling suggestions.


ESAP Fault Location:

View information about user online failures on the AC.



If wireless authentication fail is displayed, the WLAN component sends cut requests. In this case, you need to diagnose the WLAN component.

If Authentication fail is displayed, the RADIUS server replies with reject packets. In this case, you need to check the user name and password.

If the user name and password are correct, obtain packet headers on the RADIUS server to check whether it replies with reject packets. If so, diagnose the RADIUS server.

In PEAP authentication, the client directly exchanges authentication packets with the RADIUS server and the ESAP platform transparently transmits the packets. Therefore, the fault can easily be located through analysis on obtained packets.

The packets sent by the RADIUS server include EAP packets.


The EAP packets should match the packets obtained between the AP and AC.


When a fault occurs, collect packets sent by the RADIUS server and received by the AP and AC and compare the packets to locate the fault.

If the packets match, but the RADIUS server does not receive response packets, check whether the AP forwards the packets. If request packets but no response packets are obtained between the AP and AC, check the AP to determine whether the client does not reply at all or whether the replies are dropped on the air interface of the AP or AC.

If the packets do not match, the packets sent by the RADIUS server are not obtained between the AP and AC or the packets received by the AP and AC are not obtained on the RADIUS server. In either case, diagnose the ESAP platform for further analysis.

If clients are successfully authenticated, the number of EAP-Request and EAP-Response packets obtained between the AP and AC should be the same. If the number of EAP-Request packets is larger than the number of EAP-Response packets, diagnose the AP.

WLAN Fault Location:

Common reasons for user online failures are as follows:

    Association fails.

    Authentication fails.

    Generally, authentication failures occur in the following cases:

        The domain name is not bound with a valid authentication server.

        The IP address of the AC that functions as the AAA client is not configured on the RADIUS server.

        The shared key on the RADIUS server and that on the device are different.

        In Portal authentication, the IP addresses of clients are not added to the client authentication list on the Portal server.

    Terminals fail to obtain IP addresses.

You can run the following commands to check authentication failure information:

    display aaa abnormal-offline-record xxx

    display aaa online-fail-record

    display aaa offline-record

Whole process tracing can be used to further locate the faulty WLAN module.

Run the following commands to trace the entire client authentication process:

trace enable brief

trace object mac-address xxx

Run the following commands to trace the client association process:

station-trace probe station xxx

station-trace assoc station xxx

When clients cannot go online, run the following commands:

debugging wlan wsta all

debugging wlan wsec all





Root Cause
If the RADIUS server does not reply with a packet, the TSM Policy Center is faulty.

If the RADIUS server replies with a packet, but the AC/AP does not receive the packet, the fault occurs on the ESAP platform or WLAN component.

If the AC/AP receives the packet sent by the RADIUS server, but the RADIUS server does not receive a response from the AC/AP, the fault occurs on the ESAP platform or WLAN component.

If the packet sent by the RADIUS server matches the packet received by the AC but does not match the packet sent by the terminal host, the fault occurs on the WLAN component (Wi-Fi/AP).
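The EAP matching rules from the ESAP section and the four root-cause rules above amount to a decision procedure over the two captures. The following is an added example (not code from the article): each captured EAP frame is represented as (eap.code, eap.id) as Wireshark shows it, one list collected on the RADIUS server and one between the AP and AC; the capture contents are constructed, and the Identity phase is omitted for brevity.

```python
# Added example: applies the article's root-cause rules to two constructed
# capture summaries. A frame is (eap_code, eap_id), i.e. Wireshark's eap.code
# and eap.id fields, seen on the RADIUS server (EAP carried in RADIUS) and
# between the AP and AC (EAPOL).

FAULT_POLICY_CENTER = "Policy Center"
FAULT_ESAP_OR_WLAN = "ESAP platform or WLAN component"
FAULT_WLAN = "WLAN component (Wi-Fi/AP)"
NO_FAULT = "no mismatch"

def locate_fault(server_side, ap_ac_side):
    """Return (component to diagnose, detail) per the article's root-cause rules."""
    srv_req = {f for f in server_side if f[0] == "Request"}
    srv_resp = {f for f in server_side if f[0] == "Response"}
    air_req = {f for f in ap_ac_side if f[0] == "Request"}
    air_resp = {f for f in ap_ac_side if f[0] == "Response"}
    # Rule 1: the RADIUS server never replied at all.
    if not srv_req:
        return FAULT_POLICY_CENTER, "RADIUS server sent no EAP-Request"
    # Rule 2: the server replied, but the AC/AP never saw the packet.
    lost = sorted(i for _, i in srv_req - air_req)
    if lost:
        return FAULT_ESAP_OR_WLAN, "EAP-Request id(s) {} not seen between AP and AC".format(lost)
    # Rule 3: the client answered on the air side, but the server never got it.
    lost = sorted(i for _, i in air_resp - srv_resp)
    if lost:
        return FAULT_ESAP_OR_WLAN, "EAP-Response id(s) {} not received by the RADIUS server".format(lost)
    # Rule 4: the request reached the AC (possibly retransmitted) but the
    # client never replied, so the packet sent to the terminal has no match.
    answered = {i for _, i in air_resp}
    unanswered = sorted(i for _, i in srv_req if i not in answered)
    if unanswered:
        return FAULT_WLAN, "client did not answer EAP-Request id(s) {}".format(unanswered)
    return NO_FAULT, "every EAP-Request has a matching EAP-Response on both sides"

def request_response_gap(ap_ac_side):
    """The ESAP section's count check: EAP-Requests minus EAP-Responses between AP and AC."""
    reqs = sum(1 for code, _ in ap_ac_side if code == "Request")
    resps = sum(1 for code, _ in ap_ac_side if code == "Response")
    return reqs - resps

# Constructed scenario matching the article's timeout case: the AC transmits
# the second EAP-Request twice and the client never answers it.
SERVER_SIDE = [("Request", 1), ("Response", 1), ("Request", 2)]
AP_AC_SIDE = [("Request", 1), ("Response", 1), ("Request", 2), ("Request", 2)]

if __name__ == "__main__":
    print(locate_fault(SERVER_SIDE, AP_AC_SIDE))
    print("request/response gap between AP and AC:", request_response_gap(AP_AC_SIDE))
```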
Solution
Obtain and analyze packets transmitted between the RADIUS server and AC and between the AP and AC to find the causes of authentication failures.

Authentication timeout (without default authentication rule)

Choose Users and Terminals > Department User > RADIUS Log > RADIUS Authentication Log and click Search to query RADIUS authentication logs that record authentication timeout. Obtain the user's MAC address from the records.

The packet filtering condition is radius.Called_Station_Id == '11-11-11-11-11-11' || radius.State == 01:46:38:32:86:af:00:00:01:46:38:32:86:af.

The request packet is located using the user's MAC address and the RADIUS attribute value t=State(24): 01:46:38:32:86:af:00:00:01:46:38:32:86:af.

The following figure shows the complete exchange process of the packet.

The authentication times out because the client does not receive a response packet.


Obtain and analyze packets transmitted between the AP and AC. The analysis result shows that the client does not receive a response packet.

The packet filtering criterion is eapol && eth.addr == 00:00:52:e4:50:2e.

This criterion selects the EAP packets exchanged between the AP and AC for the user's MAC address.



According to the figure, the AC sends a packet to the client and transmits the packet twice, but it does not receive a response packet from the client. In this case, you need to diagnose the AP.

Authentication timeout (with a default authentication rule)

After the RADIUS server sends an Access-Challenge packet, the authentication process stops. Because a default authentication rule exists, the packet filtering criterion is as follows:



Obtain and analyze packets transmitted between the AP and AC. The analysis result shows that the fault occurs on the client or AP.

RADIUS server reachable

After the client sends Access-Request packets, the RADIUS server does not respond.



Obtain and analyze packets transmitted between the AP and AC. The analysis result shows that the response from the client contains a fatal error (unknown protocol version).
