
A user fails 802.1X authentication when accessing the WLAN through an AC6605 running V2R6C10SPC200

Publication Date:  2016-06-03 Views:  307 Downloads:  17
Issue Description

The network has one AC6605 running V2R6 and ten AP5030 APs. The forwarding mode is tunnel, the authentication mode is dot1x, and a Windows 2012 server acts as the RADIUS server. A DHCP server assigns IP addresses to users.

All APs broadcast a single SSID for all users. The customer wants to manage users with different roles (staff, students, guests and so on), so each role gets its own IP segment and VLAN. The RADIUS server, which holds all the accounts, assigns the VLAN and IP address for every terminal.

All terminals can access the WLAN and obtain a correct IP address, except some Windows 10 terminals, which cannot access the WLAN and do not get an IP address.

Handling Process

1: Check which model of terminal cannot access the WLAN.

Terminal 1 runs Windows 10 and its wireless adapter is an Intel(R) Dual Band Wireless-AC 7265, which our WLAN supports. A test on another terminal of the same model as terminal 1 works well, so this is not a hardware problem.

2: Check the 802.1X authentication configuration on the terminal.

Our product documentation shows how to configure Windows 7 but not Windows 10, so I created a configuration guide for Windows 10; the details are in the attachment.

After configuring 802.1X on the PC, it still could not access the Wi-Fi. Strangely, all terminals worked well except these few, although the configuration was identical on all of them.

When we

Note that Windows 10 differs from Windows 7. Normally no manual configuration is needed: the user just connects to the Wi-Fi and Windows 10 configures itself. When there is a problem, however, you must configure it manually in order to troubleshoot.

3: Trace the MAC address to find at which step the packets are lost.

[falcon]trace enable

[falcon]trace object mac-address 4c34-8878-59ce

[BTRACE][2016/05/06 17:36:23][WLAN_AC][4c34-8878-59ce]:[WSTA] Parse STA associate request message (ApName:a858-4059-e160 RadioId:1 WlanId:1 EssId:0).

[BTRACE][2016/05/06 17:36:23][WLAN_AC][4c34-8878-59ce]:[WSTA] Begin to process STA associate request message.

[BTRACE][2016/05/06 17:36:23][WLAN_AC][4c34-8878-59ce]:[WSTA] Begin to process STA associate add request.

[BTRACE][2016/05/06 17:36:23][WLAN_AC][4c34-8878-59ce]:[WSTA] End to process STA associate add request.

[BTRACE][2016/05/06 17:36:23][WLAN_AC][4c34-8878-59ce]:[WSTA] End to process STA associate request message.

[BTRACE][2016/05/06 17:36:23][WLAN_AC][4c34-8878-59ce]:[WSTA] Parse STA associate response message.

[BTRACE][2016/05/06 17:36:23][WLAN_AC][4c34-8878-59ce]:[WSTA] Process add STA request message.

[BTRACE][2016/05/06 17:36:23][WLAN_AC][4c34-8878-59ce]:[WSTA] Process add STA response message.

[BTRACE][2016/05/06 17:36:23][WLAN_AC][4c34-8878-59ce]:[WSEC] Initiate eapol start message.

[BTRACE][2016/05/06 17:36:23][EAPoL][4c34-8878-59ce]:Eapol received wlan associate request, trigger dot1x authentication.(MAC=,IfIndex=186,Vlan=1).

[BTRACE][2016/05/06 17:36:23][EAPoL][4c34-8878-59ce]:Eapol send authentication to ucm module successfully.(MAC=)

[BTRACE][2016/05/06 17:36:23][WLAN_AC][4c34-8878-59ce]:[WSTA] Process associate authentication successfully.

[BTRACE][2016/05/06 17:36:23][EAPoL][4c34-8878-59ce]:EAPOL Dot1x User Associate Start, Received Wlan Timer Message.(MAC=,Index=4294967295,CMIndex=4294967295)

[BTRACE][2016/05/06 17:36:23][EAPoL][4c34-8878-59ce]:Send a EAPoL request identity packet to user.

[BTRACE][2016/05/06 17:36:23][EAPoL][4c34-8878-59ce]:

  EAPOL packet: OUT

      4c 34 88 78 59 ce 70 54 f5 e1 d8 56 81 00 00 01

      88 8e 01 00 00 05 01 77 00 05 01

 

[BTRACE][2016/05/06 17:36:23][EAPoL][4c34-8878-59ce]:Send EAP_request packet to user successfully.(Index=399)

[BTRACE][2016/05/06 17:36:23][EAPoL][4c34-8878-59ce]:Receive start packet from user.

[BTRACE][2016/05/06 17:36:23][EAPoL][4c34-8878-59ce]:User is exist status, receive a eap start packet.

[BTRACE][2016/05/06 17:36:23][EAPoL][4c34-8878-59ce]:Receive a eap packet from user.

[BTRACE][2016/05/06 17:36:23][EAPoL][4c34-8878-59ce]:

  EAPOL packet: IN

      01 80 c2 00 00 03 4c 34 88 78 59 ce 81 00 00 01

      88 8e 01 01 00 00 00

This trace shows that the AC keeps sending the EAPoL request identity packet to the terminal and never gets past this step. On the terminal, the user is repeatedly asked to enter the username and password.
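As an added example (not part of the original case and not Huawei's code), the following Python decoder parses the two frames copied from the trace above: the 802.1Q tag shows the VLAN the STA was placed in, and the EAPOL/EAP headers show the AC's EAP-Request/Identity going out and the client's EAPOL-Start coming back. The frame layout it assumes is plain Ethernet II with an optional 802.1Q tag, as printed by the AC.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def fmt_mac(b):
    """Render 6 bytes in the xxxx-xxxx-xxxx form used in the AC's trace."""
    return "-".join(f"{b[i]:02x}{b[i + 1]:02x}" for i in (0, 2, 4))

def decode_eapol(hexdump):
    """Decode an Ethernet frame carrying EAPOL; returns a dict of fields."""
    raw = bytes.fromhex(hexdump)
    info = {"dst": fmt_mac(raw[0:6]), "src": fmt_mac(raw[6:12]), "vlan": None}
    off = 12
    ethertype = struct.unpack("!H", raw[off:off + 2])[0]
    if ethertype == 0x8100:                      # 802.1Q tag: VLAN the STA sits in
        info["vlan"] = struct.unpack("!H", raw[off + 2:off + 4])[0] & 0x0FFF
        off += 4
        ethertype = struct.unpack("!H", raw[off:off + 2])[0]
    if ethertype != 0x888E:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    off += 2
    version, ptype, length = struct.unpack("!BBH", raw[off:off + 4])
    info["eapol_version"] = version
    info["eapol_type"] = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    body = raw[off + 4:off + 4 + length]
    if ptype == 0 and len(body) >= 4:           # EAP-Packet: decode the EAP header
        code, ident, _ = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = ident
        if code in (1, 2) and len(body) >= 5:   # Request/Response carry a type byte
            info["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
    return info

# The two frames copied from the BTRACE output above (OUT = AC to STA, IN = STA to AC).
AC_TO_STA = ("4c 34 88 78 59 ce 70 54 f5 e1 d8 56 81 00 00 01 "
             "88 8e 01 00 00 05 01 77 00 05 01")
STA_TO_AC = ("01 80 c2 00 00 03 4c 34 88 78 59 ce 81 00 00 01 "
             "88 8e 01 01 00 00 00")

if __name__ == "__main__":
    for label, frame in (("OUT", AC_TO_STA), ("IN", STA_TO_AC)):
        print(label, decode_eapol(frame))
```

Both frames carry VLAN 1, one of the pool members that has no IP address or DHCP configured, which is consistent with the root cause found in step 4.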

4: Check the configuration on the AC6605.

We find that the customer created different VLANs for different user groups:

#

interface Vlanif52

 description AP's

 ip address 10.4.0.248 255.255.255.0

 dhcp select global

#

interface Vlanif603

 description eduroam-aveiro-roamers

 ip address 193.136.169.248 255.255.255.0

 dhcp select relay

 dhcp relay server-select dhcp-UA

#

interface Vlanif604

 description eduroam-visitantes

 ip address 192.168.15.248 255.255.252.0

 dhcp select relay

 dhcp relay server-select dhcp-UA

#

interface Vlanif605

 description eduroam-staff

 ip address 192.168.31.248 255.255.240.0

 dhcp select relay

 dhcp relay server-select dhcp-UA

#

interface Vlanif606

 description eduroam-alunos

 ip address 192.168.63.248 255.255.224.0

 dhcp select relay

 dhcp relay server-select dhcp-UA

#

But we also find that the customer configured a VLAN pool, because they want different users to get different IP addresses and VLANs.

#

vlan pool ua-vlan-pool

 vlan 1 52 603 to 606 609

#

From the VLAN pool configuration we can see that the pool includes VLANs 1, 52, 603, 604, 605, 606 and 609. But VLAN 1 and VLAN 609 have no IP address and no DHCP configured.

So we removed VLAN 1 and VLAN 609 from the VLAN pool and tested again; all terminals then worked well.

Root Cause

The customer misunderstood the VLAN pool function.

Since WLANs provide flexible access modes, STAs may connect to the same WLAN at the office entrance or stadium entrance, and then roam to different APs. If each SSID has only one service VLAN to deliver wireless access to STAs, IP address resources may become insufficient in areas where many STAs access the WLAN, and IP addresses in the other areas are wasted.

After a VLAN pool is created, add multiple VLANs to the VLAN pool and configure the VLANs as service VLANs. In this way, an SSID can use multiple service VLANs to provide wireless access services. STAs are dynamically assigned to VLANs in the VLAN pool, which reduces the number of STAs in each VLAN and also the size of the broadcast domain. Additionally, IP addresses are evenly allocated, preventing IP address waste.

With a VLAN pool, a terminal that accesses the Wi-Fi is assigned one VLAN from the pool by a hash of its MAC address. So if a terminal accesses the Wi-Fi for the first time and is assigned VLAN 609, which has no IP address or DHCP configured, it will not get an IP address. Because the AC remembers the terminal's MAC address for some time, the terminal is still assigned VLAN 609 the next time it connects, so it can never access the Wi-Fi.
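The check that would have caught the configuration in step 4 and the root cause above, as an added example that is not part of the original case or Huawei's tooling: parse the Vlanif blocks and the vlan pool from a config excerpt and list pool members that have no Layer 3 interface with both an IP address and a DHCP mode. The excerpt is a constructed, shortened copy of the configuration shown above (descriptions and relay server lines dropped); the parser assumes the VRP convention that "#" ends a block.

```python
import re
# Constructed, shortened copy of the AC configuration quoted above
# (descriptions and relay server lines dropped); "#" ends a block in VRP.
CONFIG = """
interface Vlanif52
 ip address 10.4.0.248 255.255.255.0
 dhcp select global
#
interface Vlanif603
 ip address 193.136.169.248 255.255.255.0
 dhcp select relay
#
interface Vlanif604
 ip address 192.168.15.248 255.255.252.0
 dhcp select relay
#
interface Vlanif605
 ip address 192.168.31.248 255.255.240.0
 dhcp select relay
#
interface Vlanif606
 ip address 192.168.63.248 255.255.224.0
 dhcp select relay
#
vlan pool ua-vlan-pool
 vlan 1 52 603 to 606 609
#
"""

def expand_vlan_list(spec):
    """Expand VRP list syntax such as '1 52 603 to 606 609' into a set of IDs."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    """Return (vlan -> has both 'ip address' and 'dhcp select', pool -> members)."""
    vlanifs, pools = {}, {}
    for block in text.split("#"):
        m = re.search(r"interface Vlanif(\d+)", block)
        if m:
            vlanifs[int(m.group(1))] = "ip address " in block and "dhcp select " in block
        m = re.search(r"vlan pool (\S+)\s+vlan ([\d to]+)", block)
        if m:
            pools[m.group(1)] = expand_vlan_list(m.group(2))
    return vlanifs, pools

def pool_members_without_dhcp(text):
    """Pool members a STA can be hashed into but that cannot hand out an address."""
    vlanifs, pools = parse_config(text)
    return {name: sorted(v for v in members if not vlanifs.get(v, False))
            for name, members in pools.items()}
```

Running `pool_members_without_dhcp(CONFIG)` on the excerpt reports VLANs 1 and 609 for ua-vlan-pool, the two members that had to be removed.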

Solution

Because the customer misunderstood the VLAN pool function, and the VLAN pool is not needed in this situation, simply delete the VLAN pool.

Suggestions

1: When the whole network uses dot1x authentication, the terminal-side configuration differs by terminal type. For the Windows 10 configuration, follow the attachment.

2: Understand the VLAN pool function. In this case the RADIUS server decides which VLAN and IP address a terminal uses, not the VLAN pool. For the VLAN pool scenario, see the details under Root Cause.

END