Customer Troubleshooting Procedure:
Troubleshooting Procedure of Huawei Technical Support Engineer:
Policy Center (TSM) Fault Location:
1. Open the tomcat.log file in the radius\logs directory of the Policy Center installation (installation directory\PolicyCenter\radius\logs), analyze the exceptions that occur while the RADIUS server processes authentication requests, and check the packet statistics for authentication and accounting on the RADIUS server.
The statistics in the command output should satisfy the following relationships:
recvRadiusPacketCount = sendRadiusPacketCount + pakcetDropVerifyFail
If pakcetDropVerifyFail is non-zero, analyze why the packets were dropped. A request fails verification when the Message-Authenticator it carries does not match the value the server computes with its own copy of the shared key, so the usual causes are a shared key that differs between the AC and the server, or an AC IP address that is not registered on the server (see the WLAN section below).
sendRadiusChallenge < sendRadiusPacketCount
If sendRadiusChallenge is smaller than sendRadiusPacketCount, analyze why the client does not reply to the Access-Challenge packets from the RADIUS server. The authentication exchange passes from the terminal host through the AP and the AC to Policy Center, so the reply can be lost at any of these hops.
2. Enter https://<Policy Center IP address>:8443 in the web browser to log in to Policy Center. Choose Users and Terminals > Department User > RADIUS Log > RADIUS Authentication Log and click Search to list all logs in which the RADIUS authentication result is failed.
3. Click OK to filter the records. Move the pointer over Cause to view the failure cause and the handling suggestion.
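To make the verify-fail counter and the identity above concrete, the following added example (written for this page, not Huawei's code) builds Access-Requests the way a NAS such as the AC would, verifies their Message-Authenticator the way the RADIUS server does (HMAC-MD5 keyed with the shared key, RFC 2869 section 5.14), and tallies the four counters once with a matching and once with a mismatched shared key. The key values, user name and EAP payload are constructed; the counter names are spelled exactly as the page prints them.

```python
import hashlib
import hmac
import os
import struct

# Constructed values (not from the page): the AC acting as NAS and the RADIUS
# server on Policy Center are assumed to be configured with these keys.
NAS_SHARED_KEY = b"ac-shared-key"
SERVER_SHARED_KEY_OK = b"ac-shared-key"
SERVER_SHARED_KEY_BAD = b"ac-shared-kay"   # one-character typo on the server side

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, eap_payload, secret):
    """Build an Access-Request carrying an EAP-Message plus a Message-Authenticator.

    The Message-Authenticator is HMAC-MD5, keyed with the shared secret, over the
    whole packet with the 16-byte authenticator value zeroed.
    """
    request_authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_EAP_MESSAGE, eap_payload)
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + request_authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server-side check: zero the received Message-Authenticator, recompute it
    with the server's copy of the shared secret and compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    zeroed = bytearray(packet)
    received = None
    i = 20
    while i < len(packet):
        if i + 2 > len(packet):
            return False
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if received is not None or attr_len != 18:
                return False
            received = packet[i + 2:i + 18]
            zeroed[i + 2:i + 18] = bytes(16)
        i += attr_len
    if received is None:
        return False  # a request carrying EAP-Message must include a Message-Authenticator
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def process_requests(packets, server_secret):
    """Model the server's counters: each received request is either dropped on a
    verify failure or answered (here always with an Access-Challenge)."""
    stats = {"recvRadiusPacketCount": 0, "sendRadiusPacketCount": 0,
             "sendRadiusChallenge": 0, "pakcetDropVerifyFail": 0}  # names as the server prints them
    for packet in packets:
        stats["recvRadiusPacketCount"] += 1
        if not verify_message_authenticator(packet, server_secret):
            stats["pakcetDropVerifyFail"] += 1
            continue
        stats["sendRadiusPacketCount"] += 1
        stats["sendRadiusChallenge"] += 1
    return stats


def counters_consistent(stats):
    """The identity from the procedure: recv = send + verify-fail drops."""
    return (stats["recvRadiusPacketCount"]
            == stats["sendRadiusPacketCount"] + stats["pakcetDropVerifyFail"])


def demo(server_secret):
    # Constructed EAP Response/Identity: code 2, id 1, length 10, type 1, "alice".
    eap_identity_response = bytes([2, 1, 0, 10, 1]) + b"alice"
    packets = [build_access_request(i, b"alice", eap_identity_response, NAS_SHARED_KEY)
               for i in range(1, 4)]
    return process_requests(packets, server_secret)


if __name__ == "__main__":
    for label, secret in (("matching key", SERVER_SHARED_KEY_OK),
                          ("mismatched key", SERVER_SHARED_KEY_BAD)):
        stats = demo(secret)
        print(label, stats, "consistent" if counters_consistent(stats) else "INCONSISTENT")
```

With the mismatched key every request becomes a pakcetDropVerifyFail drop while recvRadiusPacketCount = sendRadiusPacketCount + pakcetDropVerifyFail still holds, which is why a non-zero drop count points at the shared key or NAS registration on the server rather than at the user's credentials.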
ESAP Fault Location:
View information about user online failures on the AC.
If wireless authentication fail is displayed, the WLAN component has sent a cut (disconnect) request. In this case, diagnose the WLAN component.
If Authentication fail is displayed, the RADIUS server has replied with an Access-Reject packet. In this case, check the user name and password.
If the user name and password are correct, capture packets on the RADIUS server to confirm that it really sends the Access-Reject. If it does, diagnose the RADIUS server.
In PEAP authentication the client exchanges EAP packets directly with the RADIUS server and the ESAP platform only relays them, so the fault can be located by comparing packets captured at both ends.
The RADIUS packets sent by the server carry the EAP packets (in EAP-Message attributes).
These EAP packets should be identical to the EAP packets captured between the AP and the AC.
When a fault occurs, capture the packets sent by the RADIUS server and the packets received by the AP and AC, and compare them to locate the fault.
If the packets match but the RADIUS server receives no response, check whether the AP forwards the packets. If only request packets and no response packets appear between the AP and AC, check on the AP whether the client does not reply or whether the packets are dropped on the air interface of the AP or by the AC.
If the packets do not match, either the packets sent by the RADIUS server do not appear between the AP and AC, or the packets received by the AP and AC do not reach the RADIUS server. In either case, diagnose the ESAP platform.
For a successfully authenticated client, the number of EAP-Request packets captured between the AP and AC equals the number of EAP-Response packets. If there are more EAP-Request than EAP-Response packets, diagnose the AP.
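The comparison described above, as an added example written for this page (not Huawei's tooling): it reassembles the EAP packet from the EAP-Message attributes of a RADIUS packet captured on the server, strips the EAPOL header from frames captured between AP and AC, matches the two sides by EAP code and identifier, and counts EAP-Request against EAP-Response frames to produce the same decision the procedure describes. The RADIUS packet, EAP-Request/PEAP and EAP-Response/PEAP bytes are constructed samples, not real captures, and the ESAP-side capture of packets travelling back to the server is assumed to be compared the same way.

```python
import struct

EAPOL_TYPE_EAP_PACKET = 0
CODE_ACCESS_CHALLENGE = 11
ATTR_EAP_MESSAGE = 79
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_PEAP = 25


def radius_attrs(packet):
    """Yield (type, value) for every attribute after the 20-byte RADIUS header."""
    i = 20
    while i + 2 <= len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield attr_type, packet[i + 2:i + attr_len]
        i += attr_len


def eap_from_radius(packet):
    """Reassemble the EAP packet: a long EAP message is split over several
    EAP-Message attributes that must be concatenated in order (RFC 3579)."""
    return b"".join(v for t, v in radius_attrs(packet) if t == ATTR_EAP_MESSAGE)


def eap_from_eapol(frame):
    """Strip the 4-byte EAPOL header (version, type, body length) from a frame
    captured between AP and AC; return None if the frame is not an EAP-Packet."""
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        return None
    return frame[4:4 + body_len]


def eap_key(eap):
    """(code, identifier) identifies one EAP packet within a conversation."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field %d does not match %d bytes" % (length, len(eap)))
    return code, ident


def compare_captures(server_packets, air_frames):
    """Return the (code, id) keys of EAP packets the server sent that are absent
    or byte-for-byte different between AP and AC."""
    server = {eap_key(e): e for e in map(eap_from_radius, server_packets) if e}
    air = {}
    for frame in air_frames:
        eap = eap_from_eapol(frame)
        if eap:
            air[eap_key(eap)] = eap
    return sorted(k for k, e in server.items() if air.get(k) != e)


def count_eap(air_frames):
    """Count EAP-Request and EAP-Response packets seen between AP and AC."""
    requests = responses = 0
    for frame in air_frames:
        eap = eap_from_eapol(frame)
        if not eap:
            continue
        if eap[0] == EAP_CODE_REQUEST:
            requests += 1
        elif eap[0] == EAP_CODE_RESPONSE:
            responses += 1
    return requests, responses


def diagnose(server_packets, air_frames):
    """Apply the decision from the procedure to the two captures."""
    if compare_captures(server_packets, air_frames):
        return "server and AP/AC captures differ: diagnose the ESAP platform"
    requests, responses = count_eap(air_frames)
    if requests > responses:
        return "client did not answer every EAP-Request: diagnose the AP and air interface"
    return "captures match and every EAP-Request was answered"


def radius_packet(code, identifier, attrs):
    """Constructed RADIUS packet with a zero authenticator (enough for attribute parsing)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def eapol(eap):
    """Wrap an EAP packet in an EAPOL (802.1X-2004, version 2) EAP-Packet frame."""
    return struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


# Constructed samples: an EAP-Request/PEAP (id 3, 26 bytes) that the server splits over
# two EAP-Message attributes, and the client's EAP-Response/PEAP with the same id.
EAP_REQ_PEAP = bytes([EAP_CODE_REQUEST, 3, 0, 26, EAP_TYPE_PEAP, 0x20]) + b"\x16\x03\x01" + bytes(17)
EAP_RESP_PEAP = bytes([EAP_CODE_RESPONSE, 3, 0, 14, EAP_TYPE_PEAP, 0x00]) + b"\x16\x03\x01" + bytes(5)
SERVER_CHALLENGE = radius_packet(CODE_ACCESS_CHALLENGE, 3, [(ATTR_EAP_MESSAGE, EAP_REQ_PEAP[:10]),
                                                            (ATTR_EAP_MESSAGE, EAP_REQ_PEAP[10:])])

if __name__ == "__main__":
    print(diagnose([SERVER_CHALLENGE], [eapol(EAP_REQ_PEAP), eapol(EAP_RESP_PEAP)]))
    print(diagnose([SERVER_CHALLENGE], [eapol(EAP_REQ_PEAP)]))
    print(diagnose([SERVER_CHALLENGE], []))
```

The three calls at the end reproduce the three branches of the procedure: a healthy exchange, a request that the client never answered (AP or air interface), and a server packet that never shows up between AP and AC (ESAP platform).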
WLAN Fault Location:
Common causes of user online failures are as follows. Authentication generally fails in the following cases:
The domain name is not bound with a valid authentication server.
The IP address of the AC that functions as the AAA client is not configured on the RADIUS server.
The shared key on the RADIUS server and that on the device are different.
In Portal authentication, the IP addresses of clients are not added to the client authentication list on the Portal server.
Terminals fail to obtain IP addresses.
You can run the following commands to check authentication failure information:
display aaa abnormal-offline-record xxx
display aaa online-fail-record
display aaa offline-record
Whole-process tracing can be used to further locate the faulty WLAN module.
Run the following commands to trace the entire client authentication process for one MAC address:
trace enable brief
trace object mac-address xxx
Run the following commands to trace the client association process:
station-trace probe station xxx
station-trace assoc station xxx
When clients cannot go online, run the following debugging commands:
debugging wlan wsta all
debugging wlan wsec all