Case Study: STA 802.1X Authentication Fails Because the Response Packet from the RADIUS Server Does Not Carry the Message-Authenticator Attribute
Symptom
802.1X authentication and RADIUS authentication are configured on an AC. STAs fail to be authenticated after connecting to APs.
Relevant Alarms and Logs
None
Cause Analysis
The response packet sent by the RADIUS server does not carry the Message-Authenticator attribute.
Message-Authenticator is RADIUS attribute number 80. It is a keyed hash over the whole packet, computed with the RADIUS shared secret, that lets the AC and the server verify that an authentication packet is genuine and reject spoofed ones. The attribute is mandatory in 802.1X (EAP over RADIUS) authentication packets, so the AC discards a server reply that does not carry it.
Procedure
- Reproduce the fault and use the trace function to check the authentication packet exchange process.
[AC] trace object mac-address sta-mac
[AC] trace enable
The trace output shows that the AC discards the reply from the RADIUS server as an illegal packet (Eap Authenticator error) and then reports that RADIUS authentication has no response, so the STA does not receive the response packet from the RADIUS server.
[BTRACE][2021/03/24 17:43:27][8448][RADIUS][xxxx-xxxx-xxxx]: Server Template: 5 [User-Name ] [9 ] [1201958] [Message-Authenticator ] [18] [cc 5b 11 e3 b2 ec a8 2a 5b 09 09 c1 10 ee 6c 79 ] [Called-Station-Id ] [26] [yy-yy-yy-yy-yy-yy:LY-NAC]
[BTRACE][2021/03/24 17:43:27][8448][RADIUS][xxxx-xxxx-xxxx]:
[BTRACE][2021/03/24 17:43:27][8448][RADIUS][xxxx-xxxx-xxxx]:Receive a illegal packet(Eap Authenticator error).
[BTRACE][2021/03/24 17:43:29][8448][AAA][xxxx-xxxx-xxxx]: AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(235).
[BTRACE][2021/03/24 17:43:29][8448][AAA][xxxx-xxxx-xxxx]:Radius authentication has no response.
[BTRACE][2021/03/24 17:43:29][8448][AAA][xxxx-xxxx-xxxx]: [AAA ERROR]authen finish,the authen fail code is:7,reason is:Radius authentication has no response.
- Capture and analyze the packets with a packet capture tool. The capture shows that the response packets sent by the RADIUS server do not contain the Message-Authenticator attribute, while the requests sent by the AC do.
The attribute carried in packets sent by the AC is displayed as follows:
- Modify the configuration on the RADIUS server to ensure that authentication packets carry the Message-Authenticator attribute.
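The following Python example is added here to make the cause analysis and the fix concrete; it is not part of the case study and not vendor code. It implements the Message-Authenticator computation (HMAC-MD5 over Code, Identifier, Length, Request Authenticator and Attributes, with the attribute's own value zeroed, as specified in RFC 2869 and RFC 3579) together with the RFC 2865 Response Authenticator, and a NAS-side check that mirrors what the AC does in the trace above: a reply that carries EAP-Message but no Message-Authenticator is discarded, which is why the AC reports "no response". The shared secret, Request Authenticator and EAP payload are constructed sample values; `build_response(..., include_ma=False)` reproduces the misconfigured server, and `include_ma=True` shows what the corrected server must send.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types used here (RFC 2865, RFC 2869)
ACCESS_ACCEPT = 2
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed sample values for the demonstration (not taken from the case study)
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))        # Request Authenticator of the Access-Request being answered
EAP_SUCCESS = b"\x03\x05\x00\x04"  # EAP Success, identifier 5, length 4


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse the attribute section back into (type, value) pairs, rejecting bad lengths."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[2:length]))
        data = data[length:]
    return attrs


def message_authenticator(code, ident, req_auth, attrs, secret):
    """HMAC-MD5 over Code|Identifier|Length|RequestAuth|Attributes (RFC 3579 section 3.2),
    with the Message-Authenticator value itself set to 16 zero bytes while hashing.
    Replies are keyed to the Request Authenticator of the Access-Request they answer."""
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hmac.new(secret, header + req_auth + body, hashlib.md5).digest()


def build_response(code, ident, req_auth, attrs, secret, include_ma=True):
    """Build a server reply. include_ma=False reproduces the misconfigured RADIUS server."""
    attrs = list(attrs)
    if include_ma:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, sets the length
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, req_auth, attrs, secret))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator (RFC 2865): MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def validate_response(packet, req_auth, secret):
    """NAS-side (AC-side) check of a RADIUS reply. Returns (accepted, reason)."""
    if len(packet) < 20:
        return False, "packet shorter than RADIUS header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length field does not match packet size"
    body = packet[20:]
    expected_resp_auth = hashlib.md5(packet[:4] + req_auth + body + secret).digest()
    if not hmac.compare_digest(expected_resp_auth, packet[4:20]):
        return False, "Response Authenticator mismatch (wrong secret or tampered packet)"
    try:
        attrs = decode_attrs(body)
    except ValueError as exc:
        return False, str(exc)
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _ in attrs)
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if has_eap and not mas:
        # RFC 3579 section 3.2: a reply carrying EAP-Message without
        # Message-Authenticator is silently discarded by the NAS.
        return False, "EAP-Message present but Message-Authenticator missing"
    for ma in mas:
        if len(ma) != 16 or not hmac.compare_digest(
                ma, message_authenticator(code, ident, req_auth, attrs, secret)):
            return False, "Message-Authenticator mismatch"
    return True, "ok"


if __name__ == "__main__":
    eap_attrs = [(ATTR_EAP_MESSAGE, EAP_SUCCESS)]
    good = build_response(ACCESS_ACCEPT, 7, REQ_AUTH, eap_attrs, SECRET)
    bad = build_response(ACCESS_ACCEPT, 7, REQ_AUTH, eap_attrs, SECRET, include_ma=False)
    print("server with Message-Authenticator:   ", validate_response(good, REQ_AUTH, SECRET))
    print("server without Message-Authenticator:", validate_response(bad, REQ_AUTH, SECRET))
```

The check order matters: the Response Authenticator (MD5 with the secret) only proves the reply came from a holder of the shared secret, whereas Message-Authenticator is what binds the EAP payload, so a reply with EAP-Message and no Message-Authenticator is rejected even when its Response Authenticator is correct. That is the situation the capture in step 2 shows, and it is why the fix is on the server side rather than on the AC.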