Case Study: STA 802.1X Authentication Fails Because the dot1x-access-profile Configuration Is Lost in the Authentication Profile
Symptom
A STA fails 802.1X authentication. After the account is entered on the PC, the authentication times out.
Relevant Alarms and Logs
None
Cause Analysis
The dot1x-access-profile configuration does not exist in the authentication profile.
Procedure
- Reproduce the fault and use the trace function to check the authentication packet exchange process. It is found that the EAP request packet is sent successfully, but the AC does not receive the EAP-Response/Identity packet.
[AC] trace object mac-address sta-mac
[AC] trace enable
- Use the station trace function to check the STA online process. The result shows that the Wi-Fi module of the AP receives the EAP-Response/Identity packet and forwards it to the AC.
- Configure bidirectional port mirroring on the AC interface connected to the PoE switch and capture packets with a packet capture tool.
According to the packet analysis, the AC does not exchange packets with the STA after the STA responds with an EAP Response packet.
- Check the forwarding process of EAP response packets through debugging on the AC.
[AC-diagnose] debug cap print condition inner eap response   //Add the inner command word when EAP packets are sent to the AC through the tunnel.
[AC-diagnose] debug cap print condition inner src-mac sta-mac
The detailed information is as follows:
After the EAP response is sent to the CP, no further forwarding is recorded.
According to the preceding information, packet forwarding on the AC side is abnormal.
- Check the 802.1X authentication configuration on the AC. It is found that dot1x-access-profile is not bound to the authentication profile.
- Add the dot1x-access-profile configuration to the authentication profile.
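Because this fault produces no alarms or logs, an offline check of the saved configuration can catch the lost binding before users hit the timeout. The script below is an added example, not part of the original case study or a vendor tool: it flags authentication profiles that have no dot1x-access-profile bound, or that are bound to one not present in the text. It assumes the configuration lists each profile as "authentication-profile name X" followed by indented sub-commands and "#" separators; all profile names in the sample are constructed, and a default profile that the device omits from saved output would be reported as not defined.

```python
import re

# Constructed sample in the layout of saved AC configuration text; all names are made up.
SAMPLE_CONFIG = """\
authentication-profile name corp-dot1x
 authentication-scheme radius-auth
 radius-server corp-radius
#
authentication-profile name lab-dot1x
 dot1x-access-profile lab-d1
 authentication-scheme radius-auth
#
authentication-profile name guest-dot1x
 dot1x-access-profile missing-d1
#
dot1x-access-profile name lab-d1
#
"""

def parse_blocks(config, keyword):
    """Return {name: [sub-lines]} for every top-level '<keyword> name X' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(rf"{re.escape(keyword)} name (\S+)\s*$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '#' or another top-level command closes the block
    return blocks

def audit_dot1x_binding(config, expected=None):
    """Flag profiles with a missing or dangling 802.1X binding (expected=None: audit all)."""
    defined = set(parse_blocks(config, "dot1x-access-profile"))
    findings = {}
    for name, lines in parse_blocks(config, "authentication-profile").items():
        if expected is not None and name not in expected:
            continue
        bound = [l.split()[1] for l in lines if re.match(r"dot1x-access-profile \S", l)]
        if not bound:
            findings[name] = "no dot1x-access-profile bound"
        elif bound[0] not in defined:
            findings[name] = f"dot1x-access-profile {bound[0]} not defined in this text"
    return findings

if __name__ == "__main__":
    for profile, finding in audit_dot1x_binding(SAMPLE_CONFIG).items():
        print(f"{profile}: {finding}")
```

Pass the names of the authentication profiles used by 802.1X SSIDs as expected so that profiles intended for other authentication modes are not flagged.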