No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
WLAN Troubleshooting Guide
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Case Study: STA 802.1X Authentication Fails Because the RADIUS Server Does Not Support WPA3-related Attributes

Case Study: STA 802.1X Authentication Fails Because the RADIUS Server Does Not Support WPA3-related Attributes

Symptom

An AC is connected to a third-party RADIUS server and 802.1X authentication is configured on the AC. After the AC is upgraded from V200R010C00SPC700 to V200R019C00SPC500, STA 802.1X authentication fails.

Relevant Alarms and Logs

None

Cause Analysis

The RADIUS server does not support WPA3-related attributes.

Procedure

  1. Reproduce the fault and use the trace function to check the authentication packet exchange process.

    [AC] trace object mac-address sta-mac
[AC] trace enable

    The command output shows that the RADIUS server returns E63161: xxx_INVALID_WPA3_AUTH_CIPHERSUITE_SELECTOR. Check the error information on the third-party RADIUS server. E63161 indicates that the cipher suite selector attribute in WPA3 authentication is invalid. Therefore, the third-party RADIUS server does not support WPA3-related attributes.

    [BTRACE][2020/09/15 00:45:13][1024][RADIUS][x-x-x]:
Send a authentication request packet to radius server( server ip = x.x.x.x).
[WLAN-Pairwise-Cipher          ] [6 ] [0]
[WLAN-Group-Cipher             ] [6 ] [0]
[WLAN-AKM-Suite                ] [6 ] [0]
[WLAN-Group-Mgmt-Cipher        ] [6 ] [0]
[BTRACE][2020/09/15 00:45:13][1024][RADIUS][x-x-x]:
Received a authentication reject packet from radius server(server ip = x.x.x.x).
[Reply-Message                      ] [53] [E63161: H3C_INVALID_WPA3_AUTH_CIPHERSUITE_SELECTOR.]
[WLAN-Reason-Code                   ] [6 ] [23]
[Message-Authenticator              ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
[BTRACE][2020/09/15 00:45:13][1024][AAA][e0cc-f876-4590]:Radius authentication is rejected.

  2. Configure the AC not to send the WPA3 attribute to the RADIUS server.

    <AC> system-view 
[AC] radius-server template test1 
[AC-radius-test1] radius-server attribute translate 
[AC-radius-test1] radius-attribute disable WLAN-Group-Cipher send
[AC-radius-test1] radius-attribute disable WLAN-AKM-Suite send
[AC-radius-test1] radius-attribute disable WLAN-Pairwise-Cipher send
[AC-radius-test1] radius-attribute disable WLAN-Group-Mgmt-Cipher send

Translation
简体中文
Download
Updated: 2023-06-02

Document ID: EDOC1000060368

Views: 1833452

Downloads: 5821

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :