Common 802.1X Authentication Failures
- The RADIUS Server Returns an Access-Reject Packet
- The RADIUS Server Does Not Respond
- Authorization Data Check on the RADIUS Server Fails
- The User Account Is Locked Out
- The MAC Address of the STA Is Added to the Quiet Table
- The STA Does Not Respond to EAP Packets
- Four-Way Handshake Fails
- Periodic Reauthentication After Successful Authentication
The RADIUS Server Returns an Access-Reject Packet
Run the display aaa online-fail-record mac-address H-H-H command to check the STA's online failure records. In the command output, the User online fail reason field displays Radius authentication reject.
[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name : test
Domain name : domain_test
User MAC : 64e5-99f3-18f6
User access type : 802.1x
User access interface : Wlan-Dbss17496
Qinq vlan/User vlan : 0/200
User IP address : -
User IPV6 address : -
User ID : 32846
User login time : 2020/10/19 14:53:22
User online fail reason : Radius authentication reject
Authen reply message : ErrorReason is Incorrect user na...
User name to server : test
AP ID : 0
Radio ID : 0
AP MAC : 18de-d777-c120
SSID : dot1x_test
----------------------------------------------------------------
Based on the service diagnosis function, trace the authentication process of the STA. It is found that the RADIUS server responds with an Access-Reject packet.
[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
[BTRACE][2020/10/19 14:53:23][6144][RADIUS][64e5-99f3-18f6]: Received a authentication reject packet from radius server(server ip = 10.10.10.1).
[BTRACE][2020/10/19 14:53:23][6144][RADIUS][64e5-99f3-18f6]: Server Template: 4 Server IP : 10.10.10.1 Server Port : 1812 Protocol: Standard Code : 3 Len : 176 ID : 80
[EAP-Message ] [6 ] [04 22 00 04 ]
[State ] [16] [\001u?\237\372O]
[Reply-Message ] [116] [ErrorReason is Incorrect user name or password or Incorrect dataSource or Incorrect access device key.ErrCode:4101]
[Message-Authenticator ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
[BTRACE][2020/10/19 14:53:23][6144][RADIUS][64e5-99f3-18f6]:Send authentication reject message to AAA.
[BTRACE][2020/10/19 14:53:23][6144][AAA][64e5-99f3-18f6]: AAA receive AAA_RD_MSG_AUTHENREJECT message(51) from RADIUS module(235).
There are various causes for this problem, for example, the user name or password is incorrect, or the authorization policy fails to be matched. You can locate the root cause by checking server logs and adjust the server, terminal, or device configuration.
The RADIUS Server Does Not Respond
Run the display aaa online-fail-record mac-address H-H-H command to check the STA's online failure records. In the command output, User online fail reason displays The radius server is up but has no reply or The radius server is not reachable.
[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name : test
Domain name : domain_test
User MAC : 64e5-99f3-18f6
User access type : 802.1x
User access interface : Wlan-Dbss17496
Qinq vlan/User vlan : 0/200
User IP address : -
User IPV6 address : -
User ID : 32861
User login time : 2020/10/19 17:01:02
User online fail reason : The radius server is up but has no reply
Authen reply message : -
User name to server : test
AP ID : 0
Radio ID : 0
AP MAC : 18de-d777-c120
SSID : dot1x_test
----------------------------------------------------------------
[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name : test
Domain name : domain_test
User MAC : 64e5-99f3-18f6
User access type : 802.1x
User access interface : Wlan-Dbss17496
Qinq vlan/User vlan : 0/200
User IP address : -
User IPV6 address : -
User ID : 32865
User login time : 2020/10/19 20:43:21
User online fail reason : The radius server is not reachable
Authen reply message : -
User name to server : test
AP ID : 0
Radio ID : 0
AP MAC : 18de-d777-c120
SSID : dot1x_test
----------------------------------------------------------------
Based on the service diagnosis function, trace the authentication process of the STA. It is found that the RADIUS server does not respond.
[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]: AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(235).
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]: CID:51 TemplateNo:4 SerialNo:62 SrcMsg:AAA_RD_MSG_AUTHENREQ PriyServer::: Vrf:0 SendServer:10.10.10.1 Vrf:0
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]:Radius server is up but no response.
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]authen finish,the authen fail code is:8,reason is:Radius server is up but no response.
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]: AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(235).
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]: CID:55 TemplateNo:4 SerialNo:69 SrcMsg:AAA_RD_MSG_AUTHENREQ PriyServer::: Vrf:0 SendServer:10.10.10.1 Vrf:0
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]:Radius authentication has no response.
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]authen finish,the authen fail code is:7,reason is:Radius authentication has no response.
Troubleshoot the fault as follows:
- Check whether the IP address of the device is correctly added to the RADIUS server.
If not, add the correct IP address of the device to the RADIUS server.
- If the IP address of the device is correctly added to the RADIUS server, check whether the IP address of the device is the same as the source IP address of RADIUS authentication request packets sent by the device.
You can run the corresponding command to configure the source IP address of RADIUS authentication request packets sent by the device. If the source IP address is not configured using the command, the IP address of the outbound interface in the route is used. If the IP address of the device added to the RADIUS server is the same as the IP address of the outbound interface in the route, you do not need to configure the source IP address for communicating with the RADIUS server on the device. If they are not the same, run the corresponding command to configure the source IP address.
- Search the routing table for the outbound interface based on the IP address of the RADIUS server, and then determine the IP address based on the outbound interface. If the IP address of the device added to the RADIUS server is the same as the IP address of the outbound interface in the route, you do not need to run the command to configure the source IP address for communicating with the RADIUS server.
[HUAWEI] display ip routing-table 10.10.10.1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.10.10.0/24       Direct  0    0         D     10.10.10.76     Vlanif12
[HUAWEI] interface Vlanif 12
[HUAWEI-Vlanif12] display this
#
interface Vlanif12
 ip address 10.10.10.76 255.255.255.0
#
- If the IP address of the device added to the RADIUS server is different from the IP address of the outbound interface in the route, configure the source IP address for communicating with the RADIUS server on the device. The source IP address can be configured globally or in a RADIUS server template. The source IP address configured in a RADIUS server template takes precedence over that configured globally.
If wireless configuration synchronization is enabled in a VRRP HSB scenario, you can configure the source IP address for communicating with the RADIUS server only in the system view. In a single-device scenario, you are advised to configure the source IP address in the RADIUS server template.
Query the source IP address configured on the device for communicating with the RADIUS server.
- Check whether the source IP address for communicating with the RADIUS server is configured globally.
[HUAWEI] display radius-server configuration
------------------------------------------------------
Global:
Radius Server Source IP Address : -
Radius Server Source IPv6 Address : ::
Radius Attribute Nas IP Address : -
Radius Attribute Nas IPv6 Address : ::
------------------------------------------------------
[HUAWEI] display radius-server configuration
------------------------------------------------------
Global:
Radius Server Source IP Address : 100.1.1.1
Radius Server Source IPv6 Address : ::
Radius Attribute Nas IP Address : -
Radius Attribute Nas IPv6 Address : ::
------------------------------------------------------
If Radius Server Source IP Address displays -, no source IP address is configured globally. If a specific IP address is displayed, the source IP address is configured globally.
- Check whether the source IP address for communicating with the RADIUS server is configured in the RADIUS server template.
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] display this
#
radius-server template radius_test
 radius-server shared-key cipher %^%#x\[y<Fe^2Dee<5/L>B5Wd"!3GqH6,@[kW(Xi6PYA%^%#
 radius-server authentication 10.10.10.1 1812 source ip-address 100.1.1.1 weight 80
 radius-server accounting 10.10.10.1 1813 source ip-address 100.1.1.1 weight 80
#
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] display this
#
radius-server template radius_test
 radius-server shared-key cipher %^%#x\[y<Fe^2Dee<5/L>B5Wd"!3GqH6,@[kW(Xi6PYA%^%#
 radius-server authentication 10.10.10.1 1812 source Vlanif 100 weight 80
 radius-server accounting 10.10.10.1 1813 source Vlanif 100 weight 80
If source ip-address or source Vlanif is displayed next to the authentication or accounting server in the RADIUS server template, the source IP address is configured in the RADIUS server template.
Configure the source IP address for communicating with the RADIUS server.
- Configure the source address for communicating with the RADIUS server in the system view.
[HUAWEI] radius-server source ip-address 100.1.1.1
- Configure the source IP address for communicating with the RADIUS server in the RADIUS template.
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] radius-server authentication 10.10.10.1 1812 source ip-address 100.1.1.1
- Check whether the link between the device and RADIUS server is normal.
- Ping the server from the specified source IP address on the device to check whether the route is reachable.
[HUAWEI] ping -a 10.10.10.76 10.10.10.1
- Obtain packets on the device and server to check whether authentication packets are sent and received normally. The common problem is that a firewall on the intermediate network does not permit RADIUS packets (default authentication port: 1812).
- Check whether the RADIUS server status is normal. If STState does not display STState-up, the RADIUS server status is abnormal.
[HUAWEI] display radius-server item template radius_test
---------------------------------------------------------------
STState = STState-up
STChgTime = -
Type = auth-server
State = state-up
AlarmFlag = false
STUseNum = 1
IPAddress = 10.10.10.76
AlarmTimer = 0xffffffff
Head = 10274
Tail = 10273
ProbeID = 255
--------------------------------------------------------------
- Check whether the shared key configured on the device is the same as that on the RADIUS server. You can run the test-aaa command and enable RADIUS debugging. If Authenticator error is displayed in the debugging information, the shared keys configured on the device and RADIUS server are inconsistent. In this case, change the shared keys on the device and RADIUS server to be the same.
[HUAWEI] test-aaa test test radius-template radius_test
[HUAWEI]
Oct 24 2020 15:57:49.591.1+08:00 AC6605_129_76 RDS/7/DEBUG:
RADIUS packet: IN (TotalLen=20)
Len 1 ~ 20: 02 08 00 14 F6 DA 06 57 40 25 32 2A A9 70 6E FD 46 F6 B1 25
[HUAWEI]
Oct 24 2020 15:57:49.591.2+08:00 AC6605_129_76 RDS/7/DEBUG:
[RDS(Err):] Receive a illegal packet(Authenticator error), please check share key config.(ip:10.10.10.1 port:1812)
You can configure a shared key for a specified RADIUS server in the system view or in the RADIUS server template view. The shared key configured in the system view takes precedence over that configured in the RADIUS server template view.
You are advised to configure the shared key in the RADIUS server template. If the shared key is configured in both the system and template, you are advised to delete the global configuration and retain only the configuration in the template.
Configure a shared key in the RADIUS server template.
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] radius-server shared-key cipher huawei@123
Configure a shared key of the RADIUS server globally.
[HUAWEI] radius-server ip-address 10.10.10.1 shared-key cipher huawei@123
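The "Authenticator error" above is the device rejecting a reply whose Response Authenticator does not verify under its own shared key. The following Python is an added example (not Huawei code): it models the server signing its reply per RFC 2865 (MD5 over Code, ID, Length, Request Authenticator, attributes and secret) and the device recomputing that value. The key huawei@123 and the request ID 80 are taken from this page's examples; everything else is constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, REPLY_MESSAGE = 1, 18          # RADIUS attribute numbers


def encode_attributes(attrs):
    """RFC 2865 attributes: Type (1 byte), Length (1 byte, header included), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def nas_build_request(ident, username, request_auth=None):
    """Device (NAS) side: Access-Request carrying a fresh random Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    packet = build_packet(ACCESS_REQUEST, ident, request_auth, [(USER_NAME, username)])
    return packet, request_auth


def server_reply(request, server_secret, code, attrs):
    """Server side: echo the request Identifier and sign the reply with the server's key."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, request_auth, encode_attributes(attrs), server_secret)
    return build_packet(code, ident, auth, attrs)


def nas_verify_reply(reply, request_auth, nas_secret):
    """Device side: recompute the Response Authenticator with the device's own key.
    A mismatch is what the RDS debugging output reports as 'Authenticator error'."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, request_auth, reply[20:], nas_secret)
    return hmac.compare_digest(reply[4:20], expected)


def exchange(nas_secret, server_secret):
    """One Access-Request / Access-Reject round trip; True if the device accepts the reply."""
    request, request_auth = nas_build_request(80, b"test")   # ID 80 as in the trace above
    reply = server_reply(request, server_secret, ACCESS_REJECT,
                         [(REPLY_MESSAGE, b"ErrorReason is Incorrect user name or password")])
    return nas_verify_reply(reply, request_auth, nas_secret)


if __name__ == "__main__":
    print("same key  :", exchange(b"huawei@123", b"huawei@123"))   # True
    print("wrong key :", exchange(b"huawei@123", b"wrong-key"))    # False
```

Because the check covers the attributes too, a reply whose contents were altered in transit fails the same way as one signed with the wrong key.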
Authorization Data Check on the RADIUS Server Fails
Run the display aaa online-fail-record mac-address H-H-H command to check the STA's online failure records. In the command output, the User online fail reason field displays Authorization data error.
[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name : test
Domain name : domaintest
User MAC : 64e5-99f3-18f6
User access type : 802.1x
User access interface : Wlan-Dbss17496
Qinq vlan/User vlan : 0/200
User IP address : -
User IPV6 address : -
User ID : 32873
User login time : 2020/10/24 16:32:34
User online fail reason : Authorization data error
Authen reply message : -
User name to server : test
AP ID : 0
Radio ID : 0
AP MAC : 18de-d777-c120
SSID : dot1x_test
----------------------------------------------------------------
The RADIUS server delivers authorization content (such as a VLAN or an ACL), but that content is not configured on the device. For example, the authorization VLAN or authorization ACL has not been created on the device.
Based on the service diagnosis function, trace the authentication process of the STA and check authorization data delivered by the RADIUS server.
[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
- Authorization VLAN check failure
[BTRACE][2020/10/24 16:48:14][6144][RADIUS][64e5-99f3-18f6]: Received a authentication accept packet from radius server(server ip = 12.12.12.1).
[BTRACE][2020/10/24 16:48:14][6144][RADIUS][64e5-99f3-18f6]: Server Template: 4 Server IP : 12.12.12.1 Server Port : 1812 Protocol: Standard Code : 2 Len : 194 ID : 194
[Tunnel-Type ] [6 ] [13]
[Tunnel-Medium-Type ] [6 ] [6]
[Tunnel-Private-Group-ID ] [6 ] [201]
[EAP-Message ] [6 ] [03 4a 00 04 ]
[State ] [16] [\001uY\311\025N]
[MS-MPPE-Send-Key ] [52] [fb a1 e9 55 16 62 a3 e5 da 35 fc ce 3e 8f ae 7d ac 0a d6 0b 20 59 ad 82 a8 66 88 06 6a 81 10 82 61 95 2e cf 44 50 c0 79 e5 3f a4 32 43 45 a5 9e 2b c4 ]
[MS-MPPE-Recv-Key ] [52] [fb a1 e9 65 b1 18 6d 60 8f 0a ed af 53 1e 26 8a e6 18 9d 26 8c 21 c8 4f c2 8a 6a d5 a8 85 8a 9d ba d8 be 8d 97 b8 b8 d3 24 04 21 23 90 71 33 35 f4 6b ]
[Message-Authenticator ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
[BTRACE][2020/10/24 16:48:14][6144][RADIUS][64e5-99f3-18f6]:Send authentication reply message to AAA.
[BTRACE][2020/10/24 16:48:14][6144][AAA][64e5-99f3-18f6]: AAA receive AAA_RD_MSG_AUTHENACCEPT message(50) from RADIUS module(235).
[BTRACE][2020/10/24 16:48:14][6144][AAA][64e5-99f3-18f6]: CID:57 TemplateNo:4 SerialNo:73 SrcMsg:AAA_RD_MSG_AUTHENREQ PriyServer::: Vrf:0 SendServer:12.12.12.1 Vrf:0 SessionTimeout:0 IdleTimeout:0 AcctInterimInterval:0 RemanentVolume:0 InputPeakRate:0 InputAverageRate:0 OutputPeakRate:0 OutputAverageRate:0 InputBasicRate:0 OutputBasicRate:0 InputPBS:0 OutputPBS:0 Priority:[0,0] DNS:[0.0.0.0, 0.0.0.0] ServiceType:0 LoginService:0 AdminLevel:0 FramedProtocol:0 LoginIpHost:0 NextHop:0 EapLength:4 ReplyMessage: TunnelType:13 MediumType:6 PrivateGroupID:201 WlanReasonCode:0
[BTRACE][2020/10/24 16:48:14][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]AAA check authen ack, check VLANID error!
[BTRACE][2020/10/24 16:48:14][6144][AAA][64e5-99f3-18f6]:Radius authorization data error.
[BTRACE][2020/10/24 16:48:14][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]authen finish,the authen fail code is:16,reason is:Radius authorization data error.
Precautions for authorization VLANs:
For VLAN authorization, three RADIUS attributes need to be delivered. RADIUS attribute 64 (Tunnel-Type) has the fixed value 13, indicating the VLAN protocol. RADIUS attribute 65 (Tunnel-Medium-Type) has the fixed value 6, indicating the Ethernet medium. RADIUS attribute 81 (Tunnel-Private-Group-ID) carries the VLAN itself; authorization can be performed based on the VLAN ID, VLAN description, VLAN name, or VLAN pool, and the order in which authorization takes effect is VLAN ID > VLAN description > VLAN name > VLAN pool.
- Authorization ACL check failure
Received a authentication accept packet from radius server(server ip = 12.12.12.1).
[BTRACE][2020/10/24 16:52:19][6144][RADIUS][64e5-99f3-18f6]: Server Template: 4 Server IP : 12.12.12.1 Server Port : 1812 Protocol: Standard Code : 2 Len : 182 ID : 205
[Filter-Id ] [6 ] [3000]
[EAP-Message ] [6 ] [03 4c 00 04 ]
[State ] [16] [\001uY\314\321\003]
[MS-MPPE-Send-Key ] [52] [bd ce 7f 1d bf 78 33 d4 6c 45 d8 d0 1b f7 ee d2 02 16 7a ac fd 62 25 88 f7 84 7a 22 44 d8 01 8a 99 a3 33 66 7d 47 e9 a7 ed 88 d5 01 f8 62 4f 9d cd 56 ]
[MS-MPPE-Recv-Key ] [52] [bd ce 7f 54 6f 27 35 d1 01 5c f1 5e aa e8 27 91 c7 8b 89 2f 06 8f ac 46 13 5c 92 78 ec cf 39 aa dc bb f8 ff b1 b8 5c 42 6b f8 ca 80 76 b1 e8 35 c9 ed ]
[Message-Authenticator ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
[BTRACE][2020/10/24 16:52:19][6144][RADIUS][64e5-99f3-18f6]:Send authentication reply message to AAA.
[BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]: AAA receive AAA_RD_MSG_AUTHENACCEPT message(50) from RADIUS module(235).
[BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]: CID:58 TemplateNo:4 SerialNo:75 SrcMsg:AAA_RD_MSG_AUTHENREQ PriyServer::: Vrf:0 SendServer:12.12.12.1 Vrf:0 SessionTimeout:0 IdleTimeout:0 AcctInterimInterval:0 RemanentVolume:0 InputPeakRate:0 InputAverageRate:0 OutputPeakRate:0 OutputAverageRate:0 InputBasicRate:0 OutputBasicRate:0 InputPBS:0 OutputPBS:0 Priority:[0,0] DNS:[0.0.0.0, 0.0.0.0] ServiceType:0 LoginService:0 AdminLevel:0 FramedProtocol:0 LoginIpHost:0 NextHop:0 EapLength:4 ReplyMessage: TunnelType:0 MediumType:0 PrivateGroupID: ACLID:3000 WlanReasonCode:0
[BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]AAA check radius authen ack, check acl error!
[BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]:Radius authorization data error.
[BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]authen finish,the authen fail code is:16,reason is:Radius authorization data error.
Precautions for authorization ACLs: In wireless scenarios, the authorization ACL ID ranges from 3000 to 3031, and the maximum rule ID in the ACL is 64.
Troubleshoot the fault as follows:
- Check whether the corresponding authorization is required.
- If authorization is required, create the authorization content on the device. For example, create the corresponding VLAN for an authorization VLAN, or create the corresponding ACL and configure its rules for an authorization ACL.
- If authorization is not required, you can modify the authorization policy on the RADIUS server to delete the corresponding authorization content. You can also run the following command to configure the device to ignore the corresponding authorization content:
Ignore the authorization VLAN.
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] radius-server attribute translate
[HUAWEI-radius-radius_test] radius-attribute disable Tunnel-Private-Group-ID receive
Ignore the authorization ACL.
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] radius-server attribute translate
[HUAWEI-radius-radius_test] radius-attribute disable Filter-Id receive
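The authorization check this section describes can be modelled offline. The following Python is an added example (not the AC's own code) that applies the fixed Tunnel-Type/Tunnel-Medium-Type values, the VLAN ID > description > name > pool order, the ACL 3000 to 3031 range with the rule-ID limit of 64, and the effect of ignoring an attribute with radius-attribute disable ... receive. The device configuration and the Access-Accept contents in it are constructed; VLAN 201 is left uncreated to reproduce the "check VLANID error" trace above.

```python
from dataclasses import dataclass, field

# RADIUS attributes the page lists for wireless authorization
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, FILTER_ID = 64, 65, 81, 11
VLAN_PROTOCOL = 13                     # Tunnel-Type must be 13 (VLAN)
ETHERNET_MEDIUM = 6                    # Tunnel-Medium-Type must be 6 (Ethernet)
WLAN_AUTH_ACL_IDS = range(3000, 3032)  # authorization ACL IDs allowed in wireless scenarios
MAX_ACL_RULE_ID = 64


@dataclass
class DeviceConfig:
    """Constructed stand-in for what exists on the AC; authorization data must resolve against it."""
    vlans: set = field(default_factory=set)                # VLAN IDs created with 'vlan <id>'
    vlan_descriptions: dict = field(default_factory=dict)  # description -> VLAN ID
    vlan_names: dict = field(default_factory=dict)         # name -> VLAN ID
    vlan_pools: dict = field(default_factory=dict)         # pool name -> [VLAN IDs]
    acls: dict = field(default_factory=dict)               # ACL ID -> [rule IDs]
    ignored_attrs: set = field(default_factory=set)        # 'radius-attribute disable <attr> receive'


def resolve_vlan(group_id, cfg):
    """Tunnel-Private-Group-ID lookup in the order the page gives: ID > description > name > pool."""
    if group_id.isdigit() and int(group_id) in cfg.vlans:
        return int(group_id)
    if group_id in cfg.vlan_descriptions:
        return cfg.vlan_descriptions[group_id]
    if group_id in cfg.vlan_names:
        return cfg.vlan_names[group_id]
    if cfg.vlan_pools.get(group_id):
        return cfg.vlan_pools[group_id][0]   # any member of the pool satisfies the existence check
    return None


def check_authorization(attrs, cfg):
    """Return (ok, reason) for the authorization attributes of an Access-Accept.
    attrs maps attribute number -> decoded value (ints for 64/65, strings for 81/11)."""
    attrs = {a: v for a, v in attrs.items() if a not in cfg.ignored_attrs}
    group_id = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if group_id is not None:
        if attrs.get(TUNNEL_TYPE) != VLAN_PROTOCOL or attrs.get(TUNNEL_MEDIUM_TYPE) != ETHERNET_MEDIUM:
            return False, "check VLANID error: Tunnel-Type/Tunnel-Medium-Type must be 13/6"
        if resolve_vlan(group_id, cfg) is None:
            return False, f"check VLANID error: authorization VLAN '{group_id}' does not exist on the device"
    acl = attrs.get(FILTER_ID)
    if acl is not None:
        if not acl.isdigit() or int(acl) not in WLAN_AUTH_ACL_IDS:
            return False, f"check acl error: Filter-Id '{acl}' is outside ACL 3000 to 3031"
        rules = cfg.acls.get(int(acl))
        if rules is None:
            return False, f"check acl error: ACL {acl} does not exist on the device"
        if any(r > MAX_ACL_RULE_ID for r in rules):
            return False, f"check acl error: ACL {acl} has a rule id above {MAX_ACL_RULE_ID}"
    return True, "authorization data ok"


# Constructed device state: VLAN 201 from the trace above is deliberately missing
CFG = DeviceConfig(vlans={1, 10, 12, 100, 200}, acls={3000: [5, 10]})
ACCEPT_VLAN_201 = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "201"}
ACCEPT_ACL_3000 = {FILTER_ID: "3000"}

if __name__ == "__main__":
    print(check_authorization(ACCEPT_VLAN_201, CFG))              # VLANID error
    print(check_authorization(ACCEPT_ACL_3000, CFG))              # ok
    fixed = DeviceConfig(vlans=CFG.vlans | {201}, acls=CFG.acls)  # after 'vlan 201'
    print(check_authorization(ACCEPT_VLAN_201, fixed))            # ok
    ignore = DeviceConfig(vlans=CFG.vlans, acls=CFG.acls, ignored_attrs={TUNNEL_PRIVATE_GROUP_ID})
    print(check_authorization(ACCEPT_VLAN_201, ignore))           # ok, attribute ignored
```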
The User Account Is Locked Out
Run the display aaa online-fail-record mac-address H-H-H command to check the STA's online failure records. In the command output, the User online fail reason field displays Remote user is blocked.
[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name : test
Domain name : domaintest
User MAC : 64e5-99f3-18f6
User access type : 802.1x
User access interface : Wlan-Dbss17496
Qinq vlan/User vlan : 0/200
User IP address : -
User IPV6 address : -
User ID : 16450
User login time : 2020/11/03 19:15:15
User online fail reason : Remote user is blocked
Authen reply message : -
User name to server : test
AP ID : 0
Radio ID : 0
AP MAC : 18de-d777-c120
SSID : dot1x_test
----------------------------------------------------------------
If a user enters an incorrect account or password more times than the maximum number of consecutive authentication failures allowed within the specified period, the user account is locked out. Troubleshoot this fault on the RADIUS server.
In a scenario where all terminals use the same account for authentication, if one terminal uses an incorrect password, the account is locked and all terminals cannot access the network. In this case, you need to disable the remote account locking function.
The account locking function upon a remote authentication failure is enabled by default.
Check whether the remote account is locked.
[HUAWEI] display remote-user authen-fail blocked
Interval: Retry Interval(Mins)
TimeLeft: Retry Time Left
BlockDuration: Block Duration(Mins)
----------------------------------------------------------------
Username Interval TimeLeft BlockDuration BlockTime
----------------------------------------------------------------
test 0 0 5 2020-11-03 19:11:14+08:00
----------------------------------------------------------------
Total 1, 1 printed
Unlock a specific remote account.
[HUAWEI] aaa
[HUAWEI-aaa] remote-user authen-fail unblock username test
Disable the account locking function for access users who fail remote authentication.
[HUAWEI] aaa
[HUAWEI-aaa] undo access-user remote authen-fail
The MAC Address of the STA Is Added to the Quiet Table
Run the trace object mac-address mac-address command in the system view. If the message "User is still in quiet status" is displayed, the STA is in quiet state.
[BTRACE][2020/11/21 15:25:01][7177][EAPoL][000c-291a-4b03]:User is still in quiet status.(MAC:000c-291a-4b03) //The STA is in quiet state and its packets are discarded.
[BTRACE][2020/11/21 15:25:01][7177][EAPoL][000c-291a-4b03]:Quiet table check failure,drop the packet.
Run the display dot1x quiet-user all command to check the remaining quiet time of the MAC address.
[HUAWEI] display dot1x quiet-user all
---------------------------------------------------------------
MacAddress Quiet Remain Time(Sec)
---------------------------------------------------------------
000c-291a-4b03 49
---------------------------------------------------------------
1 silent mac address(es) found, 1 printed.
If the number of consecutive 802.1X authentication failures of the STA within 60s reaches the configured threshold, the STA's MAC address enters the quiet state. Check the reasons for the authentication failures, wait until the STA's MAC address exits the quiet state, and then try again. You can also run the dot1x timer quiet-period quiet-period-times command in the system view to set a shorter quiet period for 802.1X authentication users.
[HUAWEI] dot1x timer quiet-period 60
The STA Does Not Respond to EAP Packets
The STA Does Not Respond to the Request Identity Packet
Use the service diagnosis function to trace the authentication process of the STA. It is found that the device does not receive any response after sending a Request Identity packet. After the timeout period expires, the device retransmits the packet.
[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
[BTRACE][2020/11/02 14:22:45][6144][EAPoL][64e5-99f3-18f6]:Send a EAPoL request identity packet to user.
[BTRACE][2020/11/02 14:22:45][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/02 14:22:45][6144][EAPoL][64e5-99f3-18f6]: EAPOL packet: OUT 64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8 88 8e 01 00 00 05 01 60 00 05 01
[BTRACE][2020/11/02 14:22:45][6144][EAPoL][64e5-99f3-18f6]: 802.1x packet: Version:802.1X-2001(1); Type:Eap(0); Length:5 EAPOL packet: Code:Request(1); Id:96; Length:5; Type:Identity(1)
[BTRACE][2020/11/02 14:22:45][6144][EAPoL][64e5-99f3-18f6]:Send EAP_request packet to user successfully.(Index=120)
[BTRACE][2020/11/02 14:22:45][6144][WLAN_AC][64e5-99f3-18f6]:[Process:6][WSTA] Process eapol start message up sucessfully.
[BTRACE][2020/11/02 14:22:45][6144][WLAN_AC][64e5-99f3-18f6]:[Process:6][WADP] Receive EAP authentication ack message from EAPOL(Value:0, Code:0, Current SN:159, Response SN:159).
[BTRACE][2020/11/02 14:22:45][6144][WLAN_AC][64e5-99f3-18f6]:[Process:6][WSTA] Sta table aging.
[BTRACE][2020/11/02 14:22:47][6144][EAPoL][64e5-99f3-18f6]:No response of request identity from user.
[BTRACE][2020/11/02 14:22:47][6144][EAPoL][64e5-99f3-18f6]:Resend a EAPoL request identity packet to user.
[BTRACE][2020/11/02 14:22:47][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/02 14:22:47][6144][EAPoL][64e5-99f3-18f6]: EAPOL packet: OUT 64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8 88 8e 01 00 00 05 01 60 00 05 01
[BTRACE][2020/11/02 14:22:47][6144][EAPoL][64e5-99f3-18f6]: 802.1x packet: Version:802.1X-2001(1); Type:Eap(0); Length:5 EAPOL packet: Code:Request(1); Id:96; Length:5; Type:Identity(1)
[BTRACE][2020/11/02 14:22:47][6144][EAPoL][64e5-99f3-18f6]:Send EAP_request packet to user successfully.(Index=120)
If this problem occurs on all STAs, there is a high probability that no service VLAN has been created. A service VLAN is required even when the AC is deployed in Layer 2 networking and does not act as the user gateway. Check whether the service VLAN exists and create it if it does not.
Check whether the service VLAN (VLAN 200 as an example) is created.
[HUAWEI] display vlan summary
static vlan:
Total 12 static vlan exist(s).
1 10 12 100 111 to 112 999 1110 to 1114
dynamic vlan:
Total 0 dynamic vlan exist(s).
Create a service VLAN (VLAN 200 as an example).
[HUAWEI] vlan 200
The STA Does Not Respond to the Request Challenge Packet
Use the service diagnosis function to trace the authentication process of the STA. It is found that the device does not receive any response after sending a Request Challenge packet. After the timeout period expires, the device retransmits the packet. After the number of retransmission times exceeds the upper limit, the device sends a Failure packet.
[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
[BTRACE][2020/11/03 14:41:00][6144][EAPoL][64e5-99f3-18f6]:Eapol send authentication request challenge packet to user.
[BTRACE][2020/11/03 14:41:00][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/03 14:41:00][6144][EAPoL][64e5-99f3-18f6]: EAPOL packet: OUT 64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8 88 8e 01 00 00 41 01 6c 00 41 19 00 14 03 01 00 01 01 16 03 01 00 30 85 17 ee 90 6c 84 62 9f 66 28 bb d7 29 2c e4 3f 44 dd 79 aa 10 54 3b 6d 54 ac 8e c8 6b a8 3f f7 cd 68 47 4f cc 9a a3 4e ba 0f b5 88 00 22 3e 0a
[BTRACE][2020/11/03 14:41:00][6144][EAPoL][64e5-99f3-18f6]: 802.1x packet: Version:802.1X-2001(1); Type:Eap(0); Length:65 EAPOL packet: Code:Request(1); Id:108; Length:65; Type:PEAP(25)
[BTRACE][2020/11/03 14:41:00][6144][EAPoL][64e5-99f3-18f6]:Send EAP_request packet to user successfully.(Index=122)
[BTRACE][2020/11/03 14:41:00][6144][EAPoL][64e5-99f3-18f6]:Eapol send request/challenge packet to user successfully.enter request status.(local index:122)
[BTRACE][2020/11/03 14:41:02][6144][EAPoL][64e5-99f3-18f6]:No response of request challenge from user.
[BTRACE][2020/11/03 14:41:02][6144][EAPoL][64e5-99f3-18f6]:Resend a EAPoL request challenge packet to user.
[BTRACE][2020/11/03 14:41:02][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/03 14:41:02][6144][EAPoL][64e5-99f3-18f6]: EAPOL packet: OUT 64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8 88 8e 01 00 00 41 01 6c 00 41 19 00 14 03 01 00 01 01 16 03 01 00 30 85 17 ee 90 6c 84 62 9f 66 28 bb d7 29 2c e4 3f 44 dd 79 aa 10 54 3b 6d 54 ac 8e c8 6b a8 3f f7 cd 68 47 4f cc 9a a3 4e ba 0f b5 88 00 22 3e 0a
[BTRACE][2020/11/03 14:41:02][6144][EAPoL][64e5-99f3-18f6]: 802.1x packet: Version:802.1X-2001(1); Type:Eap(0); Length:65 EAPOL packet: Code:Request(1); Id:108; Length:65; Type:PEAP(25)
[BTRACE][2020/11/03 14:41:02][6144][EAPoL][64e5-99f3-18f6]:Send EAP_request packet to user successfully.(Index=122)
[BTRACE][2020/11/03 14:41:03][6144][WLAN_AC][64e5-99f3-18f6]:[Process:6][WSTA] Sta table aging.
[BTRACE][2020/11/03 14:41:03][2048][WLAN_AC][64e5-99f3-18f6]:[Process:2][WSTA] Flow fork MultiSta MsgType3101 Vcpu6
[BTRACE][2020/11/03 14:41:03][2048][WLAN_AC][64e5-99f3-18f6]:[Process:2][WSTA] Flow fork MultiSta MsgType3121 Vcpu6
[BTRACE][2020/11/03 14:41:04][6144][EAPoL][64e5-99f3-18f6]:No response of request challenge from user.
[BTRACE][2020/11/03 14:41:04][6144][EAPoL][64e5-99f3-18f6]:Resend a EAPoL request challenge packet to user.
[BTRACE][2020/11/03 14:41:04][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/03 14:41:04][6144][EAPoL][64e5-99f3-18f6]: EAPOL packet: OUT 64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8 88 8e 01 00 00 41 01 6c 00 41 19 00 14 03 01 00 01 01 16 03 01 00 30 85 17 ee 90 6c 84 62 9f 66 28 bb d7 29 2c e4 3f 44 dd 79 aa 10 54 3b 6d 54 ac 8e c8 6b a8 3f f7 cd 68 47 4f cc 9a a3 4e ba 0f b5 88 00 22 3e 0a
[BTRACE][2020/11/03 14:41:04][6144][EAPoL][64e5-99f3-18f6]: 802.1x packet: Version:802.1X-2001(1); Type:Eap(0); Length:65 EAPOL packet: Code:Request(1); Id:108; Length:65; Type:PEAP(25)
[BTRACE][2020/11/03 14:41:04][6144][EAPoL][64e5-99f3-18f6]:Send EAP_request packet to user successfully.(Index=122)
[BTRACE][2020/11/03 14:41:06][6144][EAPoL][64e5-99f3-18f6]:No response of request challenge from user.
[BTRACE][2020/11/03 14:41:06][6144][EAPoL][64e5-99f3-18f6]:Resend EAP_request/identity times exceed max times.(Index=122)
[BTRACE][2020/11/03 14:41:06][6144][EAPoL][64e5-99f3-18f6]:Send EAP-Failure packet to user.
[BTRACE][2020/11/03 14:41:06][6144][EAPoL][64e5-99f3-18f6]:Add a Eap Packet Node to EAPOL Ucib, MAC is 64e5-99f3-18f6.
[BTRACE][2020/11/03 14:41:06][6144][EAPoL][64e5-99f3-18f6]: EAPOL packet: OUT 64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8 88 8e 01 00 00 04 04 6c 00 04
[BTRACE][2020/11/03 14:41:06][6144][EAPoL][64e5-99f3-18f6]: 802.1x packet: Version:802.1X-2001(1); Type:Eap(0); Length:4 EAPOL packet: Code:Failure(4); Id:108; Length:4; Type:Unknown(0)
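The "EAPOL packet: OUT" dumps in the Request Identity and Request Challenge traces above can be decoded offline to confirm what the AC sent and on which VLAN. The following Python is an added example (not code from the page or the device): it parses the Ethernet, 802.1Q, EAPOL and EAP headers, reproduces the decode line the trace prints, and for the PEAP request lists the TLS records the STA never answered. The three frames are copied from the traces on this page; everything else is constructed.

```python
import struct

EAPOL_VERSIONS = {1: "802.1X-2001", 2: "802.1X-2004", 3: "802.1X-2010"}
EAPOL_TYPES = {0: "Eap", 1: "Start", 2: "Logoff", 3: "Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}

# Frames copied from the AC traces on this page
REQ_IDENTITY = "64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8 88 8e 01 00 00 05 01 60 00 05 01"
REQ_PEAP = ("64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8 88 8e 01 00 00 41 01 6c 00 41 19 00 "
            "14 03 01 00 01 01 16 03 01 00 30 85 17 ee 90 6c 84 62 9f 66 28 bb d7 29 2c e4 3f "
            "44 dd 79 aa 10 54 3b 6d 54 ac 8e c8 6b a8 3f f7 cd 68 47 4f cc 9a a3 4e ba 0f b5 "
            "88 00 22 3e 0a")
EAP_FAILURE = "64 e5 99 f3 18 f6 84 5b 12 69 22 e8 81 00 00 c8 88 8e 01 00 00 04 04 6c 00 04"


def mac(b):
    """Render 6 bytes in the xxxx-xxxx-xxxx form the device uses."""
    h = b.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def parse_eapol(hexdump):
    """Decode one traced frame: Ethernet (+ optional 802.1Q tag), EAPOL header, EAP header."""
    frame = bytes.fromhex(hexdump)
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == 0x8100:                      # 802.1Q tag: TCI then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x888E:
        raise ValueError(f"not an EAPOL frame (EtherType 0x{ethertype:04x})")
    version, ptype, plen = struct.unpack("!BBH", frame[off:off + 4])
    body = frame[off + 4:off + 4 + plen]          # ignores any Ethernet padding after the body
    if len(body) != plen:
        raise ValueError("EAPOL length exceeds frame")
    info = {"dst": mac(dst), "src": mac(src), "vlan": vlan,
            "version": version, "eapol_type": ptype, "eapol_len": plen, "eap": None}
    if ptype == 0:                               # EAP-Packet
        code, ident, elen = struct.unpack("!BBH", body[:4])
        if elen != plen:
            raise ValueError("EAP length does not match EAPOL length")
        etype = body[4] if elen > 4 else 0       # Success/Failure carry no Type byte
        info["eap"] = {"code": code, "id": ident, "len": elen, "type": etype, "data": body[5:elen]}
    return info


def format_like_trace(info):
    """Reproduce the decode line the AC trace prints after each 'EAPOL packet: OUT' dump."""
    s = (f"802.1x packet: Version:{EAPOL_VERSIONS.get(info['version'], 'Unknown')}({info['version']}); "
         f"Type:{EAPOL_TYPES.get(info['eapol_type'], 'Unknown')}({info['eapol_type']}); "
         f"Length:{info['eapol_len']}")
    e = info["eap"]
    if e:
        s += (f" EAPOL packet: Code:{EAP_CODES.get(e['code'], 'Unknown')}({e['code']}); Id:{e['id']}; "
              f"Length:{e['len']}; Type:{EAP_TYPES.get(e['type'], 'Unknown')}({e['type']})")
    return s


def peap_tls_records(eap_data):
    """For EAP-PEAP data: skip the flags byte and list (TLS content type, length) of each record.
    Content type 20 is change_cipher_spec, 22 is handshake."""
    flags, tls = eap_data[0], eap_data[1:]
    if flags & 0x80:                             # L bit set: 4-byte TLS message length first
        tls = tls[4:]
    records, off = [], 0
    while off + 5 <= len(tls):
        ctype, _ver, rlen = struct.unpack("!BHH", tls[off:off + 5])
        records.append((ctype, rlen))
        off += 5 + rlen
    return records


if __name__ == "__main__":
    for name, dump in (("identity", REQ_IDENTITY), ("peap", REQ_PEAP), ("failure", EAP_FAILURE)):
        info = parse_eapol(dump)
        print(name, info["dst"], "vlan", info["vlan"], "->", format_like_trace(info))
    print(peap_tls_records(parse_eapol(REQ_PEAP)["eap"]["data"]))   # [(20, 1), (22, 48)]
```

The PEAP request carries the server's ChangeCipherSpec and encrypted Finished, so a STA that goes silent at exactly this point has received the server certificate and is at the last step of TLS tunnel establishment.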
Troubleshoot the fault as follows:
- Collect station-trace information (recording the EAP packets sent and received by APs) on the AC.
[HUAWEI-diagnose] station-trace sta-mac 64e5-99f3-18f6
- Confirm the following information in sequence:
<7>Nov 03 2020 14:40:58.20.1 AP-10 WSRV/7/BTRACE:(BTRACE)(WLAN_AP)(64e5-99f3-18f6):receive eap pkt to sta from CAPWAP(9),[type(0)=EAP pkt, src mac=84:5b:12:69:22:e8, len=1122]
<7>Nov 03 2020 14:40:58.20.2 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[28] [EAPOL] EAPOL packet payload[1100] Recved from software switch //The AP receives an EAP Request challenge packet from the AC.
<7>Nov 03 2020 14:40:58.20.3 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[28] [EAPOL] EAPOL packet payload[1100] elapsed[0 ms] Sending pkt to target(Single)
<7>Nov 03 2020 14:40:58.70.1 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[28] [EAPOL] EAPOL packet payload[1100] elapsed[30 ms] Success to send pkt to air //The AP sends an EAP Request challenge packet to the STA.
<7>Nov 03 2020 14:40:58.70.2 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[29] [EAPOL] EAPOL packet payload[6] Recved from target //The AP receives an EAP Response challenge packet from the STA.
<7>Nov 03 2020 14:40:58.70.3 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[29] [EAPOL] EAPOL packet payload[6] elapsed[0 ms] Entering rx reorder
<7>Nov 03 2020 14:40:58.70.4 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[29] [EAPOL] EAPOL packet payload[6] elapsed[0 ms] Exiting rx reorder for release
<7>Nov 03 2020 14:40:58.70.5 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:SeqNo[29] [EAPOL] EAPOL packet payload[6] elapsed[0 ms] Success to send pkt to software switch //The AP sends an EAP Response challenge packet to the AC.
<7>Nov 03 2020 14:40:58.70.6 AP-10 WSRV/7/BTRACE:(BTRACE)(WLAN_AP)(64e5-99f3-18f6):receive eap pkt from sta by BSS(26),[type(0)=EAP pkt, dest mac=18:de:d7:77:c1:20, len=28]
- Check whether the AP receives an EAP Request challenge packet from the AC.
Based on station-trace information, check whether the AP receives an EAP Request challenge packet (Recved from software switch) from the AC. If not, enable forwarding debugging on the AP to check whether the AP forwarding module receives the packet. If not, enable forwarding debugging on the AC to check whether the AC forwarding module forwards the packet. If the forwarding modules on the AP and AC are both properly working, packets may be discarded on the intermediate link. In this case, obtain packets on the intermediate link.
- Check whether the AP sends the EAP Request challenge packet to the STA after receiving the packet.
Based on station-trace information, check whether the AP successfully sends the EAP Request challenge packet to the STA (Success to send pkt to air).
- Check whether the AP receives the EAP Response challenge packet from the STA.
Based on station-trace information, check whether the AP receives the EAP Response challenge packet from the STA (Recved from target).
- Check whether the AP sends the EAP Response challenge packet to the AC.
Based on station-trace information, check whether the AP successfully sends the EAP Response challenge packet to the AC (Success to send pkt to software switch). If the packet is sent successfully but the AC does not receive the packet, enable forwarding debugging on the AC to check whether the AC forwarding module receives the packet. If not, enable forwarding debugging on the AP to check whether the AP forwarding module sends the packet. If the forwarding modules on the AP and AC are both properly working, packets may be discarded on the intermediate link. In this case, obtain packets on the intermediate link.
- Another possible cause is that the EAP content in the Access-Challenge packet sent by the RADIUS server is too large (longer than 1200 bytes). As a result, the AP cannot deliver the large EAP Request challenge packet to the STA. This can be confirmed from the station-trace information.
[G12-AP-09-3-diagnose] May 13 2019 17:28:10.230.6+00:00 G12-AP-09-3 WSRV/7/BTRACE:[BTRACE][WLAN_AP][3C2E-FF90-662F]:receive eap pkt to sta from CAPWAP(23),[type(0)=EAP pkt, src mac=10:c1:72:90:85:e6, len=1518]
[G12-AP-09-3-diagnose] May 13 2019 17:28:10.230.7+00:00 G12-AP-09-3 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][3C2E-FF90-662F]:SeqNo[3259] [EAPOL] EAPOL packet payload[1496] Recved from software switch
[G12-AP-09-3-diagnose] May 13 2019 17:28:10.230.8+00:00 G12-AP-09-3 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][3C2E-FF90-662F]:SeqNo[3259] [EAPOL] EAPOL packet payload[1496] elapsed[0 ms] Sending pkt to target(Single)
[G12-AP-09-3-diagnose] May 13 2019 17:28:10.240.1+00:00 G12-AP-09-3 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][3C2E-FF90-662F]:SeqNo[3259] [EAPOL] EAPOL packet payload[1496] elapsed[0 ms] Fail to send pkt to air with status[2]
As shown in the preceding information, the length of the EAP Request challenge packet is 1496 bytes, and the AP fails to send the packet to the STA. The following methods are available for addressing this issue:
- On the RADIUS server, set the Framed-MTU value to a value smaller than 1000.
- In the RADIUS server template on the device, reduce the value of the Framed-MTU attribute that the device carries in the authentication request packet it sends to the RADIUS server. The default Framed-MTU value is 1500; you are advised to set it to 1000.
Some third-party RADIUS servers do not honor this attribute. In that case, use the first method and adjust the value on the server itself.
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] radius-server attribute translate
[HUAWEI-radius-radius_test] radius-attribute set Framed-Mtu 1000
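As an added example (not part of the original document), the following Python script automates the four checks of this procedure and the oversized-packet check over station-trace records. The sample records are constructed after the output shown above, not real captures; the 1200-byte threshold is the one given in the text.

```python
import re

# Matches the per-packet fields of an AP station-trace record as quoted on this
# page: the EAPOL payload length and the free-text event at the end of the line.
RECORD_RE = re.compile(
    r"SeqNo\[(?P<seq>\d+)\] \[EAPOL\] EAPOL packet payload\[(?P<length>\d+)\]"
    r"(?: elapsed\[\d+ ms\])? (?P<event>.*)$"
)

# The four checkpoints of the procedure, in order, with the marker text to look for.
CHECKPOINTS = [
    ("AP received EAP Request from AC", "Recved from software switch"),
    ("AP sent EAP Request to STA", "Success to send pkt to air"),
    ("AP received EAP Response from STA", "Recved from target"),
    ("AP sent EAP Response to AC", "Success to send pkt to software switch"),
]

# Constructed samples modelled on the station-trace output above (not real captures).
PFX = "<7>Nov 03 2020 14:40:58.70.1 AP-10 WIFI/7/BTRACE:[BTRACE][WLAN_WIFI][64E5-99F3-18F6]:"
SAMPLE_OK = "\n".join([
    PFX + "SeqNo[28] [EAPOL] EAPOL packet payload[1100] Recved from software switch",
    PFX + "SeqNo[28] [EAPOL] EAPOL packet payload[1100] elapsed[30 ms] Success to send pkt to air",
    PFX + "SeqNo[29] [EAPOL] EAPOL packet payload[6] Recved from target",
    PFX + "SeqNo[29] [EAPOL] EAPOL packet payload[6] elapsed[0 ms] Success to send pkt to software switch",
])
SAMPLE_OVERSIZED = "\n".join([
    PFX + "SeqNo[3259] [EAPOL] EAPOL packet payload[1496] Recved from software switch",
    PFX + "SeqNo[3259] [EAPOL] EAPOL packet payload[1496] elapsed[0 ms] Sending pkt to target(Single)",
    PFX + "SeqNo[3259] [EAPOL] EAPOL packet payload[1496] elapsed[0 ms] Fail to send pkt to air with status[2]",
])

def analyze_station_trace(text, max_eap_len=1200):
    """Return (first failed checkpoint or None, list of findings) for one STA's trace."""
    events = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            events.append((int(m.group("length")), m.group("event").strip()))
    findings = []
    for length, event in events:
        # An EAP Request larger than the AP can put on the air: the Framed-MTU fix applies.
        if event == "Recved from software switch" and length > max_eap_len:
            findings.append(f"EAP Request payload {length} B exceeds {max_eap_len} B: lower Framed-MTU")
        if event.startswith("Fail to send pkt to air"):
            findings.append(f"AP failed to send EAP packet to STA ({event})")
    # Walk the checkpoints in order and report the first one with no matching record.
    for name, marker in CHECKPOINTS:
        if not any(event.startswith(marker) for _, event in events):
            return name, findings
    return None, findings
```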
Four-Way Handshake Fails
Run the trace object mac-address mac-address command in the system view. The message "4-way-handshake failed" is displayed, indicating that the four-way handshake fails.
[BTRACE] [2020/11/30 11:56:42][3072][WLAN_AC][0433-c2ad-9008]:[Process:3][WSTA] Receive elb table process(Ap:22, radio:1, wlan:1, vlan:1199, access mode:0, L3:0, version:0, IP:00000000, code:0, type:2)
[BTRACE][2020/11/30 11:56:42][6144][WLAN_AC][0433-c2ad-9008]:[Process:6][WSEC] 4-way-handshake failed (Code:00000003).
Generally, the four-way handshake failure is caused by strong interference on the air interface or weak signals of the STA. In this case, you are advised to check the WLAN air interface environment.
Periodic Reauthentication After Successful Authentication
The possible causes are as follows:
Reauthentication Is Configured on the Device
Check whether the dot1x reauthenticate command is configured in the access profile. If so, delete the configuration.
[HUAWEI] dot1x-access-profile name access_dot1x
[HUAWEI-dot1x-access-profile-access_dot1x] display this
#
dot1x-access-profile name access_dot1x
 dot1x reauthenticate
#
The RADIUS Server Incorrectly Delivers the Session-Timeout and Termination-Action Attributes
Use the service diagnosis function to trace the online authentication process of the STA. The authorization content delivered by the RADIUS server is displayed.
[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
As shown in the following trace information, the RADIUS server delivers the Session-Timeout and Termination-Action attributes in the authentication success packet.
[BTRACE][2020/10/24 16:48:14][6144][RADIUS][64e5-99f3-18f6]: Received a authentication accept packet from radius server(server ip = 12.12.12.1).
[BTRACE][2020/10/24 16:48:14][6144][RADIUS][64e5-99f3-18f6]: Server Template: 4 Server IP : 12.12.12.1 Server Port : 1812 Protocol: Standard Code : 2 Len : 194 ID : 194
[Session-Timeout ] [6 ] [3600]
[Termination-Action ] [6 ] [1]
[EAP-Message ] [6 ] [03 4a 00 04 ]
[State ] [16] [\001uY\311\025N]
[MS-MPPE-Send-Key ] [52] [fb a1 e9 55 16 62 a3 e5 da 35 fc ce 3e 8f ae 7d ac 0a d6 0b 20 59 ad 82 a8 66 88 06 6a 81 10 82 61 95 2e cf 44 50 c0 79 e5 3f a4 32 43 45 a5 9e 2b c4 ]
[MS-MPPE-Recv-Key ] [52] [fb a1 e9 65 b1 18 6d 60 8f 0a ed af 53 1e 26 8a e6 18 9d 26 8c 21 c8 4f c2 8a 6a d5 a8 85 8a 9d ba d8 be 8d 97 b8 b8 d3 24 04 21 23 90 71 33 35 f4 6b ]
[Message-Authenticator ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
You can modify the authorization policy on the RADIUS server to delete the corresponding authorization content. Alternatively, run the following commands to configure the device to ignore the corresponding authorization content:
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] radius-server attribute translate
[HUAWEI-radius-radius_test] radius-attribute disable Termination-Action receive
[HUAWEI-radius-radius_test] radius-attribute disable Session-Timeout receive
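As an added example (not from the original document), this Python snippet parses the attribute triples of an Access-Accept as the AC's RADIUS trace prints them and tells whether Session-Timeout together with Termination-Action will force the STA back through authentication; the `ignored` parameter models what the radius-attribute disable ... receive commands above achieve. The sample dump is constructed after the trace shown above, and the Termination-Action values are those of RFC 2865.

```python
import re

# Attribute triples as they appear in the AC's RADIUS trace on this page:
# "[Name ] [length] [value]" repeated along one line.
ATTR_RE = re.compile(r"\[(?P<name>[A-Za-z0-9-]+)\s*\] \[(?P<len>\d+)\s*\] \[(?P<value>[^\]]*)\]")

# RFC 2865 Termination-Action values.
TERMINATION_DEFAULT = 0         # drop the session when Session-Timeout expires
TERMINATION_RADIUS_REQUEST = 1  # send a new Access-Request (reauthenticate) when it expires

# Constructed sample modelled on the Access-Accept trace above (not a real capture).
SAMPLE_ACCEPT = ("[Session-Timeout ] [6 ] [3600] [Termination-Action ] [6 ] [1] "
                 "[EAP-Message ] [6 ] [03 4a 00 04 ] [State ] [16] [\\001uY\\311\\025N]")

def parse_attributes(dump):
    """Map attribute name -> raw value string from one trace line."""
    return {m.group("name"): m.group("value").strip() for m in ATTR_RE.finditer(dump)}

def periodic_reauth(attrs, ignored=frozenset()):
    """Return (interval_seconds, action) when the Access-Accept makes the STA go through
    authentication again periodically, else None. `ignored` models attributes the device
    discards after 'radius-attribute disable <Name> receive'."""
    attrs = {k: v for k, v in attrs.items() if k not in ignored}
    if "Session-Timeout" not in attrs:
        return None
    action = int(attrs.get("Termination-Action", TERMINATION_DEFAULT))
    mode = "reauthenticate" if action == TERMINATION_RADIUS_REQUEST else "terminate"
    return int(attrs["Session-Timeout"]), mode
```

With both attributes ignored on receive, the function returns None, which is the state the two disable commands put the device in.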