Case Study: During 802.1X Authentication, Some STAs Fail Authentication While Some Succeed
Symptom
Some STAs (such as Samsung J3) fail 802.1X authentication. However, some other STAs with the same configuration (such as iPhones and Huawei smartphones) succeed in 802.1X authentication.
Run the display aaa online-fail-record all brief command to check the records of STAs that failed to go online.
<AC> display aaa online-fail-record all brief
-------------------------------------------------------------------------------------------
 UserID  Username                    IP address      MAC             Reason
-------------------------------------------------------------------------------------------
 2274    host/PAT-MREI.benfica.est   -               685d-4362-eb66  Authenticate fail
-------------------------------------------------------------------------------------------
Relevant Alarms and Logs
Related log:
[BTRACE][2018/01/18 16:19:45][EAPoL][685d-4362-eb66]:Send EAP_request packet to user successfully.(Index=996)
[BTRACE][2018/01/18 16:19:45][EAPoL][685d-4362-eb66]:Eapol send request/challenge packet to user successfully.enter request status.(local index:996)
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:Receive packet, get packet information.(L2Type=1,QinqVlan=0,Vlan=144, Ip=0.0.0.0,EAPPktType=1,IFNAME=Wlan-Dbss0, Slot=0, PortIndex=0)
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:Receive start packet from user.
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:User is exist status, receive a eap start packet.
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:Dot1x user is exist, cut it and offline.(local index:996)
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:EAPOL send cut request message to server.
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:Eapol send cut request message to UCM module successfully.(local index:996)
Cause Analysis
Some STAs cannot process long EAP packets.
Procedure
- Verify the configurations of the authentication profile and RADIUS server profile.
. . .
authentication-profile name becorp
 dot1x-access-profile becorp_dot1x_profile
 authentication-scheme becorp_auth_scheme
 accounting-scheme becorp_acc_scheme
 radius-server nps_auth
. . .
radius-server template nps_auth
 radius-server shared-key cipher %^%#]T{v1Pl>>=n^$#6Z)o%>dtEwB1ZW)>0dbG5X<lgPSnif$^G.q<wTNd%U]Vx*%^%#
 radius-server authentication 172.30.202.5 1812 source Vlanif 2511 weight 80
 radius-server accounting 172.30.202.5 1813 source Vlanif 2511 weight 80
radius-server ip-address 172.30.202.5 shared-key cipher %^%#+0z##.Tt2"{w!*QS@j);o&iwEL>\^=4#l82)ltc3^#O_Ga|0q-jR4z8({Z[S%^%#
. . .
- Ping the RADIUS server from the AC to check the network connectivity between them.
- Create a diagnosis object to locate the user access issue through service diagnosis.
<AC> system-view
[AC] trace object mac-address 685d-4362-eb66
[AC] trace enable
User access logs are as follows:
[BTRACE][2018/01/18 16:19:45][EAPoL][685d-4362-eb66]:Send EAP_request packet to user successfully.(Index=996)
[BTRACE][2018/01/18 16:19:45][EAPoL][685d-4362-eb66]:Eapol send request/challenge packet to user successfully.enter request status.(local index:996)
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:Receive packet, get packet information.(L2Type=1,QinqVlan=0,Vlan=144, Ip=0.0.0.0,EAPPktType=1,IFNAME=Wlan-Dbss0, Slot=0, PortIndex=0)
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:Receive start packet from user.
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:User is exist status, receive a eap start packet.
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:Dot1x user is exist, cut it and offline.(local index:996)
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:EAPOL send cut request message to server.
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:Eapol send cut request message to UCM module successfully.(local index:996)
According to the logs, the AC sent an EAP-Request packet to the STA successfully (16:19:45) but received no response. Only 18 seconds later (16:20:03) did the AC receive an EAPOL-Start packet from the STA, at which point the existing 802.1X session was cut and the user went offline. The likely cause is that the EAP packet sent by the AC is too long for the STA to process. After the MTU is reduced, the problem is resolved.
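The pattern the analysis above relies on (an EAP request that is never answered, followed by an EAPOL-Start from the same STA many seconds later) can be checked automatically across a whole trace. The following Python script is an added example, not part of this case study or the AC software; it assumes the BTRACE line layout shown above and that the EAPPktType field follows the 802.1X EAPOL type numbering (0 = EAP-Packet, 1 = EAPOL-Start), and uses a constructed second STA that answers promptly for contrast.

```python
import re
from datetime import datetime

# Constructed sample: the failing STA's lines follow the AC trace on this page;
# the second MAC (constructed) answers its EAP request within a second.
SAMPLE_TRACE = """\
[BTRACE][2018/01/18 16:19:45][EAPoL][685d-4362-eb66]:Send EAP_request packet to user successfully.(Index=996)
[BTRACE][2018/01/18 16:19:46][EAPoL][0011-2233-4455]:Send EAP_request packet to user successfully.(Index=997)
[BTRACE][2018/01/18 16:19:47][EAPoL][0011-2233-4455]:Receive packet, get packet information.(L2Type=1,QinqVlan=0,Vlan=144, Ip=0.0.0.0,EAPPktType=0,IFNAME=Wlan-Dbss0, Slot=0, PortIndex=0)
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:Receive packet, get packet information.(L2Type=1,QinqVlan=0,Vlan=144, Ip=0.0.0.0,EAPPktType=1,IFNAME=Wlan-Dbss0, Slot=0, PortIndex=0)
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:Receive start packet from user.
[BTRACE][2018/01/18 16:20:03][EAPoL][685d-4362-eb66]:Dot1x user is exist, cut it and offline.(local index:996)
"""

LINE_RE = re.compile(
    r"\[BTRACE\]\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\]\[EAPoL\]"
    r"\[(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\]:(?P<msg>.*)")
PKT_TYPE_RE = re.compile(r"EAPPktType=(\d+)")
# Assumption: EAPPktType uses the 802.1X EAPOL type numbering
# (0 = EAP-Packet, i.e. a response; 1 = EAPOL-Start, as the page's trace shows).
EAP_PACKET, EAPOL_START = 0, 1

def parse_trace(text):
    """Yield (timestamp, mac, message) for every BTRACE EAPoL line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["mac"], m["msg"]

def find_unanswered_eap_requests(text, min_gap_s=10):
    """Return {mac: seconds} for STAs that never answered an EAP request and
    instead restarted with EAPOL-Start after at least min_gap_s seconds."""
    pending = {}   # mac -> time the AC sent the still-unanswered EAP request
    flagged = {}
    for ts, mac, msg in parse_trace(text):
        if msg.startswith("Send EAP_request packet to user successfully"):
            pending[mac] = ts
            continue
        t = PKT_TYPE_RE.search(msg)
        if not t or mac not in pending:
            continue
        if int(t.group(1)) == EAP_PACKET:        # STA answered: session healthy
            del pending[mac]
        elif int(t.group(1)) == EAPOL_START:     # STA gave up and restarted
            gap = (ts - pending.pop(mac)).total_seconds()
            if gap >= min_gap_s:
                flagged[mac] = gap
    return flagged
```

A STA listed by find_unanswered_eap_requests is a candidate for the Framed-Mtu adjustment described below; a STA that answers with an EAP-Packet is cleared and never reported.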
Configure the RADIUS attribute Framed-Mtu in the RADIUS server template to reduce the MTU value, so that the RADIUS server limits the size of the EAP packets it sends to the STA.
<AC> system-view
[AC] radius-server template nps_auth
[AC-radius-nps_auth] radius-attribute set Framed-Mtu 800