Case Study: 802.1X Authentication Fails When the Agile Controller-Campus Server Is Connected
Symptom
802.1X authentication fails when the AC is connected to the Agile Controller-Campus server.
Cause Analysis
- A shared key is configured in both the RADIUS server profile and the system profile. In this case, the shared key in the system profile takes effect, but this shared key is different from that configured on the RADIUS server.
- No service VLAN is configured in direct forwarding mode.
Relevant Alarms and Logs
Related log:
101 Incorrect user name or password or Incorrect dataSource or Incorrect access device key.
Procedure
- Run the test-aaa command on the device to locate the fault and record a log. Ensure that the same AAA user is involved in CHAP and PAP tests.
The following command output shows that CHAP authentication succeeds but PAP authentication fails for the same user.
CHAP authentication succeeds for the user user.test.
<AC> system-view
[AC] test-aaa user.test 12344321 radius-template RST-AGILE chap
Info: Account test succeed.
Logs for the CHAP authentication user are as follows:
501 Receive an authentication packet 2018-01-10 13:41:11 016
523 Perform CHAP authentication
526 Execute the standard CHAP authentication process
508 Match the authentication rule-TEST
509 Match the authentication data source-Local Data Source
524 Verify the password
509 Match the authentication data source-Local Data Source
514 Match the authorization rule-Default Authorization Rule
510 Return a RADIUS Access packet 2018-01-10 13:41:11 034
PAP authentication fails for the user user.test.
<AC> system-view
[AC] test-aaa user.test 12344321 radius-template RST-AGILE pap
Info: Authentication fails due to incorrect name, password, shared key, and so on.ErrCode:4101
Logs for the PAP authentication user are as follows:
501 Receive an authentication packet 2018-01-10 13:31:50 270
517 Perform PAP authentication
508 Match the authentication rule-TEST
509 Match the authentication data source-Local Data Source
565 Verify PAP authentication information
515 Verify the account-user.test
576 Verification of authentication information succeeded
524 Verify the password
101 Incorrect user name or password or Incorrect dataSource or Incorrect access device key.
511 Return a RADIUS Reject packet 2018-01-10 13:31:50 441
- On the Agile Controller-Campus server, verify that PAP and CHAP authentication are selected during the AAA test.
As shown in the preceding figure, the PAP and CHAP authentication protocols are selected.
- Ensure that the same shared key is configured on the AC and the Agile Controller-Campus server.
Check whether shared keys are configured in both the RADIUS server profile and the system profile. If so, the shared key in the system profile takes effect; check whether this effective shared key is the same as that configured on the RADIUS server.
Shared keys are displayed in ciphertext in the configuration file. Therefore, you cannot compare shared keys on the AC and the Agile Controller-Campus server. It is recommended that you reconfigure the same shared key on the AC and RADIUS server.
As shown in the above configuration file, shared keys are configured in both the RADIUS server profile and the system profile. In this case, perform the following operations:
- Run the undo radius-server shared-key command in the system view to delete the shared key of the RADIUS server in the system profile.
- Run the radius-server shared-key cipher key-string command in the RADIUS server profile view to reconfigure the shared key to be the same as that on the RADIUS server.
- Check whether a service VLAN is configured in direct forwarding mode.
After the same shared key is configured on the AC and Agile Controller-Campus server, the user succeeds in PAP and CHAP authentication in the AAA test. The Agile Controller-Campus server, however, cannot receive authentication requests. Check the data forwarding mode on the network. It is found that the direct forwarding mode is used, in which configuring a service VLAN is mandatory. No service VLAN configuration is available on the user network.
After a service VLAN is configured in the system view, 802.1X authentication succeeds.
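The CHAP-succeeds-but-PAP-fails pattern seen in the test-aaa step follows from how RADIUS protects each credential: the User-Password attribute is hidden with the shared key, while a CHAP response is an MD5 of the password and challenge that never touches the shared key. The following Python is an added illustration, not code from this case study or from Huawei; the password, both secrets and the Request Authenticator are constructed placeholder values.

```python
import hashlib

# Constructed sample values (placeholders, not taken from the case study).
PASSWORD = b"12344321"
REQUEST_AUTHENTICATOR = bytes(range(16))  # random 16 bytes in a real packet
AC_SECRET = b"ac-side-shared-key"
SERVER_SECRET = b"server-side-shared-key"


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password as in RFC 2865 section 5.2: zero-pad to 16-byte
    blocks, XOR each block with MD5(secret + previous ciphertext block), the
    first block keyed by the Request Authenticator. The shared key is an input."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of pap_hide; with a different shared key the result is garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value (RFC 1994, carried per RFC 2865 section 5.3):
    MD5(ident + password + challenge). The RADIUS shared key is not involved."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def password_check_passes(method: str, ac_secret: bytes, server_secret: bytes) -> bool:
    """Emulate the server's 'Verify the password' step for an Access-Request the
    AC built, when the AC and the server may hold different shared keys."""
    if method == "pap":
        attr = pap_hide(PASSWORD, ac_secret, REQUEST_AUTHENTICATOR)
        return pap_reveal(attr, server_secret, REQUEST_AUTHENTICATOR) == PASSWORD
    if method == "chap":  # challenge = Request Authenticator when no CHAP-Challenge attribute
        attr = chap_response(1, PASSWORD, REQUEST_AUTHENTICATOR)
        return attr == chap_response(1, PASSWORD, REQUEST_AUTHENTICATOR)  # server's own copy
    raise ValueError(f"unknown method {method!r}")
```

With mismatched keys password_check_passes("chap", ...) still returns True while the "pap" case returns False, which is the pattern in the logs above. An Access-Request that also carries a Message-Authenticator attribute (RFC 3579) is HMAC-checked with the shared key, so a key mismatch would then reject CHAP as well.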
Suggestion and Summary
When connecting an AC to a RADIUS server, ensure that the same shared key is configured on the AC and server.