No relevant resource is found in the selected language.
Enterprise
Worldwide
Huawei Global - English
Support Documentation
WLAN Troubleshooting Guide
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
802.1x Authentication Failure

802.1x Authentication Failure

Common causes are as follows:

  • The AC cannot communicate with the RADIUS server.
  • The AC is not in the trusted device list of the RADIUS server.
  • The authorization information configured on the RADIUS server does not match that on the device.

Troubleshooting Flowchart

Troubleshooting Procedure for Authentication Failure

  1. Check whether the following 802.1x authentication configurations are correct:

    • The related security profile and authentication profile are bound to the VAP profile.
    • WPA/WPA2-802.1x authentication policies have been configured in the security profile.
    • The related 802.1x profile is bound to the authentication profile.
    • An authentication mode is configured in the 802.1x access profile.

    Command for displaying configuration in the VAP profile:

    [AC6605-wlan-vap-prof-fordot1x] display this
#
forward-mode tunnel
service-vlan vlan-id 242
ssid-profile fordot1x
security-profile fordot1x
authentication-profile dot1x_authen_profile
#

    Command for displaying configuration in the security profile:

    [AC6605-wlan-sec-prof-fordot1x] display this
#
security wpa dot1x tkip
#

    Command for displaying configuration in the authentication profile:

    [AC6605-authentication-profile-dot1x_authen_profile] display this
#
authentication-profile name dot1x_authen_profile
 dot1x-access-profile dot1x_access_profile
#

  2. Check the configuration of global 802.1x authentication parameters.

    [AC6605] display dot1x
Max users: 10240
Current users: 0
Global default domain is default
Quiet function is Disabled
Parameter set:Quiet Period60s Quiet-times3
Dropped EAPOL Access Flow Control: 0
EAPOL Check Sysmac Error: 0
EAPOL Get Vlan ID Error: 0
EAPOL Packet Flow Control: 0
EAPOL Online User Reach Max: 0
EAPOL Static or BlackHole Mac :0
EAPOL Get Vlan Mac Error: 0
EAPOL Temp User Exist: 0

  3. Check whether the user name and password are correct.

    802.1x authentication cannot be performed locally.

    • If RADIUS authentication is used, run the test-aaa command to test the reachability of the RADIUS server.

      Test result on the Diagnosis > Diagnosis Tool > AAA Test web page:

      Command output on the CLI:

      [AC6605] test-aaa huawei huawei radius-template huawei
Info: Account test succeed
    • If the test fails, troubleshoot the fault following the procedure in 1.2.4.2 AAA Authentication Failure.

  4. Check whether the STA (PC) configuration is correct.
  5. Create a VAP and set the SSID to test and authentication mode to WPA2 802.1x+PEAP CCMP. Windows 7 operating system is used as an example here.

    1. Click on the desktop. A list of wireless networks is displayed. Click Open Network and Sharing Center.

    2. Click Manage Wireless Networks. On the manually connect to a wireless network page, choose add > Manually create a network profile(M).

    3. Enter the SSID and set Security type. Then click Next.

    4. Click Change connection settings.

    5. Click Properties.

    6. Click Settings. On the Protected EAP Properties page, deselect Valid server certificate.

    7. Click Configure. The EAP MSCHAPv2 Properties dialog box is displayed.
    8. Deselect Automatically use my Windows logon name and password (and domain if any). Then click OK.

    9. Click and select SSID test. The Network Authentication page is displayed. Enter your user name and password. Then click OK.

      The STA connects to the network, obtains an IP address, and can ping the gateway.

    10. Capture packets on the RADIUS server.

      Check the packets. If there are EAP-Failure packets a few steps after TLS encryption, check whether authorization information is configured for the group to which the user configured on the RADIUS server belongs. If the related authorization information is not configured on the AC, EAP-Failure packets will be sent. To resolve this problem, add the required authorization information on the AC.

  6. Capture packets on the STA.

    Capture packets using packet capturing software, such as wireshark. Check the packets. If the STA does not send an EAP-response packet, check the NIC configuration of the STA. If there are EAP success packets, the STA is authenticated successfully. If the STA still cannot go online after successful authentication, contact key negotiation developers to locate the fault.

  7. Collect the following information and contact Huawei technical support personnel.

    You can use the trace command to trace the entire system process. If the service volume is small, you can use the debugging commands listed in the following table.

    Command

    Functions

    <Huawei> debugging dot1x all

    Enables 802.1x authenticationdebugging.

    <Huawei> debugging cm all

    Enables UCM module debugging.

    <Huawei> debugging aaa all

    Enables AAA module debugging, which is used to view information such as the user authentication domain.

    <Huawei> debugging radius all

    Displays authentication information between a STA and the RADIUS module.

Translation
简体中文
Download
Updated: 2021-12-27

Document ID: EDOC1000060368

Views: 1221139

Downloads: 4411

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next
Huawei e+ App Huawei e+

Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :