802.1x Authentication Failure
Common causes are as follows:
- The AC cannot communicate with the RADIUS server.
- The AC is not in the trusted device list of the RADIUS server (its NAS IP address is not registered on the server, or the shared secret differs). In this case the server silently discards the request and the AC sees only a timeout.
- The authorization information configured on the RADIUS server does not match that on the device (for example, the server delivers a VLAN or ACL that is not configured on the AC).
Troubleshooting Flowchart
Troubleshooting Procedure for Authentication Failure
- Check whether the following 802.1x authentication configurations are correct:
- The related security profile and authentication profile are bound to the VAP profile.
- WPA/WPA2-802.1x authentication policies have been configured in the security profile.
- The related 802.1x profile is bound to the authentication profile.
- An authentication mode is configured in the 802.1x access profile.
Command for displaying configuration in the VAP profile:
[AC6605-wlan-vap-prof-fordot1x] display this
#
 forward-mode tunnel
 service-vlan vlan-id 242
 ssid-profile fordot1x
 security-profile fordot1x
 authentication-profile dot1x_authen_profile
#
Command for displaying configuration in the security profile:
[AC6605-wlan-sec-prof-fordot1x] display this
#
 security wpa dot1x tkip
#
The WPA version and cipher in the security profile must match what the STA is configured with; the STA example later on this page uses WPA2 with CCMP, which corresponds to security wpa2 dot1x aes on the AC. A mismatch causes association to fail before 802.1x even starts. TKIP is deprecated and should only be kept for legacy STAs that cannot use AES.
Command for displaying configuration in the authentication profile:
[AC6605-authentication-profile-dot1x_authen_profile] display this
#
authentication-profile name dot1x_authen_profile
 dot1x-access-profile dot1x_access_profile
#
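The binding checks above can be automated against the display this output of each profile view. The following script is an added example, not Huawei code: it takes the profile name from the view prompt (the [AC6605-wlan-sec-prof-fordot1x] form shown on this page), walks VAP profile -> security profile and authentication profile -> 802.1x access profile, and reports every missing binding. The 802.1x access profile view prompt and its dot1x authentication-method eap line are assumptions, since that output is not shown on this page; the sample inputs are the three outputs above plus that assumed fourth one.

```python
import re

# Profile name is taken from the view prompt, e.g. [AC6605-wlan-sec-prof-fordot1x].
# The dot1x-access-profile prompt form is an assumption (not shown on the page).
VIEW_RE = re.compile(
    r"^\[[^\]]*?-(wlan-vap-prof|wlan-sec-prof|authentication-profile|dot1x-access-profile)-([^\]]+)\]"
)


def parse_display_this(output):
    """Split one 'display this' capture into (view, profile name, {keyword: rest of line})."""
    view = name = None
    cfg = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and '#' section delimiters
        m = VIEW_RE.match(line)
        if m:
            view, name = m.groups()       # the prompt line carries the profile name
            continue
        key, _, rest = line.partition(" ")
        cfg[key] = rest
    return view, name, cfg


def check_dot1x_chain(outputs):
    """Walk VAP -> security/authentication profile -> 802.1x access profile.
    Returns a list of findings; an empty list means every binding is present."""
    views = {}
    for out in outputs:
        view, name, cfg = parse_display_this(out)
        views[(view, name)] = cfg
    vaps = [(n, c) for (v, n), c in views.items() if v == "wlan-vap-prof"]
    if not vaps:
        return ["no VAP profile output supplied"]
    vap_name, vap = vaps[0]
    findings = []

    sec_name = vap.get("security-profile")
    if not sec_name:
        findings.append(f"VAP {vap_name}: no security-profile bound")
    elif ("wlan-sec-prof", sec_name) not in views:
        findings.append(f"security profile {sec_name}: no 'display this' output supplied")
    else:
        policy = views[("wlan-sec-prof", sec_name)].get("security", "")
        if not re.match(r"wpa(2|-wpa2)? dot1x\b", policy):
            findings.append(f"security profile {sec_name}: '{policy or 'open'}' is not a WPA/WPA2-802.1x policy")
        if "tkip" in policy.split():
            findings.append(f"security profile {sec_name}: TKIP is deprecated, use aes (CCMP) unless legacy STAs need it")

    auth_name = vap.get("authentication-profile")
    if not auth_name:
        findings.append(f"VAP {vap_name}: no authentication-profile bound")
    elif ("authentication-profile", auth_name) not in views:
        findings.append(f"authentication profile {auth_name}: no 'display this' output supplied")
    else:
        acc_name = views[("authentication-profile", auth_name)].get("dot1x-access-profile")
        if not acc_name:
            findings.append(f"authentication profile {auth_name}: no dot1x-access-profile bound")
        elif ("dot1x-access-profile", acc_name) not in views:
            findings.append(f"802.1x access profile {acc_name}: no 'display this' output supplied")
        elif not views[("dot1x-access-profile", acc_name)].get("dot1x", "").startswith("authentication-method"):
            findings.append(f"802.1x access profile {acc_name}: no authentication method configured")
    return findings


# Constructed inputs: the three outputs shown on this page plus an assumed
# 802.1x access profile view ('dot1x authentication-method eap' is assumed).
PAGE_OUTPUTS = [
    "[AC6605-wlan-vap-prof-fordot1x] display this\n#\n forward-mode tunnel\n service-vlan vlan-id 242\n"
    " ssid-profile fordot1x\n security-profile fordot1x\n authentication-profile dot1x_authen_profile\n#",
    "[AC6605-wlan-sec-prof-fordot1x] display this\n#\n security wpa dot1x tkip\n#",
    "[AC6605-authentication-profile-dot1x_authen_profile] display this\n#\n"
    "authentication-profile name dot1x_authen_profile\n dot1x-access-profile dot1x_access_profile\n#",
    "[AC6605-dot1x-access-profile-dot1x_access_profile] display this\n#\n"
    "dot1x-access-profile name dot1x_access_profile\n dot1x authentication-method eap\n#",
]

# Same VAP profile with the authentication-profile binding removed.
BROKEN_OUTPUTS = [PAGE_OUTPUTS[0].replace(" authentication-profile dot1x_authen_profile\n", "")] + PAGE_OUTPUTS[1:]

if __name__ == "__main__":
    for label, outs in (("page", PAGE_OUTPUTS), ("broken", BROKEN_OUTPUTS)):
        print(label, check_dot1x_chain(outs) or "OK")
```

Against the page's own configuration the only finding is the TKIP warning; dropping the authentication-profile line from the VAP profile adds the missing-binding finding, which is the case this step is meant to catch.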
- Check the configuration of global 802.1x authentication parameters.
[AC6605] display dot1x
  Max users: 10240
  Current users: 0
  Global default domain is default
  Quiet function is Disabled
  Parameter set:Quiet Period        60s
                Quiet-times         3
  Dropped EAPOL Access Flow Control: 0
  EAPOL Check Sysmac Error: 0
  EAPOL Get Vlan ID Error: 0
  EAPOL Packet Flow Control: 0
  EAPOL Online User Reach Max: 0
  EAPOL Static or BlackHole Mac: 0
  EAPOL Get Vlan Mac Error: 0
  EAPOL Temp User Exist: 0
- Check whether the user name and password are correct on the RADIUS server.
The AC cannot perform 802.1x authentication against its local user database, so the account must exist on the RADIUS server and the domain the user is mapped to must point at that server.
- If RADIUS authentication is used, run the test-aaa command to test the reachability of the RADIUS server.
Test result on the Diagnosis > Diagnosis Tool > AAA Test web page:
Command output on the CLI (user name huawei, password huawei, RADIUS server template huawei):
[AC6605] test-aaa huawei huawei radius-template huawei
Info: Account test succeed
The test-aaa command sends a plain Access-Request for the given account, so it checks reachability, that the AC is an accepted client of the server and that the shared secrets match; it does not exercise the EAP method or the server certificate. A successful test therefore does not rule out EAP-level problems, and a failed test looks the same for an unreachable server, an unregistered NAS address and a wrong shared secret, because the AC discards any reply it cannot verify.
- If the test fails, troubleshoot the fault following the procedure in 1.2.4.2 AAA Authentication Failure.
- Check whether the STA (PC) configuration is correct.
Create a VAP with the SSID test and the authentication mode WPA2-802.1x with PEAP and CCMP, then configure a matching wireless profile on the STA. Windows 7 is used as an example here.
- Click the wireless network icon in the notification area. A list of wireless networks is displayed. Click Open Network and Sharing Center.
- Click Manage wireless networks, then choose Add > Manually create a network profile.
- Enter the SSID and set Security type and Encryption type to match the security profile on the AC. Then click Next.
- Click Change connection settings.
- On the Security tab, click Properties.
- Click Settings. In the Protected EAP Properties dialog box, deselect Validate server certificate.
Deselect Validate server certificate only while troubleshooting. Without server validation a PEAP/MSCHAPv2 supplicant hands its credentials to any access point that announces the same SSID. Once the fault is found, re-enable the option and select the CA that issued the RADIUS server certificate.
- Click Configure. The EAP MSCHAPv2 Properties dialog box is displayed.
- Deselect Automatically use my Windows logon name and password (and domain if any). Then click OK.
- Click the wireless network icon again and select the SSID test. The Network Authentication dialog box is displayed. Enter your user name and password. Then click OK.
The STA connects to the network, obtains an IP address, and can ping the gateway.
- Capture packets on the RADIUS server.
Check the packets. First confirm that Access-Request packets from the AC arrive at all and that the server answers them; a request that is logged as coming from an unknown client, or a reply the AC never acts on, points back to the trusted device list and the shared secret. If EAP-Failure is sent a few steps after the TLS tunnel has been established (that is, after the inner authentication rather than during the TLS handshake), check whether authorization information is configured for the group to which the user belongs on the RADIUS server and whether the AC has the matching configuration. If the server delivers authorization information (for example a VLAN or ACL) that is not configured on the AC, the AC rejects the user and EAP-Failure is sent. To resolve this problem, add the required authorization information on the AC, or remove it from the user group on the server.
- Capture packets on the STA.
Capture packets on the STA with a packet capture tool such as Wireshark (display filter eapol). Check the packets. If the STA never sends an EAP-Response, check the NIC and supplicant configuration of the STA. If an EAP-Success packet is present, the STA is authenticated successfully. If the STA still cannot go online after EAP-Success, the fault lies in the subsequent key negotiation (the four-way handshake that follows 802.1x); collect the information described in the next step and contact Huawei technical support.
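The decision rules in the two capture steps above (no EAP-Response from the STA, EAP-Failure after the TLS tunnel, EAP-Success) can be applied mechanically to the EAPOL frames seen on the STA. The following is an added example, not Huawei code: it builds and parses EAP packets (RFC 3748) inside EAPOL frames (IEEE 802.1X) and returns the diagnosis the text asks for. The captures are constructed in the script, not real traces, and the EAP-Failure-before-TLS branch goes one step beyond the page by separating an identity or method rejection from the authorization case.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_IDENTITY, EAP_TLS, EAP_TTLS, EAP_PEAP = 1, 13, 21, 25
TLS_BASED = {EAP_TLS, EAP_TTLS, EAP_PEAP}      # methods that run a TLS handshake first
EAPOL_EAP_PACKET = 0


def eap(code, ident, eap_type=None, data=b""):
    """Build an EAP packet (RFC 3748 4): Code | Identifier | Length | [Type | Type-Data].
    Success and Failure carry no Type field."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol(eap_pkt, version=2):
    """Wrap an EAP packet in an EAPOL frame: Version | Type (0 = EAP-Packet) | Body Length."""
    return struct.pack("!BBH", version, EAPOL_EAP_PACKET, len(eap_pkt)) + eap_pkt


def parse_eapol(frame):
    """Return the fields a triage needs: EAPOL type, EAP code, identifier and method type."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    pkt = {"version": version, "eapol_type": ptype}
    if ptype != EAPOL_EAP_PACKET:
        return pkt                                      # EAPOL-Start, EAPOL-Key, ...
    code, ident, elen = struct.unpack("!BBH", frame[4:8])
    pkt.update(code=code, id=ident)
    if code in (EAP_REQUEST, EAP_RESPONSE) and elen > 4:
        pkt["type"] = frame[8]
        pkt["data"] = frame[9:4 + elen]
    return pkt


def triage(capture):
    """capture: list of (direction, eapol_frame) as seen on the STA, in order.
    Returns the diagnosis following the decision rules of this troubleshooting step."""
    sta_responses = 0
    tls_started = False
    for direction, frame in capture:
        p = parse_eapol(frame)
        code = p.get("code")
        if direction == "sta->ap" and code == EAP_RESPONSE:
            sta_responses += 1
        if code in (EAP_REQUEST, EAP_RESPONSE) and p.get("type") in TLS_BASED:
            tls_started = True
        if code == EAP_SUCCESS:
            return "EAP-Success: authentication passed; if the STA is still offline, look at key negotiation"
        if code == EAP_FAILURE:
            if tls_started:
                return "EAP-Failure after TLS: check RADIUS authorization attributes against the AC configuration"
            return "EAP-Failure before TLS: identity rejected or EAP method mismatch; check user name and method"
    if sta_responses == 0:
        return "no EAP-Response from STA: check the STA NIC and supplicant configuration"
    return "exchange incomplete: no EAP-Success or EAP-Failure seen"


def sample_capture(outcome):
    """Constructed EAPOL sequences for the three outcomes; these are not real captures."""
    frames = [("ap->sta", eapol(eap(EAP_REQUEST, 1, EAP_IDENTITY)))]
    if outcome == "silent_sta":
        return frames                                   # the supplicant never answers
    frames += [
        ("sta->ap", eapol(eap(EAP_RESPONSE, 1, EAP_IDENTITY, b"huawei"))),
        ("ap->sta", eapol(eap(EAP_REQUEST, 2, EAP_PEAP, b"\x20"))),                 # PEAP Start flag
        ("sta->ap", eapol(eap(EAP_RESPONSE, 2, EAP_PEAP, b"\x00\x16\x03\x01"))),   # flags + TLS stub
    ]
    if outcome == "authz_failure":
        frames.append(("ap->sta", eapol(eap(EAP_FAILURE, 3))))
    elif outcome == "success":
        frames.append(("ap->sta", eapol(eap(EAP_SUCCESS, 3))))
    return frames


if __name__ == "__main__":
    for outcome in ("silent_sta", "authz_failure", "success"):
        print(f"{outcome}: {triage(sample_capture(outcome))}")
```

On a real capture the frames come from Wireshark's eapol filter; on the RADIUS side the same EAP packets travel inside EAP-Message attributes, so the same parse applies once the attribute values are concatenated.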
- Collect the following information and contact Huawei technical support personnel.
You can use the trace command to trace the entire system process. If the number of online users is small, you can use the debugging commands listed in the following table. Run terminal monitor and terminal debugging in the user view first so that the output is displayed on the terminal, and run undo debugging all when you are done, because debugging adds CPU load and should not stay enabled on a busy AC.
Command                          Function
<Huawei> debugging dot1x all     Enables 802.1x authentication debugging.
<Huawei> debugging cm all        Enables UCM module debugging.
<Huawei> debugging aaa all       Enables AAA module debugging, which is used to view information such as the user authentication domain.
<Huawei> debugging radius all    Enables RADIUS module debugging, which shows the authentication exchange between the AC and the RADIUS server.