AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
802.1x Authentication of a User Fails

Common Causes

This fault is commonly caused by one of the following:
  • Some parameters are set incorrectly or not set, such as the parameters of 802.1x authentication, AAA authentication domain, authentication server, and authentication server template.
  • The user name or password entered by the user is incorrect.
  • The number of online users reaches the maximum.

Troubleshooting Flowchart

A user fails to pass the 802.1x authentication.

Figure 22-3 shows the troubleshooting flowchart.

Figure 22-3  Troubleshooting flowchart for 802.1x authentication failure

Troubleshooting Procedure

NOTE:

Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide technical support personnel.

Procedure

  1. Check that 802.1x authentication is enabled on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

    Run the display dot1x command to check whether 802.1x authentication is enabled globally and on the user-side interface. If the output does not contain "Global 802.1x is enabled" or "802.1x protocol is enabled", 802.1x authentication is not enabled. Run the dot1x enable command to enable 802.1x authentication globally and on the user-side interface.

    802.1x authentication and MAC address authentication cannot be enabled on the same interface. If MAC address authentication is enabled on the interface, the system displays an error message when you run the dot1x enable command.

  2. Check that 802.1x authentication is configured correctly.

    Run the display dot1x command to check the 802.1x configuration.

    The AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 supports the following authentication methods for 802.1x: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Extensible Authentication Protocol (EAP). The authentication method is configured by using the dot1x authentication-method command.

    • The authentication method on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 must be the same as that on the authentication server.
    • EAP authentication and local authentication cannot be configured simultaneously. If the authentication method for 802.1x users is EAP, go to step 3.
    • If the authentication method for 802.1x users is PAP, check whether the client supports PAP authentication. If the client does not support PAP authentication, change the authentication method to CHAP or EAP.

  3. Check the AAA configuration.

    1. Check whether the user name contains the domain name.

      • If the user name does not contain the domain name, the user is authenticated in the default domain. In this case, check the authentication template bound to the default domain.
      • If the user name contains the domain name, the user is authenticated in the specified domain. If that domain does not exist on the device, the authentication fails. In this case, check the authentication template bound to the specified domain.
    2. Check the authentication scheme applied to the user domain on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

      • If RADIUS or HWTACACS authentication is configured for the user domain, check whether the user account and the user attributes are created on the authentication server. For details on RADIUS troubleshooting and HWTACACS troubleshooting, see RADIUS Authentication Fails and HWTACACS Authentication Fails. For details on checking the authentication server, go to step 4.
      • If local authentication is configured for the user domain, run the display local-user command to check whether the local user name and password are created on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600. If not, run the local-user command to create the local user name and password.
      • If the authentication scheme is none, go to step 6.
    3. Run the display accounting-scheme command to check the accounting scheme. If accounting is configured on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 but the authentication server does not support accounting, the user will be forced offline after going online. To allow the user to go online, disable the accounting function in the user domain or run the accounting start-fail online command in the accounting scheme view to configure the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 to keep the user online if the accounting fails.

  4. Check the configuration of the authentication server.

    • If the user information does not exist on the authentication server, create the user name and password on the authentication server.
    • If user attributes on the authentication server contain VLAN authorization information but the VLAN is not created on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600, user authorization fails. To rectify the fault, create the VLAN.
    • If user attributes on the authentication server contain ACL authorization information (ACL number or ACL content), but the ACL is not created on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 or the ACL format differs from that required by the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600, user authorization fails. To rectify the fault, create the ACL, and ensure that the ACL format used by the authentication server is the same as that required by the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

      NOTE:
      The AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 requires the following ACL format in the user attributes:
      acl acl-num key1 key-value1... keyN key-valueN permit/deny
      If the display access-user user-id command output contains the user IP address and Dynamic ACL desc (Effective), the ACL specified in the user attribute takes effect.
      Table 22-1  Description

      Field                    Description
      acl                      Delivers the ACL content.
      acl-num                  Specifies the ACL number. The value ranges from 10000 to 10999.
      permit                   Allows users matching the rules to access the network.
      deny                     Prohibits users matching the rules from accessing the network.
      keyM (1 ≤ M ≤ N)         Indicates a keyword in the ACL, including src-ip (source IP address), src-ipmask (mask of source IP address), and tcp-srcport (source TCP port number).
      key-valueM (1 ≤ M ≤ N)   Specifies the value of a keyword, which can be an IP address, a mask, or a port number.
    If the configurations of the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 and the authentication server are correct, go to step 5.
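    The ACL string delivered in the user attribute is easy to get wrong on the server side, and the router only reports the result as an authorization failure. The following validator is an added example, not code from the Huawei documentation; it checks an attribute string against the format in Table 22-1 (acl acl-num key1 key-value1 ... keyN key-valueN permit/deny, acl-num 10000 to 10999, keywords src-ip, src-ipmask and tcp-srcport) before the attribute is provisioned on the RADIUS server. The sample strings are constructed, and the value checks (dotted IPv4 for src-ip and src-ipmask, 0 to 65535 for tcp-srcport) are assumptions, since the table only names the value kinds.

```python
"""Validator for the dynamic ACL string carried in an 802.1x user's
authorization attributes. Added example; it is not part of the Huawei
documentation. It checks the format in Table 22-1 so that a malformed
attribute is caught on the RADIUS server instead of surfacing as a
user authorization failure on the router."""
import ipaddress
from dataclasses import dataclass, field

ACL_MIN, ACL_MAX = 10000, 10999  # acl-num range from Table 22-1


def _ipv4(value: str) -> bool:
    """Assumption: src-ip and src-ipmask values are dotted IPv4 strings."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def _port(value: str) -> bool:
    """Assumption: tcp-srcport is a decimal TCP port number."""
    return value.isdigit() and 0 <= int(value) <= 65535


# Keywords listed in Table 22-1 and the value check applied to each.
KEYWORDS = {
    "src-ip": _ipv4,        # source IP address
    "src-ipmask": _ipv4,    # mask of the source IP address
    "tcp-srcport": _port,   # source TCP port number
}


@dataclass
class DynamicAcl:
    number: int
    rules: dict = field(default_factory=dict)
    action: str = ""


def parse_dynamic_acl(text: str) -> DynamicAcl:
    """Parse one attribute string; raise ValueError on any format error."""
    tokens = text.split()
    if len(tokens) < 3 or tokens[0] != "acl":
        raise ValueError("attribute must start with 'acl acl-num' and end with permit or deny")
    if not tokens[1].isdigit() or not ACL_MIN <= int(tokens[1]) <= ACL_MAX:
        raise ValueError(f"acl-num must be {ACL_MIN}..{ACL_MAX}, got {tokens[1]!r}")
    action = tokens[-1]
    if action not in ("permit", "deny"):
        raise ValueError(f"last word must be permit or deny, got {action!r}")
    body = tokens[2:-1]
    if len(body) % 2:
        raise ValueError("keywords and values must come in pairs")
    rules = {}
    for key, value in zip(body[::2], body[1::2]):
        check = KEYWORDS.get(key)
        if check is None:
            raise ValueError(f"unknown keyword {key!r}")
        if not check(value):
            raise ValueError(f"bad value {value!r} for {key}")
        rules[key] = value
    return DynamicAcl(int(tokens[1]), rules, action)


def check_attributes(attrs):
    """Return {attribute string: None if valid, else the error message}."""
    results = {}
    for attr in attrs:
        try:
            parse_dynamic_acl(attr)
            results[attr] = None
        except ValueError as err:
            results[attr] = str(err)
    return results


# Constructed sample attribute strings (not from the documentation).
SAMPLE_ATTRIBUTES = [
    "acl 10001 src-ip 192.168.10.5 src-ipmask 0.0.0.0 tcp-srcport 443 permit",
    "acl 9999 src-ip 192.168.10.5 permit",              # acl-num out of range
    "acl 10002 src-ip 192.168.10.5 dst-ip 10.0.0.1 deny",  # keyword not in Table 22-1
    "acl 10003 src-ip 192.168.10.5",                    # missing permit/deny
]

if __name__ == "__main__":
    for attr, problem in check_attributes(SAMPLE_ATTRIBUTES).items():
        print(f"{'OK ' if problem is None else 'BAD'}  {attr}  {problem or ''}")
```

    Run it against the attribute strings exported from the authentication server before a rollout; any entry reported as BAD would fail step 4 on the router, and after the fix the display access-user user-id output should show Dynamic ACL desc (Effective) for the user.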

  5. Check that the user name and password entered by the user are correct.

    If RADIUS authentication is used and the authentication method is CHAP or PAP, run the test-aaa command to check whether the user name and password can pass the RADIUS authentication.
    • If the authentication fails, check the RADIUS server configuration and the RADIUS configuration on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600. For details, see Troubleshooting Procedure in RADIUS Authentication Fails.
    • If the user passes the authentication, check the option settings on the client, or capture packet headers on the network adapter of the client to check whether the client sends authentication packets correctly.
    If the preceding configurations are correct, go to step 6.

  6. Run the display dot1x interface interface-type interface-number command on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 to check whether the number of online 802.1x users reaches the maximum.

    If the number of online 802.1x users reaches the maximum, the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 does not trigger authentication for subsequent users, and subsequent users cannot go online.

  7. If the fault persists, collect the following information and contact technical support personnel:

    • Results of the preceding troubleshooting procedure
    • Configuration file, log file, and alarm file of the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600

Updated: 2019-05-10

Document ID: EDOC1000079719