Troubleshooting 802.1X Authentication Failures
- Overview
- Prerequisites
- Quickly Locating Causes of 802.1X Authentication Failures
- Troubleshooting 802.1X Authentication Failures
- The AAA Domain to Which the User Belongs Is Incorrect
- The EAP Authentication Methods of the Switch, Client, and RADIUS Server Are Different
- The RADIUS Server Responds with an Access-Reject Packet
- The RADIUS Server Does Not Respond
- The User Is in Quiet State
- The 802.1X User Account Is Locked Out
- The Switch Does Not Receive Any Response from the Client After Sending an EAP-Request/Identity Packet
- The Switch Does Not Receive Any Response from the Client After Sending an EAP-Request/MD5 Challenge Packet
- Related Information About Huawei 802.1X Authentication
Overview
This document describes common causes and troubleshooting methods of 802.1X authentication failures when Huawei S series switches function as access switches in wired and wireless 802.1X authentication scenarios. In most cases, 802.1X authentication involves multiple third-party clients and servers. If a fault occurs on a third-party device, you need to work with the vendor of the third-party device to rectify the fault.
Prerequisites
This document uses Huawei S series switches running V200R019C10 as an example. For the functions and commands used on your switch, see the documentation of the specific version.
Quickly Locating Causes of 802.1X Authentication Failures
The 802.1X user access process consists of authentication and access. Authentication, authorization, and accounting (AAA) and Remote Authentication Dial-In User Service (RADIUS) are typically used for authentication, and 802.1X is used for access control. To locate an 802.1X authentication failure, you need to check whether authentication configurations are correct and then locate the failure using commands or the trace function. The following describes the procedure for locating an 802.1X authentication failure:
- Check whether the AAA and 802.1X configurations are correct.
- Check the cause of the user access failure. Run the display aaa online-fail-record command and read the User online fail reason field. If the fault cannot be rectified based on the failure cause, go to step 3.
- Check trace diagnostic information based on the user's MAC or IP address, such as the status change and protocol processing result of the user during authentication. To enable the trace diagnosis function, perform the following operations:
  - Run the trace enable command in the system view to enable the trace diagnosis function.
  - Run the trace object mac-address mac-address command in the system view to create an object to be diagnosed based on the user MAC address.
The following table lists the common causes shown in the display aaa online-fail-record command output or in trace diagnostic information, what each one means, and the section that describes how to handle it.

Cause | Meaning | Handling Suggestion
---|---|---
- | The AAA domain to which the user belongs is incorrect. | The AAA Domain to Which the User Belongs Is Incorrect
- | The Extensible Authentication Protocol (EAP) authentication methods of the switch, client, and RADIUS server are different. | The EAP Authentication Methods of the Switch, Client, and RADIUS Server Are Different
Radius authentication reject | The RADIUS server rejects the authentication request. The possible cause is displayed by the User online fail reason field in the display aaa online-fail-record command output. | The RADIUS Server Responds with an Access-Reject Packet
Received a authentication reject packet from radius server(server ip = x.x.x.x). | The switch receives an Access-Reject packet from the RADIUS server. The possible cause is displayed in the trace object command output. | The RADIUS Server Responds with an Access-Reject Packet
The radius server is up but has no reply | The RADIUS server is up but does not respond. The value of the User online fail reason field in the command output specifies the reason. | The RADIUS Server Does Not Respond
The radius server is not reachable | The RADIUS server is unreachable. The value of the User online fail reason field in the command output specifies the reason. | The RADIUS Server Does Not Respond
AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(73). | The AAA module receives a message indicating that the RADIUS server does not respond. The possible cause is displayed in the trace object command output. | The RADIUS Server Does Not Respond
User is still in quiet status | The user is in quiet state. The possible cause is displayed in the trace object command output. | The User Is in Quiet State
Remote user is blocked or Local Authentication user block | The user account is locked out. The value of the User online fail reason field in the command output specifies the reason. | The 802.1X User Account Is Locked Out
No response of request identity from user | The switch does not receive any response from the client after sending an EAP-Request/Identity packet to the client. The possible cause is displayed in the trace object command output. | The Switch Does Not Receive Any Response from the Client After Sending an EAP-Request/Identity Packet
No response of request challenge from user | The switch does not receive any response from the client after sending an EAP-Request/MD5 Challenge packet. The possible cause is displayed in the trace object command output. | The Switch Does Not Receive Any Response from the Client After Sending an EAP-Request/MD5 Challenge Packet
Troubleshooting 802.1X Authentication Failures
The AAA Domain to Which the User Belongs Is Incorrect
Context
The switch uniformly manages AAA configurations (including the authentication protocol, authorization protocol, accounting protocol, and authentication server) based on domains. The AAA configurations of users are determined by the domains to which the users belong. To enable a user to use the expected AAA configurations, ensure that the domain to which the user belongs is correct. Domains are classified into mandatory domains, domains in user names, and default domains. These domains are used based on their priorities.
Troubleshooting Procedure
The NAC mode is classified into unified mode and common mode. The troubleshooting methods vary depending on the NAC mode. Before troubleshooting, run the display authentication mode command to check the NAC mode.
- If Current authentication mode is unified-mode is displayed in the command output, the current NAC mode is unified mode.
- If Current authentication mode is common-mode is displayed in the command output, the current NAC mode is common mode.
Unified Mode
The following domains are listed in descending order of priority:
- Forcible domain for 802.1X users, which is configured using the access-domain domain-name dot1x force command in the authentication profile view
- Forcible domain for all users, which is configured using the access-domain domain-name force command in the authentication profile view
- Domain contained in a user name. For example, if the user name entered during authentication is user1@huawei.com and the domain name delimiter configured on the device is @, the domain contained in the user name is huawei.com.
If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in one of the following default domains.
- Default domain for 802.1X users, which is configured using the access-domain domain-name dot1x command in the authentication profile view
- Default domain for all users, which is configured using the access-domain domain-name command (without the force keyword) in the authentication profile view
- Global default domain, which is configured using the domain domain-name command in the system view
Check the forcible domain, default domain, domain in a user name, and global default domain in sequence, and determine the domain to which the user belongs based on the priorities of the preceding domains. Then check whether the AAA configuration in that domain is correct, for example, whether RADIUS authentication is used and whether the RADIUS server meets the authentication requirements. If so, the fault is not caused by an incorrect domain configuration. If not, modify the configuration in the domain or specify a new domain.
- Run the display authentication-profile configuration command to check the domain configuration in the authentication profile.
<HUAWEI> display authentication-profile configuration name authen1
  ...
  Force domain                 : -   //Forcible domain for all users in the authentication profile
  Dot1x force domain           : -   //Forcible domain for 802.1X users in the authentication profile
  Mac-authen force domain      : -
  Portal force domain          : -
  Default domain               : -   //Default domain for all users in the authentication profile
  Dot1x default domain         : -   //Default domain for 802.1X users in the authentication profile
  Mac-authen default domain    : -
  Portal default domain        : -
- Check the domain in a user name. For example, if the user name entered during authentication is user1@huawei.com and the domain name delimiter configured on the device is @, the domain in the user name is huawei.com.
- Run the display aaa configuration command to check the global default domain.
<HUAWEI> display aaa configuration
  ...
  Administrator user default domain: default_admin
  Normal user default domain       : huawei   //Global default domain
  Domain                           : total: 32  used: 2
  Authentication-scheme            : total: 17  used: 2
  Accounting-scheme                : total: 16  used: 1
  Authorization-scheme             : total: 16  used: 1
  ...
- Run the display domain name domain-name command to check whether the AAA configuration in the specified domain is correct.
<HUAWEI> display domain name huawei
  ...
  Authentication-scheme-name    : radius    //Authentication scheme
  Accounting-scheme-name        : default   //Accounting scheme
  Authorization-scheme-name     : -         //Authorization scheme
  Service-scheme-name           : -
  RADIUS-server-template        : default   //RADIUS server template
Run the display authentication-scheme, display accounting-scheme, and display radius-server configuration template commands to check whether the configurations are correct.
Common Mode
The following domains are listed in descending order of priority:
- Domain configured on the interface used for 802.1X user authentication. To configure the domain, run the dot1x domain domain-name command.
- Domain in a user name. For example, if the user name entered during authentication is user1@huawei.com and the domain name delimiter configured on the device is @, the domain in the user name is huawei.com.
- Global default domain, which is configured using the domain domain-name command in the system view
Check the domain configured on the interface used for user authentication, domain in a user name, and global default domain in sequence. Determine the domain to which the user belongs based on the priorities of the preceding domains. Check whether the AAA configuration in the domain to which the user belongs is correct, for example, whether RADIUS authentication is used and whether the RADIUS server meets authentication requirements. If so, the fault is not caused by incorrect domain configuration. If not, modify the configuration in the domain or specify a new domain.
You need to check whether an 802.1X authentication domain is specified on an interface used for user authentication, and then check the global default domain. Perform the following operation for troubleshooting:
- Run the display current-configuration | include dot1x domain command to check the domain configured on the interface used for 802.1X user authentication.
<HUAWEI> display current-configuration | include dot1x domain
 dot1x domain huawei
- The methods of checking the domain in a user name, the global default domain, and the AAA configuration in common mode are the same as those in unified mode. For details, see steps 2, 3, and 4 in Unified Mode.
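The domain-selection rules for both unified mode and common mode can be written down as a single decision procedure, which is useful when several domain settings exist at once and it is not obvious which one wins. The following is an added example and not Huawei code; the configuration values and user names in it are constructed, and the rule that a domain carried in the user name counts only if it is a configured domain follows the statement above that an invalid domain in the user name falls through to the default domains.

```python
# Added example (not Huawei's own code): 802.1X domain selection following the
# priority lists above for NAC unified mode and common mode.
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class SwitchDomainConfig:
    """Domain-related settings read off the switch (constructed values in the demo)."""
    configured_domains: Set[str]             # domains that exist on the switch
    global_default: Optional[str] = None     # system view: domain <domain-name>
    delimiter: str = "@"                     # domain name delimiter
    # Unified mode: authentication profile view
    dot1x_force: Optional[str] = None        # access-domain <name> dot1x force
    all_force: Optional[str] = None          # access-domain <name> force
    dot1x_default: Optional[str] = None      # access-domain <name> dot1x
    all_default: Optional[str] = None        # access-domain <name>
    # Common mode: interface view
    interface_domain: Optional[str] = None   # dot1x domain <name>


def domain_in_username(username: str, cfg: SwitchDomainConfig) -> Optional[str]:
    """Return the domain carried in the user name, or None if the user name has
    no domain or names a domain that is not configured on the switch."""
    if cfg.delimiter not in username:
        return None
    domain = username.rsplit(cfg.delimiter, 1)[1]
    return domain if domain in cfg.configured_domains else None


def select_domain(username: str, cfg: SwitchDomainConfig, mode: str) -> Tuple[Optional[str], str]:
    """Return (domain, source): the domain the user is authenticated in and the
    setting it came from. `mode` is the value shown by display authentication mode."""
    if mode == "unified-mode":
        candidates = [
            ("dot1x force domain", cfg.dot1x_force),
            ("force domain", cfg.all_force),
            ("domain in user name", domain_in_username(username, cfg)),
            ("dot1x default domain", cfg.dot1x_default),
            ("default domain", cfg.all_default),
            ("global default domain", cfg.global_default),
        ]
    elif mode == "common-mode":
        candidates = [
            ("interface dot1x domain", cfg.interface_domain),
            ("domain in user name", domain_in_username(username, cfg)),
            ("global default domain", cfg.global_default),
        ]
    else:
        raise ValueError(f"unknown NAC mode: {mode}")
    for source, domain in candidates:
        if domain:
            return domain, source
    return None, "no domain"


if __name__ == "__main__":
    # Constructed configuration: domains huawei.com and huawei exist, global default is huawei.
    cfg = SwitchDomainConfig(configured_domains={"huawei", "huawei.com"}, global_default="huawei")
    for user in ("user1@huawei.com", "user1@unknown.com", "user1"):
        print(user, "->", select_domain(user, cfg, "unified-mode"))
    cfg.dot1x_force = "dot1x-only"
    print("with dot1x force domain:", select_domain("user1@huawei.com", cfg, "unified-mode"))
```

Running it shows that a forcible domain overrides whatever the user typed, while an unknown domain in the user name is ignored and the user lands in the first configured default domain, which is exactly the sequence the troubleshooting steps above walk through.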
The EAP Authentication Methods of the Switch, Client, and RADIUS Server Are Different
Context
In the 802.1X authentication system, information is exchanged among the switch, client, and authentication server using EAP. EAP authentication methods include EAP relay (EAP-TLS, EAP-TTLS, and EAP-PEAP) and EAP termination (PAP and CHAP).
When configuring an EAP authentication method, note the following:
- The EAP authentication methods configured on the switch, client, and authentication server must be the same.
  - Only RADIUS authentication supports EAP relay.
  - Local authentication supports only EAP termination.
- To support authentication for most terminals, the switch must have EAP relay configured.
  Mobile phones do not support the combination of 802.1X authentication and local authentication because they do not support EAP termination. Terminals such as laptops support EAP termination only after third-party clients are installed.
When an 802.1X user is online on an interface and the EAP authentication method is modified in the 802.1X access profile bound to the interface, the online user is logged out if the authentication method is switched between EAP termination and EAP relay. If the authentication method is switched between CHAP and PAP in EAP termination, the user remains online.
Troubleshooting Procedure
The NAC mode is classified into unified mode and common mode. The troubleshooting methods vary depending on the NAC mode. Before troubleshooting, run the display authentication mode command to check the NAC mode.
- If Current authentication mode is unified-mode is displayed in the command output, the current NAC mode is unified mode.
- If Current authentication mode is common-mode is displayed in the command output, the current NAC mode is common mode.
Unified Mode
Run the display dot1x-access-profile configuration command and check the value of the Authentication method field in the command output to determine whether the EAP authentication method configured on the switch is consistent with that on the client and RADIUS server.
<HUAWEI> display dot1x-access-profile configuration name d1
  Profile Name            : d1
  Authentication method   : EAP
  ...
In NAC unified mode, the default authentication method for 802.1X users is eap, which indicates authentication using EAP relay. If the authentication method configured on the switch is inconsistent with that on the client or RADIUS server, run the dot1x authentication-method { chap | pap | eap } command in the 802.1X access profile view to change the authentication method for 802.1X users.
Common Mode
Run the display current-configuration | include dot1x authentication-method command to check whether the EAP authentication method configured on the switch is consistent with that on the client and RADIUS server.
<HUAWEI> display current-configuration | include dot1x authentication-method
 dot1x authentication-method eap
In NAC common mode, the default authentication method for 802.1X users is chap, which indicates CHAP authentication in EAP termination mode. If the authentication method configured on the switch is inconsistent with that on the client or RADIUS server, run the dot1x authentication-method { chap | pap | eap } command in the system view or interface view to change the authentication method for 802.1X users.
If the dot1x authentication-method command is run in both the system view and interface view, the configuration in the interface view takes precedence.
The RADIUS Server Responds with an Access-Reject Packet
Context
The RADIUS server responds with an Access-Reject packet, indicating that the server has rejected one or more attributes (such as the user credentials) in the Access-Request packet sent on behalf of the client, so the client fails the authentication.
Fault Symptom
When the RADIUS server responds with an Access-Reject packet, the display aaa online-fail-record all command output and trace diagnostic information are as follows:
- In the display aaa online-fail-record all command output, the User online fail reason field displays Radius authentication reject.
<HUAWEI> display aaa online-fail-record all
------------------------------------------------------------------------------
  ...
  User login time          : 2019/11/21 17:17:58
  User online fail reason  : Radius authentication reject
  Authen reply message     : Remote authentication is rejecte...
  User name to server      : test
------------------------------------------------------------------------------
- The trace diagnostic information "Received a authentication reject packet from radius server(server ip = 10.1.1.1)" shows that an Access-Reject packet was received from the RADIUS server at IP address 10.1.1.1.
[BTRACE][2019/11/22 14:29:32][7177][RADIUS][000c-291a-4b03]: Received a authentication reject packet from radius server(server ip = 10.1.1.1).   //The switch receives an Access-Reject packet from the RADIUS server.
...
[BTRACE][2019/11/22 14:29:32][7177][RADIUS][000c-291a-4b03]:Send authentication reject message to AAA.
[BTRACE][2019/11/22 14:29:32][7177][AAA][000c-291a-4b03]: AAA receive AAA_RD_MSG_AUTHENREJECT message(51) from RADIUS module(73).
Troubleshooting Procedure
The possible causes of this problem include incorrect user name or password and mismatch of the RADIUS server authorization policy. You can locate the root cause by checking RADIUS server logs and running the test-aaa command on the switch and then adjust the server, client, or switch configurations to solve this problem.
For certificate-based 802.1X authentication, the client and server need to verify the validity of each other's certificates. When the client uses EAP-PEAP authentication, server certificate verification can be disabled on the client. In this case, you need to capture and analyze packets on the client or server. Common certificate errors include expired certificates and a CA certificate that has not been added to the client's list of trusted certificates, which shows up as an error message such as "Unknown CA".
The RADIUS Server Does Not Respond
Context
During user authentication, the switch sends an authentication request packet to the RADIUS server. In this process, the switch may fail to receive a response packet from the server if a problem such as a network fault or delay occurs. To handle this, a retransmission-upon-timeout mechanism is used: the maximum number of retransmissions and the retransmission interval are specified using timers. In Figure 1-1, if the switch still does not receive any response packet from the RADIUS server after the retransmissions stop, the switch sets the RADIUS server status to down or considers that the RADIUS server does not respond.
Fault Symptom
When the RADIUS server does not respond, the display aaa online-fail-record all command output and trace diagnostic information are as follows:
- In the display aaa online-fail-record all command output, the User online fail reason field displays The radius server is up but has no reply or The radius server is not reachable.
<HUAWEI> display aaa online-fail-record all
------------------------------------------------------------------------------
  ...
  User login time          : 2019/11/22 14:28:45
  User online fail reason  : The radius server is up but has no reply
  Authen reply message     : -
  User name to server      : test
------------------------------------------------------------------------------
- "AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(73)" is displayed in trace diagnostic information.
[BTRACE][2019/11/22 16:11:33][7177][AAA][000c-291a-4b03]: AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(73).
[BTRACE][2019/11/22 16:11:33][7177][AAA][000c-291a-4b03]: CID:10 TemplateNo:0 SerialNo:39 SrcMsg:AAA_RD_MSG_AUTHENREQ PriyServer::: Vrf:0 SendServer::: Vrf:0
Troubleshooting Method
Scenario 1: The shared key configured on the RADIUS server is inconsistent with that configured on the switch.
Run the radius-server shared-key cipher key-string command in the RADIUS server template view to reconfigure a shared key on the switch and reconfigure a shared key on the RADIUS server to ensure that the shared keys configured on the switch and RADIUS server are the same.
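A shared-key mismatch appears as "no reply" rather than as a rejection because the switch validates every RADIUS response with its own key and silently discards one whose Response Authenticator does not verify, so the retransmission timers run out as if the server had never answered. The following added example (not Huawei code, written against RFC 2865) builds an Access-Request and an Access-Accept with a constructed user name, NAS IP address and Reply-Message, and shows the validation succeeding with matching keys and failing with mismatched ones.

```python
# Added example (not Huawei's own code): RADIUS Response Authenticator
# validation per RFC 2865, showing why a shared-key mismatch looks like
# "server is up but has no reply". All packet contents are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE = 1, 4, 18
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value must fit in 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, request_auth: bytes, attrs: bytes) -> bytes:
    """NAS side: Access-Request carries a 16-byte random Request Authenticator."""
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, identifier: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with the NAS's own secret.
    A response that fails this check is discarded as if it had never arrived."""
    if len(response) < HEADER_LEN:
        return False
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def simulate_exchange(key_on_server: bytes, key_on_switch: bytes) -> bool:
    """Switch sends an Access-Request; the server answers Access-Accept using its
    key; the switch validates the answer with its key. Returns the validation result."""
    request_auth = os.urandom(16)
    request = build_access_request(
        7, request_auth,
        attribute(ATTR_USER_NAME, b"test")
        + attribute(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 101])))
    # The server echoes the Identifier and uses the Request Authenticator it received.
    identifier, echoed_request_auth = request[1], request[4:20]
    accept = build_response(ACCESS_ACCEPT, identifier, echoed_request_auth,
                            attribute(ATTR_REPLY_MESSAGE, b"Welcome"), key_on_server)
    return response_is_authentic(accept, request_auth, key_on_switch)


if __name__ == "__main__":
    print("matching keys   ->", simulate_exchange(b"constructed-key", b"constructed-key"))
    print("mismatched keys ->", simulate_exchange(b"constructed-key", b"Constructed-key"))
```

Note that the check is over the whole packet, so a single differing byte in the key, including a trailing space or a case difference, is enough for the switch to drop an otherwise valid Access-Accept. For 802.1X the EAP-carrying packets additionally carry a Message-Authenticator attribute (HMAC-MD5 over the packet, RFC 3579), which fails in the same way under a key mismatch.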
Scenario 2: The IP address of the switch is not specified on the RADIUS server, or the specified IP address is incorrect.
- Run the display radius-server configuration template name command to check whether the source IP address is configured. The Source IP field in the command output indicates the source IP address.
  - If the Source IP field displays a value, the source IP address is configured. Ensure that the IP address of the switch specified on the RADIUS server is the same as that displayed in the command output.
  - If the Source IP field does not display any value, the source IP address is the default value. Go to step 2 to check the source IP address.
<HUAWEI> display radius-server configuration template test_template
------------------------------------------------------------------------------
  Server-template-name             : test_template
  Protocol-version                 : standard
  Traffic-unit                     : B
  Shared-secret-key                : %^%#bc<!/;OBSWm[r"*.7LDG+S@fC8VLL"2ul$Gje-lM%^%#
  Group-filter                     : class
  Timeout-interval(in second)      : 5
  Retransmission                   : 3
  EndPacketSendTime                : 3
  Dead time(in minute)             : 5
  Domain-included                  : Original
  NAS-IP-Address                   : -
  Calling-station-id MAC-format    : xxxx-xxxx-xxxx
  Called-station-id MAC-format     : XX-XX-XX-XX-XX-XX
  NAS-Port-ID format               : New
  Service-type                     : -
  NAS-IPv6-Address                 : ::
  Server algorithm                 : master-backup
  Detect-interval(in second)       : 60
  Authentication Server 1          : 192.168.1.1  Port:1812  Weight:80  [UP]
                                     Vrf:-  LoopBack:NULL  Vlanif:NULL
                                     Source IP: 192.168.1.101
  Accounting Server 1              : 192.168.1.1  Port:1813  Weight:80  [UP]
                                     Vrf:-  LoopBack:NULL  Vlanif:NULL
                                     Source IP: ::
------------------------------------------------------------------------------
- If the source IP address is the default value, that is, the IP address of the outbound interface for authentication request packets, determine the source IP address from the IP routing table. The following example is a direct-route scenario in which the IP address of the RADIUS server is 192.168.1.1. In the IP routing table, the NextHop field displays 192.168.1.101, which is used as the source IP address of authentication request packets. Ensure that the IP address of the switch specified on the RADIUS server is the same as the value of the NextHop field in the command output.
<HUAWEI> display ip routing-table 192.168.1.1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
192.168.1.0/24      Direct  0    0         D     192.168.1.101   Vlanif4094
Scenario 3: The firewall blocks the port numbers of the RADIUS server.
If the IP address of the switch specified on the RADIUS server is correct, analyze packets on both the switch and RADIUS server to check whether the intermediate link is faulty. The possible link failure is that a firewall deployed on the intermediate network blocks the port numbers (default authentication port 1812 and accounting port 1813) of the RADIUS server.
Scenario 4: The RADIUS server or intermediate network is abnormal.
If a large number of users fail to be authenticated and the RDAUTHDOWN log (indicating that the RADIUS server is down) is generated on the switch, there is a high probability that the RADIUS server or intermediate network is abnormal. In this case, you need to check the RADIUS server and intermediate network one by one.
Nov 22 2019 14:28:46+08:00 HUAWEI %%01RDS/4/RDAUTHDOWN(l)[10]:Communication with the RADIUS authentication server ( IP: 172.16.1.1 Vpn-Instance: -- ) is interrupted!
The User Is in Quiet State
Context
In Figure 1-2, if the number of authentication failures of a user within 60 seconds exceeds the value specified in the dot1x quiet-times fail-times command, the switch quiets the user for a period of time specified by the dot1x timer quiet-period quiet-period-value command. Within the specified quiet period, the switch discards the 802.1X authentication request of the user to prevent the system from being affected by frequent authentication failures of the user in a short period of time.
Fault Symptom
"User is still in quiet status" is displayed in trace diagnostic information.
[BTRACE][2019/11/21 15:25:01][7177][EAPoL][000c-291a-4b03]:User is still in quiet status.(MAC:000c-291a-4b03)   //The client is in quiet state and its packets are discarded.
[BTRACE][2019/11/21 15:25:01][7177][EAPoL][000c-291a-4b03]:Quiet table check failure,drop the packet.
[BTRACE][2019/11/21 15:25:01][7177][EAPoL][000c-291a-4b03]:Failed to check packet,drop the packet.(MAC=000c-291a-4b03).
Troubleshooting Procedure
Run the display dot1x quiet-user all command to check the MAC addresses in quiet state and the remaining quiet time.
<HUAWEI> display dot1x quiet-user all
---------------------------------------------------------------
MacAddress             Quiet Remain Time(Sec)
---------------------------------------------------------------
000c-291a-4b03         49
---------------------------------------------------------------
1 silent mac address(es) found, 1 printed.
The 802.1X user with the specified MAC address can attempt authentication again only after the quiet period expires. You can also run the dot1x timer quiet-period quiet-period-value command in the system view to set a shorter quiet period for 802.1X authentication users.
The 802.1X User Account Is Locked Out
Context
To ensure the security of user accounts and passwords, the switch provides the account lockout function. If a user enters incorrect user names or passwords more than the maximum number of consecutive authentication failures within the given period, the user account is locked out. After the lockout duration expires, the user account is unlocked.
- Account lockout for local authentication users: This function is enabled by default. If a user enters incorrect passwords three consecutive times within 5 minutes, the user account is locked out for 5 minutes. To modify the default settings for account lockout, run the local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time command in the AAA view.
- Account lockout for server authentication users in versions earlier than V200R019C00: This function is enabled by default. If a user enters incorrect passwords 30 consecutive times within 5 minutes, the user account is locked out for 5 minutes. To modify the default settings for account lockout, run the remote-aaa-user authen-fail retry-interval retry-interval retry-time retry-time block-time block-time command in the AAA view.
- In V200R019C00 and later versions, the account lockout function for server authentication users distinguishes between access users and administrators.
  - Account lockout for server authentication access users: This function is disabled by default. Its settings can be modified using the access-user remote authen-fail retry-interval retry-interval retry-time retry-time block-time block-time command in the AAA view.
  - Account lockout for server authentication administrators: This function is enabled by default. If a user enters incorrect passwords 30 consecutive times within 5 minutes, the user account is locked out for 5 minutes. To modify the default settings for account lockout, run the administrator remote authen-fail retry-interval retry-interval retry-time retry-time block-time block-time command in the AAA view.
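The 802.1X quiet function described in The User Is in Quiet State (failures within 60 seconds exceeding dot1x quiet-times, then a quiet period of dot1x timer quiet-period) and the account lockout function described here (retry-time failures within retry-interval, then block-time) are both sliding-window failure counters with a temporary block; they differ only in whether the count must exceed or merely reach the threshold, and in that a successful login resets a run of consecutive failures. The following added example (not Huawei code) models that shared mechanism in one class; the thresholds and timestamps in the demo are constructed, except for the documented local-account default of three failures in 5 minutes and a 5-minute lockout.

```python
# Added example (not Huawei's own code): sliding-window failure counter with a
# temporary block, parameterised so that it models both the 802.1X quiet function
# and the AAA account lockout function. Timestamps are plain seconds.
from collections import defaultdict, deque
from typing import Deque, Dict


class FailureLock:
    """window:        seconds over which failures are counted
                      (60 s for the quiet function; retry-interval for account lockout)
       threshold:     dot1x quiet-times fail-times, or retry-time for account lockout
       block_seconds: dot1x timer quiet-period, or block-time for account lockout
       trigger:       "exceeds" -> block when failures in the window > threshold (quiet function)
                      "reaches" -> block when failures in the window >= threshold (account lockout)
    """

    def __init__(self, window: int, threshold: int, block_seconds: int, trigger: str = "reaches"):
        if trigger not in ("exceeds", "reaches"):
            raise ValueError("trigger must be 'exceeds' or 'reaches'")
        self.window, self.threshold, self.block_seconds, self.trigger = window, threshold, block_seconds, trigger
        self._failures: Dict[str, Deque[int]] = defaultdict(deque)   # key -> failure timestamps
        self._blocked_until: Dict[str, int] = {}                    # key -> block expiry

    def is_blocked(self, key: str, now: int) -> bool:
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                       # block expired: forget the failure history
            del self._blocked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def remaining_block_time(self, key: str, now: int) -> int:
        """Seconds left in the block (the Quiet Remain Time / Block-time-left columns)."""
        return self._blocked_until[key] - now if self.is_blocked(key, now) else 0

    def record_failure(self, key: str, now: int) -> bool:
        """Register one failed attempt at time `now`; return True if `key` is blocked."""
        if self.is_blocked(key, now):
            return True                        # attempts from a blocked key are dropped
        history = self._failures[key]
        history.append(now)
        while history and now - history[0] > self.window:   # age out failures outside the window
            history.popleft()
        count = len(history)
        hit = count > self.threshold if self.trigger == "exceeds" else count >= self.threshold
        if hit:
            self._blocked_until[key] = now + self.block_seconds
            history.clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        """A successful authentication ends the run of consecutive failures."""
        self._failures.pop(key, None)


if __name__ == "__main__":
    # Constructed quiet settings: quiet-times 2, quiet-period 120 s, fixed 60 s window.
    quiet = FailureLock(window=60, threshold=2, block_seconds=120, trigger="exceeds")
    for t in (0, 10, 20):
        print(f"t={t:3d}s 802.1X failure -> quiet: {quiet.record_failure('000c-291a-4b03', t)}")
    print("remaining quiet time at t=100s:", quiet.remaining_block_time("000c-291a-4b03", 100))

    # Documented local-account default: 3 failures within 5 minutes -> 5-minute lockout.
    lockout = FailureLock(window=300, threshold=3, block_seconds=300, trigger="reaches")
    for t in (0, 60, 120):
        print(f"t={t:3d}s wrong password -> locked: {lockout.record_failure('test2', t)}")
```

The two operational consequences noted above fall out of the model: a blocked key is simply dropped until the expiry time, which is why retrying early never helps, and because the key is the account (not the terminal) for the lockout case, every terminal sharing the account fails together.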
Fault Symptom
The User online fail reason field displays Remote user is blocked in the display aaa online-fail-record all command output, indicating that the remote authentication user account is locked out. If this field displays Local Authentication user block, the local authentication user account is locked out.
Troubleshooting Procedure
- Run the display local-user state block command to check the locked-out local authentication account and remaining lockout duration.
<HUAWEI> display local-user state block
----------------------------------------------------------------------------
User-name        State   AuthMask  AdminLevel  BlockTime
----------------------------------------------------------------------------
test2            B       T         0           2018-04-10 01:55:11-00:00
----------------------------------------------------------------------------
Total 1 user(s)
<HUAWEI> display local-user state block username test2
  The contents of local user(s):
  Password                 : ****************
  State                    : block
  Service-type-mask        : T
  Privilege level          : 0
  Ftp-directory            : -
  HTTP-directory           : -
  Access-limit             : -
  Accessed-num             : 0
  Idle-timeout             : -
  Block-time-left          : 8 Min(s)   //The account test2 will be unlocked after 8 minutes and can then be re-authenticated.
  Original-password        : Yes
  Password-set-time        : 2019-01-27 13:26:55+08:00
  Password-expired         : No
  Password-expire-time     : -
  Account-expire-time      : -
- Check whether the locked-out account needs to be activated immediately based on the Block-time-left field.
- If so, run the local-user name state active command in the AAA view to activate the account. After the account is activated, the user needs to enter the correct user name and password for login. Otherwise, the account will be locked out again when the number of consecutive password failures reaches the limit.
- If not, enable the user to enter the correct user name and password for login after the remaining lockout duration expires. Otherwise, the account will be locked out again when the number of consecutive password failures reaches the limit.
If an account is used by multiple terminals and is locked out, all the terminals using the account fail the authentication.
The Switch Does Not Receive Any Response from the Client After Sending an EAP-Request/Identity Packet
Context
During 802.1X authentication, the switch sends an EAP-Request/Identity packet to the client to request the user name. The maximum number of times the EAP-Request/Identity packet is retransmitted and the interval for retransmitting the packet are configured using a command.
In Figure 1-3, the switch sends an EAP Failure packet to the client if it does not receive any response to its EAP-Request/Identity packet from the client after the number of retransmissions exceeds the maximum value.
The interval at which the switch retransmits EAP-Request/Identity packets is configured using the dot1x timer tx-period tx-period command, and the maximum number of retransmissions is configured using the dot1x retry max-retry-value command. The EAP-Request/Identity packet timeout period is calculated using the following formula: Timeout = (max-retry-value + 1) * tx-period-value.
Fault Symptom
"No response of request identity from user" is displayed in trace diagnostic information. The information shows that the switch does not receive any response after sending an EAP-Request/Identity packet. After the timeout period expires, the switch retransmits the Request/Identity packet.
[BTRACE][2019/11/21 15:04:36][7177][EAPoL][000c-291a-4b03]:Send a EAPoL request identity packet to user.   //The switch sends an EAP-Request/Identity packet for the first time.
[BTRACE][2019/11/21 15:04:36][7177][EAPoL][000c-291a-4b03]:Add a Eap Packet Node to EAPOL Ucib, MAC is 000c-291a-4b03.
[BTRACE][2019/11/21 15:04:36][7177][EAPoL][000c-291a-4b03]: EAPOL packet: OUT 00 0c 29 1a 4b 03 2c 97 b1 e9 52 a0 81 00 00 2a 88 8e 01 00 00 05 01 87 00 05 01
[BTRACE][2019/11/21 15:04:36][7177][EAPoL][000c-291a-4b03]: 802.1x packet: Version:802.1X-2001(1); Type:Eap(0); Length:5
 EAPOL packet: Code:Request(1); Id:135; Length:5; Type:Identity(1)
[BTRACE][2019/11/21 15:04:36][7177][EAPoL][000c-291a-4b03]:Send EAP_request packet to user successfully.(Index=134)
[BTRACE][2019/11/21 15:05:06][7177][EAPoL][000c-291a-4b03]:No response of request identity from user.   //The switch does not receive any response from the client within the timeout period of 30 seconds.
[BTRACE][2019/11/21 15:05:06][7177][EAPoL][000c-291a-4b03]:Resend a EAPoL request identity packet to user.   //The device retransmits the Request/Identity packet.
[BTRACE][2019/11/21 15:05:06][7177][EAPoL][000c-291a-4b03]:Add a Eap Packet Node to EAPOL Ucib, MAC is 000c-291a-4b03.
[BTRACE][2019/11/21 15:05:06][7177][EAPoL][000c-291a-4b03]: EAPOL packet: OUT 00 0c 29 1a 4b 03 2c 97 b1 e9 52 a0 81 00 00 2a 88 8e 01 00 00 05 01 87 00 05 01
[BTRACE][2019/11/21 15:05:06][7177][EAPoL][000c-291a-4b03]: 802.1x packet: Version:802.1X-2001(1); Type:Eap(0); Length:5
 EAPOL packet: Code:Request(1); Id:135; Length:5; Type:Identity(1)
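The trace prints the raw frame bytes and, on the next line, the switch's own decode of them. Being able to reproduce that decode from the hex dump, or from a packet capture taken on the client side, is what lets you tell whether a frame reached the terminal intact or was altered or dropped by an intermediate device. The following added example (not Huawei code) parses an EAPOL frame, including an 802.1Q tag, and is fed the 27 bytes from the trace above; the name tables are taken from IEEE 802.1X and the EAP RFCs, and the only constructed input is the truncated frame used to show the length checks.

```python
# Added example (not Huawei's own code): decode an EAPOL frame from a hex dump
# such as the "EAPOL packet: OUT ..." line in the trace above.
import struct

PAE_GROUP_MAC = "01:80:c2:00:00:03"          # 802.1X PAE group address
ETHERTYPE_8021Q, ETHERTYPE_EAPOL = 0x8100, 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Legacy Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# Bytes copied from the trace line "EAPOL packet: OUT ..." above.
TRACE_HEX = "00 0c 29 1a 4b 03 2c 97 b1 e9 52 a0 81 00 00 2a 88 8e 01 00 00 05 01 87 00 05 01"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_eapol_frame(frame: bytes) -> dict:
    """Parse Ethernet (+ optional 802.1Q tag) / EAPOL / EAP headers.
    Raises ValueError on truncated or non-EAPOL input instead of guessing."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:                # VLAN-tagged: TCI then real ethertype
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame: ethertype 0x{ethertype:04x}")
    if len(frame) < offset + 4:
        raise ValueError("truncated EAPOL header")
    version, pkt_type, body_len = struct.unpack("!BBH", frame[offset:offset + 4])
    body = frame[offset + 4:offset + 4 + body_len]
    if len(body) < body_len:
        raise ValueError(f"EAPOL body truncated: want {body_len}, have {len(body)}")
    info = {
        "dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
        "is_pae_group_address": mac_str(dst) == PAE_GROUP_MAC,
        "eapol_version": version, "eapol_type": pkt_type,
        "eapol_type_name": EAPOL_TYPES.get(pkt_type, "Unknown"), "eapol_length": body_len,
    }
    if pkt_type == 0:                               # EAP-Packet: Code, Id, Length [, Type, data]
        if body_len < 4:
            raise ValueError("EAP header too short")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > body_len:
            raise ValueError("EAP length exceeds EAPOL body length")
        eap = {"code": code, "code_name": EAP_CODES.get(code, "Unknown"),
               "id": ident, "length": eap_len}
        if code in (1, 2) and eap_len >= 5:         # Request/Response carry a Type byte
            eap["type"] = body[4]
            eap["type_name"] = EAP_TYPES.get(body[4], "Unknown")
            eap["data"] = body[5:eap_len]
        info["eap"] = eap
    return info


def parse_trace_hex(hex_dump: str) -> dict:
    """Convenience wrapper for a space-separated hex dump as printed in the trace."""
    return parse_eapol_frame(bytes.fromhex(hex_dump.replace(" ", "")))


if __name__ == "__main__":
    for key, value in parse_trace_hex(TRACE_HEX).items():
        print(f"{key:22s}: {value}")
```

Decoding the trace bytes gives VLAN 42, EAPOL version 1, type EAP-Packet, and an EAP Request with Id 135 and type Identity, matching the switch's own "802.1x packet" line. The destination is the client's unicast MAC rather than the PAE group address, which the parser reports so you can distinguish the initial multicast Request/Identity from the unicast retransmissions to a known client.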
Troubleshooting Procedure
- Check whether there are other devices between the switch and client.
  802.1X packets are multicast packets with the destination MAC address 01-80-C2-00-00-03. By default, the switch does not forward received 802.1X packets. If there are other devices, such as Layer 2 switches or routers, between the switch and client, these intermediate devices must be able to transparently transmit 802.1X packets.
  - If there are other devices between the switch and client, go to step 2.
  - If there are no other devices between the switch and client, go to step 4.
- Check whether the intermediate devices can transparently transmit 802.1X packets.
- If not, replace these devices with the devices that support transparent transmission of 802.1X packets, or change the access authentication mode.
- If so, go to step 3.
- Check whether the intermediate devices have transparent transmission of 802.1X packets configured.
- If so, go to step 4.
- If not, run the l2protocol-tunnel user-defined-protocol command to configure the transparent transmission function for the intermediate devices. (The following example uses a Huawei S series switch.)
l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 //Define Layer 2 transparent transmission of 802.1X packets in the system view. # interface GigabitEthernet0/0/1 l2protocol-tunnel user-defined-protocol 802.1X enable //Enable transparent transmission of packets of a specified Layer 2 protocol on downlink and uplink interfaces. #
- Check whether the 802.1X client is installed on the terminal.
- If so, go to step 5.
- If not, install the 802.1X client on the terminal.
- Check whether the 802.1X authentication function is enabled on the terminal.
- If so, go to step 6.
- If not, enable the 802.1X authentication function. The following example uses Windows 7.
Click Local Area Connection, choose Properties, and click the Authentication tab. Select Enable IEEE 802.1X authentication. The Authentication tab page is not available in the properties of some NICs. This is because Wired AutoConfig is not enabled on the page that is displayed after you choose Control Panel > Administrative Tools > Services.
- Check whether the terminal enters the quiet state after it fails 802.1X authentication multiple times.
- If not, go to step 7.
- If so, run the display aaa online-fail-record command, and check the User online fail reason field in the command output to locate the fault. You can disable and then enable the NIC, remove and then insert the network cable, or adjust the quiet time for the terminal. For example, the default quiet period in Windows 7 is 20 minutes. You can run the netsh lan set blockperiod value command to set a smaller quiet period, which ensures fast network access for the terminal.
C:\>netsh lan set blockperiod value=10
- If the fault persists, contact technical support.
The Switch Does Not Receive Any Response from the Client After Sending an EAP-Request/MD5 Challenge Packet
Context
In Figure 1-4, the switch starts the authentication timeout timer for an 802.1X client after sending an EAP-Request/MD5-Challenge packet to the client. If the switch does not receive any response from the client before the timer expires, the switch retransmits the EAP-Request/MD5-Challenge packet. If the switch still does not receive any response from the client after the number of retransmissions reaches the maximum value, the device stops retransmission and sends an EAP Failure packet to the client.
The interval at which the switch retransmits EAP-Request/MD5 Challenge packets is configured using the dot1x timer client-timeout client-timeout-value command, and the maximum number of retransmissions is configured using the dot1x retry max-retry-value command. The total time the switch waits before giving up on the EAP-Request/MD5 Challenge exchange is calculated using the following formula: Timeout = (max-retry-value + 1) * client-timeout-value.
Fault Symptom
Trace diagnostic information shows that the switch does not receive any response to its EAP-Request/MD5 Challenge packet from the client and sends an EAP Failure packet after the number of retransmissions exceeds the maximum value.
[BTRACE][2018/12/13 07:49:30][EAPoL][0016-17ad-f620]:No response of request challenge from user. //The switch does not receive any response from the client.
[BTRACE][2018/12/13 07:49:30][EAPoL][0016-17ad-f620]:Resend a EAPoL request challenge packet to user. //The switch retransmits the Request/MD5 Challenge packet.
[BTRACE][2018/12/13 07:49:30][EAPoL][0016-17ad-f620]: EAPOL packet: OUT 00 16 17 ad f6 20 10 c1 72 f0 50 80 81 00 00 64 88 8e 01 00 01 65 01 41 01 65 19 00 e9 d5 95 95 6d de 16 03 01 01 4b 0c 00 01 47 03 00 17 41 04 fe 82 bd 65 7e 38 9f aa c8 ee fd a5 c6 5e 4e b3 fb ba e7 ce c6 e5 b9 26 bc 0e 4d 74 39 5c 1c b9 3d 05 6e 4d 7f 96 a6 55 b8 45 bb 24 29 4c 0e 42 dd 15 48 09 de 36 a3 81 47 49 30 5d b5 43 67 b9 01 00 46 35 f1 ae 96 b4 8e 8a 17 d7 9d 8d b3 eb
[BTRACE][2018/12/13 07:49:30][EAPoL][0016-17ad-f620]:Send EAP_request packet to user successfully.(Index=159)
[BTRACE][2018/12/13 07:49:35][EAPoL][0016-17ad-f620]:No response of request challenge from user. //The switch does not receive any response from the client.
[BTRACE][2018/12/13 07:49:35][EAPoL][0016-17ad-f620]:Resend a EAPoL request challenge packet to user. //The device retransmits the Request/MD5 Challenge packet.
[BTRACE][2018/12/13 07:49:35][EAPoL][0016-17ad-f620]: EAPOL packet: OUT 00 16 17 ad f6 20 10 c1 72 f0 50 80 81 00 00 64 88 8e 01 00 01 65 01 41 01 65 19 00 e9 d5 95 95 6d de 16 03 01 01 4b 0c 00 01 47 03 00 17 41 04 fe 82 bd 65 7e 38 9f aa c8 ee fd a5 c6 5e 4e b3 fb ba e7 ce c6 e5 b9 26 bc 0e 4d 74 39 5c 1c b9 3d 05 6e 4d 7f 96 a6 55 b8 45 bb 24 29 4c 0e 42 dd 15 48 09 de 36 a3 81 47 49 30 5d b5 43 67 b9 01 00 46 35 f1 ae 96 b4 8e 8a 17 d7 9d 8d b3 eb
[BTRACE][2018/12/13 07:49:35][EAPoL][0016-17ad-f620]:Send EAP_request packet to user successfully.(Index=159)
[BTRACE][2018/12/13 07:49:40][EAPoL][0016-17ad-f620]:No response of request challenge from user. //The device does not receive any response from the client.
[BTRACE][2018/12/13 07:49:40][EAPoL][0016-17ad-f620]:Resend EAP_request/identity times exceed max times.(Index=159) //The number of retransmissions exceeds the maximum value, so the switch sends an EAP Failure packet.
[BTRACE][2018/12/13 07:49:40][EAPoL][0016-17ad-f620]:Send EAP-Failure packet to user.
[BTRACE][2018/12/13 07:49:40][EAPoL][0016-17ad-f620]: EAPOL packet: OUT 00 16 17 ad f6 20 10 c1 72 f0 50 80 81 00 00 64 88 8e 01 00 00 04 04 41 00 04
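The following is an added example, not Huawei code, that decodes the "EAPOL packet: OUT" hex dumps from the trace output in this section and in the EAP-Request/Identity section into the fields the switch itself prints on its "802.1x packet:" line (VLAN tag, EAPOL version and type, EAP code, Id, length and method type). The field names are my own; the dumps are copied from this page, and the challenge dump is handled as the truncated capture it is.

```python
# Added example, not Huawei code: decode the "EAPOL packet: OUT ..." hex dumps
# from the trace output above into their Ethernet, EAPOL and EAP header fields.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}  # IANA EAP method type numbers
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def mac(b):
    """Format six bytes in the switch's xxxx-xxxx-xxxx notation."""
    return "-".join(f"{b[i]:02x}{b[i + 1]:02x}" for i in (0, 2, 4))

def decode_eapol_dump(hexdump):
    """Parse Ethernet (+ optional 802.1Q tag), EAPOL and EAP headers.

    'truncated' is True when the dump carries fewer bytes than the EAPOL
    length field declares (trace dumps are often cut short); the header
    fields are still trustworthy, the payload is not.
    """
    b = bytes.fromhex(hexdump)
    out = {"dst": mac(b[0:6]), "src": mac(b[6:12])}
    off = 12
    if b[off:off + 2] == b"\x81\x00":  # 802.1Q tag: keep the 12-bit VLAN ID
        out["vlan"] = int.from_bytes(b[off + 2:off + 4], "big") & 0x0FFF
        off += 4
    if b[off:off + 2] != b"\x88\x8e":
        raise ValueError("EtherType is not EAPOL (0x888e)")
    off += 2
    out["eapol_version"] = b[off]
    out["eapol_type"] = EAPOL_TYPES.get(b[off + 1], f"unknown({b[off + 1]})")
    out["eapol_len"] = int.from_bytes(b[off + 2:off + 4], "big")
    body = b[off + 4:]
    out["truncated"] = len(body) < out["eapol_len"]
    if out["eapol_type"] != "EAP-Packet" or len(body) < 4:
        return out
    out["eap_code"] = EAP_CODES.get(body[0], f"unknown({body[0]})")
    out["eap_id"] = body[1]
    out["eap_len"] = int.from_bytes(body[2:4], "big")
    if body[0] in (1, 2) and len(body) >= 5:  # only Request/Response carry a Type
        out["eap_type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
    return out

# Dumps copied from the trace output on this page (challenge dump cut short).
REQUEST_IDENTITY = ("00 0c 29 1a 4b 03 2c 97 b1 e9 52 a0 81 00 00 2a 88 8e "
                    "01 00 00 05 01 87 00 05 01")
EAP_FAILURE = ("00 16 17 ad f6 20 10 c1 72 f0 50 80 81 00 00 64 88 8e "
               "01 00 00 04 04 41 00 04")
CHALLENGE_HEAD = ("00 16 17 ad f6 20 10 c1 72 f0 50 80 81 00 00 64 88 8e "
                  "01 00 01 65 01 41 01 65 19 00 e9 d5 95 95 6d de")
```

The EAP Type byte of a Request also tells you which method the switch is actually running (4 for MD5-Challenge, 25 for PEAP, and so on), which is worth comparing against the client and RADIUS server settings when the methods are suspected to differ.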
Troubleshooting Procedure
Scenario 1:
If the client does not respond to the EAP-Request/MD5 Challenge packet, the possible cause is that the 802.1X authentication function in the operating system of the client depends on some services.
For example, if some terminals cannot obtain IP addresses before they pass 802.1X authentication, run the undo authentication pre-authen-access enable command in the system view to disable the pre-connection function to restrict the terminals' permission to obtain IP addresses.
Scenario 2:
Some terminals, especially those using certificates, respond to the Request/MD5 Challenge packet slowly, sometimes taking longer than 1 minute. By default, the retransmission timeout period of the switch is 15 seconds. After the timeout period expires, the switch sends an EAP Failure packet, and only then does the response from the terminal arrive. In this case, you need to capture packets to estimate the terminal's response time.
In the following figure, the 1327th packet is the Request/MD5 Challenge packet sent from the switch to the terminal, and the 1425th and 1447th packets are the retransmitted packets. After the number of retransmissions exceeds the maximum value, the switch sends the 1471st EAP Failure packet. The switch receives a Response/Challenge packet from the terminal 28 seconds after sending the 1518th packet. You need to adjust the retransmission timeout period to a value greater than 28 seconds.
- In NAC common mode, run the dot1x timer client-timeout 30 and dot1x retry 2 commands in the system view.
- In NAC unified mode, run the dot1x timer client-timeout 30 and dot1x retry 2 commands in the 802.1X access profile view.
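As an added example (not Huawei code) that ties the formula above to the trace in this section and to the Scenario 2 adjustment: the script below reads the BTRACE lines copied from this page, infers the client-timeout and retry count the switch was using, applies Timeout = (max-retry-value + 1) * client-timeout-value, and computes the client-timeout needed for a terminal that answers after 28 seconds. The rounding step in needed_client_timeout is my own convention, not a Huawei rule.

```python
# Added example, not Huawei code: infer the 802.1X client-timeout and retry
# count from BTRACE lines and apply the formula given in the text,
# Timeout = (max-retry-value + 1) * client-timeout-value.
import re
from datetime import datetime

TS_RE = re.compile(r"^\[BTRACE\]\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\].*?\]:(.*)$")

# Constructed from the trace lines shown above (hex dumps omitted).
PAGE_TRACE = """
[BTRACE][2018/12/13 07:49:30][EAPoL][0016-17ad-f620]:No response of request challenge from user.
[BTRACE][2018/12/13 07:49:30][EAPoL][0016-17ad-f620]:Resend a EAPoL request challenge packet to user.
[BTRACE][2018/12/13 07:49:35][EAPoL][0016-17ad-f620]:No response of request challenge from user.
[BTRACE][2018/12/13 07:49:35][EAPoL][0016-17ad-f620]:Resend a EAPoL request challenge packet to user.
[BTRACE][2018/12/13 07:49:40][EAPoL][0016-17ad-f620]:No response of request challenge from user.
[BTRACE][2018/12/13 07:49:40][EAPoL][0016-17ad-f620]:Resend EAP_request/identity times exceed max times.(Index=159)
""".strip().splitlines()

def infer_timers(lines):
    """Return (client_timeout_seconds, retries) inferred from the trace.

    client_timeout is the gap between consecutive 'No response' events
    (None if fewer than two exist or they are unevenly spaced); retries
    counts the 'Resend a EAPoL request' events before the switch gives up.
    """
    no_resp, resends = [], 0
    for line in lines:
        m = TS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2).startswith("No response of request"):
            no_resp.append(ts)
        elif m.group(2).startswith("Resend a EAPoL request"):
            resends += 1
    gaps = {int((b - a).total_seconds()) for a, b in zip(no_resp, no_resp[1:])}
    return (gaps.pop() if len(gaps) == 1 else None), resends

def effective_timeout(client_timeout, retries):
    """Total wait before the switch sends EAP-Failure (formula from the text)."""
    return (retries + 1) * client_timeout

def needed_client_timeout(observed_response_s, step=5):
    """Smallest client-timeout strictly above the observed response time, rounded
    up to a multiple of step (my convention, not a Huawei rule). Each
    retransmission restarts the timer, so the per-request timer, not the
    total, must cover the client's delay."""
    return (observed_response_s // step + 1) * step
```

For the trace on this page the script infers a 5-second client-timeout with 2 retries (a 15-second total), and for a terminal answering after 28 seconds it returns 30, matching the dot1x timer client-timeout 30 setting recommended above.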
Related Information About Huawei 802.1X Authentication
- For other 802.1X authentication failures, see "Troubleshooting: Access Authentication Issues" in the Huawei S Series Campus Switches Troubleshooting Guide.
- For details about 802.1X fundamentals and configurations, see "NAC Configuration" in the S2720, S5700, S6700 V200R019C10 Configuration Guide - User Access and Authentication.