Step 1 Connect a user to the network in both wired and wireless modes. The user packets carry the same VLAN tag. The user can pass identity authentication, the policy is successfully delivered, and the authorization result with the ACL defining accessible resources takes effect.
Step 2 Use Wireshark to compare packets obtained in the wired and wireless access modes. The result shows that the Agile Controller delivers the ACL number for user authorization in both modes.
Run the following command on the device to view access user information.
[HJNY-7706-1]dis access-user user-id 26493
User ID : 26493
User name : kevin
Domain-name : default
User MAC : d0df-9acf-0d5c
User IP address : 10.233.165.18
User vpn-instance : -
User access Interface : Wlan-Dbss2:77
User vlan event : Success
QinQVlan/UserVlan : 0/165
User access time : 2015/06/24 17:00:24
User accounting session ID : HJNY-77000000000001652d8c93026493
Option82 information : -
User access type : WEB
AP ID : 20
AP name : ap-20
Radio ID : 0
AP MAC : 9404-9ce2-1060
SSID : HJNY_Guest
Online time : 386(s)
Work group ID : default
User forward slot : 1/2 2/2
Web-server IP address : 10.233.128.68
Dynamic ACL number(Effective) : 3005 //The device has received the ACL number from the server.
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
Step 3 The analysis shows that the fault occurs on the wireless side. The possible causes are as follows:
The device version has a bug.
The ACL delivered on the wireless side does not take effect.
Step 4 Check the configuration of the AP to which the user terminal connects. The ACL 3005 configuration is not available on the AP. Run the commit ap 20 command to re-deliver the ACL configuration to the AP, and attempt to connect to the network in wireless mode again. The authorization policy takes effect.
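The check in Steps 2 to 4 can be scripted so that a delivered but unenforced authorization ACL is flagged for every online user. The following is an added example, not part of the original procedure or of any vendor tool. It parses the access-user output shown above; the acls_on_ap mapping is a hypothetical input collected by the operator, and the sample text is a constructed subset of the output.

```python
# Constructed sample: a subset of the fields from the access-user output above.
SAMPLE_OUTPUT = """\
User ID : 26493
User name : kevin
User access Interface : Wlan-Dbss2:77
User access type : WEB
AP ID : 20
SSID : HJNY_Guest
Dynamic ACL number(Effective) : 3005 //The device has received the ACL number from the server.
Current authentication method : RADIUS
"""


def parse_access_user(text):
    """Turn 'Key : value' lines into a dict, dropping trailing '//' annotations."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:
            continue  # prompt lines and blank lines carry no field
        fields[key.strip()] = value.split("//", 1)[0].strip()
    return fields


def check_authorization_acl(text, acls_on_ap):
    """Compare the ACL the server authorized with the ACLs present on the user's AP.

    acls_on_ap is a hypothetical input: {ap_id: set of ACL numbers found in that
    AP's configuration}. The page does not show how this is collected.
    """
    fields = parse_access_user(text)
    acl = fields.get("Dynamic ACL number(Effective)", "-")
    ap_id = fields.get("AP ID", "-")
    if not acl.isdigit():
        return "no-acl-delivered"  # nothing was authorized: look at the server side
    if not ap_id.isdigit():
        return "no-ap-in-output"   # assumption: no AP ID means the AP check does not apply
    if int(acl) not in acls_on_ap.get(int(ap_id), set()):
        # The user is authorized with an ACL the AP cannot enforce (the Step 4 case).
        return f"acl-{acl}-missing-on-ap-{ap_id}"
    return "ok"


if __name__ == "__main__":
    # AP 20 holds only ACL 3001 in this constructed inventory, so ACL 3005 is flagged.
    print(check_authorization_acl(SAMPLE_OUTPUT, {20: {3001}}))
```

A result of acl-3005-missing-on-ap-20 corresponds to the state found in Step 4, before the commit ap 20 command is run.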