The customer planned to use 802.1X dynamic VLAN assignment for wireless users so that addresses could be allocated per VLAN, but after configuring it they found that the terminal was assigned to the VLAN yet could not obtain an address. Huawei GTAC engineers analyzed the case and found that the root cause was that the shared key between the AC and the Agile Controller differed from the shared key between the Agile Controller and the RADIUS server. The problem was solved by unifying the shared key.
ACU2 version: V200R006C10SPC100
Agile Controller version: V100R001C00SPC300
On the ACU2, the display shows that the terminal has been assigned to the target VLAN but has not obtained an address; the situation repeats.
[ACU2]dis access-user mac-address 502e-5cef-c197
User ID : 20832
User name : accessscanner
User MAC : 502e-5cef-c197
User IP address : -
User IPv6 address : -
User access Interface : Wlan-Dbss1582
User vlan event : Success
QinQVlan/UserVlan : 0/619
User access time : 2016/04/28 12:45:56
User accounting session ID : AC-VIP-00000000000619761959020832
Option82 information : -
User access type : 802.1x
AP name : AP-MB2-19
Radio ID : 0
AP MAC : f84a-bf5a-4640
SSID : ArenA1
Online time : 1(s)
Dynamic VLAN ID : 619
Dynamic service scheme : ******
Analysis of the debugging output shows that the EAP packet was sent to the user successfully:
Apr 28 2016 10:46:21.92.6+01:00 AC-VIP-Master DOT1X/7/DEBUG:
[EAPOL-packet] Send EAP packet to user successfully. (type:4, packet length:26, output interface:Wlan-Dbss1582, VLAN:619, return:0)
Analysis of the Agile Controller log shows that the Agile Controller is running a RADIUS proxy; the real RADIUS server is a Cisco ISE:
501 Receive an authentication packet 2016-04-28 13:51:26 781
508 Match the authentication rule-******
509 Match the authentication data source-****** LAN
616 Use the RADIUS proxy to process request packets from the switch
618 Create a Proxy session with the ID 00 00 01 54 5C B5 9E 39 00 00 01 54 5C B5 9E 39
619 Forward the authentication request packet to the external RADIUS server 2016-04-28 13:51:26 781
501 Receive an authentication packet 2016-04-28 13:51:26 797
617 Use the RADIUS proxy to process response packets from the external RADIUS server
620 Forward the authentication response packet to the switch 2016-04-28 13:51:26 797
Finally, tracing the terminal shows that the 4-way handshake failed:
[15:29:34] [EAPoL] [502e-5cef-c197]: Send EAP request packet to user successfully. (Index607)
[15:29:38] [WLAN_AC] [502e-5cef-c197]: [WSEC] 4-way-handshake failed (Code:00000502).
[15:29:38] [WLAN_AC] [502e-5cef-c197]: [WSTA] Process STA authentication done request
[15:29:38] [WLAN_AC] [502e-5cef-c197]: [WSTA] User was (QtJJ Type:1, QflJjj code:128
[15:29:38] [WLAN_AC] [502e-5cef-c197]: [WSTA] Process delete STA request message(ApName:AP-MB2-1
Further analysis pointed to the root cause: the shared key between the AC and the Agile Controller differed from the shared key between the Agile Controller and the RADIUS server. The customer confirmed that this was indeed the case. The symptom fits how the PMK reaches the AC. The RADIUS server returns the PMK in the Access-Accept inside the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes, which RFC 2548 encrypts with the shared key and Request Authenticator of the RADIUS link they are sent over. If the proxy relays these attributes as received, an AC that uses a different shared key recovers a wrong PMK. The Access-Accept itself is still accepted, so the dynamic VLAN is applied and "User vlan event : Success" is shown, but the 4-way handshake, which proves that supplicant and AC hold the same PMK, fails (Code:00000502), the STA is deleted, and DHCP never runs, which is why the user has a VLAN but no address.
The problem was solved by unifying the shared key.
When the Agile Controller runs as a RADIUS proxy, a difference between the two shared keys causes this case, so it is better to keep them identical by default, or to have the configuration prompt when they differ.
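To make the mechanism concrete, the following is an added example written for this case; it is not code from Huawei, the Agile Controller or Cisco ISE. It implements the RFC 2548 MS-MPPE key wrapping that carries the PMK in the Access-Accept and models the proxy on the path. The proxy model (same Request Authenticator on both legs, the Access-Accept re-signed for the AC so its VLAN attributes are honoured, the key attributes relayed untouched) is an assumption chosen to match the symptom, and all secrets, salt, PMK and Request Authenticator values are constructed. It goes one step beyond the case by also showing what a proxy has to do (unwrap with the server-side key, re-wrap with the NAS-side key) if the two shared keys are allowed to differ.

```python
"""Model of RFC 2548 MS-MPPE key delivery through a RADIUS proxy.

Added example for this case; not code from Huawei, Agile Controller or Cisco ISE.
The key wrapping follows RFC 2548 sections 2.4.2/2.4.3 (MS-MPPE-Send-Key /
MS-MPPE-Recv-Key). The proxy model (same Request Authenticator on both legs,
response re-signed for the NAS, key attributes relayed untouched) is an
assumption chosen to match the symptom in the case. All secrets, salt, PMK
and Request Authenticator values below are constructed for the example.
"""
import hashlib

SECRET_AC_TO_PROXY = b"huawei-ac-shared-key"    # assumed AC <-> Agile Controller key
SECRET_PROXY_TO_ISE = b"cisco-ise-shared-key"   # assumed Agile Controller <-> ISE key
REQUEST_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")  # 16-byte Request Authenticator
SALT = bytes([0x80 | 0x5A, 0x3C])               # 2-byte salt; high bit of first byte set per RFC 2548
PMK = bytes(range(32))                          # 32-byte PMK produced by the EAP method (constructed)


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def mppe_encrypt(secret: bytes, req_auth: bytes, salt: bytes, key: bytes) -> bytes:
    """Wrap a key as the String field of MS-MPPE-Send/Recv-Key (RFC 2548 2.4.2).

    Plaintext P = len(key) || key, zero-padded to a multiple of 16 bytes.
    b(1) = MD5(secret || req_auth || salt), c(1) = p(1) XOR b(1),
    b(i) = MD5(secret || c(i-1)),        c(i) = p(i) XOR b(i).
    Returns salt || c(1) || ... || c(n).
    """
    assert len(salt) == 2 and salt[0] & 0x80, "salt must be 2 bytes with the high bit set"
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", b""
    for i in range(0, len(plain), 16):
        b = _md5(secret, req_auth, salt) if i == 0 else _md5(secret, prev)
        prev = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        out += prev
    return salt + out


def mppe_decrypt(secret: bytes, req_auth: bytes, field: bytes) -> bytes:
    """Unwrap an MS-MPPE key field. With the wrong secret (or Request
    Authenticator) the result is garbage: the length byte is usually
    implausible, in which case b'' is returned, and otherwise a random string."""
    salt, cipher = field[:2], field[2:]
    plain, prev = b"", b""
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        b = _md5(secret, req_auth, salt) if i == 0 else _md5(secret, prev)
        plain += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    length = plain[0]
    if length > len(plain) - 1:
        return b""
    return plain[1:1 + length]


def deliver_pmk(nas_secret: bytes, server_secret: bytes, *, proxy_rekeys: bool = False) -> bytes:
    """PMK the AC (NAS) ends up with after the Access-Accept crosses the proxy.

    The RADIUS server wraps the PMK under server_secret. The proxy either relays
    the attribute untouched (proxy_rekeys=False, the assumed behaviour in this
    case) or unwraps it with server_secret and re-wraps it with nas_secret
    (proxy_rekeys=True, what a proxy must do when the two keys differ).
    The AC always unwraps with nas_secret.
    """
    field = mppe_encrypt(server_secret, REQUEST_AUTH, SALT, PMK)      # ISE -> proxy
    if proxy_rekeys:
        key = mppe_decrypt(server_secret, REQUEST_AUTH, field)
        field = mppe_encrypt(nas_secret, REQUEST_AUTH, SALT, key)     # a real proxy would pick a fresh salt
    return mppe_decrypt(nas_secret, REQUEST_AUTH, field)               # proxy -> AC


def four_way_handshake_ok(nas_secret: bytes, server_secret: bytes, *, proxy_rekeys: bool = False) -> bool:
    """The 4-way handshake proves both sides hold the same PMK (via the MIC on
    message 2). The supplicant has PMK from the EAP run; the AC has whatever
    deliver_pmk() produced. They must be equal, or the handshake fails and the
    STA is deleted before it can run DHCP, which is the symptom in this case."""
    return deliver_pmk(nas_secret, server_secret, proxy_rekeys=proxy_rekeys) == PMK


if __name__ == "__main__":
    print("different keys, proxy relays:", four_way_handshake_ok(SECRET_AC_TO_PROXY, SECRET_PROXY_TO_ISE))
    print("unified key (the fix in this case):", four_way_handshake_ok(SECRET_AC_TO_PROXY, SECRET_AC_TO_PROXY))
    print("different keys, proxy re-keys:",
          four_way_handshake_ok(SECRET_AC_TO_PROXY, SECRET_PROXY_TO_ISE, proxy_rekeys=True))
```

Running the block prints False for the configuration in this case (different keys, proxy relays the attribute), True once the keys are unified, and True again with different keys if the proxy re-keys the MS-MPPE attributes; the last line is what to look for in a proxy that is expected to support distinct shared keys per leg.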