No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade
Knowledge Base

The terminal of WLAN authentication error (Radius authorization data error)

Publication Date:  2017-06-08  |   Views:  699  |   Downloads:  0  |   Author:  w00364609  |   Document ID:  EKB1000677800

Contents

Issue Description

A WLAN network just be constructed a month . one monday morning a large of area network access exception. Terminal Tip remote computer is not responding.

this customers is a  financial customer, so the terminal access using dot1x + WPA2 and the  business access using protal protocol. Involving multiple security authentication and third party equipment.

 

Alarm Information

 

 

 

 

 

 

Handling Process

According to the old experience most of the issues about large-scale WLAN access problems is authentication issue between the AC and  the radius authentication server .

The customer give some import information  that  the customer just to upgrade the third-party radius server version at the last week.
 
It is determined that the radius server error caused the authentication exception.
 
 On the AC, run the AAA test between the test and the radius service to test the  authentication-feature . The test is successful, it indicates that the account is in the normal,AC-side authentication services are correctly configured.

 

We use the wireshark capture package between the AC and radius and  we can see the authentication request package  and reply package ,but we don't find the DHCP discover package .

So we  think that the issue  occurs after the terminal successful authentication.

 

 

We open the trace function and debug AAA on the AC .

 

 

 

 

Root Cause

We can find this information that  account has been successfully certified but the authorization verification failed from the debug AAA.

Solution

our AC6605 device supports masking the radius attribute.

You can ignore the additional attributes it sent by the radius service use radius-attribute disable on the AC.

also you can ask  the customer to contact the third party radius service vendors and  modify the configuration. (In this case)