
802.1x WLAN Users Authentication fails against Agile Controller Radius

Publication Date:  2018-02-17  |   Views:  852  |   Downloads:  0  |   Author:  s84075117  |   Document ID:  EKB1001323614


Issue Description

Version Information: AC6605 V200R007C20SPC300

Fault Symptom: The customer configured 802.1x as the authentication mode for WLAN users, but authentication failed when he tried to authenticate the local user accounts. The RADIUS log contained no entries for the users who tried to authenticate, only for the aaa-tests performed during the troubleshooting phase.

From the following aaa-tests we can see that the same user name and password were used in both, yet the PAP test did not succeed:


AC command PAP test :

[AC6605]test-aaa user.test 12344321 radius-template RST-AGILE pap

Info: Authentication fails due to incorrect name, password, shared key, and so on.ErrCode:4101


Radius log displayed for the above test :

501 Receive an authentication packet 2018-01-10 13:31:50 270

517 Perform PAP authentication

508 Match the authentication rule-TEST

509 Match the authentication data source-Local Data Source

565 Verify PAP authentication information

515 Verify the account-user.test

576 Verification of authentication information succeeded

524 Verify the password

101 Incorrect user name or password or Incorrect dataSource or Incorrect access device key.

511 Return a RADIUS Reject packet 2018-01-10 13:31:50 441



AC command CHAP test:

[AC6605]test-aaa user.test 12344321 radius-template RST-AGILE chap


Info: Account test succeed.


Radius log for the above test :

501 Receive an authentication packet 2018-01-10 13:41:11 016

523 Perform CHAP authentication

526 Execute the standard CHAP authentication process

508 Match the authentication rule-TEST

509 Match the authentication data source-Local Data Source

524 Verify the password

509 Match the authentication data source-Local Data Source

514 Match the authorization rule-Default Authorization Rule

510 Return a RADIUS Access packet 2018-01-10 13:41:11 034 

Handling Process


1) Confirmed that the credentials used for both aaa-tests were the same.

In the above tests we can see that he used the same credentials for both tests.

2) Confirmed that the shared key between the Agile Controller and the AC was consistent.

The key was consistent on both sides.

3) Confirmed that the authentication rule created in this scenario (TEST) had both PAP and CHAP enabled.

He confirmed that both options were selected.



Root Cause

After checking the RADIUS configuration again, I noticed that the customer had configured the shared-key for Agile in both system-view and the radius-template. During the remote session, I removed (undo) the shared key configured in system-view, and after that the aaa-test for PAP also worked. The passwords were in conflict.
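Added example (not part of the original case notes and not Huawei's code): under RFC 2865 the PAP User-Password attribute is masked with an MD5 of the shared secret, while the CHAP response is computed without it, so a mismatched key corrupts only the PAP password check, which is consistent with the two logs above. The two secrets below are constructed placeholders; only the test password comes from the page.

```python
import hashlib
import os

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c(1) = p(1) ^ MD5(S + RA), c(i) = p(i) ^ MD5(S + c(i-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the masking with the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: MD5(id + password + challenge); the shared secret is not used."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def simulate(nas_secret: bytes, server_secret: bytes, sent_pw: bytes, stored_pw: bytes):
    """Return (pap_ok, chap_ok) for one request from the NAS to the server."""
    authenticator = os.urandom(16)           # Request Authenticator
    hidden = pap_hide(sent_pw, nas_secret, authenticator)
    pap_ok = pap_recover(hidden, server_secret, authenticator) == stored_pw
    challenge = os.urandom(16)               # CHAP challenge chosen by the NAS
    received = chap_response(1, sent_pw, challenge)
    chap_ok = received == chap_response(1, stored_pw, challenge)
    return pap_ok, chap_ok

PASSWORD = b"12344321"                       # test password shown on the page
TEMPLATE_KEY = b"key-in-radius-template"     # constructed placeholder
SYSTEM_VIEW_KEY = b"key-in-system-view"      # constructed placeholder

if __name__ == "__main__":
    # Matching keys: both methods verify.
    print("keys match    ->", simulate(TEMPLATE_KEY, TEMPLATE_KEY, PASSWORD, PASSWORD))
    # Conflicting keys: PAP password check fails, CHAP still verifies.
    print("keys conflict ->", simulate(SYSTEM_VIEW_KEY, TEMPLATE_KEY, PASSWORD, PASSWORD))
```

The sketch models only the request attributes; the Response Authenticator and Message-Authenticator, which also depend on the shared secret, are not modelled.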

Even after the aaa-tests for both PAP and CHAP were successful, the authentication requests from the users still could not reach the Agile Controller server. After checking the forwarding mode used in this vap-profile, I noticed that he was using the default direct-forwarding mode. In this forwarding mode, the service VLAN must also be configured in system-view. After applying the VLAN in system-view, I could see the logs for authenticated users on the RADIUS server and the authentication was successful.


Advised the customer to use only the shared-key in the radius-template and to add the service VLAN in system-view.