Ruijie Community

Title: Troubleshooting Ruijie WLAN 802.1X Authentication Failures

Author: zhangqiao@ruiji    Time: 2024-9-11 15:24
1. Topology

2. Cause Analysis

The 802.1X configuration is incorrect.
There is a connectivity problem between the NAS and the RADIUS server.
The NAS IP address is incorrect, or the IP address of the NAS device has not been added to the RADIUS server.
In AD scenarios, clients frequently use the combination of hostname and domain name for authentication.
Authentication is rejected by the RADIUS server.
The authentication server times out.
3. Troubleshooting

3.1 Incorrect 802.1X Configuration

Check whether the 802.1X authentication configuration is complete on the AP or AC. The following figure shows the key 802.1X configurations on the AC.
Configuration example:
(1) Configure the RADIUS authentication server
ip radius source-interface VLAN 10 // Specify the interface for sending RADIUS packets; its address must be consistent with the NAS IP address. When adding the authentication device on the RADIUS server, use this interface address.
radius-server host 10.10.100.10 key Ruijie@123
(2) Configure an AAA method list
aaa new-model
aaa group server radius aruba_radius
server 10.10.100.10
exit
aaa accounting network aruba start-stop group aruba_radius
aaa authentication dot1x aruba group aruba_radius
aaa authentication login default local
(3) Enable 802.1X authentication.
wlan-config 1 clearpass_1x
ap-group default
interface-mapping 1 100 ap-wlan-id 1
wlansec 1
security rsn enable
security rsn ciphers aes enable
security rsn akm 802.1x enable
dot1x authentication aruba
dot1x accounting aruba
3.2 Network Connectivity Issues Between NAS and RADIUS Server

1. Ping the RADIUS server IP address from the NAS source address and check the result. This step is supplementary: a failed ping does not necessarily indicate a connectivity problem, because the server may have ICMP echo replies disabled. Use the output of the show radius auth statistics command in the next step to assess connectivity more accurately.

2. Run the show radius auth statistics command to display statistics about the packets exchanged between the NAS and the RADIUS server.

If the value of the Requests field increases, the device is sending RADIUS packets.
If the value of the Responses field increases, RADIUS packets are being received. If it does not increase, check the connectivity between the NAS and the RADIUS server.
3. Run the show dot1x user diag mac XXX (client MAC address) or debug command to check the authentication track. If aaa timeout is displayed, the connectivity is abnormal or the RADIUS server is faulty. Check the network and the RADIUS server.
show dot1x user diag mac XXX (client MAC address)

Check the debug logs (do not run the debug command directly if services are running on the device):
terminal mon
terminal length 0
debug dot1x event
debug dot1x error
debug aaa all
debug radius all

4. Check whether a firewall is deployed between the NAS and the RADIUS server, and whether the NAS can reach UDP ports 1812 (authentication) and 1813 (accounting) on the RADIUS server.
If security devices such as firewalls exist on the network, or ACL packet filtering is configured on switches, traffic to ports 1812 and 1813 must be permitted.
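The exchange the NAS performs in steps 2 to 4 above, as an added example that is not part of the original post and not Ruijie's software: a pure-Python RADIUS Access-Request probe that sends to UDP 1812, optionally from a chosen source address, honours the same timeout and retransmit defaults as the device, and classifies the reply as Access-Accept, Access-Reject or timeout after verifying the Response Authenticator. The server IP 10.10.100.10 and the shared key Ruijie@123 are taken from the configuration example in 3.1; the test account and NAS address are constructed placeholders, and all function names are this example's own.

```python
"""RADIUS Access-Request probe (added example, not Ruijie code).

Reproduces what the NAS does in 3.2: send an Access-Request to UDP 1812 and
classify the outcome as Access-Accept, Access-Reject or timeout, the same
split the guide draws between 'aaa reject' and 'aaa timeout'.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
NAS_PORT_TYPE_WIRELESS_80211 = 19   # RFC 2865 NAS-Port-Type value for 802.11


def attr(atype, value):
    """Encode one attribute as Type | Length | Value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev
    return out


def build_access_request(user, password, secret, nas_ip, ident, authenticator=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, user)                                                  # User-Name
             + attr(2, encrypt_password(password, secret, authenticator))    # User-Password
             + attr(4, socket.inet_aton(nas_ip))                            # NAS-IP-Address
             + attr(61, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))   # NAS-Port-Type
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side of the exchange (used here to simulate replies offline):
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def classify_response(packet, request_authenticator, secret, ident):
    """Return the reply type, or 'invalid' when the packet is malformed, has
    the wrong Identifier, or fails the Response Authenticator check (which is
    what a shared-key mismatch between NAS and server looks like on the wire)."""
    if len(packet) < 20:
        return "invalid"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return "invalid"
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return "invalid"
    return CODE_NAMES.get(code, "code %d" % code)


def probe(server, secret, user, password, nas_ip, timeout=5.0, retransmit=3,
          port=1812, bind_source=False):
    """Send the request and wait, mirroring the radius-server timeout (5 s)
    and retransmit (3) defaults quoted in 3.6. Returns a classification string."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    if bind_source:
        sock.bind((nas_ip, 0))   # send from the address registered on the server
    try:
        for attempt in range(1 + retransmit):
            ident = attempt + 1
            packet, auth = build_access_request(user, password, secret, nas_ip, ident)
            sock.sendto(packet, (server, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue             # no reply: retransmit, as the NAS does
            return classify_response(data, auth, secret, ident)
    finally:
        sock.close()
    return "timeout"                 # every attempt unanswered: 'aaa timeout' territory


if __name__ == "__main__":
    # Constructed test account and NAS address; server and key are from 3.1.
    print(probe("10.10.100.10", b"Ruijie@123", b"testuser", b"testpass", "10.10.10.1"))
```

Run it from a host whose address is registered on the RADIUS server as the NAS (or set bind_source=True on a machine that owns that address): RFC 2865 requires a server to silently discard requests from unknown clients, so a wrong or unregistered NAS IP (3.3) produces exactly the same "timeout" as a firewall blocking UDP 1812. An "invalid" result when a reply did arrive almost always means the shared key differs between the two sides.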
3.3 NAS IP Address Incorrect or Not Added to RADIUS Server

An authentication device must be added to the RADIUS server. If no device is added or if the device’s IP address is incorrect, authentication will fail.
When adding an authentication device to the RADIUS server, use the device’s RADIUS source IP address. Configure the source IP address for RADIUS packets as follows:
Source IP address of RADIUS packets:
ip radius source-interface interface-name
Note: If no RADIUS source IP address is specified on the device, the device uses the outbound interface IP address to send packets to the RADIUS server.
3.4 Clients Frequently Using Hostname + Domain Name for Authentication in AD Scenarios

In AD scenarios, before the user enters their username and password in the NIC pop-up window, the PC initially uses the computer name and domain name as the authentication username and sends it to the server. This can lead to authentication failures.



For some clients, after this first attempt fails the credential pop-up window is not displayed automatically, so authentication fails.
In AD scenarios, you are advised to run the following two commands before performing the test again:
dot1x timeout quiet-period 1
dot1x multi-account enable

Note:
dot1x timeout quiet-period 1: Sets the quiet period to 1 second.
dot1x multi-account enable: Supports multi-account authentication.

1. When a client is rejected by the server, it enters a quiet state. However, on wireless networks, the client usually re-associates automatically after being rejected. In the device's authentication component, a client often goes offline and then re-authenticates. This process varies in duration, typically taking a few seconds. When the client goes offline and back online, it is recognized as a new client and does not trigger the quiet period.

2. Re-authentication is not triggered during the quiet period.
Shortening the quiet period prompts the AC to actively initiate re-authentication and display the pop-up window before the client goes offline and re-associates. By default, changing the username during authentication is not allowed and interrupts the process. The second command allows username changes, so the AC does not treat a new username entered in the pop-up window as an authentication failure.
3.5 Authentication Rejected by RADIUS Server

Run the show dot1x user diag mac XXX (client MAC address) or debug command to check whether aaa reject is displayed for the authentication failure.
show dot1x user diag mac XXX (client MAC address)

Output of the debug command

Possible causes and handling suggestions:
3.5.1 Incorrect Username or Password

Check the username format sent by the device through packet capture or by running the debug command. Confirm with the customer whether the RADIUS server's requirements are met. (In multi-domain scenarios, the RADIUS server might require a domain name.)
Check the debug logs (do not run the debug command directly if services are running on the device):
terminal mon
debug dot1x event
debug aaa all
radius-server host 10.10.100.10 key Ruijie@123

3.5.3 Missing RADIUS Attributes or Incorrect Format of RADIUS Attributes

The RADIUS server may need authentication request packets to include specific attributes or follow a certain format. This type of issue is difficult to diagnose due to the involvement of third-party integration requirements. It requires joint troubleshooting with the RADIUS server engineers. If the issue involves device replacement or initial setup, and it worked normally before the replacement or migration, test with the same account in both the normal and faulty environments. Capture and compare the packets from each environment, and verify that the RADIUS attributes and formats are consistent.

In the following case, the RADIUS server delivered a dynamic VLAN attribute, but the NAS is not configured with dynamic VLAN and could not recognize the attribute, resulting in authentication failures.
The RADIUS server (ClearPass) delivers a dynamic VLAN with the VLAN ID 34.


On the device (AC in this case), configure a VLAN group (dynamic VLAN function).


vlan-group 1
default-vlan 1
wlan-config 2 clearpass_1x_dynamicvlan
interface-mapping 2 group 1
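
The capture-and-compare step described in this subsection, as an added example that is not code from the original post, from Ruijie or from ClearPass: it parses the attribute list of two Access-Accept packets, lists what differs between the working and faulty environments, and extracts a dynamic VLAN assignment from the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id, with the VLAN values from RFC 3580), which is what the server was delivering in this case. Both sample packets are constructed inline; the VLAN ID 34 is the page's value, the user name and Session-Timeout are placeholders, and all function names are this example's own.

```python
"""Compare RADIUS attributes from two captured Access-Accept packets
(added example, not Ruijie or ClearPass code)."""
import struct

ATTR_NAMES = {1: "User-Name", 11: "Filter-Id", 25: "Class", 26: "Vendor-Specific",
              27: "Session-Timeout", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
              81: "Tunnel-Private-Group-Id"}
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6   # RFC 3580 values for a VLAN assignment


def attr(atype, value):
    """Type | Length | Value encoding, used only to construct the samples."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header; return [(type, value), ...].
    Stops (rather than looping forever) on a zero or over-long Length, which is
    how a truncated capture or a malformed reply shows up."""
    attrs, i = [], 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            break
        attrs.append((atype, packet[i + 2:i + alen]))
        i += alen
    return attrs


def strip_tag(value):
    """RFC 2868 tunnel attributes carry an optional leading Tag octet (0x00-0x1F)."""
    return value[1:] if value and value[0] <= 0x1F else value


def dynamic_vlan(attrs):
    """Return the VLAN ID string the server assigned, or None when the reply
    does not carry a complete VLAN assignment (all three attributes needed)."""
    by_type = {t: v for t, v in attrs}
    if not all(t in by_type for t in (64, 65, 81)):
        return None
    ttype = int.from_bytes(strip_tag(by_type[64]), "big")
    medium = int.from_bytes(strip_tag(by_type[65]), "big")
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802:
        return None
    return strip_tag(by_type[81]).decode("ascii", "replace")


def describe(attrs):
    """Human-readable 'Name=value' strings, sorted so diffs are stable."""
    return sorted("%s=%r" % (ATTR_NAMES.get(t, "Attr-%d" % t), v) for t, v in attrs)


def diff_attributes(working, faulty):
    """Attributes present in only one capture; identical replies give two empty lists."""
    a, b = set(describe(working)), set(describe(faulty))
    return {"only_in_working": sorted(a - b), "only_in_faulty": sorted(b - a)}


def make_accept(attrs):
    """Constructed Access-Accept with a zero authenticator (not verified here)."""
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + b"\x00" * 16 + attrs


# Constructed captures: the reply from the working environment, and the reply
# that now carries a dynamic VLAN assignment the NAS was not configured to apply.
COMMON = attr(1, b"user@corp.example") + attr(27, struct.pack("!I", 3600))
WORKING_ACCEPT = make_accept(COMMON)
FAULTY_ACCEPT = make_accept(
    COMMON
    + attr(64, b"\x00" + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])       # Tag 0 + 3-byte value
    + attr(65, b"\x00" + struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])  # Tag 0 + 3-byte value
    + attr(81, b"\x00" + b"34"))                                        # Tag 0 + VLAN "34"

if __name__ == "__main__":
    w, f = parse_attributes(WORKING_ACCEPT), parse_attributes(FAULTY_ACCEPT)
    print(diff_attributes(w, f))
    vlan = dynamic_vlan(f)
    if vlan:
        print("server assigns VLAN %s: NAS needs vlan-group / dynamic VLAN configured" % vlan)
```

Feed it the two Access-Accept payloads exported as raw bytes from the packet captures; anything listed under only_in_faulty is the first thing to raise with the RADIUS server engineers, and a VLAN ID returned by dynamic_vlan means the NAS must have the vlan-group configuration above before it can accept the reply.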

3.5.4 Issues on the RADIUS Server

Ask RADIUS server engineers to check the rejection reason.

3.6 Server Timeout

If the timeout is caused by a link failure, you can run the following commands to change the timeout interval:
dot1x timeout server-timeout xxx (Default: 5s)
radius-server timeout xxx (Default: 5s)
radius-server retransmit xxx (Default: 3 times)

3.7 Information Collection

1. Collect the following information on the device. (If services are running on the device, do not run the debug command directly. Instead, run the dot1x dbg-filter H.H.H command in configuration mode to restrict the debug output to a specific MAC address.)

terminal mon
terminal length 0
debug dot1x event
debug dot1x error
debug aaa all
debug radius all
---- User authentication test ----
---- wait 5 minutes ----
show dot1x user diag mac XXX
show dot1x authmng abnormal | inc xxx   // xxx is the client MAC
show version
show run
show log
show radius server
show dot1x
show dot1x summary
show dot1x user mac 0001.0001.0001   // client MAC
show radius auth statistics

2. If it is confirmed that authentication is rejected by the RADIUS server, perform the following actions:

Collect authentication failure logs on the RADIUS server.

Reproduce the fault and capture packets on the uplink device of the AP or RADIUS server.

Welcome to Ruijie Community (https://community.ruijienetworks.com/) Powered by Discuz! X3.2