Ruijie Community

Title: How to troubleshoot authenticated users experiencing unexpected disconnections in Ruijie WLAN Web Authentication Scenarios?

Author: zhangqiao@ruiji    Time: 2024-9-13 18:11
1. Possible Causes
2. Solution

2.1 Abnormal Client Disconnections due to the Wireless Environment

Check if the issue persists when authentication is disabled or when there are no authenticated SSIDs in the same network environment (different SSID on the same radio). If the problem continues in either case, the abnormal disconnection of the client may be due to issues with the wireless environment.
2.2 Client No-Traffic Detection Enabled

On the AC, run the show wlan diag sta sta-mac xxx.xxx.xxx command to display the client disconnection cause. (Run the wlan diag enable command on the AC to enable the WLOG feature before the client disconnection.)

The client is disconnected because no traffic from the client is detected, as shown in the following figure.

You can also use the following commands to view the client disconnection cause.
debug web cli

show web-auth syslog ip xxxx (client IP) — Query the client online and offline records.

The following figure shows the collected information.


The Event and cause fields provide an overview of the offline reason. You can further confirm the cause by checking the Event field.
The Event field indicates a specific reason for disconnection, as follows:
WBA_EVENT_REQ_LOGOUT: A portal request is initiated for disconnection, which is generally initiated by the user. Confirm the disconnection by capturing portal packets.
WBA_EVENT_TMLMT_OUT: The available time of the user expires and the user needs to go offline. The available time is delivered by the RADIUS server and can be confirmed by the RADIUS server.
WBA_EVENT_FORCE_OFFLINE: The clear command is executed to force the user offline.
WBA_EVENT_LINK_CHG: A user goes offline because the port link goes Up or Down.
WBA_EVENT_DEL_USER_ALL: The clear command is executed to force the user offline.
WBA_EVENT_DEL_USER_UNDERPORT: The user goes offline because authentication is disabled.
WBA_EVENT_SERVER_DEL_USER: The RADIUS server kicks the user offline, which can be confirmed by capturing RADIUS packets.
WBA_EVENT_PORTAL_DOWN and WBA_EVENT_PORTAL_UP: The user goes offline because the portal server goes Up or Down. Check the connection to the portal server.
WBA_EVENT_PORTAL_ESCAPE_OFF: The user goes offline because escape is disabled.
WBA_EVENT_DHCP_UNBINDING_USER: The user goes offline because the DHCP IP address of the user changes or a DHCP Release packet is sent to the user, which can be confirmed by capturing DHCP packets.
WBA_EVENT_RDS_DOWN and WBA_EVENT_RDS_UP: The user goes offline because the RADIUS server is up or down. Check the connectivity with the RADIUS server.
WBA_EVENT_LOW_FLOW_OFFLINE: The user goes offline because of no traffic. Check the user traffic.
WBA_EVENT_INTF_DEFAULT: The user goes offline because the default operation is performed on the interface.
WBA_EVENT_INTF_DESTROY: If an interface is deleted or a user is migrated, leading to disconnection, check the cause to diagnose the issue. If the migration involves a VLAN change, such as moving to a VLAN without authentication or a new port without authentication enabled, it may cause the user to go offline. Verify this by examining the configuration and using the show mac and show arp commands to confirm whether the user's VLAN changed after migration.
WBA_EVENT_AFF_ACK: The portal server does not return the AFF_ACK packet to the user, causing timeout and logout, which can be confirmed by capturing packets.
Solution:

Disable no traffic detection:
Global configuration mode:
no offline-detect
WLAN security configuration mode:
no web-auth offline-detect
Notes:
In version 11.x, the no-traffic detection function can be configured globally or in the wlansec. The configuration in the wlansec has a higher priority than the global configuration. Therefore, when the no-traffic detection configuration in the wlansec is in effect, the global setting does not take effect.
The default global configuration for no-traffic detection is to log users out if the traffic is 0 within 8 hours. The specific command is as follows:
Ruijie(config)# offline-detect interval  xx  threshold  yy
In this command, xx indicates the detection period in minutes. The value range is from 1 to 65535, and the default value is 8 hours.
yy indicates the traffic in bytes. The value range is from 0 to 4294967294, and the default value is 0.
The default configuration for no-traffic detection in the wlansec is to log users out if the traffic is 0 within 15 minutes. The commands are as follows:
The configuration in the wlansec has a higher priority, so the device logs users out if the traffic is 0 within 15 minutes.

WS(config)#wlansec 7 — The number 7 should be replaced with the number allocated to the wlansec during authentication.
WS(config-wlansec)#web-auth offline-detect ?
flow      Configure no flow threshold
interval  Configure no flow interval
2.3 Client Connected to a Different SSID (For Internal Portal Scenarios Only)

In the internal portal scenario, the jitter prevention time is configured to an excessively long period to implement MAB authentication. If a client switches to a different SSID managed by the AC, the original web authentication entry is removed. When the client returns to the original SSID, it will need to go through the authentication process again.
Run the following command to check the client offline reason and whether an SSID switchover occurs based on the offline time:
show wlan diag sta sta-mac xxx.xxx.xxx
(Run the wlan diag enable command on the AC to enable the WLOG feature before the client is disconnected.)
debug web cli
show web-auth syslog ip xxxx (client IP) — Query the client online and offline records.
2.4 User Logged Out by the Server

Run the following command to check the client offline reason:
debug web cli

show web-auth syslog ip xxxx (client IP) — Query the client online and offline records.
3. Information Collection Template:
show run
show version
show logging
show web-auth user all
show dot sum (collect this information for MAB authentication)
show wlan diag sta sta-mac xxxx.xxxx.xxxx
show dot1x user diag mac xxxx.xxxx.xxxx (collect this information for MAB authentication)
debug web statistics
debug web statistics
debug web show
show tcp connect
show tcp connect statistics
show tcp connect statistics
show cpu-protect type tcp80
show cpu-protect type tcp80
show cpu-protect type tcp443
show cpu-protect type tcp443 (Collect debug information on the AC when a TCP connection failed to be established.)
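
The precedence rule from the notes in section 2.2, worked through as an added example that is not part of the original post or of any Ruijie tool: it resolves which no-traffic rule applies to each wlansec in a configuration excerpt. Assumptions: the excerpt is constructed, the wlansec `interval` is in minutes and `flow` in bytes, and the global rule applies when detection is disabled in the wlansec.

```python
import re

# Defaults stated on this page: global = 0 bytes in 8 hours, wlansec = 0 bytes in 15 minutes.
GLOBAL_DEFAULT = {"enabled": True, "interval_min": 480, "bytes": 0}
WLANSEC_DEFAULT = {"enabled": True, "interval_min": 15, "bytes": 0}

# Constructed running-config excerpt, not captured from a real device.
SAMPLE_CONFIG = """\
offline-detect interval 60 threshold 1024
wlansec 7
 web-auth offline-detect interval 30
wlansec 8
 no web-auth offline-detect
wlansec 9
"""

def _apply(rule, line, byte_key):
    """Update a rule from 'interval <n>' / '<byte_key> <n>' pairs found on the line."""
    for key, field in (("interval", "interval_min"), (byte_key, "bytes")):
        m = re.search(rf"\b{key}\s+(\d+)", line)
        if m:
            rule[field] = int(m.group(1))

def effective_offline_detect(config):
    """Return {wlansec_id: rule or None}; rule["source"] names the level that wins."""
    glob, wlansecs, current = dict(GLOBAL_DEFAULT), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"wlansec\s+(\d+)", line)
        if m:
            current = int(m.group(1))
            wlansecs[current] = dict(WLANSEC_DEFAULT)
        elif line and not raw[0].isspace():
            current = None  # unindented line: back in global configuration mode
        if current is None and line == "no offline-detect":
            glob["enabled"] = False
        elif current is None and line.startswith("offline-detect"):
            _apply(glob, line, "threshold")
        elif current is not None and line == "no web-auth offline-detect":
            wlansecs[current]["enabled"] = False
        elif current is not None and line.startswith("web-auth offline-detect"):
            _apply(wlansecs[current], line, "flow")
    result = {}
    for wid, ws in wlansecs.items():
        # wlansec setting has priority; global is used only if wlansec is off (assumption).
        winner, source = (ws, "wlansec") if ws["enabled"] else (glob, "global")
        result[wid] = dict(winner, source=source) if winner["enabled"] else None
    return result
```

A result of `None` for a wlansec means detection is disabled at both levels, which is the state the solution in section 2.2 produces.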




