1. Possible Causes
2.1 Abnormal Client Disconnections due to the Wireless Environment Check if the issue persists when authentication is disabled or when there are no authenticated SSIDs in the same network environment (different SSID on the same radio). If the problem continues in either case, the abnormal disconnection of the client may be due to issues with the wireless environment. 2.2 Client No-Traffic Detection Enabled On the AC, run the show wlan diag sta sta-mac xxx.xxx.xxx command to display the client disconnection cause. (Run the wlan diag enable command on the AC to enable the WLOG feature before the client disconnection.) The client is disconnected because no traffic from the client is detected, as shown in the following figure. You can also use the following commands to view the client disconnection cause. Debug web cli Show web-auth syslog ip xxxx (clientIP) — Query the client online and offline records. The following figure shows the collected information. The Event and cause fields provide an overview of the offline reason. You can further confirm the cause by checking the Event field. The Event field indicates a specific reason for disconnection, as follows: WBA_EVENT_REQ_LOGOUT:A portal request is initiated for disconnection, which is generally initiated by the user. Confirm the disconnection by capturing portal packets. WBA_EVENT_TMLMT_OUT:The available time of the user expires and the user needs to go offline. The available time is delivered by the RADIUS server and can be confirmed by the RADIUS server. WBA_EVENT_FORCE_OFFLINE:The clear command is executed to force the user offline. WBA_EVENT_LINK_CHG:A user goes offline because the port link goes Up or Down. WBA_EVENT_DEL_USER_ALL:The clear command is executed toforce the user offline. WBA_EVENT_DEL_USER_UNDERPORT:The user goes offline because authentication is disabled. WBA_EVENT_SERVER_DEL_USER:The RADIUS server kicks the user offline, which can be confirmed by capturing RADIUS packets. WBA_EVENT_PORTAL_DOWNand WBA_EVENT_PORTAL_UP: The user goes offline because the portal server goes Upor Down. Check the connection to the portal server. WBA_EVENT_PORTAL_ESCAPE_OFF:The user goes offline because escape is disabled. WBA_EVENT_DHCP_UNBINDING_USER:The user goes offline because the DHCP IP address of the user changes or a DHCPRelease packet is sent to the user, which can be confirmed by capturing DHCPpackets. WBA_EVENT_RDS_DOWNand WBA_EVENT_RDS_UP: The user goes offline because the RADIUS server is up ordown. Check the connectivity with the RADIUS server. WBA_EVENT_LOW_FLOW_OFFLINE:The user goes offline because of no traffic. Check the user traffic. WBA_EVENT_INTF_DEFAULT:The user goes offline because the default operation is performed on theinterface. WBA_EVENT_INTF_DESTROY: If an interface isdeleted or a user is migrated, leading to disconnection, check the cause to diagnose the issue. If the migration involves a VLAN change, such as moving toa VLAN without authentication or a new port without authentication enabled, it may cause the user to go offline. Verify this by examining the configuration and using show mac and show arp commands to confirm if theuser’s VLAN changed after migration. WBA_EVENT_AFF_ACK:The portal server does not return the AFF_ACK packet to the user, causingtimeout and logout, which can be confirmed by capturing packets. Solution: Disable no traffic detection: Global configuration mode: no offline-detect WLAN security configuration mode: noweb-auth offline-detect Notes: In version 11.x, the no-traffic detection function can be configured globally or in the wlansec. The configuration in the wlansec has a higher priority than the global configuration. Therefore, when the no-traffic detection configuration in the wlansec is in effect, the globalsetting does not take effect. The default global configuration for no-traffic detection is to log users out if the traffic is 0 within 8 hours. The specific command is as follows: Ruijie(config)# offline-detect interval xx threshold yy In this command, xx indicates the detection period in minutes. The value range is from 1 to 65535, and the default value is8 hours. yy indicates the traffic in bytes. The valuerange is from 0 to 4294967294, and the default value is 0. The default configuration for no-traffic detection in the wlansec is to log users out if the traffic is 0 within 15minutes. The commands are as follows: The configuration in the wlansec has a higher priority , so the device logs users out if the traffic is 0 within 15 minutes. WS(config)#wlansec 7 — The number 7 should be replaced with the number allocated to the wlansec during authentication. WS(config-wlansec)#web-auth offline-detect ? flow Configure no flow threshold interval Configure no flowi nterval 2.3 Client Connected to a Different SSID (ForInternal Portal Scenarios Only) In the internal portal scenario, the jitter prevention time is configured to an excessively long period to implement MAB authentication. If a client switches to a different SSID managed by the AC, the original web authentication entry is removed. When the client returns to the original SSID, it will need to go through the authentication process again. Run the following command to check the client offline reason and whether an SSID switchover occurs based on the offline time: show wlan diag sta sta-mac xxx.xxx.xxx (Run the wlan diag enablecommand on the AC to enable the WLOG feature before the client is disconnected.) Debug web cli Show web-auth syslog ip xxxx (client IP) —Query the client online and offline records. 2.4 User Logged Out by the Server Run the following command to check the client offline reason: Debug web cli Show web-auth syslog ip xxxx (clientIP) — Query the client online and offline records. 3. Information Collection Template: show run show version show logging show web-auth user all show dot sum (collect this information for MAB authentication) show wlan diag stasta-mac xxxx.xxxx.xxxx show dot1x user diag mac xxxx.xxxx.xxxx (collect thisinformation for MAB authentication) debug web statistics debug web statistics Debugweb show show tcp connect show tcp connect statistics show tcp connect statistics show cpu-protect type tcp80 show cpu-protect type tcp80 show cpu-protect type tcp443 show cpu-protect type tcp443 (Collect debuginformation on the AC when a TCP connection failed to be established.) |
This site contains user submitted content, comments and opinions and is for informational purposes only. Ruijie may provide or recommend responses as a possible solution based on the information provided; every potential issue may involve several factors not detailed in the conversations captured in an electronic forum and Ruijie can therefore provide no guarantee as to the efficacy of any proposed solutions on the community forums. Ruijie disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Ruijie Community Terms of Use.
More ways to get help: Visit Support Videos, call us via Service Hotline, Facebook or Live Chat.
©2000-2023 Ruijie Networks Co,Ltd