Default domain for all users, which is configured using the access-domain domain-name force command in the authentication profile view.

Default domain for 802.1X users, which is configured using the access-domain domain-name dot1x command in the authentication profile view.

If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in one of the following default domains.

For example, if the user name entered during authentication is and the domain name delimiter configured on the device is the domain contained in the user name is.

Forcible domain for all users, which is configured using the access-domain domain-name force command in the authentication profile view.

Forcible domain for 802.1X users, which is configured using the access-domain domain-name dot1x force command in the authentication profile view.

The following domains are listed in descending order of priority:

If Current authentication mode is common-mode is displayed in the command output, the current NAC mode is common mode.

If Current authentication mode is unified-mode is displayed in the command output, the current NAC mode is unified mode.

Before troubleshooting, run the display authentication mode command to check the NAC mode. The troubleshooting methods vary depending on the NAC mode. The NAC mode is classified into unified mode and common mode.

The Switch Does Not Receive Any Response from the Client After Sending an EAP-Request/MD5 Challenge Packet

The switch does not receive any response from the client after sending a Request/Challenge packet.

No response of request challenge from user

The Switch Does Not Receive Any Response from the Client After Sending an EAP-Request/Identity Packet

The switch does not receive any response from the client after sending an EAP-Request/Identity packet to the client.
No response of request identity from user

Remote user is blocked or Local Authentication user block

The AAA module receives a message indicating that the RADIUS server does not respond. The value of the User online fail reason field in the command output specifies the reason.

AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(73).

The RADIUS server is up but does not respond. The possible cause is displayed in the trace object command output.

The switch receives an Access-Reject packet from the RADIUS server.

Received a authentication reject packet from radius server(server ip = x.x.x.x).

The RADIUS Server Responds with an Access-Reject Packet

The possible cause is displayed by the User online fail reason field in the display aaa online-fail-record command output. The RADIUS server rejects the authentication request.

The EAP Authentication Methods of the Switch, Client, and RADIUS Server Are Different

The Extensible Authentication Protocol (EAP) authentication methods of the switch, client, and RADIUS server are different.

The AAA Domain to Which the User Belongs Is Incorrect

The AAA domain to which the user belongs is incorrect.

Table 1-1 Possible causes of 802.1X authentication failures

Run the trace object mac-address mac-address command in the system view to create an object to be diagnosed based on the user MAC address.

Run the trace enable command in the system view to enable the trace diagnosis function.

To enable the trace diagnosis function, perform the following operations:

Based on the user's MAC or IP address, check trace diagnostic information, such as the status change and protocol processing result of the user during authentication.

Check trace diagnostic information.

If the fault cannot be rectified based on the failure cause, go to step 3.

Run the display aaa online-fail-record command to check the cause of the user access failure based on the User online fail reason field.
Check whether AAA and 802.1X configurations are correct.

Check the cause of the user access failure.

The following describes the procedure for locating an 802.1X authentication failure:

To locate an 802.1X authentication failure, you need to check whether authentication configurations are correct and then locate the failure using commands or the trace function.

Authentication, authorization, and accounting (AAA) and Remote Authentication Dial-In User Service (RADIUS) are typically used for authentication, and 802.1X is used for access control.

The 802.1X user access process consists of authentication and access.