Troubleshooting guide

3. Troubleshooting Functional Failures During Operation
3.7 Layer 2 authentication communication failures
3.7.1 Communication failures occurring when IEEE 802.1X is used
If communication is not possible when IEEE 802.1X is used, isolate the cause of the
problem according to the failure analysis method described in the following table.
Table 3-25 Failure analysis method for IEEE 802.1X

No. 1
Items to check and commands:
  Use the show dot1x operation command to check the operating status of IEEE 802.1X.
Action:
  If "System 802.1X : Disable" or "Dot1x doesn't seem to be running" is displayed:
  The IEEE 802.1X program has stopped. Check whether the dot1x system-auth-control configuration command is set in the configuration.
  If "System 802.1X : Enable" is displayed, go to No. 2.

No. 2
Items to check and commands:
  Execute the show dot1x statistics operation command, and make sure an EAPOL handshake has been performed.
Action:
  If the value displayed for RxTotal under [EAPOL frames] is 0, EAPOL frames have not been sent from the terminal.
  If a value other than 0 is displayed for RxInvalid or RxLenErr, an invalid EAPOL frame has been received from the terminal, in which case the event is logged. Use the show dot1x logging operation command to view the log. The "Invalid EAPOL frame received" message is also logged to describe the invalid EAPOL frame.
  If any of the above conditions exists, check the Supplicant setting on the terminal.
  For other cases, go to No. 3.

No. 3
Items to check and commands:
  Execute the show dot1x statistics operation command, and make sure data has been sent to the RADIUS server.
Action:
  If the value displayed for TxTotal under [EAPoverRADIUS frames] is 0, no data has been sent to the RADIUS server. Check the following:
  - Check whether aaa authentication dot1x default group radius has been specified in a configuration command.
  - Check whether the dot1x radius-server host or radius-server host configuration command is set correctly.
  - For port-based authentication (static):
    Make sure the MAC address on the authentication terminal has not been registered with the mac-address-table static configuration command.
  - For port-based authentication (dynamic):
    Make sure the MAC address on the authentication terminal has not been registered with the mac-address-table static and mac-address configuration commands.
  - For VLAN-based authentication (dynamic):
    Make sure the MAC address on the authentication terminal has not been registered with the mac-address configuration command.
    Make sure aaa authentication network default group radius has been set in a configuration command.
  For other cases, go to No. 4.
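
The checks in No. 1 to No. 3 above can be applied mechanically to captured command output. The following is an added example, not part of the original guide or the vendor's tooling: it assumes the captures are plain text with counters written as "name : value", a layout constructed here for illustration; only the status strings, section names and counter names are taken from the table.

```python
import re

# Constructed sample captures. The "name : value" layout is an assumption for
# illustration; only the section and counter names come from Table 3-25.
STATUS_OK = "System 802.1X : Enable"
STATS_NO_RADIUS_TX = """\
[EAPOL frames]
TxTotal : 14  RxTotal : 9  RxInvalid : 0  RxLenErr : 0
[EAPoverRADIUS frames]
TxTotal : 0  RxTotal : 0
"""

def parse_counters(text):
    """Return {section: {counter: int}} from captured show dot1x statistics text."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*\[(.+?)\]\s*$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None:
            for name, value in re.findall(r"(\w+)\s*:\s*(\d+)", line):
                current[name] = int(value)
    return sections

def counter(sections, section, name):
    """Fetch one counter; a missing one is an error, never silently zero."""
    try:
        return sections[section][name]
    except KeyError:
        raise ValueError(f"{name} under [{section}] not found in capture") from None

def triage(status_text, stats_text):
    """Return (table row number, finding) following No. 1 to No. 3."""
    if ("Dot1x doesn't seem to be running" in status_text
            or re.search(r"System 802\.1X\s*:\s*Disable", status_text)):
        return 1, "IEEE 802.1X stopped: check dot1x system-auth-control"
    if not re.search(r"System 802\.1X\s*:\s*Enable", status_text):
        raise ValueError("operating status not found in show dot1x capture")
    c = parse_counters(stats_text)
    if counter(c, "EAPOL frames", "RxTotal") == 0:
        return 2, "no EAPOL frames from terminal: check Supplicant setting"
    if (counter(c, "EAPOL frames", "RxInvalid")
            or counter(c, "EAPOL frames", "RxLenErr")):
        return 2, "invalid EAPOL frames: see show dot1x logging, check Supplicant"
    if counter(c, "EAPoverRADIUS frames", "TxTotal") == 0:
        return 3, "nothing sent to RADIUS server: check aaa and radius-server host"
    return 4, "continue at No. 4"

if __name__ == "__main__":
    print(triage(STATUS_OK, STATS_NO_RADIUS_TX))
```

A counter that cannot be found raises an error instead of being read as 0, so a truncated capture is not mistaken for a terminal that sent no EAPOL frames.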