Troubleshooting guide

3. Troubleshooting Functional Failures During Operation
3.13 Layer 2 authentication communication failures
3.13.1 Communication failures occurring when IEEE 802.1X is used
If authentication is not possible when IEEE 802.1X is used, isolate the cause of the problem
according to the failure analysis method described in the following table.
Table 3-57: Authentication failure analysis method for IEEE 802.1X
No. 1
Items to check and commands: Use the show dot1x command to check the operating status of IEEE 802.1X.
Action:
- If "Dot1x doesn't seem to be running" is displayed, IEEE 802.1X is not running. Check whether the dot1x system-auth-control command is set in the configuration.
- If "System 802.1X : Enable" is displayed, go to No. 2.

No. 2
Items to check and commands: Execute the show dot1x statistics command, and make sure an EAPOL handshake has been performed.
Action:
- If the value displayed for RxTotal under [EAPOL frames] is 0, EAPOL frames have not been sent from the terminal. If a value other than 0 is displayed for RxInvalid or RxLenErr, an invalid EAPOL frame has been received from the terminal, in which case the event is logged. Use the show dot1x logging command to view the log. The "Invalid EAPOL frame received" message is also logged to describe the invalid EAPOL frame. If any of the above conditions exists, check the Supplicant setting on the terminal.
- For other cases, go to No. 3.

No. 3
Items to check and commands: Execute the show dot1x statistics command, and make sure data has been sent to the RADIUS server.
Action:
- If the value displayed for TxNoNakRsp under [EAPoverRADIUS frames] is 0, no data has been sent to the RADIUS server. Check the following:
  - Check whether aaa authentication dot1x default group radius has been specified in a configuration command.
  - Check whether the radius-server host configuration command is set correctly.
  - If the authentication mode is port-based authentication or VLAN-based authentication (static), make sure the authentication terminal has not been registered with the mac-address-table static configuration command. For VLAN-based authentication (dynamic), make sure the authentication terminal has not been registered with the mac-address configuration command.
  - If the authentication mode is VLAN-based authentication (dynamic), check whether aaa authorization network default group radius has been set in a configuration command.
- For other cases, go to No. 4.

No. 4
Items to check and commands: Execute the show dot1x statistics command, and make sure packets have been received from the RADIUS server.
Action:
- If the value displayed for RxTotal under [EAPoverRADIUS frames] is 0, packets have not been received from the RADIUS server. Check the following:
  - If the RADIUS server is associated with the remote network, make sure a route to the remote network exists.
  - Make sure the ports on the RADIUS server are not subject to authentication.
- For other cases, go to No. 5.

No. 5
Items to check and commands: Execute the show dot1x logging command, and check data exchange with the RADIUS server.
Action:
- If "Invalid EAP over RADIUS frames received" is displayed, invalid packets were received from the RADIUS server. Check whether the RADIUS server is running normally.
- If "Failed to connect to RADIUS server" is displayed, an attempt to establish a connection with the RADIUS server has failed. Check whether the RADIUS server is running normally.
- For other cases, go to No. 6.
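
The counter checks in No. 2 to No. 4 can be run automatically against captured show dot1x statistics output for a single port. The Python below is an added example, not part of this guide or the vendor's tooling; the sample output layout ("[section]" headers followed by "Name : value" pairs) and the function names parse_counters, need and triage are assumptions, while the counter and section names are those given in the table.

```python
import re

# Constructed sample for one port. The real layout of "show dot1x statistics"
# is an assumption: "[section]" headers followed by "Name : value" pairs.
SAMPLE = """\
[EAPOL frames]
Port 0/1  TxTotal : 12  RxTotal : 9  RxInvalid : 0  RxLenErr : 0
[EAPoverRADIUS frames]
Port 0/1  TxTotal : 9  TxNoNakRsp : 9  RxTotal : 0
"""

def parse_counters(text):
    """Return {section: {counter: value}}; section names lose case and spaces."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*\[(.+?)\]\s*$", line)
        if header:
            key = header.group(1).replace(" ", "").lower()
            current = sections.setdefault(key, {})
        elif current is not None:
            for name, value in re.findall(r"([A-Za-z]+)\s*:\s*(\d+)", line):
                current[name] = int(value)
    return sections

def need(sections, section, name):
    """Fetch a counter, refusing to treat a missing one as zero."""
    try:
        return sections[section][name]
    except KeyError:
        raise ValueError(f"counter {name} not found under [{section}]") from None

def triage(text):
    """Return (table row No., finding) for the first failing counter check."""
    s = parse_counters(text)
    if need(s, "eapolframes", "RxTotal") == 0:
        return 2, "no EAPOL frames received from the terminal"
    if need(s, "eapolframes", "RxInvalid") or need(s, "eapolframes", "RxLenErr"):
        return 2, "invalid EAPOL frames received from the terminal"
    if need(s, "eapoverradiusframes", "TxNoNakRsp") == 0:
        return 3, "no data sent to the RADIUS server"
    if need(s, "eapoverradiusframes", "RxTotal") == 0:
        return 4, "no packets received from the RADIUS server"
    return 5, "counters normal; continue with show dot1x logging"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A missing counter raises ValueError instead of being read as 0, so a layout mismatch cannot be mistaken for a silent terminal or RADIUS server.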