Specifications
Troubleshooting AOS-W Environments 593
Chapter 27
802.11 Authentication Fails
The 802.11 authenticate exchange is a primitive form of authentication
specified by the original 802.11 standard, and is not related to secure
authentication such as 802.1x or VPN. This authentication exchange must
still take place before an association exchange, but no useful information is
exchanged.
• Enable client debugging for the client device in question. From the Alcatel
CLI, use the command “aaa user debug mac <MAC address of client>”.
Log output from the debug process can be viewed by issuing the command
“show log intuser 30” (to display the last 30 lines of the log file).
The log file should indicate the reason for a failed authentication or
association. Often the cause is a capability mismatch between the client and AP.
• If the authenticate process fails, it is likely because the client has been
configured for shared-key authentication. Shared-key authentication opens a
security vulnerability and should never be used - the Alcatel system does
not support shared-key authentication. The client should be configured for
either “open system” or “WPA” authentication, but never shared-key.
• Ensure that the user is physically located in an area with AP coverage. If
signal strength is too low, radio transmission may be garbled to the point
that authentication or association is impossible. The Station Manager log
will indicate with which AP the client is attempting to associate – ensure
that this AP is near the user’s physical location.
• Perform a wireless packet capture. If the Station Manager log provides no
useful information or is inaccessible, a packet capture will always show
the reason for a failed association.
• Reset the client NIC. In the case of malfunctioning client software, this
does not fix the underlying problem but is often the fastest way to get the
user back on the network.
NOTE—It is not possible to set authentication to 'fall-through' to another
method or server if the first authentication fails. If a user fails authentication
to a server, it just "fails". For networks with more than one authentication
server for each authentication method, a secondary server will kick in only
if the primary server fails (the whole server, not an authentication failure).
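When working from a packet capture, the shared-key case described above can be read directly from the 802.11 Authentication frames. The following Python sketch is an added example, not part of the Alcatel documentation: it decodes the algorithm, transaction and status fields of a raw authentication frame. The MAC addresses and the two frames are constructed, and the use of status code 13 for the AP's rejection is an assumption.

```python
import struct

# Field values from the IEEE 802.11 standard (subset relevant to this check).
AUTH_ALGORITHMS = {0: "open system", 1: "shared key"}
STATUS_CODES = {0: "successful", 1: "unspecified failure",
                13: "authentication algorithm not supported"}
MGMT_HEADER_LEN = 24  # frame control, duration, addr1-3, sequence control

def parse_auth_frame(frame):
    """Decode one 802.11 Authentication frame (radiotap header and FCS removed).
    Returns None for other frame types or encrypted bodies; ValueError if truncated."""
    if len(frame) < 2:
        raise ValueError("too short for a frame control field")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 11:   # not management/authentication
        return None
    if frame[1] & 0x40:               # Protected bit: body is encrypted
        return None
    if len(frame) < MGMT_HEADER_LEN + 6:
        raise ValueError("truncated authentication frame")
    algo, seq, status = struct.unpack_from("<HHH", frame, MGMT_HEADER_LEN)
    return {
        "dst": frame[4:10].hex(":"),
        "src": frame[10:16].hex(":"),
        "algorithm": AUTH_ALGORITHMS.get(algo, f"unknown ({algo})"),
        "transaction": seq,
        "status": STATUS_CODES.get(status, f"status code {status}"),
        "failed": status != 0,
        # Transaction 1 is always sent by the client, so algorithm 1 there
        # means the client itself is configured for shared-key.
        "client_requests_shared_key": algo == 1 and seq == 1,
    }

def sample_frame(dst, src, bssid, algo, seq, status):
    """Build a constructed authentication frame for the demonstration."""
    header = b"\xb0\x00\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + struct.pack("<HHH", algo, seq, status)

CLIENT = bytes.fromhex("020000000001")  # constructed, locally administered
AP = bytes.fromhex("020000000002")      # constructed, locally administered
CAPTURE = [sample_frame(AP, CLIENT, AP, 1, 1, 0),    # client request
           sample_frame(CLIENT, AP, AP, 1, 2, 13)]   # AP rejection (assumed code)

if __name__ == "__main__":
    for raw in CAPTURE:
        print(parse_auth_frame(raw))
```

A frame with `client_requests_shared_key` set identifies a client that needs to be reconfigured for “open system” or “WPA”.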
Association Fails
During the association request/response exchange, a number of capabilities
are exchanged. If there is a mismatch between the client and network
configuration, the association will often be rejected by the AP. On the client,
there is often no indication that an association has failed other than a lack of
association. For example, under Windows XP using the built-in “Zero
Configuration” service, Windows will continually display “One or more
wireless networks are available…”