Specifications
Troubleshooting AOS-W Environments 595
Chapter 27
Client associates to AP, but higher-layer authentication
fails
Problems with higher-layer authentication such as 802.1x are normally not
related to basic connectivity, but can disguise themselves as such. If
association to an AP is successful, basic connectivity problems are likely ruled
out.
z Reset the client NIC. If association is successful a second or third time but
authentication continues to fail, it is unlikely that a basic connectivity prob-
lem is causing the issue. See the “Authentication” section of this guide for
more details on troubleshooting higher-layer authentication problems.
z Perform a wireless packet capture. If authentication problems are being
caused by a busy network or a denial of service attack, a packet capture
will make this clear.
Client associates/authenticates, but has no network
connectivity
In this scenario, a client has successfully associated to an AP and, if
configured, has successfully gone through higher-layer authentication.
However, the client has no access to network services.
z Static WEP Key mismatch: If the client and AP are configured for static
WEP, it is likely that the WEP keys do not match. This symptom com-
monly manifests itself when a client configured for DHCP fails to obtain an
IP address. Check the client’s WEP key and ensure that it matches the
WEP key configured in the Alcatel system.
z Dynamic WEP Key Exchange Failure: If the network uses 802.1x with
automatically-assigned WEP keys (dynamic WEP), it is possible that the
key exchange process failed. Because this key exchange is non-standard
and does not involve a verified “handshake”, the process sometimes fails
without an error message being generated. Resetting the client NIC or
rebooting the client operating system often restores connectivity in this
situation.
z WPA/802.11i Key Exchange Failure: In a WPA or 802.11i network, the
dynamic key exchange process may fail. This is an error condition and
indicates either a man-in-the-middle attack or a faulty NIC driver. Examine
the “Authentication” log file in the Alcatel switch for details – because the
WPA/802.11i key exchange is a standard and utilizes a four-way verified
handshake, error messages will be generated when part of the process
fails. To view the Authentication log file in the Alcatel management GUI,
navigate to MonitoringÆProcess Logs and filter on “Authentication.” From
the CLI, enter the command “show log authmgr”.