Specifications

OmniAccess Reference: AOS-W System Reference
604 Part 031652-00 May 2005
Incorrect Username/password (TTLS or PEAP)
A typical cause of authentication failure is an incorrect username, password, or
one-time token. In most cases, this is a simple problem to troubleshoot,
because the client will generate an error message indicating the cause of the
failure. However, depending on the 802.1x supplicant in use, this error may
not be obvious.
• Check the RADIUS server. The first line of troubleshooting for authentication
  problems should always involve the authentication server. Because
  the actual authentication exchange in 802.1x happens between the client
  and the authentication server, the server is the most accurate entity for
  examining logging information. Server log messages will often indicate
  what triggered the failure.
• If the RADIUS server is inaccessible, check authentication log messages on
  the Alcatel switch. From the management GUI, navigate to
  Monitoring → Process Logs and filter on Authentication. From the CLI, issue the
  command “show log authmgr”. As an 802.1x authenticator, the Alcatel
  switch can only see an 802.1x success or failure, but has no information
  about why a failure occurred. Checking this log will indicate that a failure
  was signaled by the authentication server, which can then lead to further
  troubleshooting.
Server certificate is not validated
802.1x operation in wireless networks (PEAP, EAP-TLS, and TTLS) relies on a
valid certificate being transmitted from the authentication server to the client.
The certificate must not be expired, must be valid for the server name, and
must be trusted by the client (if the certificate is signed by a certificate
authority, the certificate authority must be trusted by the client).
Certificate errors may or may not be indicated by the client. For example, the
Funk Odyssey client will turn an icon red and indicate an explicit error when a
certificate problem occurs. The Microsoft supplicant built into Windows XP
will not.
• If a certificate problem is suspected, most 802.1x supplicants provide an
  option to disable server certificate validation. As a troubleshooting
  mechanism, temporarily disable this option if available. If authentication is
  successful after this option is disabled, a certificate problem has been
  confirmed. Note: Do not leave the “validate server certificate” option
  turned off in the 802.1x supplicant. Doing so opens a security vulnerability
  that makes a man-in-the-middle attack possible.
• Verify that the client configuration matches the standard enterprise client
  configuration. Most 802.1x problems are caused by a misconfigured client.
  For example, the wrong certificate authority or wrong server domain name
  may have been selected, or password authentication may be selected when
  one-time token use is required by the authentication server.
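
The two client-side checks above (server certificate validation left on, and the correct certificate authority and server name selected) can be audited across client configurations. The following is an added example, not part of the original manual: it assumes the supplicant is wpa_supplicant, which the manual does not cover, and the sample configuration, SSIDs and file paths are constructed.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (assumed supplicant, not from the manual).
SAMPLE_CONF = """
network={
    ssid="corp-ok"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
network={
    ssid="corp-novalidate"
    key_mgmt=WPA-EAP
}
network={
    ssid="corp-anyname"
    key_mgmt=WPA-EAP
    ca_cert="/etc/certs/corp-ca.pem"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
}
"""
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        lines = [ln.strip() for ln in body.splitlines()]
        pairs = (ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Map SSID -> findings for 802.1x networks that skip a server-certificate check."""
    findings = {}
    for net in parse_networks(text):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK network: no authentication server certificate involved
        issues = []
        if not (net.get("ca_cert") or net.get("ca_path")):
            issues.append("no trusted CA set: server certificate is not validated")
        if not any(net.get(k) for k in NAME_CHECKS):
            issues.append("no server name check: any certificate the CA issued is accepted")
        if issues:
            findings[net.get("ssid", "?")] = issues
    return findings
```

Pass the text of a deployed configuration file to `audit()`; an empty result means every 802.1x network in it sets both a trusted CA and a server name check.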