Wireless 802.1x authentication failed
- 0 Followed
- 0Collected ,1088Browsed
Network Topology
None
Problem Description
802.1x authentication, input correct username and password, but authentication failed.
Process Analysis
1) Check if the link is accessible: Verify if the authentication device and server can be pinged, and check if the relevant VLANs are connected.
2) Check the radius related configuration on AC: Check the IP address and secret key of the radius solution server. Check if there are any issues with the source address and associated domain configuration of the radius message sent.
3) Check the relevant configurations on the IMC server: Check if the IP address of the access device is written incorrectly, and if the shared secret key is consistent with the configuration on the AC. Check if there are any issues with the certificate type and subtype of the access policy. Check if the access policy for accessing service calls is consistent. Verify the access user's information, account name, and password.
After routine troubleshooting, no errors were found. By capturing packets, it was found that the message terminated when the terminal sent a client hello message to the authentication server. It is not yet known why the server refused after the terminal sent the client hello message.
Investigate the cause of the fault from the logs on the server side and identify the problem.
1) The server received two identical EAP No.1 messages at the same time.
2) The server received EAP message number 2 at two different times.
The server will receive two identical messages at the same time, which will result in the server thinking that the message is abnormal and replying to reject. In the case where the server receives two identical messages at the same time, it may be due to the configuration of mirrors in the device. As a result of layer by layer investigation, it was found that there is a mirror group configured on the switch connected to the authentication server. This mirror group causes two identical authentication messages sent by the device to the server, which is considered abnormal for the server and therefore authentication will be rejected.
Solution
After deleting the mirror group configuration, 802.1x authentication can proceed normally.