Occasional disconnection of 802.1X authenticated wireless terminals


Network Topology

The wireless network uses local forwarding. IMC acts as the RADIUS server and works with a third-party device to provide single sign-on. After a terminal goes online through 802.1X authentication, the IMC server sends the user's online record to the third-party device, at which point the terminal completes the full online process. Offline events are also advertised by the IMC server to the third-party device.


Problem Description

During deployment, some terminals intermittently lose Internet access while still being able to reach intranet resources. The issue occurs sporadically and is not specific to any terminal type.

Process Analysis

Since the phenomenon is sporadic, debugging and packet capture on the device are difficult. Only debug logs of UAM can be collected on the IMC server. After multiple data collections, logs from a problematic terminal were obtained. The UAM logs show that no accounting update message was received from the device within the aging time. The IMC aged the terminal and synchronized the offline information to the Sangfor single sign-on device, causing the terminal to fail to access external networks. At this point, the terminal requires manual reconnection to the wireless network. Services resume normal operation only after passing 802.1X authentication again, which negatively impacts user experience. Based on the conclusion provided by IMC, we can confirm two scenarios:

1. During the terminal aging period, the AC did not actually send accounting update messages. The terminal aging time on the IMC is 30 minutes, while the accounting update interval on the AC is 12 minutes.

2. The AC normally sent accounting update messages, but they were lost on the intermediate link.

Since the phenomenon is sporadic, packet capture and debug are less effective. We can determine the issue through the following methods:

Use the command display radius scheme to view AAA information. For explanations of specific fields, refer to the link. The screenshot shows that the accounting port 1813 had a block status, indicating that our AC can normally send accounting packets. The cause of the issue therefore remains an unstable intermediate link.

 

display radius scheme

Use display radius statistics to view RADIUS packet statistics. For detailed explanations, refer to the link.

display radius statistics


Solution

The issue occurs when IMC fails to receive accounting update messages from the AC and therefore ages out the terminal. On the AC side, this can be mitigated by adjusting the interval and retry count of the RADIUS accounting messages. On the IMC side, increasing the terminal aging time can also resolve the issue. Both methods only make the accounting exchange more tolerant of loss; the fundamental solution is to ensure the stability of the intermediate link.

1. Modify the AC configuration.

#
radius scheme 111
 retry 6
 timer realtime-accounting 6
#

Change the accounting message retry count to 6 (default is 3). Change the accounting message cycle to 6 minutes (default is 12 minutes).

2. Change the terminal aging time on IMC to 60 minutes (default is 30 minutes).
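
The timing relationship behind both changes, as an added example that is not part of the original case or of the IMC or AC software: it computes how many consecutive accounting updates can be lost before a session is aged, and flags aged sessions in a list of received accounting records. It assumes the aging timer restarts with every accounting message received; the function names and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: (time received by the RADIUS server, user, Acct-Status-Type).
# These records are made up for illustration; they are not IMC/UAM log output.
SAMPLE = [
    ("2024-01-01 09:00", "alice", "Start"),
    ("2024-01-01 09:12", "alice", "Interim-Update"),
    ("2024-01-01 09:24", "alice", "Interim-Update"),
    # alice: the 09:36 and 09:48 updates were lost on the intermediate link
    ("2024-01-01 10:00", "alice", "Interim-Update"),
    ("2024-01-01 09:05", "bob", "Start"),
    ("2024-01-01 09:17", "bob", "Interim-Update"),
    # bob: only the 09:29 update was lost
    ("2024-01-01 09:41", "bob", "Interim-Update"),
    ("2024-01-01 09:50", "bob", "Stop"),
]


def tolerated_losses(interval_min, aging_min):
    """Consecutive lost updates a session survives.

    Assumption: the next update must arrive strictly before the aging
    timer, restarted by the previous update, reaches aging_min.
    """
    return max(0, (aging_min - 1) // interval_min - 1)


def find_aged_sessions(records, aging_min):
    """Return (user, last_seen, aged_at) for each gap that reaches the aging time."""
    aging = timedelta(minutes=aging_min)
    last_seen, aged = {}, []
    for stamp, user, status in sorted(records):
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        prev = last_seen.get(user)
        if prev is not None and now - prev >= aging:
            aged.append((user, prev, prev + aging))
        if status == "Stop":
            last_seen.pop(user, None)   # session ended normally
        else:
            last_seen[user] = now       # Start or Interim-Update restarts the timer
    return aged


if __name__ == "__main__":
    print("12 min / 30 min tolerates", tolerated_losses(12, 30), "lost update(s)")
    print("6 min / 60 min tolerates", tolerated_losses(6, 60), "lost update(s)")
    for user, last, at in find_aged_sessions(SAMPLE, 30):
        print(f"{user}: last update {last:%H:%M}, aged at {at:%H:%M}")
```

With the default values a session is aged after only two consecutive lost updates, which is why a briefly unstable link is enough to trigger the symptom.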

