When the wireless controller is connected to AD Campus for MAC-Portal wireless authentication, BYOD cannot actively switch over.


Problem Description

Authentication process description: When the wireless controller integrates with AD Campus for MAC-Portal wireless authentication, the terminal needs to go online twice. Only after the final authentication passes does AD Campus issue the authorization that allows user internet access. The user obtains two addresses: after the first MAC authentication passes, address 1 is acquired. AD Campus then actively forces the terminal offline. After going offline, the terminal comes online again and obtains address 2, after which AD issues the authorization allowing the terminal to access the network.

Fault point: After a terminal passes MAC authentication for the first time and obtains address 1, AD Campus actively attempts to force the terminal offline but fails. The terminal cannot access the network again until its online-user entry on AD ages out. The entry also cannot be manually set offline on EIA (as shown in the figure below).

Process Analysis

1. Check the check failures counter in the RADIUS packet statistics on the AC (display radius statistics). Every time the terminal failed re-authentication and the BYOD switchover, this counter for Session-control packets increased by one. The suspected cause is therefore that the Session-control packets sent by AD fail verification on the AC.

2. Capturing the RADIUS and CoA packets exchanged between the server and the AC showed that the session control (Ctl) packet the server sends to force terminals offline carries an Authenticator field used for identity verification. This confirmed that the Session-control packet (a UDP packet) sent by AD is also protected by a shared key: the Authenticator is computed with that key, so the AC can only verify it if it holds the same key.

3. Consulted AD R&D, who confirmed that the value of this shared key is the one configured when the access device was created on EIA.

4. Checking the AC configuration revealed that radius session-control client ip x.x.x.x had been configured without a shared key.


Solution

After configuring the shared key on the AC with radius session-control client ip x.x.x.x key xxx, the BYOD switchover succeeded for the terminal when it came online again. This shared key must match the shared key configured when adding the access device on the server, and it also corresponds to the key in the RADIUS scheme configured on the device.
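The check behind steps 1, 2 and 4 and the fix above, as an added illustration that is not part of the original case: the Disconnect-Request that AD Campus sends to force the terminal offline carries a Request Authenticator computed over the packet and the shared key (RFC 5176), and the AC recomputes it with the key configured for the session-control client. The server key, the terminal attributes and the modelling of "no key configured" as an empty key are constructed assumptions.

```python
import hashlib
import hmac
import struct

# RFC 5176 code for Disconnect-Request, the "force offline" message AD Campus sends
DISCONNECT_REQUEST = 40

# Constructed sample values (not from the case): the key set on the EIA access
# device entry, and the terminal's identity attributes in the request.
SERVER_KEY = b"ad-campus-shared-key"
SAMPLE_ATTRS = [
    (1, b"lab-user"),                    # User-Name
    (31, b"00-11-22-33-44-55"),          # Calling-Station-Id (terminal MAC)
    (44, b"0000a1b2"),                   # Acct-Session-Id
]

def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type, Length, Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def build_disconnect_request(identifier, attrs, shared_key):
    """Build a Disconnect-Request. RFC 5176 section 2.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + shared key)."""
    attributes = encode_attributes(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + shared_key).digest()
    return header + authenticator + attributes

def verify_request_authenticator(packet, ac_key):
    """Replay the AC-side check with the key the AC holds for this session-control
    client. A mismatch is what the 'check failures' counter records."""
    if len(packet) < 20:
        return False
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    _code, _ident, length = struct.unpack("!BBH", header)
    if length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attributes + ac_key).digest()
    return hmac.compare_digest(expected, received)

def ac_accepts_force_offline(ac_key):
    """Does the AC accept the server's Disconnect-Request with its configured key?
    None models the session-control client configured with no key (assumption)."""
    packet = build_disconnect_request(7, SAMPLE_ATTRS, SERVER_KEY)
    return verify_request_authenticator(packet, ac_key or b"")

if __name__ == "__main__":
    print("no key on AC :", ac_accepts_force_offline(None))        # False
    print("matching key :", ac_accepts_force_offline(SERVER_KEY))  # True
```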
