Brief:
We need to get RADIUS authentication working on a new installation of an AC6005 controller with its APs. According to the logs, the controller does not seem to be sending the request to the RADIUS server. After some configuration we managed to get the packets to the RADIUS server, but they were denied.
Error:
N/A. The RADIUS server did not get to process the authentication packets.
Handling:
1. First, we collected diagnostic information and noticed some issues with the configuration:


The accounting-scheme was set, but no accounting server was configured. Please check the link below for details on how to set it:
2. We also ran a ping using the command “ping -a 172.29.X.X 172.17.X.X” to check whether the AC could reach the RADIUS server, and it was successful;
3. We also created VLAN 753 on the AC using the command “vlan batch 753”;
4. Then we used test-aaa to check whether the user could authenticate successfully against the RADIUS server, but the server appeared to deny the tests;
5. We traced the station but got no information, so we created a test SSID ‘HW_test’, and the station could connect to it;
6. We suspected a problem with the station configuration, so we switched to a smartphone for testing. In the trace information, we saw that the AC sent an EAP_request packet to the user but did not receive a response from the user.

We also noticed that the EAP_request packet was very large:
Because some stations cannot receive or handle large EAP_request packets, we changed the MTU value in the RADIUS server template:

7. After we changed this, the smartphone came online:

8. On the PC, we forgot the old WLAN network ‘Test Corp’ and reset the configuration. When we traced the PC, we found that the RADIUS server rejected this user:

9. After we rebooted the station, the PC came online successfully:

Root Cause:
Some STAs cannot handle a large MTU, so it is best to choose a smaller value in those cases.
Solution:
Use the command “radius-attribute set Framed-Mtu 800” in the RADIUS server template.
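The following added example (not part of the original case or of Huawei's code) shows why lowering Framed-MTU shrinks each EAP_request: a RADIUS server that honours the attribute splits a large TLS flight into more, smaller fragments. It assumes the EAP method is EAP-TLS (RFC 5216 framing); the 3000-byte flight and the 1400 comparison value are constructed, and radio/EAPOL overhead is not modelled.

```python
import struct

EAP_REQUEST, EAP_TYPE_TLS = 1, 13      # EAP Code 1 = Request, Type 13 = EAP-TLS (RFC 5216)
FLAG_L, FLAG_M = 0x80, 0x40            # EAP-TLS flags: Length included, More fragments

def framed_mtu_attr(mtu):
    """Encode RADIUS Framed-MTU (attribute type 12): type, length 6, 32-bit value."""
    if not 64 <= mtu <= 65535:
        raise ValueError("Framed-MTU must be 64..65535")
    return struct.pack("!BBI", 12, 6, mtu)

def fragment_eap_tls(tls_data, framed_mtu, first_id=1):
    """Split one TLS flight into EAP-TLS Requests of at most framed_mtu bytes each."""
    framed_mtu_attr(framed_mtu)                      # reuse the range check
    total, offset, packets = len(tls_data), 0, []
    fragmented = 6 + total > framed_mtu              # 4-byte EAP header + Type + Flags
    while True:
        # Only the first fragment of a fragmented message carries the TLS length field
        length_field = struct.pack("!I", total) if fragmented and offset == 0 else b""
        room = framed_mtu - 6 - len(length_field)
        chunk = tls_data[offset:offset + room]
        offset += len(chunk)
        more = offset < total
        flags = (FLAG_L if length_field else 0) | (FLAG_M if more else 0)
        body = bytes([EAP_TYPE_TLS, flags]) + length_field + chunk
        ident = (first_id + len(packets)) & 0xFF     # Identifier increments per Request
        packets.append(struct.pack("!BBH", EAP_REQUEST, ident, 4 + len(body)) + body)
        if not more:
            return packets

def reassemble(packets):
    """Supplicant side: strip headers and join fragments back into the TLS flight."""
    data = b""
    for p in packets:
        skip = 10 if p[5] & FLAG_L else 6            # 4 extra bytes when L flag is set
        data += p[skip:]
    return data

# Constructed sample: a 3000-byte server flight (e.g. a certificate chain)
SAMPLE_FLIGHT = bytes(range(256)) * 11 + bytes(184)

if __name__ == "__main__":
    for mtu in (1400, 800):                          # 1400 is a constructed comparison value
        sizes = [len(p) for p in fragment_eap_tls(SAMPLE_FLIGHT, mtu)]
        print(framed_mtu_attr(mtu).hex(), mtu, sizes)
```

With Framed-MTU 800 no single EAP_request exceeds 800 bytes, at the cost of one extra round trip for this sample.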
Suggestions:
Always make sure the MTU is supported on both sides of the connection.


