Introduction to 802.1x Authentication and Troubleshooting

Hi, everyone! Today I'm going to give an introduction to 802.1X authentication and troubleshooting.

I. 802.1X authentication trigger mode


The 802.1X authentication process can be initiated by the client or by the device. The device supports the following two trigger modes:


Client active trigger mode: The client actively sends an EAPOL-Start message to the device to trigger authentication.

Device-side active trigger mode: The device-side trigger mode is used to support clients that cannot actively send EAPOL-Start packets, such as the 802.1X client that comes with Windows.


The dot1x mc-trigger command enables 802.1X multicast triggering.

Use the undo dot1x mc-trigger command to disable 802.1X multicast triggering.

By default, the multicast trigger function of 802.1X is enabled.

II. 802.1X authentication method

1. EAP relay: The EAP protocol packets are relayed by the device. The device uses the EAPOR (EAP over RADIUS) encapsulation format to carry the EAP packets in the RADIUS protocol and sends them to the RADIUS server for authentication. The advantage of this authentication method is that processing on the device is simple and multiple types of EAP authentication methods can be supported, such as MD5-Challenge, EAP-TLS, and PEAP, but the server must support the corresponding authentication method.


2. EAP termination: The EAP protocol packets are terminated by the device. The device encapsulates the client authentication information in a standard RADIUS packet, and the server authenticates the user with PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol). The advantage of this authentication method is that existing RADIUS servers generally support PAP and CHAP authentication, so the server does not need to be upgraded. However, processing on the device is more complicated, and no EAP authentication method other than MD5-Challenge can be supported.


Compared with the EAP relay method, the difference in the EAP termination authentication process is that the MD5 challenge used to encrypt the user password information in step (4) is generated by the device. The device then sends the user name, the MD5 challenge, and the client's encrypted password information to the RADIUS server for authentication.


dot1x authentication-method

Traditional mode uses CHAP authentication by default, and unified mode uses EAP authentication by default.
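Added example, not part of the original post: the EAP termination flow with CHAP, showing the client, the device, and the RADIUS server side. The user name, password, and EAP identifier are constructed; the attribute numbers are the standard RADIUS ones from RFC 2865.

```python
import hashlib
import hmac
import os

USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60   # RADIUS attribute types

def client_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Client: EAP MD5-Challenge value = MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def device_build_attrs(username: str, identifier: int,
                       challenge: bytes, response: bytes) -> dict:
    """Device (EAP termination): EAP ends here; the values are re-packed
    into standard RADIUS CHAP attributes."""
    if len(response) != 16:
        raise ValueError("MD5 response must be 16 bytes")
    return {
        USER_NAME: username.encode(),
        CHAP_PASSWORD: bytes([identifier]) + response,  # CHAP ident + hash
        CHAP_CHALLENGE: challenge,                      # generated by the device
    }

def server_verify(attrs: dict, user_db: dict) -> bool:
    """RADIUS server: recompute the hash. CHAP requires that the server can
    recover the cleartext password for the user."""
    password = user_db.get(attrs[USER_NAME].decode())
    if password is None:
        return False
    ident, received = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
    expected = hashlib.md5(bytes([ident]) + password + attrs[CHAP_CHALLENGE]).digest()
    return hmac.compare_digest(expected, received)

def run_exchange(username: str, typed_password: bytes, user_db: dict) -> bool:
    identifier = 7                 # constructed EAP identifier
    challenge = os.urandom(16)     # the device, not the server, picks the challenge
    response = client_md5_response(identifier, typed_password, challenge)
    attrs = device_build_attrs(username, identifier, challenge, response)
    return server_verify(attrs, user_db)

USER_DB = {"alice": b"correct horse"}   # constructed sample account

if __name__ == "__main__":
    print(run_exchange("alice", b"correct horse", USER_DB))
    print(run_exchange("alice", b"wrong", USER_DB))
```

In EAP relay mode the device would skip `device_build_attrs` and forward the EAP packet unchanged inside RADIUS, which is why relay can carry EAP-TLS or PEAP and termination cannot.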

III. MAC bypass authentication

MAC bypass authentication enables terminals that cannot install and use 802.1X client software in 802.1X authentication systems, such as printers, to use their own MAC address as the user name and password for authentication.

During the 802.1X authentication process, the device first triggers 802.1X authentication for the user. However, if the user has not performed 802.1X authentication for a long time, the user's MAC address is used as the authentication information: it is sent as the user name and password to the authentication server, which performs authentication.

Use the authentication dot1x-mac-bypass command in unified mode to enable MAC bypass authentication.

The dot1x mac-bypass command in traditional mode enables MAC bypass authentication on an interface.

The dot1x mac-bypass mac-auth-first command enables priority MAC authentication during MAC bypass authentication.

When the MAC bypass authentication function is configured, the device first performs 802.1X authentication for the user and starts the timer configured by the dot1x timer mac-bypass-delay delay-time-value command. (By default, MAC authentication is performed if authentication has not succeeded 30 seconds after 802.1X authentication starts.) If the timer reaches delay-time-value and 802.1X authentication is still unsuccessful, the device starts MAC authentication for the user. You can use the dot1x retry max-retry-value command to configure max-retry-value, the number of times the device retransmits authentication requests to 802.1X users. The retransmission interval is the integer part of delay-time-value / (max-retry-value + 1).

The link-down offline delay command configures the interval for users to go offline after a link failure occurs on an interface.


The packets that arrive through the any-l2 (any packet) entry also include DHCP and ARP packets. If arp / dhcp and any-l2 are enabled at the same time, ARP / DHCP packets do not enter the queue through the any-l2 entry. If arp / dhcp is not enabled and any-l2 is enabled, they enter the queue through any-l2. The product adaptation side does this to prevent the same packet from being queued twice. On the lib side, the service can trigger authentication when any of these packets arrives.

IV. Unable to go online

1. View by reason

    display aaa abnormal-offline-record all

    display aaa online-fail-record all

    display aaa offline-record all

2. View configuration:

     1. Is 802.1X enabled? (Traditional mode: 802.1X enabled globally and on the port. Unified mode: authentication template bound to the port, and dot1x access template bound to the authentication template.)

     2. Is the authentication method consistent with that supported by the server? (EAP, CHAP, PAP)

     3. Is the AAA configuration correct? (Does the domain's authentication scheme use local authentication? Does the user exist?)

     4. Are the username and password correct? (test-aaa)

     5. Has the online user reached the maximum?

3. View the silent table

display dot1x quiet-user all

4. View interaction with client messages

display dot1x abnormal-eap-track

If ESAP sent a request message and the client did not respond, capture packets to see whether the client received it. The packet may have been lost, in which case check forwarding. The message is sent by calling the interface ESAP_IF_QosTransmit.

5. Wireless Roaming Viewing Track

display station roam-track sta-mac 0011-43c7-d73e

6. Why does an 802.1X authenticated user fail the authentication when there is a Layer 2 switch between the 802.1X enabled device and the user?

The EAP protocol message in the 802.1X authentication process is a BPDU message. Huawei switches currently do not perform Layer 2 forwarding of BPDU packets by default. Therefore, if there is a Layer 2 switch between the 802.1X-enabled device and the user, you must configure Layer 2 transparent transmission on it. Otherwise, the EAP packets sent by the user cannot reach the authentication device, and the user cannot pass authentication.

The configuration steps for Layer 2 transparent transmission of 802.1X authentication packets are as follows:

Run the command in the Layer 2 switch global view: l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002

Run the command on the Layer 2 switch connected to the uplink network interface and all downlink interfaces connected to the user: l2protocol-tunnel user-defined-protocol dot1x enable
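Added example, not part of the original post: a small decoder for captured frames that supports the checks in items 4 and 6, showing whether EAPOL frames addressed to 0180-c200-0003 appear in a capture and which EAP requests never got a response. It assumes untagged Ethernet frames; the MAC addresses and identity in the sample capture are constructed.

```python
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 0180-c200-0003, the protocol-mac above
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}

def decode_eapol(frame: bytes):
    """Summarise an untagged EAPOL frame; return None if it is not EAPOL."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]          # drops Ethernet padding
    info = {"src": frame[6:12].hex("-", 2),
            "to_pae_group": frame[0:6] == PAE_GROUP_MAC,
            "eapol": EAPOL_TYPES.get(ptype, f"type {ptype}"),
            "eap": None}
    if ptype == 0 and len(body) >= 4:     # EAP-Packet: code, identifier, length
        code, ident = body[0], body[1]
        name = EAP_CODES.get(code, f"code {code}")
        if code in (1, 2) and len(body) >= 5:
            name += " " + EAP_TYPES.get(body[4], f"type {body[4]}")
        info["eap"] = (ident, name)
    return info

def unanswered_requests(frames):
    """Map EAP identifier -> Request name for Requests with no Response in the capture."""
    pending = {}
    for d in filter(None, map(decode_eapol, frames)):
        ident, name = d["eap"] or (None, "")
        if name.startswith("Request"):
            pending[ident] = name
        elif name.startswith("Response"):
            pending.pop(ident, None)
    return pending

# Constructed sample capture (MAC addresses and identity are made up).
def _frame(dst, src, ptype, body=b""):
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body

STA, DEV = bytes.fromhex("0011aabbcc01"), bytes.fromhex("00e0fc000001")
SAMPLE = [
    _frame(PAE_GROUP_MAC, STA, 1),                                       # EAPOL-Start
    _frame(STA, DEV, 0, struct.pack("!BBHB", 1, 1, 5, 1)),                # Request Identity
    _frame(PAE_GROUP_MAC, STA, 0, struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"),
    _frame(STA, DEV, 0, struct.pack("!BBHBB", 1, 2, 22, 4, 16) + bytes(16)),  # no reply
]
```

Running `unanswered_requests` on captures taken on both sides of the intermediate Layer 2 switch shows on which side the EAP packets stop.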

V. Speed limit and packet loss

1. Speed limit

Command: authentication speed-limit auto enables the device to dynamically adjust the processing rate of NAC user packets.

Functions: EAPOL_Access_Flow_Ctrl (lib side), EAPOL_Packet_Flow_Ctrl (adaption side)


Use display dot1x variable global-cfg to view:

     Max user access rate: the configured access rate limit

     Max packet process rate

     g_stEAPOLAccessRateLimit-ulMaxCntPerSec: the access rate limit currently in effect

     g_stEAPOLPktRateLimit-ulMaxCntPerSec: rate limit

When authentication speed-limit auto is enabled, the above values may be different.

2. Check for software packet loss

display dot1x statistics

     EAPOL Access Flow Control: limits the number of users per second

     EAPOL Packet Flow Control: packet rate limit (limits the number of packets per second)

If you have any problems, please post them in our Community. We are happy to solve them for you!
