[Troubleshooting Series] Case 16 STAs Fail to Associate with a WLAN (802.1X Authentication)

Latest reply: Jan 20, 2022 17:08:24

STAs Fail to Associate with a WLAN (802.1X Authentication)

Network Topology

Physical Network Topology

Figure 1-1 Network where STAs fail to associate with a WLAN (802.1X Authentication)


Fault Description

STAs fail to associate with the SSID figo, and an error message indicating Authorization data error is reported.

Configuration File


 http secure-server ssl-policy default_policy
 http server enable
authentication-profile name figo
 dot1x-access-profile figo
 authentication-scheme figo
 accounting-scheme figo
 radius-server figo
#
radius-server template default
radius-server template radius
radius-server template figo
 radius-server authentication 10.220.7.129 1812 weight 80
 radius-server accounting 10.220.7.129 1813 weight 80
#
interface Vlanif220
 ip address 10.220.7.26 255.255.254.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 220
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 95 220
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
#
capwap source interface vlanif95
capwap echo interval 20
#
wlan
 ac protect enable protect-ac 192.168.95.2 priority 2
 traffic-profile name default
 security-profile name HR
 security-profile name NOC
  security wpa2 psk pass-phrase %^%#R/`*<=`b9&q*IE3~RMl+]o4`U"S8d6M#}^@`mdCM%^%# aes
 security-profile name TAC
  security wpa-wpa2 psk pass-phrase %^%#amhD<!7|CH~q=NPoQCwMy@{3%M[c8(5t[A+-b,w"%^%# aes
 security-profile name figo
  security wpa2 dot1x aes
#
device-profile profile-name @default_device_profile
 device-type default_type_phone
 enable
 rule 0 user-agent sub-match Android
 rule 1 user-agent sub-match iPhone
 rule 2 user-agent sub-match iPad
 if-match rule 0 or rule 1 or rule 2
#
dot1x-access-profile name dot1x_access_profile
dot1x-access-profile name figo
#
mac-access-profile name mac_access_profile
mac-access-profile name test
mac-access-profile name HR
 mac-authen username macaddress format with-hyphen password cipher %^%#PbW@=jkQFP.wN\L+a)1NyU}F+,%o/;wOX&T`5V}U%^%#
mac-access-profile name figo
#

Troubleshooting Location


Step 1 Check the authentication profile in the VAP profile.

Run the display current-configuration command to check the authentication profile in the VAP profile mapped to the SSID figo, and check the authentication mode in the authentication profile.

#
wlan
 vap-profile name figo
   forward-mode tunnel
   service-vlan vlan-id 201
   ssid-profile figo
   security-profile figo
   authentication-profile figo
#
authentication-profile name figo
 dot1x-access-profile figo
 authentication-scheme figo
 accounting-scheme figo
 radius-server figo

The output shows that the authentication mode is 802.1X authentication. Based on the displayed authentication mode (802.1X authentication), search the product documentation for the configuration example: Example for Configuring 802.1X Authentication (AAA in RADIUS Mode).


Step 2 Check the reason for a STA's failure to go online.

Run the display station online-fail-record command to display STA online failure records.

<R1U38-AC6005> display station online-fail-record sta-mac 5068-0a10-46f6
Rf/WLAN: Radio ID/WLAN ID
------------------------------------------------------------------------------
STA MAC         AP ID Ap name  Rf/WLAN    Last record time
                Reason
------------------------------------------------------------------------------
5068-0a10-46f6  1     d4c8-b02b-5220 0/1  2018-01-09/04:42:56
                Authorization data error
                0     d4c8-b02b-5b80 0/1  2018-01-09/01:02:52
                Authorization data error
------------------------------------------------------------------------------
Total stations: 1 Total records: 2

Step 3 Trace the STA that failed to go online.

Enable the trace-aaa test to test the connectivity to the RADIUS server, and run the trace object command to trace the STA that failed to go online.

[R1U38-AC6005] trace enable
[R1U38-AC6005] trace object mac-address 5068-0a10-46f6


According to trace information, the authentication data verification error is caused by the authorization VLAN 10 delivered by the server.

Solution: Create VLAN 10 on the AC.

[R1U38-AC6005] vlan batch 10
[R1U38-AC6005] interface Vlanif10
[R1U38-AC6005-Vlanif10] ip address 192.168.10.1 255.255.255.0
[R1U38-AC6005-Vlanif10] dhcp select interface

Associate the STA with the SSID again and check the status of the STA.

<R1U38-AC6005> display access-user
 ----------------------------------------------------------------------------------------
 UserID Username                       IP address                MAC            Status 
 ----------------------------------------------------------------------------------------
 255    figo                           192.168.10.199            5068-0a10-46f6 Success
 ----------------------------------------------------------------------------------------
 Total: 1, printed: 1

The STA is online on the AC, and the fault is rectified. Disable the trace function on the AC.

[R1U38-AC6005] undo trace enable
[R1U38-AC6005] undo trace object all


Root Cause

The authorization VLAN 10 is configured on the RADIUS server, but VLAN 10 is not configured on the AC. As a result, the AC fails to verify the authorization VLAN delivered by the RADIUS server. Authentication fails, and STAs fail to associate with the WLAN.
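
The check described in this case, as an added example that is not part of the original post: it tallies failure reasons from the display station online-fail-record output and reports authorization VLANs that the AC does not define. The list of VLANs the RADIUS server may deliver is supplied by the operator, and the VLAN line in the sample AC configuration is constructed.

```python
import re
from collections import Counter

# Constructed AC config excerpt; the VLAN line is an assumption, since the
# page's configuration listing does not show which VLANs exist on the AC.
AC_CONFIG = """\
vlan batch 95 201 220
#
interface Vlanif220
 ip address 10.220.7.26 255.255.254.0
"""

# "display station online-fail-record" output from the page, rules trimmed.
FAIL_RECORDS = """\
STA MAC         AP ID Ap name  Rf/WLAN    Last record time
                Reason
5068-0a10-46f6  1     d4c8-b02b-5220 0/1  2018-01-09/04:42:56
                Authorization data error
                0     d4c8-b02b-5b80 0/1  2018-01-09/01:02:52
                Authorization data error
"""

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
RECORD = re.compile(rf"^({MAC})?\s+(\d+)\s+(\S+)\s+(\d+/\d+)\s+(\S+)\s*$", re.I)

def failure_reasons(text):
    """Count (STA MAC, reason) pairs; a blank MAC column repeats the previous STA."""
    tally, mac, pending = Counter(), None, False
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            mac, pending = m.group(1) or mac, True
        elif pending and line.strip():
            tally[(mac, line.strip())] += 1
            pending = False
    return tally

def defined_vlans(config):
    """VLAN IDs created by 'vlan batch ...' (including 'to' ranges) or 'vlan <id>'."""
    vlans = set()
    for line in config.splitlines():
        m = re.match(r"vlan (?:batch )?([\d to]+)$", line.strip())
        if m:
            for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", m.group(1)):
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def missing_authorization_vlans(config, radius_vlans):
    """Authorization VLANs the RADIUS server may deliver that the AC lacks."""
    return sorted(set(radius_vlans) - defined_vlans(config))

if __name__ == "__main__":
    print(failure_reasons(FAIL_RECORDS))
    print(missing_authorization_vlans(AC_CONFIG, [10]))  # VLAN 10 per the page
```

Running the VLAN check against a saved configuration before changing RADIUS authorization policy catches this fault before any STA is rejected.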


Hi author, good example.
We can use trace information to get the error and get the root cause.
The authorization VLAN 10 is configured on the RADIUS server, but VLAN 10 is not configured on the AC. As a result, the AC fails to verify the authorization VLAN delivered by the RADIUS server. Authentication fails, and STAs fail to associate with the WLAN.

Thanks, it's very helpful