The Troubleshooting Guide of 802.1X Authentication Failed on NXC5500

Table of Contents
The Troubleshooting Guide of 802.1X Authentication Failed on NXC5500
Preface
Topology
Configuration Validation
Active Directory
Lightweight Directory Access Protocol (LDAP)
Remote Authentication Dial in User Service (Radius) ...
The following example shows a wireless station being authenticated by an external authentication server through the NXC5500. The management VLAN on the NXC5500 is VLAN 1 with IP range 192.168.100.x. A USG100 acts as the DHCP server that assigns an IP address to the device. Wireless stations pass authentication with AD/LDAP/RADIUS accounts.
The configuration of NXC Active Directory
1. Check the information of the AD server. Go to AAA Server > Active Directory > Edit...
The following example uses a Windows 2008 R2 AD server to double-check the AD server information entered on the NXC. *Before you look up the DN, make sure Advanced Features is enabled in the View menu of Active Directory Users and Computers. Base DN: enter the domain name. Go to the AD server and open Active Directory Users and Computers.
Bind DN: enter the user who has privilege to change the AD server configuration and group settings. In our server the Administrator account has full privileges, and its credentials are the same ones used to log in to the AD server. Bind DN: CN=Administrator,CN=Users,DC=zyxel,DC=cso,DC=com Password: the password of Administrator. Go to the AD server and open Active Directory Users and Computers.
show you the content that can be copied and pasted into the NetBIOS field of the NXC. Configuration Validation of AD server information: after entering the AD server information, you can enter an account ID from the AD server as a test to make sure the NXC can retrieve the user information with the AD configuration.
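The Base DN and Bind DN values above (and the same fields on the LDAP page later in this guide) are a common source of failed binds. The following Python check is an added example, not part of the Zyxel guide; it assumes the domain zyxel.cso.com from the screenshots and only handles the unescaped attribute=value RDNs this guide uses.

```python
"""Sanity-check the Base DN / Bind DN entered on the NXC AAA Server page.
Added example: derives the Base DN from the AD domain name and confirms the
Bind DN is an account located under that Base DN (a mismatch means the bind
account can never be found, so 802.1X authentication fails)."""
import re

# Simplified RDN parser: plain "attr=value" pairs, no RFC 4514 escaping.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def domain_to_base_dn(domain: str) -> str:
    """zyxel.cso.com -> DC=zyxel,DC=cso,DC=com (the AD default naming context)."""
    labels = [lbl for lbl in domain.strip().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={lbl}" for lbl in labels)


def parse_dn(dn: str) -> list:
    """Split a DN into (ATTR, value) pairs; raises ValueError on a malformed RDN."""
    rdns = []
    for part in dn.split(","):
        m = _RDN.match(part)
        if not m:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((m.group(1).upper(), m.group(2)))
    return rdns


def _norm(rdns: list) -> list:
    """Case-insensitive form for comparison (DN matching ignores case)."""
    return [(a, v.lower()) for a, v in rdns]


def check_bind_dn(bind_dn: str, base_dn: str) -> list:
    """Return a list of problems; an empty list means the pair looks consistent."""
    try:
        bind, base = parse_dn(bind_dn), parse_dn(base_dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if bind[0][0] not in ("CN", "UID"):
        problems.append("Bind DN should start with the account RDN (CN=... or UID=...)")
    # The bind account must sit under the Base DN that the NXC searches.
    if _norm(bind[-len(base):]) != _norm(base):
        problems.append("Bind DN is not located under the Base DN")
    return problems
```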
3. Go to Host Name. Set the domain name to the one you set on the AD server. 4. Go to DNS > Domain Zone Forwarder > Add. Add the domain zone information. *Public DNS server: enter the IP of a DNS server that can resolve the domain name. If you have no additional DNS server, you can enter the IP of the AD server.
5. Go to Auth. Method > Add. Select the AD server you created. 6. Go to AP profile > SSID > Security List. Make sure the security profile selects 802.1X authentication and the correct AD server. Since the AD server does not support the EAP protocol, the NXC's built-in FreeRADIUS server provides EAP for station authentication.
7. Go to AP profile > SSID > SSID List. Check that the SSID uses the security profile with 802.1X authentication.
8. Check whether the AP is set to the AP profile you created. 9. Check whether the AD server receives the information from the NXC5500 and adds the NXC5500 to the Computers list automatically.
Lightweight Directory Access Protocol (LDAP)
1. Check whether the LDAP information is correct. Go to AAA Server > LDAP > Edit. Base DN: enter the domain name. Bind DN: enter a user who has privilege to change the LDAP configuration. In the example, the administrator account is “ldapadmin”...
2. Go to Auth. Method > Add. Select the LDAP server you created. 3. Go to AP profile > SSID > Security List. Make sure the security profile selects 802.1X authentication and the correct LDAP server. Since the LDAP server does not support the EAP protocol and cannot act as the EAP authentication server, the NXC's built-in FreeRADIUS server provides the EAP protocol for station authentication. The Radius server type must be set to Internal when the external authentication server is an LDAP server. 4. Go to AP profile > SSID > SSID List. Check that the SSID uses the security profile with 802.1X authentication.
5. Check whether the AP is set to the AP profile you created.
Remote Authentication Dial in User Service (Radius)
1. Check whether the Radius information is correct. Go to AAA Server > Radius > Edit.
Key: enter the shared secret; it must be the same as the one configured in the Radius server.
2. Go to Auth. Method > Add. Select the Radius server you created.
3. Go to AP profile > SSID > Security List. Make sure the security profile selects 802.1X authentication and the correct Radius server. Since the Radius server supports the EAP protocol, you can select Internal or External as the radius server type depending on the topology. Radius server type: Internal...
If the EAP exchange is handled by the NXC's built-in FreeRADIUS, you need to add the NXC as a trusted client in the Radius server. Radius server type: External If the EAP exchange is handled by the Radius server, you need to add the AP as a trusted client in the Radius server.
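A mismatched Key (shared secret) is the usual reason a trusted-client entry still produces failed authentications: the RADIUS Response Authenticator is an MD5 over the reply plus the secret, so a client holding a different secret rejects every reply. The following Python check is an added example, not part of the Zyxel guide; the request authenticator, secret and Reply-Message it uses are constructed.

```python
"""Check a RADIUS reply against the shared secret entered as "Key" on the NXC's
AAA Server > Radius page.  Added example, not from the Zyxel guide: the
Response Authenticator (RFC 2865 section 3) is
MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so a Key that
differs from the server's makes this check fail."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
# RADIUS header: code (1), identifier (1), length (2), authenticator (16)
RADIUS_HDR = struct.Struct("!BBH16s")


def reply_message_attr(text: str) -> bytes:
    """Reply-Message attribute (type 18): type, total length, value."""
    value = text.encode()
    return bytes([18, 2 + len(value)]) + value


def _response_auth(code, ident, length, request_auth, attrs, secret):
    """The Response Authenticator as defined in RFC 2865."""
    return hashlib.md5(
        struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret
    ).digest()


def build_reply(code: int, ident: int, request_auth: bytes,
                attrs: bytes, secret: bytes) -> bytes:
    """Build the reply as a RADIUS server would, so the check runs offline."""
    length = RADIUS_HDR.size + len(attrs)
    auth = _response_auth(code, ident, length, request_auth, attrs, secret)
    return RADIUS_HDR.pack(code, ident, length, auth) + attrs


def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was produced with the same secret we hold."""
    if len(reply) < RADIUS_HDR.size:
        return False
    code, ident, length, auth = RADIUS_HDR.unpack_from(reply)
    if length != len(reply):
        return False  # truncated or padded datagram
    attrs = reply[RADIUS_HDR.size:]
    expected = _response_auth(code, ident, length, request_auth, attrs, secret)
    return hmac.compare_digest(expected, auth)
```

A reply that fails this check is exactly what a packet trace shows when the NXC (Internal) or the AP (External) and the RADIUS server disagree on the Key.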
5. Check whether the AP is set to the AP profile you created.
The configuration of Windows computer
A computer with Windows OS has to add a connection for the SSID with 802.1X authentication, or it will fail to connect. The configuration of a Windows 8 device connecting to the SSID with 802.1X: 1.
3. Select “Manually connect to a wireless network”.
4. Enter the SSID you set on the NXC5500 in the “Network name” field and select the Security type and Encryption type you set in the AP profile of the NXC5500. 5. Click “Change connection settings”.
7. Uncheck “Validate server certificate” and then click Configure...
8. Uncheck “Automatically use my Windows login name and password (and domain if any).” Go back to Protected EAP Properties and click “OK”. 9. Go to ZT_AD Wireless Network Properties and click “Advanced settings”.
10. Check “Specify authentication mode” and select the mode you want.
11. Return to ‘Wireless Network Connection’ and click the SSID you set manually before. Note: if the ‘Encryption type’ setting does not match the setting on the NXC5500, you will see a red cross as shown in the picture. 12. Enter the username and password created on the Windows Server 2008 AD. The wireless...
Network Verification
To confirm the network traffic, make sure the server port is the same as the one configured in the NXC5500, then log in to the NXC console and ping the domain name and the server. Check the port number: the default port of the Radius server in the NXC is 1812, and the default port of the LDAP and AD servers in the NXC is 389.
If the NXC cannot resolve the domain name, check the IP address of the AD server and the DNS configuration in the NXC, or run the command “nslookup <Domain name>” to check that the domain name resolves to the expected IP.
Ping the external authentication server and the AP: to confirm that traffic flows between the AP and the external authentication server.
NXC pings the external authentication server and the AP (the IP of the external authentication server, the IP of the AP). The external authentication server pings the NXC and the AP (the IP of the NXC, the IP of the AP)...
Packet trace by NXC: to confirm that the NXC communicates with the external authentication server while the station performs 802.1X authentication. The default port of AD and LDAP is 389 and the default port of the Radius server is 1812. The CLI: packet-trace interface <INTERFACE>...
After collecting the logs, go to Maintenance > Diagnostics > Diagnostics > Files. Download the file and send it to us. Capture packets: go to Maintenance > Diagnostics > Packet Capture. Select the interface and press the “Capture” button before the station connects to the SSID and performs 802.1X authentication.