Troubleshooting - Planet XGS3-42000R User Manual

4-slot Layer 3 IPv6/IPv4 routing chassis switch

In the network topology shown above, Ethernet 1/1 on SWITCH1 is connected to the Web server, whose IP
address is 192.168.20.20/24. Ethernet 1/2 on SWITCH1 is connected to the RADIUS server, whose IP
address is 192.168.20.88/24 and whose authentication port is 1812. The PC is connected to Ethernet 1/16
on SWITCH1 through an unknown network. The Web server and the authentication server are connected to
VLAN 1, while the PC is connected to VLAN 2. 802.1x Web authentication can be enabled through the
following configuration. The re-authentication function is disabled by default. To enable it, the
corresponding 802.1x configuration should be issued first.
Configuration task list on SWITCH1
XGS3-42000R(config)#dot1x enable
XGS3-42000R(config)#dot1x web authentication enable
XGS3-42000R(config)#dot1x web redirect http://192.168.20.20/WebSupplicant/
XGS3-42000R(config)#interface ethernet 1/16
XGS3-42000R(config-If-Ethernet1/16)#dot1x enable
XGS3-42000R(config-If-Ethernet1/16)#dot1x port-method webbased
47.4 802.1x Troubleshooting
It is possible that 802.1x is configured on ports and 802.1x authentication is set to auto, but the
switch still cannot reach the authenticated state after the user runs the 802.1x supplicant software.
Here are some possible causes and solutions:
If 802.1x cannot be enabled for a port, make sure the port is not executing MAC binding and is not
configured as a port aggregation. To enable 802.1x authentication, the above functions must be
disabled.
If the switch is configured properly but authentication still does not pass, verify connectivity
between the switch and the RADIUS server and between the switch and the 802.1x client, and check the
port and VLAN configuration on the switch as well.
Check the event log on the RADIUS server for possible causes. The event log records not only
unsuccessful logins but also prompts for the causes of the unsuccessful logins. If the event log
indicates a wrong authenticator password, the radius-server key parameter should be modified; if the
event log indicates no such authenticator, the authenticator needs to be added to the RADIUS server;
if the event log indicates no such login user, the user login ID and password may be wrong and
should be verified and input again.
Web Authentication Proxy based on 802.1x is disabled by default. Turn on the debug dot1x switch to
check debugging information when the Web Authentication Proxy based on 802.1x is enabled.
If the state displayed for the port by show dot1x is not disabled, the Web Authentication Proxy
function based on 802.1x has not been closed.
The Web Authentication Proxy based on 802.1x supports fewer than 1024 authenticated users online
simultaneously. If this limit is exceeded, the switch returns hint information.
When Web authentication fails, check whether the dot1x privateclient enable command is enabled. If
the command has been enabled, the private authentication function needs to be closed.
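
The RADIUS event-log check described above can be scripted when the log is long. The following is an added example, not part of the manual: it maps the three failure causes the manual names to the manual's remedies. The log wording, timestamps, the authenticator address 192.168.20.1 and the user names are constructed assumptions; adapt the patterns to the actual wording of your RADIUS server's event log.

```python
import re
from collections import Counter

# Hypothetical log wording -> (cause named in the manual, remedy from the manual).
RULES = [
    (re.compile(r"wrong authenticator password.*?from (?P<who>\S+)", re.I),
     "wrong authenticator password",
     "modify the radius-server key parameter on the switch"),
    (re.compile(r"no such authenticator.*?from (?P<who>\S+)", re.I),
     "no such authenticator",
     "add the authenticator to the RADIUS server"),
    (re.compile(r"no such login user.*?user (?P<who>\S+)", re.I),
     "no such login user",
     "verify the user login ID and password and input them again"),
]

# Constructed sample event log (not output from a real server).
SAMPLE_LOG = """\
2024-01-10 09:00:01 auth: no such authenticator, request from 192.168.20.1
2024-01-10 09:00:07 auth: no such authenticator, request from 192.168.20.1
2024-01-10 09:02:13 auth: wrong authenticator password, request from 192.168.20.1
2024-01-10 09:05:40 auth: no such login user, user alice via 192.168.20.1
2024-01-10 09:06:02 auth: login OK, user bob via 192.168.20.1
"""

def triage(log_text):
    """Return ({(cause, subject): count}, [lines that matched no failure rule])."""
    hits, unmatched = Counter(), []
    for line in log_text.splitlines():
        for pattern, cause, _remedy in RULES:
            m = pattern.search(line)
            if m:
                hits[(cause, m.group("who"))] += 1
                break
        else:  # no rule matched: keep the line for manual review
            if line.strip():
                unmatched.append(line)
    return hits, unmatched

def report(hits):
    """One line per (cause, subject), most frequent first, with the remedy."""
    remedy = {cause: fix for _pattern, cause, fix in RULES}
    return [f"{n}x {cause} [{who}] -> {remedy[cause]}"
            for (cause, who), n in hits.most_common()]

if __name__ == "__main__":
    found, rest = triage(SAMPLE_LOG)
    print("\n".join(report(found)))
```

Grouping by authenticator address or user name separates a switch-side problem (shared key, unregistered authenticator) from a single user's mistyped credentials.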