Layer 2 Authentication Communication Failures; Communication Failures Occurring When Ieee 802.1X Is Used - Alaxala AX6700S series Troubleshooting Manual

3. Troubleshooting Functional Failures During Operation

3.13 Layer 2 authentication communication failures

3.13.1 Communication failures occurring when IEEE 802.1X is used

If authentication is not possible when IEEE 802.1X is used, isolate the cause of the problem
according to the failure analysis method described in the following table.
Table 3-57: Authentication failure analysis method for IEEE 802.1X
No. Items to check and commands
1 Use the
show dot1x
the operating status of IEEE 802.1X.
2 Execute the
show dot1x statistics
command, and make sure an EAPOL
handshake has been performed.
3 Execute the
show dot1x statistics
command, and make sure data has been
sent to the RADIUS server.
4 Execute the
show dot1x statistics
command, and make sure packets have
been received from the RADIUS server.
5 Execute the
show dot1x logging
command, and check data exchange
with the RADIUS server.
112
command to check If
Dot1x doesn't seem to be running
not running. Check whether the
command is set in the configuration.
If
System 802.1X : Enable
If the value displayed for
frames have not been sent from the terminal. If a value other than
displayed for
been received from the terminal, in which case the event is logged. Use
the
show dot1x logging
EAPOL frame received
EAPOL frame. If any of the above conditions exists, check the
Supplicant setting on the terminal.
For other cases, go to No. 3.
If the value displayed for
frames]
following:
• Check whether
radius
• Check whether the
is set correctly.
• If the authentication mode is port-based authentication or
VLAN-based authentication (static), make sure the authentication
terminal has not been registered with the
static
(dynamic), make sure the authentication terminal has not been
registered with the
• If the authentication mode is VLAN-based authentication (dynamic),
check whether
radius
For other cases, go to No. 4.
If the value displayed for
is , packets have not been received from the RADIUS server. Check the
0
following:
• If the RADIUS server is associated with the remote network, make
sure a route to the remote network exists.
• Make sure the ports on the RADIUS server are not subject to
authentication.
For other cases, go to No. 5.
• If
invalid packets were received from the RADIUS server. Check
whether the RADIUS server is running normally.
• If
to establish a connection with the RADIUS server has failed. Check
whether the RADIUS server is running normally.
For other cases, go to No. 6.
Action
dot1x system-auth-control
is displayed, go to No. 2.
RxTotal
or
RxInvalid RxLenErr
command to view the log. The
message is also logged to describe the invalid
TxNoNakRsp
is , no data has been sent to the RADIUS server. Check the
0
aaa authentication dot1x default group
has been specified in a configuration command.
radius-server host
configuration command. For VLAN-based authentication
mac-address
aaa authorization network default group
has been set in a configuration command.
RxTotal
Invalid EAP over RADIUS frames received
Failed to connect to RADIUS server
is displayed, IEEE 802.1X is
under is
[EAPOL frames] 0
, an invalid EAPOL frame has
Invalid
under
[EAPoverRADIUS
configuration command
mac-address-table
configuration command.
under
[EAP overRADIUS frames]
is displayed,
is displayed, an attempt
, EAPOL
is
0