Table of Contents
Advertisement
3.12 Layer 2 authentication communication failures
3.12.1 Communication failures occurring when IEEE 802.1X is used
If authentication is not possible when IEEE 802.1X is used, isolate the cause of the problem
according to the failure analysis method described in the following table.
Table 3-56 Authentication failure analysis method for IEEE 802.1X
No.
Items to check and
commands
1
Use the
show dot1x
command to check the
operating status of IEEE
802.1X.
2
Execute the
show dot1x
command, and
statistics
make sure an EAPOL
handshake has been
performed.
3
Execute the
show dot1x
command, and
statistics
make sure data has been sent
to the RADIUS server.
4
Execute the
show dot1x
command, and
statistics
make sure packets have been
received from the RADIUS
server.
3 Troubleshooting Functional Failures During Operation
Action
If
Dot1x doesn't seem to be running
not running. Check whether the
command is set in the configuration.
If
System 802.1X : Enable
If the value displayed for
EAPOL frames have not been sent from the terminal. If a value other
than
is displayed for
0
RxInvalid
frame has been received from the terminal, in which case the event is
logged. Use the
show dot1x logging
Invalid EAPOL frame received
describe the invalid EAPOL frame. If any of the above conditions
exists, check the Supplicant setting on the terminal.
For other cases, go to No. 3.
If the value displayed for
is 0, no data has been sent to the RADIUS server. Check the
frames]
following:
Check whether
aaa authentication dot1x default group
has been specified in a configuration command.
radius
Check whether the
command is set correctly.
If the authentication mode is port-based authentication or
VLAN-based authentication (static), make sure the authentication
terminal has not been registered with the
configuration command. For VLAN-based authentication
static
(dynamic), make sure the authentication terminal has not been
registered with the
If the authentication mode is VLAN-based authentication
(dynamic), check whether
default group radius
command.
For other cases, go to No. 4.
If the value displayed for
is 0, packets have not been received from the RADIUS
frames]
server. Check the following:
If the RADIUS server is associated with the remote network,
make sure a route to the remote network exists.
Make sure the ports on the RADIUS server are not subject to
authentication.
For other cases, go to No. 5.
is displayed, IEEE 802.1X is
dot1x system-auth-control
is displayed, go to No. 2.
under
RxTotal
[EAPOL frames]
or RxLenErr, an invalid EAPOL
command to view the log. The
message is also logged to
under
TxNoNakRsp
[EAPoverRADIUS
radius-server host
mac-address-table
configuration command.
mac-address
aaa authorization network
has been set in a configuration
under
RxTotal
[EAP overRADIUS
is 0,
configuration
123
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
