NEC IP8800/S6600 Network Hardware User Manual


 
3. Troubleshooting Functional Failures in Operation
3.12 Layer 2 Authentication Communication Failure
3.12.1 Communication Failure on Using IEEE 802.1X
If authentication is disabled when using IEEE 802.1X, isolate the problem by following the failure analysis method shown in the table below.
Table 3-48: IEEE 802.1X Failure Analysis Method
Each entry below gives: No. / Troubleshooting Steps and Command / Action

No. 1
Troubleshooting step and command: Execute the show dot1x command and check the operation status of the IEEE802.1X.
Action:
If "Dot1x doesn't seem to be running" is displayed, IEEE802.1X has stopped. Check to see if the dot1x system-auth-control command is set in the configuration.
Go to No. 2 if "System 802.1X: Enable" is displayed.

No. 2
Troubleshooting step and command: Execute the show dot1x statistics command and confirm that EAPOL is exchanged.
Action:
If RxTotal of [EAPOL frames] is 0, the terminal does not send EAPOL. If RxInvalid or RxLenErr is not 0, invalid EAPOL has been received from the terminal. When invalid EAPOL is received, a log entry is recorded. The log can be browsed using the show dot1x logging command. The log shows the "Invalid EAPOL frame received" message and the contents of the invalid EAPOL. Check the Supplicant setting on the terminal.
Otherwise, go to No. 3.

No. 3
Troubleshooting step and command: Execute the show dot1x statistics command and confirm that data is sent to the RADIUS server.
Action:
If "TxTotal" of [EAP overRADIUS frames] is set to 0, it indicates that no data is sent to the RADIUS server. Confirm the following:
- Check to see if aaa authentication dot1x default group radius is set by the configuration command.
- Check to see if the configuration command radius-server host is set correctly.
- If the authentication mode is port authentication or VLAN authentication (static), confirm that the authentication terminal is not registered by the configuration command mac-address-table static. If the authentication mode is VLAN authentication (dynamic), confirm that the authentication terminal is not registered by the configuration command mac-address.
- If the authentication mode is VLAN authentication (dynamic), check to see if aaa authorization network default group radius is set by the configuration command.
Otherwise, go to No. 4.

No. 4
Troubleshooting step and command: Execute the show dot1x statistics command and confirm that data is received from the RADIUS server.
Action:
If "RxTotal" of [EAP overRADIUS frames] is set to 0, packets are not received from the RADIUS server. Confirm the following:
- If the RADIUS server is accommodated in the remote network, confirm that the route to the remote network exists.
- Confirm that the port of the RADIUS server is excluded from authentication.
Otherwise, go to No. 5.

No. 5
Troubleshooting step and command: Execute the show dot1x logging command and check exchange with the RADIUS server.
Action:
If "Invalid EAP over RADIUS frames received" is output, invalid packets are received from the RADIUS server. Check to see if the RADIUS server is normally operating.
If "Failed to connect to RADIUS server" is output, connection to the RADIUS server failed. Check to see if the RADIUS server is normally operating.
Otherwise, go to No. 6.
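
The checks in Table 3-48 applied to captured command output, as an added example that is not part of the NEC manual. The layout of the show dot1x statistics output in the sample is an assumption constructed from the section and counter names the table mentions, and `counters` and `triage` are hypothetical helper names.

```python
import re

def counters(stats, section):
    """Counters under a '[section]' header; spacing in the header is ignored."""
    parts = re.split(r"\[([^\]]+)\]", stats)  # [pre, name1, body1, name2, body2, ...]
    want = section.replace(" ", "").lower()
    for name, body in zip(parts[1::2], parts[2::2]):
        if name.replace(" ", "").lower() == want:
            return {k: int(v) for k, v in re.findall(r"(\w+)\s*:\s*(\d+)", body)}
    # A missing section must not be read as "counter is 0": stop instead.
    raise ValueError(f"section [{section}] not found in statistics output")

def triage(show_dot1x, statistics, logging):
    """Return (table No., action) for the first check in Table 3-48 that fails."""
    if "System 802.1X: Enable" not in show_dot1x:
        return 1, "802.1X is not running: check dot1x system-auth-control"
    eapol = counters(statistics, "EAPOL frames")
    if eapol["RxTotal"] == 0:
        return 2, "terminal sends no EAPOL: check the Supplicant setting"
    if eapol["RxInvalid"] or eapol["RxLenErr"]:
        return 2, "invalid EAPOL received: see show dot1x logging"
    radius = counters(statistics, "EAP over RADIUS frames")
    if radius["TxTotal"] == 0:
        return 3, "nothing sent to RADIUS: check aaa and radius-server host settings"
    if radius["RxTotal"] == 0:
        return 4, "no reply from RADIUS: check the route and the server port"
    for msg in ("Invalid EAP over RADIUS frames received",
                "Failed to connect to RADIUS server"):
        if msg in logging:
            return 5, f"'{msg}' logged: check that the RADIUS server is operating"
    return 6, "continue at No. 6"

# Constructed sample output (assumed layout, not captured from a switch).
SHOW_DOT1X = "System 802.1X: Enable\n"
STATS = """[EAPOL frames]
  TxTotal : 14  RxTotal : 9  RxInvalid : 0  RxLenErr : 0
[EAP overRADIUS frames]
  TxTotal : 7  RxTotal : 0
"""
LOG = ""

if __name__ == "__main__":
    print(triage(SHOW_DOT1X, STATS, LOG))
```
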