
[ScreenOS] Steps to troubleshoot an 802.1X authentication issue

Article ID: KB20902   Last Updated: 25 Feb 2020   Version: 2.0
Summary:

Steps to troubleshoot an 802.1X authentication issue.

Symptoms:

Environment:

  • 802.1X is configured to pass EAP messages in Ethernet frames for authentication.
  • A RADIUS server is used to authenticate the users.
  • The laptop is connected to eth0/2 of the firewall.
  • After authentication, the laptop is assigned an IP address from the server.
Solution:

Follow the steps below to troubleshoot 802.1X.

  1. Make sure that 802.1X is enabled on the interface, that the external auth server is reachable from the firewall, and that the auth server is configured with the 802.1X account type:
    set auth-server "tcnac" radius port 1812
    set auth-server "tcnac" radius secret "$ABC123"
    set auth radius accounting port 1646
    set auth-server "tcnac" account-type xauth 802.1X
    set interface ethernet0/2 dot1x
    set interface ethernet0/2 dot1x control-mode interface
    set interface ethernet0/2 dot1x max-user 1
    set interface ethernet0/2 dot1x reauth-period 10
    set interface ethernet0/2 dot1x auth-server tcnac
  2. Verify that the firewall is creating a dot1x session, using the “get dot1x session” command:
    nacfw2-> get dot1x session
    allocated 2 freed 253 alloc ok 27 fail 0 free ok 25 fail 0
    (1)(0016d4ee17e1)(00000001)(ethernet0/2)(Root) 802.1X RADIUS
    (2)(0024b5f74b6d)(00000001)(ethernet0/3)(Root) 802.1X RADIUS
    total 2 session(s)
  3. If a session is not created, check that EAPOL packets are being received by the firewall.

  4. To check whether the packet is being received by the firewall, use the following snoop filter:
    snoop filter ethernet interface eth0/2
    You will see a packet like:
    515598.0: ethernet0/2(i) len=60: 0016d4ee17e1->0180c2000003/888e
    01 80 c2 00 00 03 00 30 48 88 be 89 88 8e 01 01 .......0H.......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 ............
  5. After creating a session, the firewall forwards the request to the external authentication server and receives a response from it. Below is the output of “debug auth radius” and “debug dot1x all”:
    ## 2011-04-07 21:53:41 : [1X] eap signal dequeue success. type 1
    ## 2011-04-07 21:53:41 : [1X|PAK] rx eap packet, code 2 id 7 len 1492 type 13
    ## 2011-04-07 21:53:41 : [1X|SESS] search if ethernet0/2 host 0016d4ee17e1 nsrp_id 0 in db
    ## 2011-04-07 21:53:41 : [1X|FSM] state IDLE2->RECEIVED2, eap_sess 1 host 0016d4ee17e1 if ethernet0/2
    ## 2011-04-07 21:53:41 : [1X|FSM] state RECEIVED2->AAA_REQUEST, eap_sess 1 host 0016d4ee17e1 if ethernet0/2
    ## 2011-04-07 21:53:41 : [1x|AS] aaa client tx q enqueue, eap_sess 1
    ## 2011-04-07 21:53:41 : [1X|FSM] state AAA_REQUEST->AAA_IDLE, eap_sess 1 host 0016d4ee17e1 if ethernet0/2
    ## 2011-04-07 21:53:41 : [1X|AS] aaac tx event trigger

    ## 2011-04-07 21:53:41 : [1X|AS] start to build radius packet, eap_sess 1
    [1X|PAK] Radius packet built
    code 1 id 7 length 1663
    ## 2011-04-07 21:53:41 : [1X|AS] radius packet sent to 192.168.56.122:1812
    ## 2011-04-07 21:53:41 : [1X|AS] radius client send to 192.168.56.122:1812. sock 91 ret 0
    ## 2011-04-07 21:53:41 : [1X|AS] recv radius packet from 192.168.56.122, len 69
    ## 2011-04-07 21:53:41 : [1X|PAK] radius recv a packet, len 69 type ACCESS_CHALLENGE
    04306c10: 0b 07 00 45 1a 38 20 a4 6f db 7f db 18 55 d2 8b ...E.8.. o....U..
    04306c20: 1b 54 4e 1d 18 11 53 42 52 2d 43 48 20 31 33 31 .TN...SB R-CH.131
    04306c30: 34 37 7c 37 00 4f 08 01 08 00 06 0d 00 1b 06 00 47|7.O.. ........
    04306c40: 00 00 1e 50 12 e1 d5 93 ad 9e 31 b2 11 d7 4e 69 ...P.... ..1...Ni
    04306c50: 00 b6 11 1a 52 ....R
    ## 2011-04-07 21:53:41 : [1X|AV] rc_avpair_gen: received attribute 24
    ## 2011-04-07 21:53:41 : [1X|AV] rc_avpair_gen: received attribute 79
    +++++++++++++++++++++++++++
    RADIUS packet recv attributes:
    State:(SBR-CH 13147|7\00)
    EAP-Message:(\01\08\00\06\0D\00)
    Session-Timeout:(30)
    Message-Authenticator:(\E1\D5\93\AD\9E\31\B2\11\D7\4E\69\00\B6\11\1A\52)
    +++++++++++++++++++++++++++
    ## 2011-04-07 21:53:41 : [1X|FSM] state AAA_IDLE->AAA_RESPONSE, eap_sess 1 host 0016d4ee17e1 if ethernet0/2
    ## 2011-04-07 21:53:41 : [1X|FSM] state AAA_RESPONSE->SEND_REQUEST2, eap_sess 1 host 0016d4ee17e1 if ethernet0/2
    ## 2011-04-07 21:53:41 : [1X|FSM] state SEND_REQUEST2->IDLE2, eap_sess 1 host 0016d4ee17e1 if ethernet0/2
    ## 2011-04-07 21:53:41 : [1X|PAK] Rx EAPOL packet, ver 1 type 0 len 253.
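As an added example (not part of this KB article or of ScreenOS), the following Python decodes the two captures shown in steps 4 and 5: the EAPOL frame from the snoop dump and the RADIUS Access-Challenge from the debug dump, with the bytes transcribed from those dumps and embedded as constants. It confirms what a troubleshooter wants confirmed at each step: that the frame is genuinely EAPOL addressed to the PAE group MAC, and that the RADIUS reply has a consistent length field and well-formed attribute TLVs, including the EAP-Message relayed inside it. The field names (dst_is_pae_group, attrs and so on) are this example's own choices.

```python
import struct
# Bytes transcribed from the hex dumps in steps 4 and 5 (addresses and ASCII gutters stripped).
EAPOL_FRAME = bytes.fromhex("0180c2000003" "00304888be89" "888e" "01010000") + bytes(42)
RADIUS_PKT = bytes.fromhex(
    "0b0700451a3820a46fdb7fdb1855d28b1b544e1d18115342522d434820313331"
    "34377c37004f08010800060d001b060000001e5012e1d593ad9e31b211d74e6900b6111a52")
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # destination address of every EAPOL frame
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
RADIUS_ATTRS = {24: "State", 27: "Session-Timeout", 79: "EAP-Message", 80: "Message-Authenticator"}

def parse_eap(data):
    """Decode an EAP header (RFC 3748): code, id, length and, for Request/Response, the type."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length > len(data):
        raise ValueError("EAP length %d exceeds the %d bytes present" % (length, len(data)))
    return {"code": EAP_CODES.get(code, code), "id": ident, "len": length,
            "type": data[4] if code in (1, 2) and length >= 5 else None}

def parse_eapol(frame):
    """Decode an Ethernet frame as EAPOL (IEEE 802.1X); raise if the ethertype is not 0x888e."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x888E:
        raise ValueError("ethertype 0x%04x is not EAPOL" % ethertype)
    ver, ptype, plen = struct.unpack("!BBH", frame[14:18])
    info = {"dst_is_pae_group": dst == PAE_GROUP_MAC, "src": src.hex(),
            "version": ver, "type": EAPOL_TYPES.get(ptype, ptype), "len": plen}
    if ptype == 0:  # an EAP-Packet carries an EAP message as its body
        info["eap"] = parse_eap(frame[18:18 + plen])
    return info

def parse_radius(pkt):
    """Decode a RADIUS header and its attribute TLVs (RFC 2865), decoding any EAP-Message body."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field %d != %d bytes received" % (length, len(pkt)))
    attrs, pos = [], 20  # the 20-byte header is code, id, length and a 16-byte authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = pkt[pos + 2:pos + alen]
        if atype == 27:  # Session-Timeout is a 32-bit integer
            value = struct.unpack("!I", value)[0]
        elif atype == 79:  # EAP-Message wraps the EAP packet relayed to the supplicant
            value = parse_eap(value)
        attrs.append((RADIUS_ATTRS.get(atype, atype), value))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "attrs": attrs}
```

Running parse_eapol(EAPOL_FRAME) identifies the snoop capture as an EAPOL-Start (version 1, body length 0) sent to the PAE group address, and parse_radius(RADIUS_PKT) reproduces the attribute list printed by the debug, with the EAP-Message decoding to an EAP Request, id 8, type 13.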
  6. Use the “get dot1x statistics” command to check the interface 802.1X statistics:
    nacfw2-> get dot1x statistics
    ------------------------------------------------------------------------------
    Interface ethernet0/2 802.1X statistics:
    in eapol 4375 | out eapol 4860 | in start 1
    in logoff 0 | in resp/id 486 | in resp 4374
    out req/id 486 | out req 4374 | in invalid 0
    in len error 0 |
    Interface ethernet0/2 802.1X diagnostics:
    while connecting:
    enter 0 | eap logoff 0 |
    while authenticating:
    enter 0 | auth success 485 | auth timeout 0
    auth fail 0 | auth reauth 0 | auth start 486
    auth logoff 0 |
    while authenticated:
    auth reauth 485 | auth start 0 | auth logoff 0
    backend:
    response 4375 | challenge 3888 | other request 3888
    non-nak resp 4374 | auth success 486 | auth fail 0
  7. If everything is working as explained but the client is still not being authenticated, check the settings and logs on the authentication server.
