Alcatel Carrier Internetworking Solutions 6648 User Manual
Troubleshooting with the CLI
Troubleshooting 802.1X
page 19-2
OmniSwitch Troubleshooting Guide
September 2005
Troubleshooting with the CLI
1 Make sure the Radius and Accounting ports are configured the same on both switch and Radius Server.
The default on the Radius Server can be either 1645/1812 for Radius and 1646/1813 for the Accounting.
The default on the Radius Server can be either 1645/1812 for Radius and 1646/1813 for the Accounting.
Layer-2: show aaa server
Server name = rad1
Server type = RADIUS,
IP Address 1 = 133.2.253.1,
Retry number = 3,
Time out (sec) = 2,
Authentication port = 1645,
Server name = rad1
Server type = RADIUS,
IP Address 1 = 133.2.253.1,
Retry number = 3,
Time out (sec) = 2,
Authentication port = 1645,
Accounting port = 1646
2 Verify the port is configured for 802.1x authentication.
Layer-2: show vlan port mobile
cfg ignore
port mobile def authent enabled restore bpdu
-------+--------+----+--------+---------+---------+-------
2/1 on 1 on-avlan on on on
2/2 on 1 on-avlan on on on
2/3 on 1 on-8021x on on on
2/4 on 1 on-8021x on on on
port mobile def authent enabled restore bpdu
-------+--------+----+--------+---------+---------+-------
2/1 on 1 on-avlan on on on
2/2 on 1 on-avlan on on on
2/3 on 1 on-8021x on on on
2/4 on 1 on-8021x on on on
3 Check the physical status and VLAN assignment of the port.
Layer-2: show vlan port 2/3
vlan type status
--------+---------+--------------
1 default forwarding
101 mobile forwarding
vlan type status
--------+---------+--------------
1 default forwarding
101 mobile forwarding
4 Check the status of the MAC address table on the 802.1x port.
Layer-2: show mac-address-table 2/3
Legend: Mac Address: * = address not valid
Legend: Mac Address: * = address not valid
Vlan Mac Address Type Protocol Operation Interface
------+-------------------+--------------+-----------+------------+-----------
101 00:0f:1f:d5:54:95 learned 10800 bridging 2/3
Total number of Valid MAC addresses above = 1
------+-------------------+--------------+-----------+------------+-----------
101 00:0f:1f:d5:54:95 learned 10800 bridging 2/3
Total number of Valid MAC addresses above = 1
5 If a user can not move to VLAN-X after authentication, it could mean that authentication is disabled on
that VLAN, or that the Radius server didn't return a specific VLAN number in the return list attribute.
Please verify that the server is configured properly with the correct return list attribute type as explained in
the user guide. To move a user into a specific VLAN, Radius server has to return the attribute "Alcatel-
Auth-Group" with a valid Authenticated VLAN number.
that VLAN, or that the Radius server didn't return a specific VLAN number in the return list attribute.
Please verify that the server is configured properly with the correct return list attribute type as explained in
the user guide. To move a user into a specific VLAN, Radius server has to return the attribute "Alcatel-
Auth-Group" with a valid Authenticated VLAN number.
Layer-2: show vlan 101
Name : bungaku,
Administrative State: enabled,
Operational State : enabled,
Spanning Tree State : disabled,
Name : bungaku,
Administrative State: enabled,
Operational State : enabled,
Spanning Tree State : disabled,