4-14
the IP address. To address this issue, a function is developed on the wireless device: The STA should obtains the IP address
via DHCP server first then AC sends out the Radius-accounting packet.
The work principles are as follows:
1. The AC enables the DHCP snooping function. This function is used to detect whether a wireless STA obtains the IP address
and corresponding DHCP snooping entry should be generated on AC.
2. On the AC, run
dot1x dhcp-before-acct enable
(for the 11.X version, the command is
dot1x valid-ip-acct enable
). Ensure
that the Radius-accounting packet is not issued before the AC generates the DHCP snooping entry.
After this function is enabled, if the IP address is manually configured for the DHCP snooping entry fails to be generated due
to incorrect configurations, the wireless user is forcibly offline by the AC after the accounting update period ends.
Q10: In iportal + Radius authentication scenario,
what’s the reasons why system prompts connection timeout and
fails to authenticate?
1. The AC and the Radius server is unable to communicate with each other. Check whether the Radius server is configured
with multiple IP addresses, resulting in inconsistent incoming and outgoing routes.
2. The AC device is not added to the Radius server. Check whether the AC device is added to the Radius server.
3. The Radius preshare key configurations are not consistent.
4. The proxy function is enabled on the Internet Explorer browser but the built-in ePortal does not support the proxy. You can
disable the proxy function on the Internet Explorer browser.
4.6 Rogue AP
Q1: How to transmit the IP address to the Radius server in wireless 1X and MAB authentication modes?
[Phenomenon] In building 12 of the old campus area, the ChinaUNICOM-WLAN SSID cannot be associated. The users
connected to this SSID get offline frequently and cannot use the Internet service normally.
Fault locating:
In a dormitory with the worst user experience, it is found that the associated SSID of China Unicom disappeared sometimes.
During the ping operation, a large number of packets were lost. The users frequently got offline.
[Cause] The offline issue is caused by the AP contain.
[Troubleshooting principles]
The ominpeek tool was used to capture packets in the corridor on level 2. A large number of Deauth packets (shown in Figure
1) existed. The AP that broadcast the Deauth packets was located (MAC is 9614 4B1B 34FA), which is an AP of China Unicom.
According to the search result on the AC, the AP i-Smart part was deployed in this position and covered six surrounding rooms.
