某局点AC在公网802.1x认证失败

无

某局点客户反馈WX554H版本是Release 5219在公网配置802.1x认证，客户端认证不成功。相同配置情况下，AC和AP走VPN隧道时是可以认证成功的。

AC侧debug显示终端802.1x认证失败

测试终端地址1c4d-70e6-6a1d

%Apr 21 12:01:34:810 2018 New_WirelessAC_5540H DOT1X/5/DOT1X_WLAN_LOGIN_FAILURE: -Username=-UserMAC=1c4d-70e6-6a1d-BSSID=9ce8-95c5-7c00-SSID=Glodon_Wifi-VLANID=1005; A user failed 802.1X authentication.

第一步

确认清楚组网，AC和AP是跨过公网注册的，AC互联网出口设备映射了AC UDP 5246/5247端口，AP所在局域网出口也有NAT设备，此时AP可以正常上线

AP注册信息
[5540H]dis wlan ap all add | in tianjin
tian-ap-01                   111.62.80.22                   9ce8-95c5-7c00
tian-ap-02                   111.62.80.22                   7425-8a4b-0e40
tian-ap-03                   111.62.80.22                   7425-8a4b-0f80
tian-ap-04                   111.62.80.22                   7425-8a80-2a60
[5540H]

第二步

AC、AP相关配置

服务模板

[5540H-wlan-st-101]dis this 
wlan service-template 101
 ssid GlodWifi
 vlan 1005
 client forwarding-location ap///本地转发，集中认证
 akm mode dot1x
 cipher-suite ccmp
 security-ie rsn
 client-security authentication-mode dot1x
 dot1x domain dot1x
 service-template enable
#

AP配置

[5540H-wlan-ap-tianjin-ap-04]dis this 
#
wlan ap tianjin-ap-04 model WA2620i-AGN 
 serial-id 219801A0CNC15B001360
 map-configuration cfa0:/ap.txt
 hybrid-remote-ap enable
 radio 1
  radio enable
  service-template 101 vlan 1005
  service-template 102 vlan 1006
 radio 2
  radio enable
  service-template 101 vlan 1005
  service-template 102 vlan 1006
802.1x认证相关配置没有问题

第三步

AC侧收集下面DEBUG信息分析

debugging wlan access-security all

debugging dot1x all

Debug radius packet

T d

T m

*Apr 21 13:05:39:852 2018 New_WirelessAC_5540H STAMGR/7/Event: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]Started 802.1X authentication.

*Apr 21 13:05:39:852 2018 New_WirelessAC_5540H STAMGR/7/FSM: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]PAE state machine entered Initialize state.

*Apr 21 13:05:39:852 2018 New_WirelessAC_5540H STAMGR/7/FSM: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]BE state machine entered Initialize state.

*Apr 21 13:05:39:852 2018 New_WirelessAC_5540H STAMGR/7/FSM: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]PAE state machine entered Disconnect state.

*Apr 21 13:05:39:852 2018 New_WirelessAC_5540H STAMGR/7/FSM: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]BE state machine entered Idle state.

*Apr 21 13:05:39:852 2018 New_WirelessAC_5540H STAMGR/7/FSM: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]PAE state machine entered Restart state.

*Apr 21 13:05:39:853 2018 New_WirelessAC_5540H STAMGR/7/FSM: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]PAE state machine entered Connecting state.

*Apr 21 13:05:39:853 2018 New_WirelessAC_5540H STAMGR/7/FSM: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]PAE state machine entered Authenticating state.

*Apr 21 13:05:39:853 2018 New_WirelessAC_5540H STAMGR/7/FSM: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]BE state machine entered Request state.

*Apr 21 13:05:39:854 2018 New_WirelessAC_5540H STAMGR/7/PktSend: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]

-----Packet HEAD-----

Mac Frame Type: 0x888e

Protocol Version ID: 0x1

Packet Type: 0x0///EAP-Packet

Packet Length: 5

-----Packet Body-----

Code: 0x1 ///Request (eap-request)，AC发了EAP用户名请求报文

Identifier: 1

Length: 5

*Apr 21 13:05:39:854 2018 New_WirelessAC_5540H STAMGR/7/Timer: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]Created the client response timer.

*Apr 21 13:05:42:910 2018 New_WirelessAC_5540H STAMGR/7/Timer: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]Client response timer expired.

*Apr 21 13:05:42:910 2018 New_WirelessAC_5540H STAMGR/7/Timer: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]Deleted the client response timer.

*Apr 21 13:05:42:911 2018 New_WirelessAC_5540H STAMGR/7/FSM: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]BE state machine entered Request state.

*Apr 21 13:05:42:911 2018 New_WirelessAC_5540H STAMGR/7/PktSend: [MAC: 1c4d-70e6-6a1d, BSSID: 9ce8-95c5-7c00]

-----Packet HEAD-----

Mac Frame Type: 0x888e

Protocol Version ID: 0x1

Packet Type: 0x0///EAP-Packet

Packet Length: 5

-----Packet Body-----

Code: 0x1 ///Request (eap-request)，AC再次发了EAP用户名请求报文

Identifier: 1

Length: 5

通过上述DEBUG信息分析，应该还是网络问题，AC一直没有收到AP的EAP回复报文

第四步

    客户反馈AC和AP走VPN隧道时是可以认证成功的，同时出口协议分析软件记录到AP和AC之间不光用UDP 5246/5247端口通信，还有AC的TCP 6633端口通信，AP地址是x.x.4.69，AC地址是x.x.2.250

 此时，建议客户走公网时也映射AC的tcp 6633端口测试，映射之后802.1x认证问题解决。

   为了确认上述端口用途，在走公网时，抓取AP的报文，也证实了上述分析，AC以TCP6633端口为源端口向AP发三次请求报文，由于AC没有映射TCP6633端口，因此AP直接中断了三次握手。

 AC出口NAT设备映射AC的TCP6633端口，找研发确认集中认证，本地转发的情况下，DOT1X的EAP报文是借助OpenFlow通道（TCP 6633）跟AC传递的，否则EAP报文交互就不通。