
www.zyxel.com

NXC series NXC2500/NXC5500

Wireless LAN controller

Firmware Version 4.20~4.30

Edition 1, 9/2016

Troubleshooting Guide

Default Login Details

LAN Port IP Address https://192.168.1.1

User Name admin

Password 1234

1 Basic Information

1.1 Check Firmware Version

1.2 Issue Definition

1.3 Device Configuration File

1.3 Collect System Log

1.4 Collect dmesg and/or disklog

2 Capture Packets

2.1 Capture Ethernet Packets

2.1.1 Use WLAN controller/AP

2.1.2 Use AP CLI (AP cannot save captured packets)

2.1.3 Use PC

2.1.4 Set Mirror Port on Switch

2.2 Capture Wireless Packets

2.2.1 Capture with WLAN Controller and Managed AP

2.2.2 Use Linux

2.2.3 Use Windows

3 Console connection setting

3.1 The type of Console Cables

3.2 Serial Console Settings

4 Managed AP

4.1 Symptom: Managed AP doesn’t show on the AP management list

4.2 Symptom: Managed AP offline

4.3 Symptom: Managed AP error with conflict

4.4 Symptom: Managed AP keeps updating

5 Wireless

5.1 Symptom: Cannot see the SSID name.

5.2 Symptom: Connection Failure

5.3 Symptom: Wireless low throughput

6 Captive Portal

6.1 Symptom: Cannot see the Captive Portal on wireless device (cannot find the webpage) or NXC managed page is redirected instead of Captive Portal

6.2 Symptom: Login denied

7 Roaming

7.1 What is Roaming

7.2 What’s the setting conditions of roaming

7.3 The Limitation of roaming

7.4 Symptom: Why station can’t connect to the AP2

7.5 Symptom: Why station disconnect during roaming

8 802.1X authentication

8.1 Symptom: the 802.1X authentication failed with Remote Authentication Dial in User Service (RADIUS)

8.2 Symptom: the 802.1X authentication failed with Active Directory (AD) server

8.3 Symptom: the 802.1X authentication failed with Lightweight Directory Access Protocol (LDAP) server

8.4 The configuration of windows computer for 802.1X authentication

1 Basic Information

1.1 Check Firmware Version

1 Access the NXC via the GUI to see the FW version.

Figure 1 DASHBOARD > Dashboard > Device Information

2 Access the NXC via SSH/Telnet/Console to see the FW version.

Figure 2 Tera Term > NXC > Router# show version

3 If the firmware version is not the latest version, please upgrade the firmware to the latest version.

1.2 Issue Definition

Report the issue with the following details:

Issue symptom:

Describe what you actually observe, not just a guess.

Issue condition:

Describe how to reproduce this issue.

Topology:

Show all the relevant network devices in the environment.

Figure 3 Example of Network Topology

Important key points in the topology

Gateway of each subnet

DHCP server

Auth. Server (RADIUS or AD)

VLAN settings

1.3 Device Configuration File

Download startup-config.conf.

Figure 4 MAINTENANCE > File Manager > Configuration File

Figure 5 Tera Term > NXC > Router# show running-config

If there are multiple devices in the environment, collect the config files of as many devices as possible.

If there are multiple tagged VLANs in the environment, make sure the VLAN settings in the switch config are correct.

Make sure the NXC is the only AP controller (the only device that replies to CAPWAP Discovery Requests) in the network.

1.3 Collect System Log

Collect System log via controller GUI.

Figure 6 MONITOR > Log > View Log or View AP Log

Check system log via Terminal Software.

Figure 7 Tera Term > NXC > Router# show logging entries

Indicate the date/time and the IP/MAC address of the device in the report.

Send the log to an external syslog server or by email to monitor the device log if the system log is flushed frequently.

1.4 Collect dmesg and/or disklog

Collect the dmesg file via Terminal Software.

Figure 8 Tera Term > NXC > Router# debug system dmesg

Collect the disklog file via Terminal Software.

Figure 9 Tera Term > NXC > Router# debug system disklog show

Note: The dmesg is cleared after a reboot, but the disklog is kept on the device.

2 Capture Packets

2.1 Capture Ethernet Packets

2.1.1 Use WLAN controller/AP

Capture packets via controller GUI.

1 Set the parameters and press ‘Capture’.

Figure 10 MAINTENANCE > Diagnostics > Packet Capture > Capture

2 Download the captured packets.

Figure 11 MAINTENANCE > Diagnostics > Packet Capture > Files

3 Check packets via CLI on the controller.

Figure 12 Tera Term > NXC > Router# packet-trace interface <interface>

Press “Ctrl+c” to stop capturing packets.

2.1.2 Use AP CLI (AP cannot save captured packets)

Check packets via CLI on the AP.

Figure 13 Tera Term > NXC > Router# packet-trace interface vlan0

Press “Ctrl+c” to stop capturing packets.

Note: ‘vlan0’ is an example of the interface you want to capture packets on.

Add port or ip-proto, src-host, dst-host to the command to filter the captured result.

The saved capture files can be downloaded via GUI or FTP.

2.1.3 Use PC

Capturing packets on a PC requires installing some software. For example:

Windows needs to install Winpcap first: http://www.winpcap.org/

Download Wireshark at: https://www.wireshark.org/

Winpcap is also bundled with Wireshark.

The new Win10pcap is able to capture packets with 802.1Q VLAN tags:

http://www.win10pcap.org/

Win10pcap supports only Windows 7 and later Windows systems.

2.1.4 Set Mirror Port on Switch

Select the source port, destination port, and the flow direction, then connect the capture device to the destination port and start the capture.

2.2 Capture Wireless Packets

2.2.1 Capture with WLAN Controller and Managed AP

1 Set up a MON profile on controller.

Figure 14 CONFIGURATION > Object > MON Profile > MON Profile > Edit

2 Set ‘Scan Channel Mode’ to manual, and select the channel on which you want to capture packets.

Figure 15 CONFIGURATION > Object > MON Profile > MON Profile > Edit

3 Set a managed AP to MON mode, and apply the MON profile.

Select the MON mode AP and press ‘Capture’.

Figure 16 MAINTENANCE > Diagnostics > Wireless Frame Capture > Capture

2.2.2 Use Linux

1 Use the following commands to set your WLAN card into monitor mode (change 11 to the channel you want to use for capture):

$ sudo ifconfig wlan0 down

$ sudo iwconfig wlan0 mode monitor

$ sudo ifconfig wlan0 up

$ sudo iwconfig wlan0 channel 11

2 Then open Wireshark and capture the interface wlan0.

Please refer to the KB for more detailed instructions:

http://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=015072&lang=EN

2.2.3 Use Windows

Windows does not support wireless monitor mode natively; you will need extra software (e.g. OmniPeek Network Analysis Software) and a USB adapter with a specialized driver to capture wireless packets.

OmniPeek Network Analysis:

https://www.savvius.com/products/application_performance/omnipeek_family/omnipeek_network_analysis

3 Console connection setting

3.1 The type of Console Cables

1 For NXC5500/ WAC6500 series AP:

PN: 1-005-05000003

Figure 17 RJ-45-to-DB-9 Console Cable Color Codes

Figure 18 RJ-45-to-DB-9 Console Cable Color Codes

2 For NWA5301-NJ

PN: 1-005-05000002


Figure 19 RJ-45-to-DB-9 Console Cable Color Codes

3 For NWA5KN/ NWA3KN series:

Provided with the product package

Figure 20 Console Cable for NWA5KN/ NWA3KN series

4 For NWA512X series/ WAC6103D-I:

Please find a cable and connect it to the pins according to the description in this KB:

http://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=015102&lang=EN

Figure 21 Console Cable for NWA512X series/ WAC6103D-I

3.2 Serial Console Settings

1 Terminal Software:

Tera Term http://ttssh2.osdn.jp/

PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty

2 Serial port setup:

Baud rate 115200 bps

No parity, 8 data bits, 1 stop bit

No flow control

Figure 22 Tera Term > Setup > Serial port

Figure 23 PuTTY > Session > Serial > Speed

3 Save log:

Enable Timestamp for the log in Tera Term, which records the time with each log entry.

Figure 24 Tera Term > File > Log

Figure 25 PuTTY > Logging > All session output

4 Enable console log level 8 (show console debug messages)

Hot key to enable console log level 8: send ‘Send break + 8’ to the serial console.

Figure 26 TeraTerm > Control > Send break and press ‘8’

Figure 27 PuTTY > move cursor to the top bar (right click) > Special Command > Break > press ‘8’

4 Managed AP

Figure 28 The following table describes the icons in this screen.

4.1 Symptom: Managed AP doesn’t show on the AP management list

If the AP mode was changed to managed and the AP still doesn’t show on the AP list after a long wait, please follow these steps to troubleshoot.

Figure 29 MONITOR > AP Information > AP List

Note: If the AP was managed by another controller before, please reset the AP first.

The procedure of the troubleshooting:

1. Check the configuration of the controller (USG/ ZyWALL/ NXC).

2. Does the AP get an IP?

3. Check the mode of the unified AP.

4. Check the CAPWAP status of the AP.

5. Can the managed AP and the NXC communicate with each other?

6. Collect information and report the issue to HQ.

1 Check the configuration of controller (USG/ ZyWALL/ NXC)

If the topology has USG or ZyWALL devices, please make sure “Registration Type” is “Manual” so that they do not take control of the managed APs.

USG/ ZyWALL:

Select “Manual” for registration type.

Figure 30 CONFIGURATION > Wireless > Controller > configuration

NXC:

Select “Always Accept” or “Manual” for registration type.

Always Accept: Controller trusts the managed AP automatically.

Manual: User trusts the managed AP.

Figure 31 CONFIGURATION > Wireless > Controller > configuration

If the option is “Manual”, don’t forget to trust the managed AP.

Figure 32 MONITOR > Wireless > AP Information > AP List > Add to Mgnt. AP List

The AP icon becomes gray after the controller manages the AP successfully.

Figure 33 MONITOR > Wireless > AP Information > AP List > Add to Mgnt. AP List

2 Does AP get the IP?

Check the IP address via the DHCP table or access the AP by console cable.

DHCP table:

If the DHCP server is one of the ZyXEL devices - UAG, ZyWALL and NXC, you can check the IP by GUI.

Figure 34 DASHBOARD > Dashboard > System Status

Figure 35 DASHBOARD > Dashboard > System Status > DHCP Table

Console:

Get the IP by connecting a console cable and accessing the AP via terminal software.

Figure 36 Tera Term > AP > Router > show interface all

If the AP doesn’t get an IP address, it will show 0.0.0.0. Please check the Ethernet traffic between the DHCP server and the AP.

Check whether the DHCP server sends an IP address to the managed AP.

Check whether the DHCP server pool is full.

Check the switch configuration, such as blocked ports, VLAN settings, etc.

Capture the Ethernet packets with Wireshark.

Figure 37 The process of the AP asking the DHCP server for an IP.

Figure 38 AP gets the IP.

Figure 39 AP broadcasts the CAPWAP packet to the controller

When the AP gets the IP, you will see the IP shown on the console.

Figure 40 Tera Term > AP > Router > show interface all

3 Check the mode of unified AP

If the AP is a unified access point, please access the AP via SSH or console cable to check the mode.

Figure 41 The table of the Module of Unified Access Point

The Module of Unified Access Point

NWA5121-N NWA5121-NI NWA5123-NI NWA5301-NJ

NWA3160-N NWA3560-N NWA3550-N

Check the mode of the unified AP via console cable or SSH.

Console:

Figure 42 Tera Term > AP > Router > show hybrid-mode

If the mode is “controller” or “standalone”, please change the configuration to “managed”. The configuration can be changed by console or GUI.

Figure 43 Tera Term > AP > Router > configure terminal > hybrid-mode managed

AP GUI:

Auto: The AP broadcasts the CAPWAP packet to let the controller know.

If the DHCP server sets Option 138 with the controller IP, APs that get their IP from the DHCP server also get the AC-IP and find the controller directly.

Figure 44 CONFIGURATION > MGNT Mode > Managed AP > Auto

Manual: The user sets the AC-IP.

Figure 45 CONFIGURATION > MGNT Mode > Managed AP > Static IP

Note: If you have many managed APs on site that need the AC-IP set, we suggest setting the AC-IP on the DHCP server with Option 138. Managed APs that get an IP will then also know the AC-IP and send the CAPWAP packet to the controller to ask to be managed.
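A check for the Option 138 setup described above, as an added example (not ZyXEL code): it parses a captured DHCP reply and confirms that Option 138 carries the expected AC-IP. The option layout follows RFC 5417; the function names, the sample packet builder and the 192.168.1.1 controller address are constructed for illustration.

```python
import ipaddress

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236            # fixed BOOTP fields that precede the cookie
OPT_PAD, OPT_END = 0, 255
OPT_CAPWAP_AC_V4 = 138           # RFC 5417: list of 4-byte AC addresses


def parse_dhcp_options(bootp_payload):
    """Return {option_code: value_bytes} from the UDP payload of a DHCP message."""
    start = BOOTP_FIXED_LEN + len(DHCP_MAGIC_COOKIE)
    if bootp_payload[BOOTP_FIXED_LEN:start] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, start
    while i < len(bootp_payload):
        code = bootp_payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(bootp_payload):
            raise ValueError("truncated option header")
        length = bootp_payload[i + 1]
        value = bootp_payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        # A long option may be split over several instances; join them.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def capwap_ac_addresses(bootp_payload):
    """Return the AC addresses carried in Option 138 (empty list if absent)."""
    raw = parse_dhcp_options(bootp_payload).get(OPT_CAPWAP_AC_V4, b"")
    if len(raw) % 4:
        raise ValueError("Option 138 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def check_offer(bootp_payload, expected_ac_ips):
    """Classify a DHCP reply as 'ok', 'missing' (no Option 138) or 'mismatch'."""
    offered = capwap_ac_addresses(bootp_payload)
    if not offered:
        return "missing", offered
    unexpected = [ip for ip in offered if ip not in expected_ac_ips]
    return ("mismatch" if unexpected else "ok"), offered


def build_sample_offer(ac_ips):
    """Constructed sample: a minimal DHCPOFFER payload, not a real capture."""
    fixed = bytes([2]) + bytes(BOOTP_FIXED_LEN - 1)   # op=2 (BOOTREPLY), rest zero
    opts = bytes([53, 1, 2])                           # option 53: DHCPOFFER
    if ac_ips:
        packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in ac_ips)
        opts += bytes([OPT_CAPWAP_AC_V4, len(packed)]) + packed
    return fixed + DHCP_MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    expected = {"192.168.1.1"}                         # assumed controller IP
    for ips in (["192.168.1.1"], ["192.168.1.1", "192.168.1.254"], []):
        print(ips, "->", check_offer(build_sample_offer(ips), expected))
```

A "mismatch" result means the DHCP server is pointing APs at an address other than the intended controller, which is worth resolving before changing anything on the AP.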

4 Check the CAPWAP status of AP

If the AP is managed by the controller, the AC-IP shows the controller’s IP and the SM-State is RUN(8).

Figure 46 Tera Term > AP > Router > show capwap ap info > SM-State

If the SM-State doesn’t show RUN(8), please check the AC-IP.

Figure 47 Tera Term > AP > Router > show capwap ap info > SM-State

Write the AC-IP address by console:

Figure 48 Tera Term > AP > Router > show capwap ap ac-ip

If you know the AC-IP, you can also write the IP directly via console.

Figure 49 Tera Term > AP > Router > configure terminal > capwap ap ac-ip <AC-IP1> <AC-IP2> > write > exit > reboot

Note: If there is only one controller in the topology, write the controller’s IP in <AC-IP1> and put any IP in <AC-IP2>.

5 Can managed AP and NXC communicate with each other?

Access the managed AP and the NXC by console or SSH and ping each from the other to check the status of network traffic.

Managed AP pings the controller successfully:

Figure 50 Tera Term > AP > Router > ping <AC-IP>

Controller pings the managed AP successfully:

Figure 51 Tera Term > NXC > Router > ping <AP-IP>

Ping loss:

If pings between the managed AP and the controller fail, you have to check the Ethernet device or network cable.

Figure 52 Tera Term > NXC > Router > ping <AP-IP>

Check whether a switch, router or firewall blocks the traffic or CAPWAP port 5246.

Trace route:

Use trace route to find where the packets are dropped.

Figure 53 Tera Term > AP > Router > traceroute <AC-IP>

Use Wireshark to capture CAPWAP packets between the controller and the managed AP to check the status of network traffic.
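To confirm from such a capture that only the intended controller answers the APs, the following added example (not part of the original guide) reads clear-text CAPWAP control headers and lists every host that sends a Discovery Response. It assumes the devices follow the RFC 5415 header layout; the function names, the tuple format for exported packets and the sample addresses are constructed.

```python
import struct

CAPWAP_CONTROL_PORT = 5246                  # CAPWAP port named in this guide
DISCOVERY_REQUEST, DISCOVERY_RESPONSE = 1, 2


def parse_capwap_control(payload):
    """Return (message_number, sequence_number) for a clear-text CAPWAP control
    packet, or None if it is DTLS-protected, vendor-specific or malformed."""
    if len(payload) < 8:
        return None
    version, preamble_type = payload[0] >> 4, payload[0] & 0x0F
    if version != 0 or preamble_type != 0:  # preamble type 1: DTLS header follows
        return None
    hlen = (payload[1] >> 3) * 4            # HLEN is 5 bits, counted in 4-byte words
    if hlen < 8 or len(payload) < hlen + 8:
        return None
    # Control header: message type (32), sequence (8), element length (16), flags (8)
    msg_type, seq, _elem_len, _flags = struct.unpack_from("!IBHB", payload, hlen)
    enterprise, number = msg_type >> 8, msg_type & 0xFF
    if enterprise != 0:                     # not an IETF base-protocol message
        return None
    return number, seq


def audit_discovery(packets, expected_controllers):
    """packets: iterable of (src_ip, src_port, dst_port, udp_payload).
    Returns the APs that sent Discovery Requests, every host that answered
    with a Discovery Response, and the responders that are not expected."""
    requesters, responders = set(), set()
    for src_ip, src_port, dst_port, payload in packets:
        if CAPWAP_CONTROL_PORT not in (src_port, dst_port):
            continue
        parsed = parse_capwap_control(payload)
        if parsed is None:
            continue
        number, _seq = parsed
        if number == DISCOVERY_REQUEST:
            requesters.add(src_ip)
        elif number == DISCOVERY_RESPONSE:
            responders.add(src_ip)
    return {
        "aps": sorted(requesters),
        "controllers": sorted(responders),
        "unexpected": sorted(responders - set(expected_controllers)),
    }


def sample_capwap(msg_number, seq=1):
    """Constructed sample: 8-byte CAPWAP header (HLEN=2, WBID=1) + control header."""
    header = bytes([0x00, 0x10, 0x02, 0x00]) + bytes(4)
    return header + struct.pack("!IBHB", msg_number, seq, 3, 0)


# Constructed sample traffic: one AP, the NXC, and a second device that also answers.
SAMPLE_PACKETS = [
    ("192.168.1.37", 32768, 5246, sample_capwap(DISCOVERY_REQUEST)),
    ("192.168.1.1", 5246, 32768, sample_capwap(DISCOVERY_RESPONSE)),
    ("192.168.1.254", 5246, 32768, sample_capwap(DISCOVERY_RESPONSE)),
    ("192.168.1.1", 5246, 32768, bytes([0x01, 0, 0, 0]) + bytes(20)),  # DTLS, skipped
    ("192.168.1.50", 53, 40000, bytes(16)),                            # other traffic
]

if __name__ == "__main__":
    print(audit_discovery(SAMPLE_PACKETS, {"192.168.1.1"}))
```

Any address under "unexpected" is a second device answering CAPWAP discovery, the situation the registration-type check in step 1 is meant to rule out.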

6 Collect information and report the issue to HQ.

Capture the related log files from the controller and the managed AP.

Collect log files of the controller by GUI:

Capture every category to give RD complete information.

Figure 54 MAINTENANCE > Diagnostics > Diagnostics > Collect on Controller > Collect Now.

Note: Capturing the logs takes some time; please wait.

Collect log files of the managed AP by controller GUI:

Select the managed AP and move it to the Collected APs.

Figure 55 MAINTENANCE > Diagnostics > Diagnostics > Collect on AP > Collect Now.

Download log files.

Figure 56 MAINTENANCE > Diagnostics > Diagnostics > Files > Download

Provide the topology, controller config, packet captures, remote access and diagnostic info to HQ for an advanced check.

4.2 Symptom: Managed AP offline

If the AP was managed by the controller before and the color of the AP icon is gray, please follow these steps to troubleshoot.

Figure 57 MONITOR > AP Information > AP List

The procedure of the troubleshooting:

1. Check the configuration of the controller (USG/ ZyWALL/ NXC).

2. Does the AP get an IP?

3. Check the CAPWAP status of the AP.

4. Can the managed AP and the NXC communicate with each other?

5. How to know whether APs went off-line because of external factors?

6. Collect information and report the issue to HQ.

1 Check the configuration of controller (USG/ ZyWALL/ NXC).

If the customer’s topology has a USG or ZyWALL, please make sure “Registration Type” is “Manual” so that they do not take control of the managed APs.

USG/ ZyWALL

Select “Manual” for registration type.

Figure 58 CONFIGURATION > Wireless > Controller > configuration

NXC

Select “Always Accept” or “Manual” for registration type.

Always Accept: Controller trusts the managed AP automatically.

Manual: User trusts the managed AP.

Figure 59 CONFIGURATION > Wireless > Controller > Configuration

If the option is “Manual”, don’t forget to trust the managed AP.

Figure 60 MONITOR > Wireless > AP Information > AP List > Add to Mgnt. AP List

The AP icon becomes gray after the controller manages the AP successfully.

Figure 61 MONITOR > Wireless > AP Information > AP List

2 Does AP get the IP?

Check IP address via DHCP table or access AP by console cable.

DHCP table:

If the DHCP server is one of the ZyXEL devices - UAG, ZyWALL and NXC, you can check the IP by GUI.

Figure 62 DASHBOARD > Dashboard > System Status

Figure 63 DASHBOARD > Dashboard > System Status > DHCP Table

Console:

Get the IP by connecting a console cable and accessing the AP via terminal software.

Figure 64 Tera Term > AP > Router > show interface all

If the AP doesn’t get an IP address, it will show 0.0.0.0. Please check the Ethernet traffic between the DHCP server and the AP.

Check whether the DHCP server sends an IP address to the managed AP.

Check whether the DHCP server pool is full.

Check the switch configuration, such as blocked ports, VLAN settings, etc.

Capture the Ethernet packets with Wireshark.

Figure 65 The process of the AP asking the DHCP server for an IP.

Figure 66 AP gets the IP.

Figure 67 AP broadcasts the CAPWAP packet to the controller

When the AP gets the IP, you will see the IP shown on the console.

Figure 68 Tera Term > AP > Router > show interface all

3 Check the CAPWAP status of AP

If the AP is managed by the controller, the AC-IP shows the controller’s IP and the SM-State is RUN(8).

Figure 69 Tera Term > AP > Router > show capwap ap info > SM-State

If the SM-State doesn’t show RUN(8), please check the AC-IP.

Figure 70 Tera Term > AP > Router > show capwap ap info > SM-State

How to write the AC-IP address by console?

Figure 71 Tera Term > AP > Router > show capwap ap ac-ip

If you know the AC-IP, you can also write the IP directly via console.

Figure 72 Tera Term > AP > Router > configure terminal > capwap ap ac-ip <AC-IP1> <AC-IP2> > write > exit > reboot

Note: If there is only one controller in the topology, write the controller’s IP in <AC-IP1> and put any IP in <AC-IP2>.

4 Can managed AP and NXC communicate with each other?

Access the managed AP and the NXC by console or SSH and ping each from the other to check the status of network traffic.

Managed AP pings the controller successfully:

Figure 73 Tera Term > AP > Router > ping <AC-IP>

Controller pings the managed AP successfully:

Figure 74 Tera Term > NXC > Router > ping <AP-IP>

Ping loss:

If pings between the managed AP and the controller fail, you have to check the Ethernet device or network cable.

Figure 75 Tera Term > NXC > Router > ping <AP-IP>

Check whether a switch, router or firewall blocks the traffic or CAPWAP port 5246.

Trace Route:

Use trace route to find where the packets are dropped.

Figure 76 Tera Term > AP > Router > traceroute <AC-IP>

Use Wireshark to capture CAPWAP packets between the controller and the managed AP to check the status of network traffic.

5 How to know whether APs went off-line because of external factors?

Check the last offline time of the off-line APs.

Last Offline Time: This displays the most recent time the AP went off-line. N/A displays if the AP has either not come on-line or gone off-line since NXC last started up.

Figure 77 MONITOR > Wireless > AP Information > AP List

If all the APs or a group of APs show offline at the same time, there might be a power supply issue on the PoE switch or a problem with the switch configuration.

Please check the following:

Did someone turn off the switch or some devices in the topology?

Does the switch block the port or VLAN for the APs’ traffic?

Is the voltage stable at the customer site?

If some of the APs go offline at random times, please check the following:

Is the network cable plugged into the port properly?

Is the network cable of good quality?

Did someone touch the network cable or turn off the APs?

Check the PoE status of the switch. Did the PoE switch power off the port?

Did the AP reboot?

If the AP has rebooted, the AP system uptime will be shorter than the controller system uptime.

Figure 78 Tera Term > AP > Router > show system uptime

Note: If the AP going off-line isn’t caused by external factors, please collect the logs.
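The checks in this step, written as an added triage example (not from the original guide): it groups APs by Last Offline Time to separate group outages from isolated ones and compares uptimes to spot a reboot. The timestamp format, the AP names, the 60-second window and all function names are assumptions made for illustration.

```python
from datetime import datetime

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed format of the exported Last Offline Time


def cluster_offline_events(last_offline, window_seconds=60):
    """Group APs whose Last Offline Time is within window_seconds of the
    previous AP in time order. 'N/A' entries (never off-line) are skipped."""
    events = sorted(
        (datetime.strptime(stamp, TIME_FORMAT), ap)
        for ap, stamp in last_offline.items()
        if stamp != "N/A"
    )
    clusters = []
    for when, ap in events:
        if clusters and (when - clusters[-1]["end"]).total_seconds() <= window_seconds:
            clusters[-1]["aps"].append(ap)
            clusters[-1]["end"] = when      # extend the cluster to the newest event
        else:
            clusters.append({"end": when, "aps": [ap]})
    return clusters


def triage(last_offline, window_seconds=60):
    """Return [(kind, [ap, ...]), ...] in time order.
    'group'    -> several APs dropped together: check PoE switch power,
                  switch/VLAN configuration and site voltage.
    'isolated' -> one AP dropped alone: check its cable, PoE port and reboot."""
    result = []
    for cluster in cluster_offline_events(last_offline, window_seconds):
        kind = "group" if len(cluster["aps"]) > 1 else "isolated"
        result.append((kind, cluster["aps"]))
    return result


def ap_rebooted(ap_uptime_seconds, controller_uptime_seconds):
    """The guide's rule: an AP that rebooted has a shorter uptime than the controller."""
    return ap_uptime_seconds < controller_uptime_seconds


# Constructed sample values, as if copied from the AP List screen.
SAMPLE_LAST_OFFLINE = {
    "AP-1F-01": "2016-09-12 03:14:05",
    "AP-1F-02": "2016-09-12 03:14:09",
    "AP-1F-03": "2016-09-12 03:14:20",
    "AP-2F-01": "2016-09-12 11:47:31",
    "AP-3F-01": "N/A",
}

if __name__ == "__main__":
    for kind, aps in triage(SAMPLE_LAST_OFFLINE):
        print(kind, aps)
    # Uptimes in seconds, as read from 'show system uptime' on each device.
    print("AP rebooted:", ap_rebooted(3 * 3600, 12 * 24 * 3600))
```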

6 Collect information and report the issue to HQ.

Capture the related log files from the controller and the managed AP.

Collect log files of the controller by GUI:

Capture every category to give RD complete information.

Figure 79 MAINTENANCE > Diagnostics > Diagnostics > Collect on Controller > Collect Now.

Note: Capturing the logs takes some time; please wait.

Collect log files of the managed AP by controller GUI:

Select the managed AP and move it to the Collected APs.

Figure 80 MAINTENANCE > Diagnostics > Diagnostics > Collect on AP > Collect Now.

Download log files.

Figure 81 MAINTENANCE > Diagnostics > Diagnostics > Files > Download

Provide the topology, controller config, packet captures, remote access and diagnostic info to HQ for an advanced check.

4.3 Symptom: Managed AP error with conflict

When the color of the managed AP icon is red, it means the AP has a configuration conflict.

Figure 82 MONITOR > Wireless > AP Information > AP List.

Select the managed AP in error and get more information, which will show you a message indicating where the configuration is incorrect.

Figure 83 MONITOR > Wireless > AP Information > AP List > More Information

There is some information you need to know for the troubleshooting; follow the steps in order.

The procedure of the troubleshooting:

1. Check the configuration of the controller

2. Check AP’s wireless card

3. Collect information and report the issue to HQ

1 Check the configuration of the controller

Example of VLAN conflict: mismatched management VLAN ID

Figure 84 MONITOR > Wireless > AP Information > AP List

Check the system log.

Figure 85 MONITOR > Log > View Log

The managed AP was set with management VLAN ID 10, but the controller is set with management VLAN ID 1.

Change the management VLAN ID by GUI. Select the managed AP to modify the management VLAN ID.

Figure 86 CONFIGURATION > Wireless > AP Management > Mgnt. AP List > Edit

Figure 87 CONFIGURATION > Wireless > AP Management > Mgnt. AP List > Edit > Edit AP List > VLAN Settings

Check the “Override Group VLAN setting” and “Force Overwrite VLAN Config” boxes to modify the VLAN ID on the controller so that it has the same management VLAN ID as the managed AP. Change “Management VLAN ID” to 10 and uncheck the “As Native VLAN” box, which makes the NWA5160-N send out packets tagged with VLAN ID 10.

Note: Checking “As Native VLAN” means the packets are sent without a VLAN ID tag.

Apply the configuration and check the management VLAN ID on the controller.

Figure 88 MONITOR > Wireless > AP Information > AP List

Example of a configuration conflict in the radio profile: radio 2 was set to 2.4GHz.

Check the root cause.

Figure 89 MONITOR > Wireless > AP Information > AP List > More Information

Figure 90 CONFIGURATION > Wireless > AP Management > Mgnt. AP List.

Figure 91 MONITOR > Wireless > AP Information > Radio List.

Figure 92 MONITOR > Log > View Log.

Apply a 5GHz radio profile to radio 2. (The radio profile default2 is set to the 5GHz radio by default.)

AP Group setting

Figure 93 CONFIGURATION > Wireless > AP Management > AP Group > Edit > Radio 2 Setting

Edit a single managed AP

Figure 94 CONFIGURATION > Wireless > AP Management > Mgnt. AP List > Edit

Check the managed AP status on the controller.

Figure 95 MONITOR > Wireless > AP Information > AP List

Note: Make sure radio 1 and 2 are activated and applied with the correct profiles.

2 Check AP’s wireless card

There are two symptoms when the wireless card has a problem.

LED WLAN is off

SSID doesn’t broadcast

On the controller, check whether the MAC address is incorrect and whether any status shows n/a.

Figure 96 MONITOR > Wireless > AP Information > Radio List

Tx/Rx PKT count, Rx FCS Error Count, Tx Retry Count and TX Power show zero.

Figure 97 MONITOR > Wireless > AP Information > Radio List

Check via console whether the WLAN status of the managed AP shows n/a.

Figure 98 Tera Term > Router > show interface all

Check the wireless card status of managed AP via console.

Figure 99 For different models, please use different CLIs

Model: NWA3K-N / NWA5K-N

  CLI: Router> show wlan all

  Wireless card status, normal: unknown card

  Wireless card status, abnormal: None

Model: NWA5301-NJ / NWA5120 series AP

  CLI: Check status by 2 CLIs

    1. Router> _debug show file /proc/interrupts

    2. Router> _debug wireless_dbg iwconfig

  Wireless card status, normal:

    1. Display: PCI wifi1

    2. Display wlan-1-1 and wlan-2-1 info

  Wireless card status, abnormal:

    1. No PCI wifi1 info

    2. No wlan-2-1 info

Example of NWA3K-N with normal status: It shows unknown card.

Figure 100 Tera Term > AP > Router > show wlan all

Example of NWA3K-N with abnormal status: It shows none.

Figure 101 Tera Term > AP > Router> show wlan all

Example of NWA5120 series with normal status: It shows PCI wifi1 and the information of the interface.

Figure 102 Tera Term > AP > Router> _debug show file /proc/interrupts

Figure 103 Tera Term > AP > Router> _debug wireless_dbg iwconfig

Example of NWA5120 series with abnormal status: There is no PCI wifi1 info.

Figure 104 Tera Term > AP > Router> _debug show file /proc/interrupts

There is no wlan-2-1 info.

Figure 105 Tera Term > AP > Router> _debug wireless_dbg iwconfig

Cold start the managed AP (unplug and plug in the power of the managed AP). If the wireless card status is still abnormal, please RMA the AP.

3 Collect information and report the issue to HQ

Capture the related log files from the controller and the managed AP.

Collect log files of the controller by GUI:

Capture every category to give RD complete information.

Figure 106 MAINTENANCE > Diagnostics > Diagnostics > Collect on Controller > Collect Now.

Note: Capturing the logs takes some time; please wait.

Collect log files of the managed AP by controller GUI:

Select the managed AP and move it to the Collected APs.

Figure 107 MAINTENANCE > Diagnostics > Diagnostics > Collect on AP > Collect Now.

Download log files.

Figure 108 MAINTENANCE > Diagnostics > Diagnostics > Files > Download

Provide the topology, controller config, packet captures, remote access and diagnostic info to HQ for an advanced check.

4.4 Symptom: Managed AP keeps updating

If a group of APs has upgraded the FW and several APs still keep updating, please collect the info for HQ by following these steps.

Controller:

Figure 109 MONITOR > Wireless > AP Information > AP List

Managed AP:

Check the status of the managed AP via console. It shows updating(7).

Figure 110 Tera Term > AP > Router > show capwap ap info

This issue may be caused by the following:

1. For NWA3000-N series, it could be caused by boot code version 1.13

2. Unstable network connection between controller and managed AP

3. Upgrade process could not pass through NAT if Controller or managed AP is in different network

4. Collect the information

To clarify the root cause, please follow the steps.

1 For NWA3000-N series, check the boot code version and FW version

This step is only for NWA3000-N series.

The original design of the NWA3000-N series with boot code version v1.13 was not supported by the controller. Hence, the AP would keep updating after it was put in managed mode.

If the boot code version is newer than v1.13 and the issue persists, we suggest upgrading the firmware to 2.23 patch 8 or above.

AP in standalone mode

Check the boot code version

Figure 111 NWA3560-N > DASHBOARD > Device Information > Firmware Version

AP in managed mode

Figure 112 Tera Term > AP > Router> show version

Note:

If the boot module is v1.13, please upgrade the FW to v2.23 patch 2 and then upgrade to FW v2.23 patch 8.

If the boot module is newer than v1.13, please upgrade the FW to v2.23 patch 8.

2 Unstable network connection between controller and managed AP

Run a ping test between the controller and the managed AP via SSH to check that the network connection is stable in both directions (no long latency or dropped pings).

Ping the controller from the AP and trace the route to the AC.

Figure 113 Tera Term > AP > Router > ping <AC-IP>

The traceroute result shows which hop takes the most time to respond.

Figure 114 Tera Term > AP > Router > traceroute <AC-IP>

Ping the AP from the controller.

Figure 115 Tera Term > NXC > Router > ping <AP-IP>

Note: By default, at most 10 APs upgrade their FW at one time. If an AP in the first group (maximum 10 APs) fails to upgrade its firmware, the AP is released and upgraded again in the next group.

3 Upgrade process could not pass through NAT if the controller or managed AP is in a different network.

Ensure that the firewall does not block the CAPWAP port. (The CAPWAP default port is 5246.)

4 Information collection and report the issue to the HQ.

Capture the related log files from the controller and the managed AP.

Collect log files of controller by GUI

Select all categories to give RD complete information.

Figure 116 MAINTENANCE > Diagnostics > Diagnostics > Collect on Controller > Collect Now.

Note: Collecting the logs takes some time; please wait.

Collect log files of managed AP by controller GUI

Select the managed AP and add it to the Collected APs.

Figure 117 MAINTENANCE > Diagnostics > Diagnostics > Collect on AP > Collect Now.

Download log files.

Figure 118 MAINTENANCE > Diagnostics > Diagnostics > Files > Download

Provide the topology, controller config, packets, remote access and Diagnostic info to HQ for an advanced check.

5 Wireless

5.1 Symptom: Cannot see the SSID name.

Gather the following information from the customer and work through the questions in order to troubleshoot the issue.

The procedure of the troubleshooting:

1. Check the configuration of the controller (USG/ ZyWALL/ NXC).

2. Information collection and report the issue to the HQ.

1 Check the configuration of controller (USG/ ZyWALL/ NXC).

Check whether the SSID is hidden.

Figure 119 CONFIGURATION > Object > AP Profile > SSID > SSID List > Edit

Check whether the SSID is bound to the radio profile.

Figure 120 Configuration > AP Management > AP Group > Edit AP Group Profiled<name> > Radio Setting

Check whether the radios are bound to the correct band. (Radio 1 is the 2.4GHz band and radio 2 is the 5GHz band.)

Figure 121 CONFIGURATION > Object > AP Profile > Radio > Edit

Figure 122 CONFIGURATION > Wireless > AP Management > AP Group > Edit

Is the AP using a weather radar channel?

If the channel in use overlaps channels 112~120, you must wait 10 minutes, and on DFS channels you must wait 1 minute, before the SSID can be seen.

Figure 123 Configuration > Object > AP Profile > Radio > Edit

Note: In tunnel mode, if the CAPWAP connection is lost (the AP status in the NXC AP information is “offline”), the SSID also cannot be seen. (Please refer to the “Managed AP” topic.)

2 Information collection and report the issue to the HQ.

Capture the related log files from the controller and the managed AP.

Collect log files of controller by GUI

Select all categories to give RD complete information.

Figure 124 MAINTENANCE > Diagnostics > Diagnostics > Collect on Controller > Collect Now.

Note: Collecting the logs takes some time; please wait.

Collect log files of managed AP by controller GUI

Select the managed AP and add it to the Collected APs.

Figure 125 MAINTENANCE > Diagnostics > Diagnostics > Collect on AP > Collect Now.

Download log files.

Figure 126 MAINTENANCE > Diagnostics > Diagnostics > Files > Download

Provide the topology, controller config, packets, remote access and Diagnostic info to HQ for an advanced check.

Capture the packet for wireless

Use OmniPeek (software) to capture wireless packets between the STA and the AP.

If OmniPeek cannot be used, please set another AP of the NWA3000-N series and NWA5000-N series to monitor mode to capture the wireless packets, and use the packet capture feature of an NXC series AP in standalone mode to capture the wireless packets.

Note: Capture the wireless packets and provide the AP MAC address, client MAC address and station info to HQ to verify the packets.

Station devices detail information:

Devices mode

Devices driver version

Devices wireless card MAC address and IP address

The MAC address and IP address of the AP the client connects to

Display all wireless interfaces on station and Access Point.

Figure 127 Laptop> cmd > netsh wlan show interface all

The station list info of associated AP:

Figure 128 MONITOR > Wireless > Station Info

5.2 Symptom: Connection Failure

Gather the following information from the customer and work through the questions in order to troubleshoot the issue.

The procedure of the troubleshooting:

1. Check the configuration of the controller (USG/ ZyWALL/ NXC).

2. Environment Verification

3. Information collection and report the issue to the HQ.

If you are not sure how to carry out the steps above, please keep reading.

1 Check the configuration of controller (USG/ ZyWALL/ NXC).

Clarify which kind of connection has failed.

Check whether a MAC filter is set up in the configuration.

Check whether the AP output power is set too high or too low.

If the 802.1x authentication fails, please refer to the 802.1x troubleshooting Guide.

Check the configuration of the controller to see if the router’s security is interfering. If you are already using WPA or WPA2, try changing the encryption mode from TKIP to AES.

Check whether an RSSI threshold is set up in the AP’s configuration.

If there are logs indicating that the AP CAPWAP status is offline or error, please refer to the CAPWAP troubleshooting.

2 Environment Verification.

Make sure the wireless site survey shows good performance.

Check the AP’s signal strength directly with the station’s utility. Use the free SSID scanning application “NetSurveyor” to scan the environment and check the AP signal and co-channel / overlapping.

Use Wi-Spy to scan the environment for other interference.

3 Information collection and report the issue to the HQ.

Capture the related log files from the controller and the managed AP.

Collect log files of controller by GUI

Select all categories to give RD complete information.

Figure 129 MAINTENANCE > Diagnostics > Diagnostics > Collect on Controller > Collect Now

Note: Collecting the logs takes some time; please wait.

Collect log files of managed AP by controller GUI

Select the managed AP and add it to the Collected APs.

Figure 130 MAINTENANCE > Diagnostics > Diagnostics > Collect on AP > Collect Now

Download log files.

Figure 131 MAINTENANCE > Diagnostics > Diagnostics > Files > Download

Provide the topology, controller config, packets, remote access and Diagnostic info to HQ for an advanced check.

Capture the packet for wireless

Use OmniPeek (software) to capture wireless packets between the STA and the AP.

If OmniPeek cannot be used, please set another AP of the NWA3000-N series and NWA5000-N series to monitor mode to capture the wireless packets, and use the packet capture feature of an NXC series AP in standalone mode to capture the wireless packets.

Note: Capture the wireless packets and provide the AP MAC address, client MAC address and station info to HQ to verify the packets.

Station devices detail information:

Devices mode

Devices driver version

Devices wireless card MAC address and IP address

The MAC address and IP address of the AP the client connects to

Display all wireless interfaces on station and Access Point.

Figure 132 Laptop> cmd > netsh wlan show interface all

The station list info of associated AP:

Figure 133 MONITOR > Wireless > Station Info

5.3 Symptom: Wireless low throughput

Gather the following information from the customer and work through the questions in order to troubleshoot the issue.

The procedure of the troubleshooting:

1. Check the configuration of the controller (USG/ ZyWALL/ NXC).

2. Environment Verification

3. Information collection and report the issue to the HQ.

If you are not sure how to carry out the steps above, please keep reading.

1 Check the configuration of controller (USG/ ZyWALL/ NXC).

Clarify whether the client can get an IP address.

Check whether a rate limit is set up in the configuration.

Check whether the AP output power is 100%. We suggest an AP power of 50% or less, because the client’s output power is lower than the AP’s: the AP can send packets to the client, but the client’s packets cannot reach the AP.

Check whether the security mode in the configuration is set up with TKIP or AES.

Check whether an RSSI threshold is set up on the AP. If the client reaches the RSSI threshold, the client can’t connect to the AP successfully.

2 Environment Verification

Make sure the wireless site survey shows good performance.

Check whether the client is connected to a far AP or a near one. If the station is a laptop, use the CMD command “netsh wlan show interface” to check whether the laptop is connected to a nearby AP.

Can the client ping the gateway and the Internet? Use the CMD command “ping” to ping the gateway and the Internet at the same time to verify whether the high latency comes from a bottleneck on the Internet or on the AP.

Check whether the client is connected to a far AP or a near one. Use the CMD command “tracert” to show the path your traffic takes when you are attempting to connect to another machine.

Check the distance from the transmitting AP to the receiving station.

Check the security configuration of the APs. If the security mode is set to TKIP, the client cannot reach 802.11n.

3 Information collection and report the issue to the HQ.

Collect the basic information on AP.

Capture the Ethernet packets between the DHCP server and the AP if the client cannot get an IP address.

Collect the AP and NXC controller log via diagnostics.

Provide the station devices detail information.

6 Captive Portal

The process of captive portal redirect on controller

1. User tries to access Internet and open browser.

2. Captive Portal intercepts and sends Login Page.

3. Username / Password entered are sent to authentication server.

4. Authentication server authenticates. If the NXC controller’s DNS query for the URL succeeds, the NXC controller redirects the Captive Portal to the client’s laptop.

5. After successful authentication, user is allowed to access Internet.

Figure 134 The flow chart of captive portal redirect on AP

6.1 Symptom: Cannot see the Captive Portal on wireless device (cannot find the webpage) or NXC managed page is redirected instead of Captive Portal

The captive portal is not redirected to the device, or the device’s Internet access is not blocked by the captive portal.

These are the key points for setting up the captive portal:

The traffic blocked by the captive portal must be able to access the Internet.

A valid DNS server is necessary.

If the NXC controller is not a gateway, the gateway address must be set on the interface used for captive portal.

The procedure of the troubleshooting:

1. Check that the station gets an IP and can access Ethernet when captive portal is disabled.

2. Check that the station that gets the IP can resolve the URL through a valid DNS.

3. Check the configuration of the NXC.

Redirect on Controller

Redirect on AP

4. Check the topology.

NXC controller location.

Internal or external Captive Portal?

5. Check the network.

6. Has the user logged in to the captive portal before?

7. Information collection and report the issue to the HQ.

1 Check that the station gets an IP and can access Ethernet when captive portal is disabled.

Use the CLI to confirm whether the computer gets an IP and DNS address.

Figure 135 Computer > cmd > ipconfig /all

If the station doesn’t get an IP, you will see an incorrect IP and DNS address on the station.

Confirm the computer can access internet.

Figure 136 Computer > cmd > ping 8.8.8.8

2 Check that the station that gets the IP can resolve the URL through a valid DNS.

If the station gets an IP and DNS address, you can ping a global website to check that the URL is resolved by a valid DNS.

Figure 137 Computer > cmd > ping www.google.com

Use CLI to resolve global website.

Figure 138 Computer > cmd > nslookup www.google.com

3 Check the configuration of the NXC.

If the NXC controller is not a gateway, please check whether the gateway IP address is set on the interface for stations that go through captive portal.

Assume the stations in VLAN10 must be blocked by captive portal. The VLAN10 interface in the NXC controller must have the correct gateway IP address; otherwise, the NXC cannot redirect to the correct captive portal page.

Figure 139 CONFIGURATION > Network > VLAN > VLAN10 > IP Address Assignment

There are two ways to set the authentication policy: Redirect on controller and Redirect on AP.

Note: Do not enable captive portal redirect on the NXC controller and on the Managed AP simultaneously.

Redirect on controller

Enable the function of Captive Portal.

Figure 140 CONFIGURATION > Captive Portal > Captive Portal

Enable the auth. policy to “force” the source traffic.

Figure 141 CONFIGURATION > Captive Portal > Redirect on Controller > Authentication Policy Rule

Figure 142 CONFIGURATION > Captive Portal > Redirect on Controller > Authentication Policy Rule

Note: Make sure the traffic matches the User Authentication Policy. As in the screenshot above, the traffic must come from the range 192.168.10.33~192.168.10.200; otherwise, the NXC is not able to block the traffic and redirect users to the Captive Portal.

Traffic must go through the NXC when you redirect the captive portal on the NXC controller.

If the traffic doesn’t pass through the NXC and instead goes between switches or routers, the NXC cannot monitor the traffic to block the station’s Internet access, and the captive portal is not redirected.

To let the traffic go back to the NXC, set the Forwarding Mode of the SSID to tunnel.

Figure 143 Configuration > Object > AP Profile > SSID

Figure 144 CONFIGURATION > Object > AP Profile > SSID > SSID List

For NXC2500

If an NXC2500 acts as a bridge switch, the uplink port must be set to P1 so that client traffic is authenticated via the Captive Portal.

Redirect on AP

Enable the function of Captive Portal.

Figure 145 CONFIGURATION > Captive Portal > Captive Portal

Enable the auth. policy to “force” the source traffic. The auth. policy rule in

Redirect on AP is an SSID-based policy to filter the traffic from AP.

Note: The forwarding mode of SSID must be local bridge.

Figure 146 CONFIGURATION > Captive Portal > Redirect on AP >

Authentication Policy Rule

Figure 147 CONFIGURATION > Captive Portal > Redirect on AP >

Authentication Policy Rule > Edit

Create an auth. policy group profile and include the rule entry.

Figure 148 CONFIGURATION > Captive Portal > Redirect on AP >

Authentication Policy Rule Group> Edit

Select the policy for the AP group

Note: Portal redirect on the AP still needs the controller to be involved in the

authentication flow. If the connection to the controller is lost, there is an

option to skip authentication.

4 Check the topology. Internal or external Captive Portal web server?

Internal: Login page hosted on NXC.

External: Login page hosted on an external web server; the NXC redirects the login page to the external web server.

Confirm that traffic passes between the NXC and the external captive portal web server.

Ping the external captive portal web server from the NXC.

If it is an external web portal, make sure the URLs of the web pages are correct.

Figure 149 CONFIGURATION > Captive Portal > Captive Portal > External Web Portal

5 Check the network

Make sure the WAN connection of the NXC is working and that the NXC can resolve the destination URL, which means it has a valid DNS.

The NXC can ping the gateway IP address successfully via console:

Figure 150 Tera Term > NXC > Router > ping <Gateway IP>

The NXC can ping and resolve a global website such as Google (IPv4) successfully via console:

Figure 151 Tera Term > NXC > Router > ping <Public DNS IP>

6 Has the user logged in to the captive portal before?

If the user has logged into the captive portal before and didn’t log out, the station remains in the user list until the authentication times out.

Figure 152 MONITOR > System Status > Login Users

Assume the user “joy” logged into the Captive Portal and did not log out: the device will not see the Captive Portal again and accesses the Internet directly.

7 Information collection and report the issue to the HQ.

Via the CLI, check whether the IP table contains the IP of the station that does not go through the captive portal.

Figure 153 Tera Term > Router > debug system iptables list table nat > Chain FORCE_AUTH

Check whether the user still exists after logging out of the NXC captive portal. If you can still see the user’s IP address (192.168.10.33 in the screenshot below) in “Chain FORCE_AUTH”, it means the device (192.168.10.33) is being used to access the NXC via another account (like admin).

Check that the authentication policy is written to the firewall NAT table in “Chain FORCE_AUTH_POLICY”.

As the screenshot below shows, the NXC blocks source IPs in the range 192.168.10.33~192.168.10.200, which is the authentication policy configured under CONFIGURATION > Captive Portal.

Figure 154 Tera Term > NXC > Router > debug system iptables list table nat > Chain FORCE_AUTH_POLICY

Capture the packets on NXC.

Please adjust Captured Packet Files to 100 MB to avoid oversize.

Figure 155 MAINTENANCE > Diagnostics > Packet Capture > Capture

Station can ping NXC and station opens new browser

Webpage is not redirected to Captive Portal (can’t find the webpage)

Stop capturing packet and download the captured files

Please indicate the IP of NXC, AP, station and the URL of the webpage

which station is going to open.

Download log files.

Figure 156 MAINTENANCE > Diagnostics > Diagnostics > Files > Download

Provide topology/controller config/packet/remote access/Diagnostic info

to HQ to do advanced check.

6.2 Symptom: Login denied

The error message shows “login denied”.

Figure 157 The login page of NXC’s captive portal

The procedure of the troubleshooting:

1. Login account doesn’t exist in server or password is incorrect.

2. Admin type cannot log in to the captive portal page

3. Information collection and report the issue to the HQ.

1 Login account doesn’t exist in server or password is incorrect.

The error message is “login denied” if the login name does not exist on the server or the password is not correct.

Please check that the user name has been created on the server

Check that the password is correct.

2 Admin type cannot log in to the captive portal page

The error message is “Login denied: Verify user has failed” if the login name is an admin type.

Figure 158 The login page of NXC’s captive portal

3 Information collection and report the issue to the HQ.

Check the System & debug log of NXC

The system log on the NXC shows why the login was denied in the first place.

Figure 159 MONITOR > Log > View log

Choose debug log for more user information:

Figure 160 CONFIGURATION > Log & Report > Log Setting > System log > Edit

> Active Log and Alert (AC) > User

Check debug log:

In the screenshot below, I typed the right username and password.

Figure 161 MONITOR > Log > Display > Debug Log

In the screenshot below, I typed a username joy, which exists in the database, but with the wrong password.

The Auth User (test) result is 7.

Figure 162 MONITOR > Log > Display > Debug Log

In the screenshot below, I typed a username test, which does not exist in the database.

The Auth User (test) result is 9.

Figure 163 MONITOR > Log > Display > Debug Log

Choose other debug log for more information:

Active log and alert (AC): account, captive portal, authentication server,

force authentication

Figure 164 CONFIGURATION > Log & Report > Log Setting > System log > Edit

> Active Log and Alert (AC)

Active log and alert (AP): account, force authentication, user.

Figure 165 CONFIGURATION > Log & Report > Log Setting > System log > Edit

> Active Log and Alert (AC)

7 Roaming

7.1 What is Roaming

When a WiFi user walks from one AP’s coverage to another AP’s without disconnection, we call it roaming.

For example, station 2 wants to walk from AP1’s coverage to AP2’s. Station 2 performs “Reassociation” with AP2 first, and then “Deauthentication” with AP1.

Figure 166 The Process of Roaming

7.2 What are the setting conditions of roaming

The APs need to set the same SSID, security, and the same DHCP server.

Figure 167 CONFIGURATION > Object > AP profile > SSID > SSID List > Add

Figure 168 Configuration > Wireless > AP Management > Mgnt. AP List > Edit

AP List > Radio1 Setting

Check that the APs’ coverage ranges overlap. (You may use an application such as inSSIDer to scan the signal.)

Figure 169 inSSIDer

The station usually disconnects from the AP when the RSSI is lower than -60dBm, so the signal at the overlapping edge should not be lower than -60dBm; otherwise the signal is too weak for a connection.

We can check the RSSI of a connected station on the AP by CLI.

Signal strength = RSSI-95 (ex. 59-95= -36dBm)

Figure 170 Tera Term > AP > Router> show wlan slot1 list all sta

7.3 The Limitation of roaming

“Band Select” may potentially cause interruptions for time-sensitive applications because of roaming delays.

The connection might be unstable if “Load Balance” is enabled and the number of stations has reached the maximum. The roaming station may connect to the AP and disconnect soon afterwards.

Setting the threshold on the radio might cause disconnection between the AP and the station. When the RSSI in the overlap area is lower than the threshold value, the station is not able to connect to the AP.

7.4 Symptom: Why station can’t connect to AP2

If the station can’t connect to AP2 when roaming, please follow the steps to troubleshoot.

1. Check AP2’s SSID, Security, and DHCP server are the same as AP1.

2. Check radio threshold

3. Does station always connect to AP1?

1 Check AP2’s SSID, Security, and DHCP server are the same as AP1

If a controller manages the APs, it is better to put AP1 and AP2 in the same AP group, which has the same SSID and security.

AP1 and AP2 should use the same DHCP server and be in the same subnet.

NXC

Use AP group to set the same configuration for AP1 and AP2.

Figure 171 CONFIGURATION > Wireless > AP Management > AP Group >

Radio1 Setting

Figure 172 CONFIGURATION > Wireless > AP Management > AP Group > AP

List

Standalone AP

Configure standalone AP SSID and Radio by below GUI page.

Figure 173 CONFIGURATION > Object > SSID > SSID List > Edit SSID Profile

Figure 174 CONFIGURATION > Wireless > AP Management > WLAN Setting

2 Check radio threshold.

When the threshold is enabled and set to a value higher than the RSSI value of the overlapped area, the station is not able to connect to the AP.

For example, if the station signal threshold is -50dBm but the RSSI of the overlapped area is -60 to -65dBm, the station is not able to connect to the AP.

The threshold is disabled by default and can be changed in the GUI.

Figure 175 CONFIGURATION > Object > AP Profile > Radio > Edit Radio

Profile > Show Advanced Settings

3 Does station always connect to AP1?

If AP1’s coverage is so large that it overlaps most of AP2’s, the station is able to stay connected to AP1.

The output power of the AP can be changed.

Figure 176 Configuration > Wireless > AP Management > Mgnt. AP List > Edit

AP List

7.5 Symptom: Why station disconnects during roaming

If the station disconnects during roaming, please follow the steps to troubleshoot.

1. Check AP2’s SSID, Security, and DHCP server are the same as AP1.

2. Check “Band Select” is disabled

3. Check AP1 and AP2’s coverage overlap

4. Check the RSSI of overlapped area.

1 Check AP2’s SSID, Security, and DHCP server are the same as AP1

Please refer to troubleshooting step 1 of the previous symptom for checking the configuration.

2 Check “Band Select” is disabled

If band select is enabled, the station needs more time to connect to the AP, which causes disconnection during roaming.

Figure 177 Configuration > Object > AP profile > SSID > Edit SSID Profile

3 Check AP1 and AP2’s coverage overlap

If AP1’s and AP2’s coverage don’t overlap, the station disconnects when roaming.

4 Check RSSI of overlapped area

If the RSSI is lower than -65dBm, the station might disconnect because of the weak signal.

8 802.1X authentication

What should we do when 802.1X authentication fails with RADIUS, AD and LDAP? There are three phases for finding the problem that makes the authentication fail. The check order is configuration, network and information collection. First, confirm that the configurations match, and then check that the network has no problem. If configuration and network show no problem and the issue still exists, collect the related information so that we can understand the symptom and fix it as soon as possible.

Topology:

In this example, a wireless station is authenticated by an external authentication server via the NXC5500. The managed VLAN on the NXC5500 is VLAN 1 with IP range 192.168.100.x. The USG100 acts as a DHCP server to assign an IP address to the device. Wireless stations pass authentication by using AD/LDAP/RADIUS accounts.

8.1 Symptom: the 802.1X authentication failed with Remote Authentication Dial in User Service (RADIUS)

The procedure of the troubleshooting:

1. Check the configuration of the controller and RADIUS server.

2. Check the port number of RADIUS server

3. Ping the external RADIUS server and AP

4. Information collection and report the issue to the HQ.

5. Analysis for System logs and Packets.

1 Check the configuration of the controller and RADIUS server.

Many authentication failures are caused by wrong settings, so it is necessary to check that the NXC is configured correctly when authentication fails.

Check whether the RADIUS information in the NXC is correct.

Note: In the Key field, enter the same password as the one set on the RADIUS server.

Figure 178 CONFIGURATION > Object > AAA Server > RADIUS > Edit.

Check whether the information in the RADIUS server is correct.

Figure 179 Windows2008 RADIUS server > Network Policy Server > RADIUS

Clients > New user

Select the RADIUS server you create.

Figure 180 CONFIGURATION > Object > Auth. Method > Authentication

Method > Add

Make sure the security list selects 802.1X authentication and the correct RADIUS server.

Figure 181 CONFIGURATION > Object > AP profile > SSID > Security List > Edit

Since the RADIUS server supports the EAP protocol, you can select Internal or External as the RADIUS server type, depending on the topology.

RADIUS server type: Internal

If the EAP protocol is handled by the NXC’s built-in FreeRADIUS, you need to add the NXC information to the RADIUS server as a trusted client.

Figure 182 Windows2008 RADIUS server > Network Policy Server > RADIUS

Clients > New user

RADIUS server type: External

NXC setting:

Figure 183 CONFIGURATION > Object > AP Profile > SSID > Security List >

Radius Server Type

Figure 184 CONFIGURATION > Object > AP Profile > SSID > Security List >

Radius Authentication Settings

RADIUS server setting:

If the EAP protocol is handled by the RADIUS server, you need to add the AP information to the RADIUS server as a trusted client.

Figure 185 Windows2008 RADIUS server > Network Policy Server > RADIUS

Clients > New user

Check the security profile with 802.1X authentication.

Figure 186 CONFIGURATION > Object > AP profile > SSID > SSID List > Edit

Check whether the AP is set to use the AP profile that you created.

2 Check the port number of RADIUS server

To confirm the network traffic, please make sure the port of the server is the same as the one configured on the NXC5500, and log in to the console of the NXC and the RADIUS server.

Figure 187 Check the port number

The default port of the RADIUS server in the NXC is 1812. If there is a firewall in the network, please check that those ports are also open in the firewall.

3 Ping the external RADIUS server and AP

To confirm the network traffic, please make sure the port of the server is the same as the one configured on the NXC5500, and log in to the console of the NXC and the RADIUS server.

Figure 188 Ping the external RADIUS server and AP

Confirm that network traffic flows between the AP and the external RADIUS server.

Ping the external RADIUS server and the AP from the NXC.

Figure 189 Tera Term > NXC > Router > ping <RADIUS server’s IP> and AP’s IP

Ping the NXC and the AP from the external RADIUS server.

Figure 190 RADIUS server > cmd > ping <device’s IP>

Packet trace by NXC

Use a packet trace to confirm that the NXC communicates with the external RADIUS server when the station performs 802.1X authentication.

The default port of RADIUS server is 1812.

Type the CLI command, and then let the station connect to the SSID to perform the authentication.

If the NXC can access the RADIUS server, it shows these messages after the station connects to the SSID and performs 802.1X authentication. (KB# 011033 shows the detailed information of the RADIUS Access Request packet.)

Trace the packets between the RADIUS server and the client.

Figure 191 Tera Term > NXC > packet-trace interface <INTERFACE> port <port number>

The IP of AP

The IP of RADIUS server

The IP of NXC

The IP of AP
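Added example, not from the Zyxel guide: once the trace on port 1812 shows replies, a captured request/reply pair can be checked offline against the Key configured on the NXC, because RFC 2865 defines the Response Authenticator as MD5 over the reply header, the Request Authenticator, the attributes and the shared secret. The packets, key values, user name and helper names below are constructed for illustration.

```python
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}


def parse_radius(datagram):
    """Split a RADIUS UDP payload into header fields and attributes (RFC 2865)."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= len(datagram):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = datagram[pos], datagram[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((a_type, datagram[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "name": CODES.get(code, "unknown"), "id": ident,
            "authenticator": datagram[4:20], "attributes": attrs,
            "raw": datagram[:length]}


def expected_response_authenticator(reply_raw, request_authenticator, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(reply_raw[:4] + request_authenticator
                       + reply_raw[20:] + secret).digest()


def reply_matches_key(request, reply, secret):
    """True if the reply answers this request and was signed with `secret`."""
    req, rep = parse_radius(request), parse_radius(reply)
    if req["code"] != 1 or rep["code"] not in (2, 3, 11):
        return False
    if rep["id"] != req["id"]:
        return False
    expected = expected_response_authenticator(
        rep["raw"], req["authenticator"], secret)
    return hmac.compare_digest(expected, rep["authenticator"])


# --- Constructed sample packets (not taken from a real capture) -------------
def build_packet(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_reply(code, request, secret, attrs):
    """Sign a reply the way a RADIUS server holding `secret` would."""
    req = parse_radius(request)
    unsigned = build_packet(code, req["id"], req["authenticator"], attrs)
    digest = hashlib.md5(unsigned + secret).digest()
    return unsigned[:4] + digest + unsigned[20:]


SERVER_KEY = b"key-on-radius-server"   # constructed value
NXC_KEY_TYPO = b"key-typed-on-nxc"     # constructed value, deliberately different

# User-Name (type 1) and NAS-IP-Address (type 4). A real 802.1X request also
# carries EAP-Message and Message-Authenticator attributes; they are left out
# here, and the Response Authenticator check on the reply works the same way.
REQUEST = build_packet(1, 42, bytes(range(16)),
                       [(1, b"testuser"), (4, bytes([192, 168, 100, 10]))])
ACCEPT = build_reply(2, REQUEST, SERVER_KEY, [])
REJECT = build_reply(3, REQUEST, SERVER_KEY, [(18, b"denied")])

if __name__ == "__main__":
    for label, reply in (("accept", ACCEPT), ("reject", REJECT)):
        print(label, parse_radius(reply)["name"],
              "server key:", reply_matches_key(REQUEST, reply, SERVER_KEY),
              "NXC key:", reply_matches_key(REQUEST, reply, NXC_KEY_TYPO))
```

A reply that verifies with the server's key but not with the value entered in the NXC Key field points at a key mismatch; RFC 2865 has the client silently discard such replies.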

4 Information collection and report the issue to the HQ.

After checking the configuration and verifying the network, if the authentication still fails, please collect the information for us to analyze the symptom.

Check all the options and press the “Collect Now” button. You need to wait for some minutes.

Figure 192 MAINTENANCE > Diagnostics > Diagnostics > collect on controller > Collect Now

After the logs are collected, download the file and send it to us.

Figure 193 MAINTENANCE > Diagnostics > Diagnostics > Files.

Capture packets

Select the interface and press the “Capture” button before the station connects to the SSID and performs 802.1X authentication.

Figure 194 MAINTENANCE > Diagnostics > Packet Capture.

The CLI command and debug log

Follow the steps below to retrieve the 802.1x debug log

Log in by console or SSH using the admin account

Figure 195 Tera Term > NXC > Router> enable > debug authentication server log move to ftp

Log in to the controller’s FTP server using the admin account

Download the /tmp/RADIUS.log from the ftp

Figure 196 Computer > cmd > ftp <NXC’s IP> > cd/tmp > ls > get radius.log

5 Analysis for System logs and Packets

Normal log and packets:

From AC:

STA Association. MAC: XX:XX:XX:XX:XX:XX, AP:

Ext-User <user account> from 802.1x has logged in EnterpriseWLAN

Figure 197 MONITOR > Log > View log

From AP:

Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Station had authorized. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Figure 198 MONITOR > Log > View AP log

RADIUS Server Event log:

Network Policy Server granted full access to a user because the host met the defined health policy.

Figure 199 Windows2008 RADIUS server > Event Viewer > Custom Views > ServerRoles > Network Policy and Access Servers

Figure 200 RADIUS_server.txt

Packet: Access-Accept

Figure 201 Wireshark > Success_RADIUS.cap

RADIUS.log

Figure 202 Success_RADIUS.cap > Wireshark

No response from external RADIUS server:

From AC:

RADIUS: rejecting the user <user account>

Figure 203 MONITOR > Log > View Log

From AP

Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Station had disassoc. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Figure 204 MONITOR > Log > View AP Log

Packet: Access-Reject

Figure 205 no radius server.cap > Wireshark

RADIUS.log

Figure 206 lack of any response from home server.log

Unknown user or wrong password:

From AC

RADIUS: rejecting the user <user account>

Figure 207 MONITOR > Log > View Log

From AP

Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Station had disassoc. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Figure 208 MONITOR > Log > View AP Log

RADIUS Server

Network Policy Server denied access to a user.

Figure 209 Windows2008 RADIUS server > Event Viewer > Custom Views > ServerRoles > Network Policy and Access Servers

Figure 210 Wrong_password.txt

Figure 211 Wrong_password.txt

Packet

Figure 212 Wireshark > Wrong_password.cap

RADIUS.log

Untrusted Controller

From AC

STA is blocked by Auth Failed(AAA Profile: <profile name>), MAC: XX:XX:XX:XX:XX:XX, Interface:wlan-X-X

RADIUS: rejecting the user <user account>

Figure 213 MONITOR > Log > View Log

From AP

STA is blocked by Auth Failed(AAA Profile: <profile name>), MAC: XX:XX:XX:XX:XX:XX, Interface:wlan-X-X

Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Station had disassoc. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Figure 214 MONITOR > Log > View AP Log

RADIUS Server

A RADIUS message was received from the invalid RADIUS client IP address 192.168.100.15.

Figure 215 Windows2008 RADIUS server > Event Viewer > Custom Views > ServerRoles > Network Policy and Access Servers

Figure 216 Untrusted AC.txt

Packet

Figure 217 Wireshark > untrusted AC.cap

RADIUS.log

Figure 218 untrusted AC_radius.log

Untrusted AP

From AC

STA is blocked by Hostapd3. MAC: XX:XX:XX:XX:XX:XX, Interface:wlan-X-X

Figure 219 MONITOR > Log > View Log

From AP

Station has associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Station has deauth. reason <reason code>, flag= Interface:wlan-X-X , Station: XX:XX:XX:XX:XX:XX

Station is blocked. reason <reason code>,event by Hostapd3, Interface:wlan-X-X , Station: XX:XX:XX:XX:XX:XX

Figure 220 MONITOR > Log > View AP Log

RADIUS Server

A RADIUS message was received from the invalid RADIUS client IP address 192.168.100.32.

Figure 221 Windows2008 RADIUS server > Event Viewer > Custom Views > ServerRoles > Network Policy and Access Servers

Figure 222 Untrusted AP.txt

Packet: Access-Request

Figure 223 Wireshark > untrusted AP.cap

RADIUS.log

No RADIUS.log in the AC controller and AP
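The failure cases above differ only in which messages appear in the controller log, the AP log and the NPS event log together. The following triage script is an added example, not part of the guide or of any Zyxel tool; the function names, verdict labels, MAC address, user name and profile name are assumptions, and the sample lines are constructed from the message templates listed in this section.

```python
import re

# Signatures taken from the log messages listed in this section.
AC_LOGIN    = re.compile(r"Ext-User .+ from 802\.1x has logged in")
AC_REJECT   = re.compile(r"RADIUS: rejecting the user")
AC_AUTHFAIL = re.compile(r"STA is blocked by Auth Failed\(AAA Profile:")
AC_HOSTAPD  = re.compile(r"STA is blocked by Hostapd3")
AP_AUTHZ    = re.compile(r"Station had authorized")
NPS_GRANT   = re.compile(r"Network Policy Server granted full access")
NPS_DENY    = re.compile(r"Network Policy Server denied access")
NPS_BADCLI  = re.compile(
    r"invalid RADIUS client IP address\s+(\d{1,3}(?:\.\d{1,3}){3})")


def first_match(pattern, lines):
    """Return the first regex match found in any of the lines, else None."""
    for line in lines:
        m = pattern.search(line)
        if m:
            return m
    return None


def classify(ac_log, ap_log, nps_log):
    """Map the logs of one attempt to the cases described in this section.

    ac_log / ap_log / nps_log are lists of lines from MONITOR > Log > View Log,
    View AP Log, and the Windows NPS event text respectively.
    Returns (verdict, offending RADIUS client IP or None).
    """
    bad_client = first_match(NPS_BADCLI, nps_log)
    if bad_client:
        ip = bad_client.group(1)
        if first_match(AC_HOSTAPD, ac_log):
            return ("untrusted-ap", ip)
        if first_match(AC_AUTHFAIL, ac_log):
            return ("untrusted-controller", ip)
        return ("untrusted-radius-client", ip)
    if first_match(AC_LOGIN, ac_log) and first_match(AP_AUTHZ, ap_log):
        return ("normal", None)
    if first_match(AC_REJECT, ac_log):
        if first_match(NPS_DENY, nps_log):
            return ("unknown-user-or-wrong-password", None)
        if not first_match(NPS_GRANT, nps_log):
            # The controller rejected the user but the server logged nothing.
            return ("no-response-from-radius-server", None)
    return ("unclassified", None)


# Constructed sample lines (MAC, user and profile name are made up).
MAC = "00:11:22:33:44:55"
SAMPLES = {
    "wrong password": (
        ["RADIUS: rejecting the user alice"],
        [f"Station had associated. Interface: wlan-1-1 Station: {MAC}",
         f"Station had disassoc. Interface: wlan-1-1 Station: {MAC}"],
        ["Network Policy Server denied access to a user."]),
    "server down": (
        ["RADIUS: rejecting the user alice"],
        [f"Station had disassoc. Interface: wlan-1-1 Station: {MAC}"],
        []),
    "untrusted AC": (
        [f"STA is blocked by Auth Failed(AAA Profile: default), MAC: {MAC}, "
         "Interface:wlan-1-1",
         "RADIUS: rejecting the user alice"],
        [],
        ["A RADIUS message was received from the invalid RADIUS client "
         "IP address 192.168.100.15."]),
}

if __name__ == "__main__":
    for name, logs in SAMPLES.items():
        print(name, "->", classify(*logs))
```
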

8.2 Symptom: the 802.1X authentication failed with Active Directory (AD) server

The procedure of the troubleshooting:

1. Check the configuration of the controller and AD server.

2. Check the port number of AD server.

3. Ping the AD server and AP

4. Ping the domain name

5. Information collection and report the issue to the HQ.

6. Analysis for System logs and Packets.

1 Check the configuration of the controller and AD server.

Check the information of AD server on the NXC.

Figure 224 CONFIGURATION > Object > AAA Server > Active Directory > Edit

Check the AD server information of NXC.

There is an example with windows 2008 R2 AD server let us to double

*Please confirm that Advanced Features is selected in the View menu of the AD server before you check the DN information.

Figure 225 Windows2008 RADIUS server > Active Directory Users and Computers > View > Advanced Features

Base DN: enter the domain name.

Go to the AD server and open Active Directory Users and Computers. Right-click the domain name and go to Properties > Attribute Editor > distinguishedName > view. It shows the value that you can copy and paste into the Base DN field on the NXC.

Figure 226 Windows2008 RADIUS server > Active Directory Users and Computers > Domain name (right click) > Properties > distinguished Name

Bind DN: enter the user who has the privilege to configure the AD server and group settings. On our server, the Administrator account has full privileges for these settings. The account information is the same as the account used to log in to the AD server.

Bind DN: CN=Administrator,CN=Users,DC=zyxel,DC=cso,DC=com

Password: The password of Administrator

Go to the AD server and open Active Directory Users and Computers. Select Users, right-click Administrator and go to Properties > Attribute Editor > distinguishedName > view. It shows the value that you can copy and paste into the Bind DN field on the NXC.

Figure 227 Windows2008 RADIUS server > Active Directory Users and Computers > Users > Administrator (right click) > Properties > attribute Editor > distinguished Name

Server Authentication

User name (must be a user who has rights to add a machine to the domain).

Password: enter the password of that user. (You can also use the Administrator account, which has complete rights.)

Realm: enter the domain name.

Figure 228 Windows2008 RADIUS server > Active Directory Users and Computers > Domain name

NetBIOS Name: Go to the AD server and open Active Directory Users and Computers. Right-click the domain name and go to Properties > General. It shows the value that you can copy and paste into the NetBIOS field on the NXC.

Figure 229 Windows2008 RADIUS server > Active Directory Users and Computers > Domain name (right click) > Properties > General

After entering the AD server information, you can enter an AD server account ID to test whether the NXC can retrieve the user information with this AD configuration.

The Test Status shows the result of the user authentication.

Figure 230 CONFIGURATION > Object > AAA Server > Active Directory > Edit Active Directory > Configuration Validation > Test
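A mismatch between the Realm, Base DN and Bind DN fields is easy to miss when the values are pasted by hand, so the following pre-check compares them before running the built-in test. It is an added example, not part of the guide or of the NXC firmware; the realm `zyxel.cso.com` is derived from the DC components of the guide's Bind DN, the account `wlan-bind` is hypothetical, and the two "review" findings are hardening notes of this example rather than checks the NXC performs.

```python
def split_dn(dn):
    """Split a DN into RDNs, keeping backslash-escaped commas (RFC 4514)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def normalize(dn):
    """Case-insensitive comparison form: [(ATTR, value), ...]."""
    out = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().upper(), value.strip().lower()))
    return out


def domain_to_dn(domain):
    """Turn zyxel.cso.com into DC=zyxel,DC=cso,DC=com."""
    return ",".join(f"DC={label}" for label in domain.strip(".").split("."))


def check_ad_profile(realm, base_dn, bind_dn, port=389):
    """Return findings for the AAA Server > Active Directory fields."""
    findings = []
    domain = normalize(domain_to_dn(realm))
    base, bind = normalize(base_dn), normalize(bind_dn)
    if base[-len(domain):] != domain:
        findings.append("base-dn-not-in-realm")
    if len(bind) <= len(base) or bind[-len(base):] != base:
        findings.append("bind-dn-outside-base-dn")
    if bind and bind[0] == ("CN", "administrator"):
        # Directory lookups need read access only (least privilege).
        findings.append("review: bind account is the built-in Administrator")
    if port == 389:
        # 389 is the plain LDAP port; a simple bind on it is not encrypted
        # unless StartTLS is negotiated.
        findings.append("review: plain LDAP port 389")
    return findings


# Values from the guide, plus one constructed misconfiguration.
GUIDE_BIND_DN = "CN=Administrator,CN=Users,DC=zyxel,DC=cso,DC=com"

if __name__ == "__main__":
    print(check_ad_profile("zyxel.cso.com", "DC=zyxel,DC=cso,DC=com",
                           GUIDE_BIND_DN))
    print(check_ad_profile("zyxel.cso.com", "DC=zyxel,DC=com",
                           "CN=wlan-bind,CN=Users,DC=zyxel,DC=cso,DC=com",
                           port=636))
```
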

Make sure the NXC and the AD server both have the correct time.

Figure 231 CONFIGURATION > System > Date/Time > Time Zone Setup

Set the same domain name as you set on the AD server.

Figure 232 CONFIGURATION > System > Host name.

Add the domain zone information.

Figure 233 Public DNS server: enter the IP address of a DNS server that can resolve the domain name. If you have no additional DNS server, you can enter the IP address of the AD server.

Figure 234 CONFIGURATION > System > DNS > Domain Zone Forwarder > Add.

Select the AD server you created.

Figure 235 CONFIGURATION > Object > Auth. Method > Add.

Make sure the security list has 802.1X authentication and the correct AD server selected. Because the AD server doesn’t support the EAP protocol, the NXC has a built-in FreeRADIUS server that provides the EAP protocol for station authentication. The RADIUS Type must be set to Internal when the external authentication server is an AD server.

If the AD server has IAS or NPS installed, which support the EAP protocol, the RADIUS server type of the NXC can be set to External.

Figure 236 CONFIGURATION > Object > AP profile > SSID > Security List.

Check the security profile with 802.1X authentication.

Figure 237 CONFIGURATION > Object > AP profile > SSID > SSID List.

Check whether the AP is set to the AP profile that you created.

Check whether the AD server has received the information from the NXC5500 and automatically added the NXC5500 to the Computers list.

Figure 238 Windows2008 RADIUS server > Active Directory Users and Computers > Computers

2 Check the port number of AD server.

To confirm the network traffic, make sure the server's port is the same as the port configured in the NXC5500, and log in to the consoles of the NXC and the RADIUS server.

Check the port number

The default port of the AD server in the NXC is 389. If there is a firewall in the network, check that these ports are also open in the firewall.

3 Ping the AD server and AP

To confirm the network traffic, make sure the server's port is the same as the port configured in the NXC5500, and log in to the consoles of the NXC and the AD server.

Confirm that network traffic flows smoothly between the AP and the AD server.

The NXC pings the external AD server and the AP.

Figure 239 Tera Term > NXC > Router > ping <AD server’s IP> and AP’s IP

The AD server pings the NXC and the AP.

Figure 240 AD server > cmd > ping <NXC’s IP> and AP’s IP

4 Ping the domain name.

If you use the AD server to authenticate clients, the NXC needs to be able to resolve the domain name.

Figure 241 Tera Term > NXC > Router > ping <Domain name>

If the NXC cannot resolve the domain name, check the IP address of the AD server and the DNS configuration in the NXC, or enter the command “nslookup <Domain name>” to check which IP address the domain name resolves to.

Figure 242 Tera Term > NXC > Router > nslookup <Domain name>

Packet trace by NXC

Use a packet trace to confirm that the NXC communicates with the AD server when the station performs 802.1X authentication.

The default port of the AD server is 389.

[CLI]: packet-trace interface <INTERFACE> port <port number>

After typing the CLI command, let the station connect to the SSID and authenticate.

5 Information collection and report the issue to the HQ.

If authentication still fails after you have checked the configuration and verified the network, please collect the following information for us to analyze the symptom.

Select all the options and press the “Collect Now” button. You need to wait a few minutes.

Figure 243 MAINTENANCE > Diagnostics > Diagnostics > collect on controller > Collect Now.

When the logs have been collected, download the file and send it to us.

Figure 244 MAINTENANCE > Diagnostics > Diagnostics > Files.

Capture packets

Select the interface and press the “Capture” button before the station connects to the SSID and performs 802.1X authentication.

Figure 245 MAINTENANCE > Diagnostics > Packet Capture.

The CLI command and debug log

Follow the steps below to retrieve the 802.1X debug log.

Log in by console or SSH using the admin account.

Figure 246 Tera Term > NXC > Router> enable > debug authentication server log move to ftp

Log in to the controller's FTP server using the admin account.

Download /tmp/RADIUS.log over FTP.

Figure 247 Computer > cmd > ftp <NXC’s IP> > cd/tmp > ls > get radius.log

6 Analysis for System logs and Packets.

Normal log and packets:

From AC:

STA Association. MAC: XX:XX:XX:XX:XX:XX, AP:

Ext-User <user account> from 802.1x has logged in EnterpriseWLAN

Figure 248 MONITOR > Log > View Log

From AP

Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Station had authorized. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Figure 249 MONITOR > Log > View AP Log

Packet: Access-Accept

Figure 250 Success_packets.cap > Wireshark

RADIUS.log

Figure 251 Success_AD_radius.log

No response from AD server

From AC

RADIUS: rejecting the user <user account>

Figure 252 MONITOR > Log > View Log

From AP

Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Station had disassoc. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Figure 253 MONITOR > Log > View AP Log

Packet: Access-Reject

Figure 254 Wireshark > no ad server.cap

RADIUS.log

Figure 255 no ad server_radius.log

Unknown user or wrong password

From AC

RADIUS: rejecting the user <user account>

Figure 256 MONITOR > Log > View Log or View AP Log

From AP

Figure 257 MONITOR > Log > View AP Log

Packet: Access-Reject

Figure 258 Wrong_password-AD.cap > wireshark

RADIUS.log

Figure 259 Wrong_password-AD_radius.txt

Wrong DNS

From AC

Figure 260 MONITOR > Log > View Log

From AP

Figure 261 MONITOR > Log > View AP Log

Packet

Figure 262 Wireshark > Wrong_DNS_AD.cap

RADIUS.log

Figure 263 Wrong_DNS_AD.radius.log

8.3 Symptom: the 802.1X authentication failed with Lightweight Directory Access Protocol (LDAP) server

The procedure of the troubleshooting:

1. Check the configuration of the controller and LDAP server.

2. Check the port number of LDAP server.

3. Ping the LDAP server and AP

4. Information collection and report the issue to the HQ.

5. Analysis for System logs and Packets

1 Check the configuration of the controller and LDAP server.

Configure LDAP setting

Figure 264 LDAP settings

Figure 265 LDAP server > Users and Computers

Check whether the LDAP information is correct.

Figure 266 CONFIGURATION > Object > AAA Server > LDAP > Edit

Base DN: enter the domain name.

Bind DN: enter a user who has the privilege to configure LDAP. In the example, the administrator account “ldapadmin” has full privileges for these settings. The account information is the same as the account used to log in to LDAP.

After entering the LDAP information, you can enter an LDAP account ID to test whether the LDAP information is correct.

Note: The Test Status shows the result of the user authentication.

Figure 267 CONFIGURATION > Object > AAA Server > LDAP > Edit LDAP > Configuration Validation > Test

Select the LDAP server you created.

Figure 268 CONFIGURATION > Object > Auth. Method > Authentication method > Add

Make sure the security list has 802.1X authentication and the correct LDAP server selected. Because an LDAP server doesn’t support the EAP protocol and cannot be an authentication server, the NXC has a built-in FreeRADIUS server that provides the EAP protocol for station authentication. The RADIUS server type must be set to Internal when the external authentication server is an LDAP server.

Figure 269 CONFIGURATION > Object > AP profile > SSID > Security List > Add

Check the security profile with 802.1X authentication.

Figure 270 CONFIGURATION > Object > AP profile > SSID > SSID List

Check whether the AP is set to the AP profile that you created.

2 Check the port number of LDAP server

To confirm the network traffic, make sure the server's port is the same as the port configured in the NXC5500, and log in to the consoles of the NXC and the LDAP server.

Check the port number

The default port of the LDAP server in the NXC is 389. If there is a firewall in the network, check that these ports are also open in the firewall.

3 Ping the LDAP server and AP

To confirm the network traffic, make sure the server's port is the same as the port configured in the NXC5500, and log in to the consoles of the NXC and the LDAP server.

Confirm that network traffic flows smoothly between the AP and the LDAP server.

The NXC pings the external LDAP server and the AP.

Figure 271 Tera Term > NXC > Router > ping <LDAP server’s IP> and AP’s IP

The LDAP server pings the NXC and the AP.

Figure 272 AD server > cmd > ping <NXC’s IP> and AP’s IP

Packet trace by NXC

Use a packet trace to confirm that the NXC communicates with the LDAP server when the station performs 802.1X authentication.

The default port of the LDAP server is 389.

[CLI]: packet-trace interface <INTERFACE> port <port number>

After typing the CLI command, let the station connect to the SSID and authenticate.

4 Information collection and report the issue to the HQ.

If authentication still fails after you have checked the configuration and verified the network, please collect the following information for us to analyze the symptom.

Select all the options and press the “Collect Now” button. You need to wait a few minutes.

Figure 273 MAINTENANCE > Diagnostics > Diagnostics > collect on controller > Collect Now.

When the logs have been collected, download the file and send it to us.

Figure 274 MAINTENANCE > Diagnostics > Diagnostics > Files.

Capture packets

Select the interface and press the “Capture” button before the station connects to the SSID and performs 802.1X authentication.

Figure 275 MAINTENANCE > Diagnostics > Packet Capture.

The CLI command and debug log

Follow the steps below to retrieve the 802.1X debug log.

Log in by console or SSH using the admin account.

Figure 276 Tera Term > NXC > Router> enable > debug authentication server log move to ftp

Log in to the controller's FTP server using the admin account.

Download /tmp/RADIUS.log over FTP.

Figure 277 Computer > cmd > ftp <NXC’s IP> > cd/tmp > ls > get radius.log

5 Analysis for System logs and Packets

Normal log and packets

From AC

STA Association. MAC: XX:XX:XX:XX:XX:XX, AP:

Ext-User <user account> from 802.1x has logged in EnterpriseWLAN

Figure 278 MONITOR > Log > View Log

From AP

Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Station had authorized. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Figure 279 MONITOR > Log > View AP Log

Packet – Access-Accept

Figure 280 Wireshark > Success_LDAP.cap

RADIUS.log

Figure 281 Success_LDAP_radius.log

No response from external LDAP server

From AC

RADIUS: rejecting the user <user account>

Figure 282 MONITOR > Log > View Log

From AP

Station had associated. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Station had disassoc. Interface: wlan-X-X Station: XX:XX:XX:XX:XX:XX

Figure 283 MONITOR > Log > View AP Log

Packet: Access-Reject

Figure 284 Wireshark > no_LDAP_server_radius.cap

RADIUS.log

Figure 285 no_LDAP_server_radius.log

Unknown user or wrong password

From AC

Figure 286 MONITOR > Log > View Log

From AP

Figure 287 MONITOR > Log > View AP Log

Packet: Access-Reject

Figure 288 Wireshark > wrong_password_LDAP.cap

RADIUS.log

Figure 289 wrong_password_LDAP_radius.log
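The Access-Request, Access-Accept and Access-Reject packets named in the analysis sections can also be decoded from the raw UDP payload of a capture. The following parser for the RFC 2865 header and two attributes, with request/reply pairing by Identifier, is an added example and not part of the guide; the helper names and user names are assumptions and the sample packets are constructed.

```python
import socket
import struct

# RFC 2865 packet codes and the two attribute types decoded here.
CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, NAS_IP_ADDRESS = 1, 4


def parse_radius(payload):
    """Decode the UDP payload of one RADIUS packet (default port 1812)."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("Length field does not fit the captured payload")
    pkt = {"code": CODES.get(code, f"code-{code}"), "id": ident, "attrs": {}}
    pos = 20                              # skip the 16-byte Authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} overruns the packet")
        value = payload[pos + 2:pos + alen]
        if atype == USER_NAME:
            pkt["attrs"]["User-Name"] = value.decode("utf-8", "replace")
        elif atype == NAS_IP_ADDRESS and len(value) == 4:
            pkt["attrs"]["NAS-IP-Address"] = socket.inet_ntoa(value)
        pos += alen
    return pkt


def pair_exchanges(payloads):
    """Match each Access-Request to the reply with the same Identifier.

    Assumes all payloads come from one client socket; across several
    clients the key would also need source address and port.
    """
    pending, result = {}, []
    for raw in payloads:
        pkt = parse_radius(raw)
        if pkt["code"] == "Access-Request":
            pending[pkt["id"]] = pkt
        elif pkt["id"] in pending:
            req = pending.pop(pkt["id"])
            result.append((req["attrs"].get("User-Name"), pkt["code"]))
    result += [(p["attrs"].get("User-Name"), "no reply")
               for p in pending.values()]
    return result


def build(code, ident, attrs=()):
    """Construct a sample packet (zeroed Authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed capture: one accepted, one rejected, one unanswered request.
SAMPLE = [
    build(1, 7, [(USER_NAME, b"alice"),
                 (NAS_IP_ADDRESS, socket.inet_aton("192.168.100.32"))]),
    build(2, 7),
    build(1, 8, [(USER_NAME, b"bob")]),
    build(3, 8),
    build(1, 9, [(USER_NAME, b"carol")]),
]

if __name__ == "__main__":
    for user, outcome in pair_exchanges(SAMPLE):
        print(f"{user}: {outcome}")
```
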

8.4 The configuration of Windows computer for 802.1X authentication

A computer running Windows has to add a connection for the SSID with 802.1X authentication, or it will fail to connect.

Configuring a Windows 8 device to connect to the SSID with 802.1X

Open the “Network and Sharing Center”.

Figure 290 Computer > open Network and Sharing Center

Click “Set up a new connection or network”.

Figure 291 Computer > open Network and Sharing Center > Set up a new connection or network

Select “Manually connect to a wireless network”.

Figure 292 Computer > open Network and Sharing Center > Set up a new connection or network > Manually connect to a wireless network

In the “Network name” field, enter the SSID you set on the NXC5500, and select the Security type and Encryption type you set in the AP profile of the NXC5500.

Figure 293 Computer > open Network and Sharing Center > Set up a new connection or network > Manually connect to a wireless network

Click “Change connection settings”.

Figure 294 Computer > open Network and Sharing Center > Set up a new connection or network > Manually connect to a wireless network

Click Settings for more settings.

Figure 295 Computer > open Network and Sharing Center > Set up a new connection or network > Manually connect to a wireless network > Change connection settings > security

Uncheck “Validate server certificate” and then click Configure…

Figure 296 Computer > open Network and Sharing Center > Set up a new connection or network > Manually connect to a wireless network > Change connection settings > security > settings

Uncheck “Automatically use my Windows login name and password (and domain if any).” Go back to Protected EAP Properties and click “OK”.

Figure 297 Computer > open Network and Sharing Center > Set up a new connection or network > Manually connect to a wireless network > Change connection settings > security > settings > configure…

Go to ZT_AD Wireless Network Properties and click “Advanced settings”.

Figure 298 Computer > open Network and Sharing Center > Set up a new connection or network > Manually connect to a wireless network > Change connection settings > security > Advanced settings

Check “specify authentication mode” and select the mode you want.

Figure 299 Computer > open Network and Sharing Center > Set up a new connection or network > Manually connect to a wireless network > Change connection settings > security > Advanced settings > 802.1X settings

Return to ‘Wireless Network Connection’ and click the SSID you set up manually earlier.

Note: If the ‘Encryption type’ setting does not match the setting on the NXC5500, you will see a red cross as shown in the picture.

Enter the username and password created on the Windows Server 2008 AD. The wireless authentication will succeed.
