- Released At: 06-02-2026
H3C EAD
Troubleshooting Guide
Document version: 5W100-20260204
Copyright © 2026 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Endpoint Intelligent Access module
Troubleshoot user authentication issues
Troubleshoot user login failures
Troubleshoot policy and service failures
Troubleshoot MSCHAPv2 authentication issues
Troubleshoot third-party issues
Troubleshoot common issues with MAC portal authentication
Troubleshoot common issues with transparent portal authentication
Endpoint compliance management module
Collect logs for the EAD endpoint compliance management module
Introduction
This document provides information about troubleshooting common hardware and software issues with the EAD product.
Restrictions and guidelines
CAUTION: To prevent an issue from causing loss of configuration, save the configuration each time you finish configuring a feature. For configuration recovery, regularly back up the configuration to a remote server.
Before you perform fault diagnosis and troubleshooting, follow these restrictions and guidelines:
· To help identify the cause of the issue, collect system and configuration information, including:
¡ Symptom, time of failure, and configuration.
¡ Installation environment and software running status.
¡ Log messages and diagnostic information.
¡ Steps you have taken and their effects.
· Personnel involved in diagnosing and troubleshooting must have a detailed understanding of the software's operating mechanism and be proficient in using the software and its dependent programs and systems.
· If program file replacement or patch installation is required during troubleshooting, perform the task as described in the related release notes to ensure compatibility.
Contact technical support
If an issue persists after you perform the troubleshooting procedures in this document, contact H3C Support.
Email: [email protected]
Endpoint Intelligent Access module
Troubleshoot user authentication issues
A user does not exist
Symptom
Prompt message: User does not exist.
Solution
Possible causes
The user is not configured in EIA.
Recommended actions
Add this user to the access user list in EIA.
The user has other connections undergoing authentication. Please try again later
Symptom
Prompt message: The server is processing your last authentication request, please try again later.
Solution
Possible causes
EIA is processing the user's last authentication request.
Recommended actions
Wait for a while before re-authentication.
The user has been added to the blacklist
Symptom
Prompt message: User is already in the blacklist.
Solution
Possible causes
Common causes for adding users to the blacklist include:
· Operators lock out users.
· Malicious login attempts occur.
· Overdue payments exceed the specified billing cycle.
· Failed top-ups exceed the threshold.
· Invalid clients are detected.
Recommended actions
· For users locked out by an operator, manually remove them from the blacklist.
· For users added to the blacklist due to overdue payments beyond the specified billing cycle, pay the outstanding fees.
· For malicious login attempts, failed top-ups that reach the threshold, or invalid clients, use either of the following methods to resolve the issue:
¡ Solution 1: Wait until midnight the next day for the system to automatically release the users. Navigate to the Automation > Network Access > Access Management > Parameter Management > UAM > System Parameters page to configure the Blacklist Period parameter. Select this option to set a blacklist removal time. If you disable this feature, the system automatically removes entries from the blacklist at 3:30 a.m. every day.
Figure 1 Blacklist period
¡ Solution 2: Contact the administrator to manually release the users.
Invalid user state
Symptom
Prompt message: User state is invalid.
Solution
Possible causes
The user requests the device to perform device management user authentication, but the device performs common user authentication, causing a mismatch.
Recommended actions
Identify whether the authentication types match on both the device and EIA. For device management users, configure the scheme-based authentication method on the device.
Expired user
Symptom
Prompt message: User is out of date.
Solution
Possible causes
The expiration time of a user has reached when the user performs authentication.
Recommended actions
On the Automation > Network Access > Access Management > Access User > All Access Users page, click the Modify icon in the Actions column for the user. Then edit the end time on the page for editing the user.
User written off
Symptom
Prompt message: User is already written off.
Solution
Possible causes
The account has been written off.
Recommended actions
Add the user on the Automation > Network Access > Access Management > Access User > All Access Users page.
Forbidden user status
Symptom
Prompt message: User is forbidden.
Solution
Possible causes
Preregistration reconfirmation is enabled for pre-registered users in system parameters. This feature keeps the user status as inactive after the operator completes formal or batch registration for pre-registered users.
Recommended actions
Activate this user as the operator.
The user does not exist or has not requested this service
Symptom
Prompt message: The user does not exist or has not subscribed to this service.
Solution
Possible causes
The user is not configured in EIA or the user does not request the service used in authentication. The domain service suffix configuration exists on the device side.
Recommended actions
Identify whether the user is configured in EIA or whether the requested service is correct. Add the user if missing. Modify the service if incorrect.
Invalid service state
Symptom
Prompt message: Service state is invalid.
Solution
Possible causes
The user undergoing authentication is in abnormal state, for example, a pre-generated account for a dumb terminal is canceled.
Recommended actions
Add the user on the Automation > Network Access > Access Management > Access User > All Access Users page.
Online user limit
Symptom
Prompt message: The online number reaches the upper limit.
Solution
Possible causes
The number of online users using this account has reached the configured limit.
Recommended actions
Edit the maximum concurrent logins on the Automation > Network Access > Access Management > Access User > All Access Users page. Alternatively, configure the maximum number of online endpoints for an account on the Automation > Network Access > Access Management > Access Service page. The maximum concurrent logins for access users and the maximum number of online endpoints for an account in access service scenarios trigger different prompt messages. Use the prompt message to identify which limit was reached.
Incorrect password
Symptom
Prompt message: Incorrect password.
Solution
Possible causes
The password entered for user authentication is incorrect.
Recommended actions
Use the correct user password for authentication.
The password is incorrect and you have been added to the blacklist
Symptom
Prompt message: Incorrect password. You have been added into blacklist.
Solution
Possible causes
The number of consecutive failed password authentication attempts by the user reaches the set value.
Recommended actions
· Use either of the following methods:
¡ Solution 1: Wait until midnight the next day for the system to automatically release the users. Navigate to the Automation > Network Access > Access Management > Parameter Management > UAM > System Parameters page to configure the Blacklist Period parameter. Select this option to set a blacklist removal time. If you disable this feature, the system automatically removes entries from the blacklist at 3:30 a.m. every day.
Figure 2 Blacklist period
¡ Solution 2: Contact the administrator to manually release the users.
Incorrect password. You can retry #Count more times
Symptom
Prompt message: Incorrect password. You can retry #Count times.
Solution
Possible causes
Incorrect user passwords are entered. The system prompts how many attempts remain before adding the user to the blacklist.
Recommended actions
Use the correct password for authentication.
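The two prompts above ("You can retry #Count times" and "You have been added into blacklist") and the two release paths described under "The password is incorrect and you have been added to the blacklist" come from one mechanism: a per-user count of consecutive password failures, a blacklist entry once the count reaches the configured value, and automatic release either after the Blacklist Period or at 3:30 a.m. when that parameter is disabled. The following Python model is an added example written for this guide, not EIA code; the threshold of 3, the user names and the timestamps are constructed, and the model assumes the counter resets on a successful authentication.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Optional

# Constructed model of the consecutive-failure blacklist the guide describes.
# Default release time used when the Blacklist Period parameter is disabled.
DAILY_RELEASE = time(3, 30)


@dataclass
class BlacklistModel:
    threshold: int = 3                              # failures before blacklisting (assumed value)
    blacklist_period: Optional[timedelta] = None    # None: rely on the daily 03:30 release
    failures: dict = field(default_factory=dict)    # user -> consecutive failure count
    blacklist: dict = field(default_factory=dict)   # user -> datetime of automatic release

    def release_time(self, now: datetime) -> datetime:
        """When a user blacklisted at `now` is released automatically."""
        if self.blacklist_period is not None:
            return now + self.blacklist_period
        today = datetime.combine(now.date(), DAILY_RELEASE)
        return today if now < today else today + timedelta(days=1)

    def is_blacklisted(self, user: str, now: datetime) -> bool:
        """Check the entry and drop it once its release time has passed."""
        until = self.blacklist.get(user)
        if until is None:
            return False
        if now >= until:                     # automatic release
            del self.blacklist[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Process one authentication attempt and return the prompt the guide documents."""
        if self.is_blacklisted(user, now):
            return "User is already in the blacklist."
        if password_ok:
            self.failures.pop(user, None)    # assumption: a success resets the counter
            return "OK"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        remaining = self.threshold - count
        if remaining <= 0:
            self.blacklist[user] = self.release_time(now)
            del self.failures[user]
            return "Incorrect password. You have been added into blacklist."
        return f"Incorrect password. You can retry {remaining} times."

    def manual_release(self, user: str) -> None:
        """Operator removes the user from the blacklist (Solution 2 in the guide)."""
        self.blacklist.pop(user, None)
        self.failures.pop(user, None)


if __name__ == "__main__":
    model = BlacklistModel(threshold=3)
    t = datetime(2026, 2, 4, 10, 0)          # constructed timestamp
    for _ in range(3):
        print(model.attempt("alice", False, t))
    print(model.attempt("alice", True, t))   # still blacklisted, correct password does not help
    print("released at", model.blacklist["alice"])
```

A user who keeps getting "User is already in the blacklist." with the right password is therefore not a password problem: either wait for the release time the model computes, or have the operator release the account.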
Empty authentication username
Symptom
Prompt message: User name is null.
Solution
Possible causes
The authentication packets did not include the username during user authentication.
Recommended actions
Identify whether the device sends authentication packets with username information.
Incorrect user authentication type
Symptom
Prompt message: Invalid authentication type.
Solution
Possible causes
The authentication type configured in EIA does not match the type configured on the device for user authentication.
Recommended actions
Make sure the authentication types configured on the EIA, device, and client are consistent.
The Rivest, Shamir and Adleman (RSA) algorithm supports only the following authentication types: PAP, EAP-MD5, PEAP-MD5, and PEAP-GTC
Symptom
Prompt message: RSA supports only the following authentication types: PAP, EAP-MD5, PEAP-MD5, and PEAP-GTC.
Solution
Possible causes
The authentication type used for user authentication is not supported by RSA authentication.
Recommended actions
Use the PAP, EAP-MD5, PEAP-MD5, or PEAP-GTC authentication method.
No corresponding dumb terminal configuration is available
Symptom
Prompt message: No MAC address information is available for the mute terminal.
Solution
Possible causes
When a user performs dumb terminal authentication, the MAC address information is not configured in the dumb terminal settings.
Recommended actions
Add MAC address information on the Automation > Network Access > Access Management > Access User > Dumb Terminal Profile page.
Your account is not active yet and please try again in 15 minutes
Symptom
Prompt message: The user account has not been generated. Please retry 15 minutes later.
Solution
Possible causes
With on-demand LDAP synchronization, EIA generates pre-registered accounts while synchronizing users or configuring third-party authentication. The pre-registered account for this user has not been generated yet when the user performs authentication.
Recommended actions
Wait 15 minutes before re-authentication.
No predefined account is available for the mute terminal user. Please contact the administrator
Symptom
Prompt message: No predefined account is available for the mute terminal user. Please contact the administrator.
Solution
Possible causes
The system generates pre-defined users when configuring dumb terminal user settings, but fails to find their pre-defined user information during authentication.
Recommended actions
Click Activate on the Automation > Network Access > Access Management > Access User > Dumb Terminal Profile page. Alternatively, wait for a while before re-authentication.
Static IPv6 address binding check failed
Symptom
Prompt message: Failed to check IPv6 address binding.
Solution
Possible causes
The access policy has the Bind User IPv6 Address option selected, but the user fails to obtain an IPv6 address during authentication or the obtained address does not match the bound IPv6 address in the access user.
Recommended actions
· Solution 1: Make sure the user obtains an IPv6 address during authentication.
· Solution 2: Make sure the IPv6 address uploaded during user authentication matches the bound user IPv6 address set in the access policy.
· Solution 3: Clear the Bind User IPv6 Address option in the access policy.
Because you have failed authentication %d times consecutively, the server drops this request. Try again after %d minutes
Symptom
Prompt message: The request is dropped by UAM because of %d consecutive authentication failures. Please try again %d minutes later.
Solution
Possible causes
The system has the authentication anti-attack feature enabled. The user has reached the authentication failure threshold set in the system parameters due to consecutive authentication failures.
Recommended actions
1. Disable the authentication anti-attack feature.
2. Adjust the authentication failure threshold in system parameters or wait for the time specified in the failure message before retrying authentication.
The guest password has expired. Please obtain a new password
Symptom
Prompt message: The password of the guest is expired. Click Forget Password to obtain a new password.
Solution
Possible causes
The password entered for guest authentication has expired. The password validity period is configured in the guest policy.
Recommended actions
Administrators can re-set the guest password validity period on the guest policy page, or users can reset their passwords by themselves during login.
User not active
Symptom
Prompt message: The user is not validated.
Solution
Possible causes
The access user's effective date has not yet been reached when the user performs authentication. The effective date is set when the user is added: navigate to the Automation > Network Access > Access Management > Access User page and click Add to open the Add Access User page, as shown in the following figure.
Figure 3 Configure the effective date parameters
Recommended actions
Edit the effective date of this user in the access user list.
Authentication forbidden for anonymous BYOD users
Symptom
Prompt message: An anonymous BYOD user cannot perform MAC portal authentication.
Solution
Possible causes
The endpoint has already performed 802.1X or portal authentication and cannot perform MAC portal authentication afterward.
Recommended actions
Delete the corresponding endpoint record on the endpoint management page.
Troubleshoot online users
The service requested by an LDAP user automatically switches to another service
Symptom
The service requested by an LDAP user automatically switches to another service.
Solution
Possible causes
Locate the LDAP server associated with the LDAP policy for the LDAP user. If you configure the LDAP server to synchronize services based on AD groups, EIA automatically re-applies for services for LDAP users according to their AD groups when the following operations are performed:
1. An operator edits an LDAP user’s service or moves a user to another AD group.
2. EIA runs a scheduled task or an operator manually triggers synchronization operations.
Recommended actions
1. When applying for or canceling services for LDAP users, edit the services assigned to the corresponding AD groups in the LDAP synchronization policy. During the next synchronization, EIA will automatically apply for or cancel services based on the user's AD group membership.
2. Configure the service sync type as Manual Assignment for the LDAP server. This ensures that user-requested services remain unchanged during LDAP user synchronization.
Figure 4 Service synchronization method
The user went offline due to a NAS error
Symptom
The user went offline after being online for a period of time. The Internet access details show the offline reason as NAS Error.
Solution
Possible causes
The access device failed, causing users to go offline unexpectedly.
Recommended actions
Collect logs as described in "Collect logs." Contact H3C Support to locate device issues.
Troubleshoot user login failures
Trial users are not allowed to come online
Symptom
Prompt message: A trial account is not allowed to log in.
Solution
Possible causes
The user has not been approved and is not a formal user.
Recommended actions
Approve the trial users in the access user settings.
Pre-canceled users are not allowed to come online
Symptom
Prompt message: A temporarily canceled account is not allowed to log in.
Solution
Possible causes
The user has been pre-canceled.
Recommended actions
Administrators can restore the pre-canceled user in the access user list.
The device is lost and cannot come online
Symptom
Prompt message: The device cannot access the network because it has been marked as "lost".
Solution
Possible causes
The device is marked as lost on the self-service page.
Recommended actions
On the self-service page, change the endpoint status from lost to normal in the endpoint management area.
An access user cannot come online with the current endpoint
Symptom
Prompt message: The user cannot access the network from the current endpoint.
Solution
Possible causes
If an endpoint is bound to an access user in endpoint management, the system displays this message when the access user is not among the bound users.
Recommended actions
Add this user to the bound access users.
Troubleshoot policy and service failures
Port binding check failed
Symptom
Prompt message: Failed to check device port binding.
Solution
Possible causes
The access policy has the Bind Access Device Port option selected, but the device port used for user authentication does not match the bound port in the access user settings.
Recommended actions
· Solution 1: Make sure the device port used for user authentication matches the bound access device port set in the access policy.
· Solution 2: Clear the Bind Access Device Port option in the access policy.
MAC address binding check failed
Symptom
Prompt message: Failed to check MAC address binding.
Solution
Possible causes
The access policy has the Bind User MAC Address option selected, but the MAC address used for user authentication does not match the bound MAC address in the access user settings.
Recommended actions
· Solution 1: Make sure the MAC address used for user authentication matches the MAC address bound to the access user.
· Solution 2: Clear the Bind User MAC Address option in the access policy.
IP address binding check failed
Symptom
Prompt message: Failed to check IP address binding.
Solution
Possible causes
The access policy has the Bind User IP Address option selected, but the user fails to obtain an IP address during authentication or the address does not match the bound IP address in the access user.
Recommended actions
· Solution 1: Make sure the IP address uploaded during user authentication matches the bound user IP address set in the access policy.
· Solution 2: Clear the Bind User IP Address option in the access policy.
Access time limit
Symptom
Prompt message: Access time limit.
Solution
Possible causes
The access policy or scenario has the access time limit configured, and the user initiates authentication during the time limit or exceeds the time limit after authentication.
Recommended actions
Edit the restricted access period in the access time range or disable the access time range.
Access host permission limit
Symptom
Prompt message: User has no right to access the host.
Solution
Possible causes
The device management user has a bound user IP address or device IP address, but the user IP or device IP is not within the bound range during authentication.
Recommended actions
· Solution 1: Make sure the user or device IP address uploaded during user authentication matches the configured IP address in the management user settings. This keeps the IP address used for authentication within the bound range.
· Solution 2: Cancel the user IP address or device IP address binding feature in the device management user.
Authentication client version too low
Symptom
Prompt message: The authentication client version is too old.
Solution
Possible causes
· The access policy has the Client Only option selected and sets a minimum version number. The iNode client version used for user authentication is lower than the set version number, or the client does not select to upload its version number.
· The user did not perform authentication with the iNode client.
Recommended actions
· In the access policy, clear the Client Only option. Use a client with a version number not lower than the configured value. In the iNode client attribute settings, select the Upload Client Version Number option.
· Use the iNode client.
Device IP binding check failed
Symptom
Prompt message: Failed to check device IP address binding.
Solution
Possible causes
The access policy has the Bind Access Device IP option selected, but the access device used for user authentication does not match the bound access device in the access user configuration.
Recommended actions
· Solution 1: Make sure the IP address of the selected access device in the access policy matches the actual access device IP address during user authentication.
· Solution 2: In the access policy, clear the Bind Access Device IP option.
Device VLAN binding check failed
Symptom
Prompt message: Failed to check device VLAN binding.
Solution
Possible causes
The access policy has the Bind VLAN or Bind QinQ Double VLAN option configured, but the user fails to obtain VLAN information or obtains a VLAN that conflicts with the user's bound VLAN during authentication.
Recommended actions
· Solution 1: Make sure the VLAN carried during user authentication matches the VLAN bound in the access policy.
· Solution 2: In the access policy, clear the Bind VLAN or Bind QinQ Double VLAN option.
Wireless user SSID binding check failed
Symptom
Prompt message: Failed to check user SSID binding.
Solution
Possible causes
The access policy has the Bind User SSID option configured, but the user fails to obtain an SSID or obtains an SSID that conflicts with the user's bound SSID during authentication.
Recommended actions
· Solution 1: Make sure the SSID obtained during user authentication matches the SSID set in the access user configuration.
· Solution 2: In the access policy, clear the Bind User SSID option.
Access from a MAC address is denied
Symptom
Prompt message: Access from the MAC address is denied.
Solution
Possible causes
The access policy has the Control Access IP/MAC Address option selected, but the endpoint MAC address used for user authentication is not in the permitted MAC address pool or is in the denied MAC address pool.
Recommended actions
Add this MAC address to the endpoint IP/MAC address list and set the control type to Permit.
Access from an IP address is denied
Symptom
Prompt message: Access from the IP address is denied.
Solution
Possible causes
The access policy has the Control Access IP/MAC Address option selected, but the endpoint IP address used for user authentication is not in the permitted IP address pool or is in the denied IP address pool.
Recommended actions
Add this IP address to the endpoint IP address pool and set the control type to Permit.
Access from an IP address and MAC address is denied
Symptom
Prompt message: Access from the IP/MAC address is denied.
Solution
Possible causes
The access policy has the Control Access IP/MAC Address option selected, but the endpoint IP and MAC addresses used for user authentication are not in the permitted IP/MAC address pool or are in the denied IP/MAC address pool.
Recommended actions
Add the IP and MAC addresses to the endpoint IP/MAC address pool and set the control type to Permit.
IMSI binding check failed
Symptom
Prompt message: Failed to check IMSI code binding.
Solution
Possible causes
The access policy has the Bind User IMSI option configured, but the user fails to obtain an IMSI number or obtains an IMSI number that conflicts with the user's bound IMSI number during authentication.
Recommended actions
· Solution 1: Make sure the IMSI number uploaded during user authentication matches the IMSI number set for the access user.
· Solution 2: In the access policy, clear the Bind User IMSI option.
Device SN binding check failed
Symptom
Prompt message: Failed to check access device SN binding.
Solution
Possible causes
The access policy has the Bind Access Device SN option selected, but the user fails to obtain a device SN or obtains a device SN that conflicts with the user's bound device SN in the access user during authentication.
Recommended actions
· Solution 1: Make sure the device SN uploaded during user authentication matches the one set in the access device for the access user.
· Solution 2: In the access policy, clear the Bind Access Device SN option.
IMEI number binding check failed
Symptom
Prompt message: IMEI number binding check failure.
Solution
Possible causes
The access policy has the Bind User IMEI option configured, but the user fails to obtain an IMEI number or obtains an IMEI number that conflicts with the user's bound IMEI number during authentication.
Recommended actions
· Solution 1: Make sure the IMEI number uploaded during user authentication matches the IMEI number set for the access user.
· Solution 2: In the access policy, clear the Bind User IMEI option.
Users cannot access in this scenario
Symptom
Prompt message: Access is denied in the access scenario.
Solution
Possible causes
The access service uses a forbidden access policy or has a forbidden access policy bound to it.
Recommended actions
Edit the access policy used in the service requested by this user.
A dumb terminal user requests more than one service
Symptom
Prompt message: The mute terminal user has been assigned multiple services.
Solution
Possible causes
A dumb terminal user requested multiple services during configuration.
Recommended actions
Remove redundant services in the dumb terminal configuration and request only one.
The authentication client version is too low, and the computer name binding check fails
Symptom
Prompt message: The authentication client version is too old. Failed to check computer name binding.
Solution
Possible causes
On the Automation > Network Access > Access Management > Access Service > Access Policy page, click Add to open the Add Access Policy page. If the Bind Computer Name option is selected, the computer name check will fail during authentication.
Figure 5 Bind computer name
Recommended actions
Edit the bound computer name in the access policy.
Computer name binding check failed
Symptom
Prompt message: Failed to check computer name binding.
Solution
The cause and solution are the same as those for "The authentication client version is too low, and the computer name binding check fails."
Computer domain binding check failed
Symptom
Prompt message: Failed to check domain binding.
Solution
Possible causes
On the Automation > Network Access > Access Management > Access Service > Access Policy page, click Add to open the Add Access Policy page. If the Bind Domain option is selected, the domain binding check will fail during user authentication.
Figure 6 Computer domain binding configuration
Recommended actions
Edit the domain binding configuration in the access policy.
Logon domain check failed
Symptom
Prompt message: Failed to check logon domain.
Solution
Possible causes
On the Automation > Network Access > Access Management > Access Service > Access Policy page, click Add to open the Add Access Policy page. If the Logon Domain option is selected, the logon domain check will fail during user authentication.
Figure 7 Configure the logon domain
Recommended actions
Edit the logon domain configuration in the access policy.
Hard disk serial number binding check failed
Symptom
Prompt message: Hard disk serial number binding check failed.
Solution
Possible causes
On the Automation > Network Access > Access Management > Access Service > Access Policy page, click Add to open the Add Access Policy page. If the Bind Hard Disk Serial Number option is selected, the hard disk serial number binding check will fail during authentication.
Figure 8 Configure hard disk serial number binding
Recommended actions
Edit the hard disk serial number binding configuration in the access policy.
Operating system authorization code binding check failed
Symptom
Prompt message: Os auth code serial number binding check failed.
Solution
Possible causes
On the Automation > Network Access > Access Management > Access Service > Access Policy page, click Add to open the Add Access Policy page. If the Bind Operating System Authorization Code option is selected, the operating system authorization code binding check will fail during authentication.
Figure 9 Bind the operating system authorization code
Recommended actions
Edit the operating system authorization code binding configuration in the access policy.
Access from a user main board serial number is not allowed
Symptom
Prompt message: BaseBoardSN is not allowed.
Solution
Possible causes
The access policy has the Bind BIOS Serial Number option selected, but the user fails to obtain a BIOS serial number or obtains a BIOS serial number that is prevented from accessing.
Recommended actions
· Solution 1: Add the endpoint's main board serial number uploaded during user authentication to the permitted endpoint main board serial number list.
· Solution 2: In the access policy, clear the Bind BIOS Serial Number option.
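The binding checks in this section (port, MAC, IP, IPv6, device IP, VLAN, SSID, IMSI, device SN, IMEI) all follow one pattern: the access policy selects a Bind option, the access user carries a bound value, and the authentication request either does not carry the attribute or carries a value that does not match. The following Python model is an added example written for this guide, not EIA code: the prompt texts are the ones documented above, but the data structures, the attribute keys, the MAC normalization, the fail-closed handling of a missing bound value and the sample policy, user and request are assumptions of this example.

```python
from dataclasses import dataclass

# Prompt texts as documented in this section, keyed by an attribute name chosen here.
PROMPTS = {
    "port": "Failed to check device port binding.",
    "mac": "Failed to check MAC address binding.",
    "ip": "Failed to check IP address binding.",
    "ipv6": "Failed to check IPv6 address binding.",
    "device_ip": "Failed to check device IP address binding.",
    "vlan": "Failed to check device VLAN binding.",
    "ssid": "Failed to check user SSID binding.",
    "imsi": "Failed to check IMSI code binding.",
    "device_sn": "Failed to check access device SN binding.",
    "imei": "IMEI number binding check failure.",
}


@dataclass
class AccessPolicy:
    bind: frozenset      # attributes whose Bind ... option is selected


@dataclass
class AccessUser:
    bound: dict          # attribute -> value configured for the access user


def normalize(attr: str, value) -> str:
    """Canonicalise values before comparing. MAC addresses are written with
    different case and separators by different devices (assumed here to be a
    common cause of a spurious mismatch); other values compare as stripped text."""
    text = str(value).strip()
    if attr == "mac":
        return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")
    return text


def check_bindings(policy: AccessPolicy, user: AccessUser, request: dict) -> tuple:
    """Apply every selected binding check to one authentication request.
    Returns (ok, prompt, reason); reason separates the two causes the guide
    lists for each check: attribute missing from the request, or value mismatch."""
    for attr, prompt in PROMPTS.items():          # fixed order: first failing check reports
        if attr not in policy.bind:
            continue
        actual = request.get(attr)
        expected = user.bound.get(attr)
        if actual is None:
            return False, prompt, f"{attr}: not carried in the authentication request"
        if expected is None:
            # Assumption of this model: a selected binding with no bound value fails closed.
            return False, prompt, f"{attr}: no bound value configured for the user"
        if normalize(attr, actual) != normalize(attr, expected):
            return False, prompt, f"{attr}: request carries {actual!r}, user is bound to {expected!r}"
    return True, "", ""


def sample_policy() -> AccessPolicy:
    """Constructed policy with Bind User MAC Address, Bind VLAN and Bind User SSID selected."""
    return AccessPolicy(bind=frozenset({"mac", "vlan", "ssid"}))


def sample_user() -> AccessUser:
    """Constructed access user; the values are invented for this example."""
    return AccessUser(bound={"mac": "00-1A-2B-3C-4D-5E", "vlan": 100, "ssid": "corp-wifi"})


if __name__ == "__main__":
    # Constructed authentication request: same MAC in a different notation, wrong VLAN.
    request = {"mac": "00:1a:2b:3c:4d:5e", "vlan": 200, "ssid": "corp-wifi"}
    print(check_bindings(sample_policy(), sample_user(), request))
```

Feeding the attributes seen in the failed authentication into such a check tells you which of the two documented causes applies before you decide between Solution 1 (correct the value) and Solution 2 (clear the Bind option).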
Troubleshoot LDAP
The LDAP user password is incorrect and you have been added to the blacklist
Symptom
Prompt message: Incorrect LDAP password. You have been added into blacklist.
Solution
Possible causes
The number of consecutive failed LDAP user password authentication attempts reaches the set value.
Recommended actions
For the specific solution, see "Recommended actions" under "The password is incorrect and you have been added to the blacklist."
The LDAP user does not exist or the password is incorrect. You can retry #Count more times
Symptom
Prompt message: Incorrect LDAP password. You can retry #Count times.
Solution
Possible causes
Incorrect LDAP user passwords are entered. The system shows how many attempts remain before adding the user to the blacklist.
Recommended actions
Use the correct password for authentication.
An LDAP user receives a password error prompt despite entering the correct password
Symptom
When an LDAP user performs authentication, the authentication fails even if the correct username and password are entered, and a password error is prompted.
Solution
Possible causes
1. If the EIA server and LDAP server use different password processing methods, this issue might occur. For example, the EIA side requires the LDAP server to return plaintext passwords, but the LDAP server returns encrypted passwords instead.
2. A non-iNode client is used for PEAP-MD5 or EAP-MD5 authentication.
3. Incorrect domain controller information is entered.
The following table describes the relationship between the LDAP server types, authentication methods, and authentication results.
Table 1 Authentication result
| LDAP server type | LDAP user authentication method | Authentication result |
| Universal LDAP server | EAP-PEAP/EAP-MSCHAPv2 | The LDAP server returns an encrypted password or the password cannot be obtained. The system prompts a password error. |
| Universal LDAP server | CHAP | The LDAP server returns an encrypted password, but the system prompts a password error. |
| Universal LDAP server | PEAP-MD5/EAP-MD5 (for authentication via non-iNode client) | EIA cannot obtain the plaintext password from the packet, causing the password check to fail and prompting a password error. |
| Universal LDAP server | Other authentication methods | EIA does not support the encryption method used on the LDAP server, causing the password check to fail and prompting a password error. |
The preceding table shows that LDAP user authentication fails with a password error due to incorrect password encryption or unsupported scenarios.
Recommended actions
Table 2 Recommended actions
| LDAP server type | LDAP user authentication method | Recommended action |
| Universal LDAP server | EAP-PEAP/EAP-MSCHAPv2 | The LDAP server is required to provide the password in plaintext. |
| Universal LDAP server | CHAP | The LDAP server is required to provide the password in plaintext. |
| Universal LDAP server | PEAP-MD5/EAP-MD5 (for authentication via non-iNode client) | Use the iNode client for authentication. |
| Universal LDAP server | Other authentication methods | Make sure the encryption method on the LDAP server is supported by EIA, or adapt the encryption method on the EIA side later. |
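The reason the tables above require a plaintext password from the LDAP server is a property of the authentication methods themselves. CHAP, EAP-MD5 and PEAP-MD5 are challenge-response schemes in which EIA must recompute the client's response from the stored secret (CHAP per RFC 1994 uses MD5 over identifier, secret and challenge; MS-CHAPv2 derives its response from the NT hash of the password), so a directory that only returns a one-way hash such as {SSHA} leaves the server with nothing to recompute from. PAP is different: the client sends the password itself, which can be re-hashed and compared. The following Python example is added to illustrate that difference; it is not EIA or LDAP server code, and the password, salt and challenge values are constructed.

```python
import base64
import hashlib

# Constructed sample credential; the value and the salt are assumptions of this example.
PLAINTEXT_PASSWORD = "Correct-Horse-42"
SALT = bytes.fromhex("0102030405060708")


def ssha_hash(password: str, salt: bytes = SALT) -> str:
    """One-way {SSHA} form as stored by many LDAP directories:
    base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap(stored: str, supplied: str) -> bool:
    """PAP: the client sends the password itself, so the server can re-derive the
    stored hash and compare. Works whether the directory holds plaintext or {SSHA}."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hashlib.sha1(supplied.encode("utf-8") + salt).digest() == digest
    return supplied == stored


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode("utf-8") + challenge).digest()


def verify_chap(stored: str, ident: int, challenge: bytes, response: bytes):
    """CHAP verification must recompute the response from the secret. With only a
    one-way hash in the directory the expected value cannot be computed, so the
    check is undecidable (None); in practice that surfaces as a password error
    even though the user typed the correct password."""
    if stored.startswith("{SSHA}"):
        return None
    return chap_response(ident, stored, challenge) == response


def simulate(stored_form: str) -> dict:
    """Authenticate the correct password by PAP and by CHAP against one stored
    form of it: "plaintext" or "ssha"."""
    stored = PLAINTEXT_PASSWORD if stored_form == "plaintext" else ssha_hash(PLAINTEXT_PASSWORD)
    ident = 7
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed server challenge
    response = chap_response(ident, PLAINTEXT_PASSWORD, challenge)   # what a correct client sends
    return {
        "pap": verify_pap(stored, PLAINTEXT_PASSWORD),
        "chap": verify_chap(stored, ident, challenge, response),
    }


if __name__ == "__main__":
    print("plaintext in directory:", simulate("plaintext"))
    print("{SSHA} in directory:   ", simulate("ssha"))
```

The second line of output shows the situation in Table 1: PAP still verifies against the hashed entry, while CHAP cannot be decided at all, which is why the fix is on the directory side (plaintext available to EIA) or in the choice of method, not in the user's password.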
The LDAP server does not support CHAP authentication
Symptom
Prompt message: LDAP server does not support CHAP authentication.
Solution
Possible causes
The LDAP user uses the CHAP authentication method, but Microsoft AD servers do not support this authentication method.
Recommended actions
For 802.1X authentication, edit the authentication type on the device. For portal authentication, edit the authentication type in the portal configuration on EIA.
The LDAP server connection timed out, or the IP address or port is incorrect. Retry later or contact the administrator
Symptom
Prompt message: LDAP server connection timed out due to invalid server IP or port. Please retry later or contact the administrator.
Solution
Possible causes
· An LDAP server configuration error or network error causes connection failure.
· The LDAP server connects successfully but times out when users are authenticated by using LDAP or information is synchronized from the LDAP server.
Recommended actions
· Check connectivity on the configuration console.
· Identify whether the LDAP server has any issues.
Error in LDAP server protocol version
Symptom
Prompt message: LDAP server protocol error.
Solution
Possible causes
LDAP server version configuration error.
Recommended actions
Make sure the server version number configured in EIA matches the LDAP server version number.
The LDAP server configuration has an error. Please contact the network administrator
Symptom
Prompt message: LDAP server configuration error. Please contact the administrator.
Solution
Possible causes
The EIA server cannot find the target object in the LDAP server directory.
Recommended actions
Check the configuration on the LDAP server or contact the network administrator.
Administrator configuration error
Symptom
Prompt message: LDAP server administrator error.
Solution
Possible causes
The administrator DN configuration on the LDAP server has an issue. The administrator DN is used to manage user data on the LDAP server.
Recommended actions
Check the administrator-related configurations on the LDAP server or contact the network administrator.
Failed to connect to the LDAP server. Try again later or contact the administrator
Symptom
Prompt message: LDAP server unknown error.
Solution
Possible causes
The LDAP server returned an unrecognized error message.
Recommended actions
Capture packets to identify the specific error code returned by the LDAP server, and then check its meaning.
The LDAP server is currently unavailable. Try again later or contact the administrator
Symptom
Prompt message: LDAP server is disconnected. Please retry later or contact the administrator.
Solution
Possible causes
If a user fails to connect to the LDAP server during authentication, the system marks the server as disconnected in the LDAP server configuration. The holdtime of the state depends on the reconnection interval. The system displays an error message when you attempt authentication without a connection.
Recommended actions
Identify whether the LDAP server is enabled and the network is connected. Make sure the EIA server can communicate with the LDAP server.
System unknown error. Contact the administrator
Symptom
Prompt message: Unknown system error. Please contact the administrator.
Solution
Possible causes
The LDAP server returned an unknown exception.
Recommended actions
Identify whether the LDAP server has any issues. If you see specific error messages with other error codes, they usually indicate unknown issues. If the LDAP server shows no issues, collect packet capture data, LDAP server system information, and EIA debug logs, including UAM and Java server logs. For EIA log collection steps, see "Collect logs."
The account is locked by the LDAP server. Contact the administrator to unlock it
Symptom
Prompt message: The account is locked by the LDAP server. Please contact the administrator to unlock the account.
Solution
Possible causes
The LDAP server sets an account lockout threshold. If the number of user authentication failures exceeds this threshold, the system locks the user account.
Recommended actions
Select the Unlock account option in the user properties window on the LDAP server.
Failed to obtain the password from the LDAP server
Symptom
Prompt message: Failed to obtain the password from the LDAP server.
Solution
Possible causes
The LDAP server is configured to synchronize the password to the local host for verification, but the synchronization fails during authentication.
Recommended actions
Identify whether the password attribute in the EIA server configuration is correct. Identify whether the LDAP server supports synchronizing passwords to the local host.
The LDAP user password has expired
Symptom
Prompt message: The password of the LDAP user has expired.
Solution
Possible causes
A user password expiration time is set on the LDAP server. Accounts expire after this period.
Recommended actions
In the user properties window of the LDAP server, select the Password never expires option for the account or delay the user password expiration time.
LDAP user login to computers is restricted. Please contact the administrator
Symptom
Prompt message: The LDAP user does not have the privilege to log on to the computer.
Solution
Possible causes
The computers that LDAP users can log in to are restricted.
Recommended actions
In the user properties window on the LDAP server, select Account > Log On To (T) to configure permitted computer accounts. Select All computers to allow login to any computer, or select The following computers to add virtual computer accounts that the LDAP server permits to log in to.
The LDAP server connection timed out, or the IP address or port is incorrect
Symptom
The LDAP server connection timed out, or the IP address or port is incorrect.
Solution
Possible causes
An LDAP server configuration error or network error causes connection failure.
Recommended actions
Check connectivity on the configuration console.
Figure 10 Configuration check
The device connects to the LDAP server but the response from the device times out during bind or search operations, as shown in the packet capture screenshot below:
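The connectivity check and error-code analysis described in the LDAP sections above (connection timeout or wrong IP/port, protocol version mismatch, administrator DN error, unknown error code, and the bind that times out after the TCP connection succeeds) can be reproduced from the EIA server with the following script. It is an added example written for this guide, not EIA code: it sends an LDAPv3 simple bind built by hand, so it needs no third-party LDAP library, and decodes the BindResponse. The Active Directory "data" sub-codes it recognizes correspond to the account-state prompts listed above (account locked, password expired, logon to computers restricted, account disabled, change password at next logon). The host name ldap.example.invalid, the DSID value and the sample response bytes are constructed placeholders.

```python
import re
import socket

# Standard LDAP result codes (RFC 4511) that match the symptoms above.
LDAP_RESULT_CODES = {
    0: "success",
    2: "protocolError (LDAP version on EIA does not match the server)",
    32: "noSuchObject (target object or base DN not found)",
    34: "invalidDNSyntax (check the administrator DN)",
    49: "invalidCredentials (bind DN or password rejected)",
    52: "unavailable",
    53: "unwillingToPerform",
}
# Active Directory sub-codes carried in diagnosticMessage as "data <hex>".
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "531": "not permitted to log on at this workstation (Log On To restriction)",
    "532": "password expired",
    "533": "account disabled",
    "773": "user must change password at next logon",
    "775": "account locked out",
}
_AD_DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)")

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    # Non-negative INTEGER; an extra 0x00 keeps the sign bit clear.
    return ber_tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def build_bind_request(msg_id, bind_dn=b"", password=b"", version=3):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }."""
    bind = ber_tlv(0x60, ber_int(version) + ber_tlv(0x04, bind_dn) + ber_tlv(0x80, password))
    return ber_tlv(0x30, ber_int(msg_id) + bind)

def ber_read(buf, pos):
    """Return (tag, payload, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        k = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Decode messageID, resultCode, matchedDN and diagnosticMessage from a BindResponse."""
    tag, msg, _ = ber_read(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(msg, 0)
    tag, body, _ = ber_read(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = ber_read(body, 0)
    _, matched, pos = ber_read(body, pos)
    _, diag, _ = ber_read(body, pos)
    return {"msg_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(errors="replace"), "diagnostic": diag.decode(errors="replace")}

def explain(result):
    """Map the result code, plus any AD 'data' sub-code, to the matching symptom."""
    text = LDAP_RESULT_CODES.get(result["result_code"], f"result code {result['result_code']}")
    match = _AD_DATA_RE.search(result["diagnostic"])
    sub = AD_DATA_CODES.get(match.group(1).lower()) if match else None
    return f"{text}; AD data {match.group(1)}: {sub}" if sub else text

def probe_ldap(host, port=389, timeout=5.0, bind_dn=b"", password=b""):
    """Three outcomes: TCP connect fails (IP, port or network), connect succeeds but no
    BindResponse arrives in time (the bind timeout seen in the capture), or a BindResponse
    arrives and its result code says what is wrong."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"stage": "connect", "ok": False, "detail": str(exc)}
    try:
        sock.sendall(build_bind_request(1, bind_dn, password))
        data = sock.recv(4096)
    except socket.timeout:
        return {"stage": "bind", "ok": False, "detail": "no BindResponse within timeout"}
    finally:
        sock.close()
    if not data:
        return {"stage": "bind", "ok": False, "detail": "server closed the connection"}
    resp = parse_bind_response(data)
    return {"stage": "bind", "ok": resp["result_code"] == 0, "detail": explain(resp)}

# Constructed sample: the BindResponse an AD domain controller returns for a locked-out account.
SAMPLE_DIAG = b"80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v4563"
SAMPLE_LOCKED_RESPONSE = ber_tlv(0x30, ber_int(1) + ber_tlv(
    0x61, ber_tlv(0x0A, bytes([49])) + ber_tlv(0x04, b"") + ber_tlv(0x04, SAMPLE_DIAG)))

if __name__ == "__main__":
    print(explain(parse_bind_response(SAMPLE_LOCKED_RESPONSE)))
    print(probe_ldap("ldap.example.invalid", timeout=3.0))  # placeholder host; use the server configured on EIA
```

Run it on the EIA server against the address and port configured for the LDAP server. A failure at the "connect" stage points to the IP address, port, or network; a failure at the "bind" stage with no response matches the timeout shown in the packet capture; a BindResponse with a non-zero result code identifies the specific prompt to look up in the sections above without having to read the capture by hand. Pass the administrator DN and password to probe the same bind EIA performs.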
Figure 11 Packet capture
The LDAP server protocol version number is incorrect
Symptom
The LDAP server protocol version number is incorrect.
Solution
Possible causes
Server version configuration error.
Recommended actions
Verify that the configuration on EIA matches the LDAP server.
Figure 12 Server configuration
An LDAP user is invalid
Symptom
An LDAP user is invalid.
Solution
Possible causes
An account expiration time is set on the LDAP server. The account will expire after the specified period.
Recommended actions
Do not configure an account expiration time.
An LDAP user is disabled
Symptom
An LDAP user is disabled.
Solution
Possible causes
The Account Disabled option is selected in the LDAP server.
Recommended actions
Clear the Account Disabled option in the LDAP server.
The account is locked out by the LDAP server
Symptom
The account is locked out by the LDAP server.
Solution
Possible causes
An account lockout threshold is configured on the LDAP server. The system displays this message when the number of user authentication failures exceeds the threshold.
Recommended actions
Unlock the account on the server.
Change the password at first login
Symptom
Login failed. Change your password on first login. If you cannot change the password, contact the administrator to identify whether the certificate authentication type in the access policy is EAP-PEAP/MSCHAPv2. Under this certificate authentication type, EIA does not allow LDAP users to change their passwords.
Solution
Possible causes
The LDAP server requires users to change their password at next login, and the user performs authentication through PEAP-MSCHAPv2.
Recommended actions
In the user properties window of the LDAP server, clear the User must change password at next logon option.
The username does not exist on the LDAP server
Symptom
The system prompts "The username does not exist on the LDAP server" during user authentication.
Solution
This issue includes two scenarios: users synchronized with non-on-demand synchronization policies and users synchronized with on-demand synchronization policies. Different synchronization policies cause this issue for different reasons and require different solutions. The following sections explain each scenario.
Non-on-demand synchronization policy—Possible causes
For users synchronized by non-on-demand synchronization policies, possible causes include:
1. The user does not exist in the LDAP server.
2. A new user was added to the LDAP server, but manual synchronization was not performed on EIA.
3. No LDAP sync/backup task is configured.
4. The DN setting is incorrect or the filter condition is incorrectly configured, so the system fails to synchronize the user.
5. The user was moved to another OU, but manual synchronization was not performed on EIA and the scheduled synchronization task has not run yet.
Non-on-demand synchronization policy—Solution
The solution is as follows:
1. Add this user to the LDAP server or perform authentication with an existing username.
2. Execute the synchronization operations in the synchronization policy list, as shown in the following figure.
Figure 13 Manual synchronization
3. Configure the LDAP synchronization/backup task in the LDAP function parameters as shown in the following figure.
Figure 14 LDAP auto synchronization
4. Check the user list and user status in LDAP. Make sure the DN and filter conditions in the synchronization policy are correct.
Figure 15 Check user status
5. Manually execute synchronization operations on the synchronization policy configuration page, or wait for the scheduled task to run.
On-demand synchronization policy—Possible causes
For on-demand synchronization policies, possible causes include:
1. The user does not exist in the LDAP server.
2. After users were added to the LDAP server, the administrator did not perform an on-demand synchronization on EIA or wait for the scheduled task to run, and the LDAP on-demand authentication mode was not set to real-time authentication.
Figure 16 Enable on-demand synchronization
Figure 17 Select the LDAP on-demand authentication mode
3. The user resource table lacks relevant user information due to incorrect DN settings or filter conditions, and the LDAP on-demand authentication mode does not have real-time authentication enabled.
On-demand synchronization policy—Solution
The solution is as follows:
1. Add this user to the LDAP server or perform authentication with an existing username.
2. Enable on-demand synchronization and configure the LDAP on-demand authentication mode as real-time authentication.
3. Identify whether the DN and filter conditions are correct. Set the LDAP on-demand authentication mode to real-time authentication in the system parameter configuration.
Troubleshoot certificates
The certificate ID does not match the username
Symptom
Prompt message: The account name does not match the attribute in the client certificate.
Solution
Possible causes
The Check username in certificate option is selected in system parameters. During TLS authentication, the system identifies whether the subject name in the client certificate matches the login username. If they don't match, the system displays this message.
Recommended actions
Clear the Check username in certificate option in system parameters, or replace the client certificate.
Failed to obtain the certificate issuer
Symptom
Prompt message: Unable to get issuer certificate.
Solution
Possible causes
When users perform authentication with a certificate, the system retrieves the issuer information from it. If the certificate lacks this information, the authentication fails.
Recommended actions
Identify whether the certificate includes issuer information. Replace the certificate if it does not.
Certificate invalid
Symptom
Prompt message: Invalid certificate.
Solution
Possible causes
The system detected an invalid certificate during user authentication.
Recommended actions
Replace the certificate.
The certificate has expired
Symptom
Prompt message: Certificate has expired.
Solution
Possible causes
The certificate used for user authentication has expired.
Recommended actions
Check the certificate validity period and replace the certificate.
Certificate authentication error
Symptom
Prompt message: Certificate authentication error.
Solution
Possible causes
The system triggers this message for various reasons. It usually appears when the certificate has an issue.
Recommended actions
1. Analyze this issue based on specific scenarios. Collect certificate information, including the root certificate, server certificate, and client certificate.
2. Identify the client authentication method.
3. Capture packet logs from both the client and server.
4. Obtain debug logs from the server. For EIA log collection steps, see "Collect logs."
Certificate not imported
Symptom
Prompt message: Certificate not imported.
Solution
Possible causes
The user attempted certificate authentication, but the server did not import the certificate.
Recommended actions
Import the certificate in the certificate configuration of service parameters.
Troubleshoot MSCHAPv2 authentication issues
Domain controller connection failed. Contact the administrator
Symptom
Prompt message: Connection error with the domain controller. Please contact the administrator.
Solution
Possible causes
AD users encounter issues when connecting to the domain controller server during MS-CHAPv2 authentication.
Recommended actions
Check the configuration and network connection status of the EIA server and domain controller server. Telnet to port 445 on the domain controller from the EIA server to check connectivity.
The domain controller information is incorrect. Contact the administrator
Symptom
Prompt message: Incorrect domain controller information. Please contact the administrator.
Solution
Possible causes
The Domain Controller Full Name configuration in the MS-CHAPv2 authentication is incorrect.
Recommended actions
Verify that the Domain Controller Full Name value on the PEAP authentication domain controller page matches the actual full name of the domain controller server. To view the full name of the domain controller server, follow these steps:
1. In the domain controller server, right-click My Computer.
2. Select the Properties menu item to open the system properties page. The full computer name value in the Computer Name field represents the domain controller's full name.
Failed to receive the authentication packets from the MSCHAPv2 server
Symptom
The system displays the error that the LDAP user password is incorrect during user authentication.
Solution
Possible causes
· The error might occur because you entered an incorrect domain controller server address in the PEAP authentication domain configuration.
· The error might occur because you did not correctly configure the local server port in the PEAP authentication domain configuration. The default value for the local server port is 9812. If you change it, restart the mschapv2server process on the EIA server for the modification to take effect.
Recommended actions
· Enter the correct domain controller server address.
· Enter the correct local server port.
Domain controller information error
Symptom
Domain controller information error.
Solution
Possible causes
The error occurs because you configured the domain controller full name incorrectly in the PEAP authentication domain configuration.
Recommended actions
To view the full name of a domain controller, right-click My Computer on the domain controller, select Properties from the right-click menu, and check the Full Computer Name on the system properties page.
Domain controller connection error
Symptom
The virtual computer name or password is incorrect.
Solution
Possible causes
· The error occurs because port 445 on the LDAP server might not be open.
· This error might also occur if the SMB protocol is not enabled on the LDAP server.
Recommended actions
· Use the telnet command to check whether port 445 on the LDAP server is reachable.
· In EIA versions earlier than E0604H06, only SMB1 was supported. Later versions support both SMB1 and SMB2. You can check the SMB protocol status on the LDAP server:
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
Enable or disable the SMB protocol:
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Set-SmbServerConfiguration -EnableSMB2Protocol $false
Set-SmbServerConfiguration -EnableSMB1Protocol $true
Set-SmbServerConfiguration -EnableSMB2Protocol $true
Access is denied
Symptom
Access is denied.
Solution
Possible causes
The log shows an error that "Access is denied" with the following details:
Figure 18 Error message 1
Figure 19 Error message 2
Figure 20 Error message 3
Recommended actions
This error occurs because you modified the server SPN target name validation level of the domain controller server. The domain controller server supports three SPN validation levels as follows:
· Off. The SPN from an SMB client isn't required or validated by the SMB server.
· Accept if provided by client. The SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPNs. If the SPN doesn't match, the session request for that SMB client will be denied.
· Required from client. The SMB client must send an SPN name in session setup, and the SPN name provided must match the SMB server that is being requested to establish a connection. If no SPN is provided by the client device, or the SPN provided doesn't match, the session is denied.
The default setting is Off. If you set it to Required from client, the preceding authentication error will occur during MS-CHAPv2 authentication. To edit the server SPN target name validation level, access the Local Security Policy > Security Options > Microsoft Network Server: Server SPN Target Name Validation Level > Local Security Setting page, and set the server SPN target name validation level to Off or Accept if provided by client.
Troubleshoot third-party issues
Third-party RADIUS authentication failed. Make sure you enter the correct username and password, or contact your administrator.
Symptom
Prompt message: Third-party Radius authentication failed. Please check your username and password or contact the administrator.
Solution
Possible causes
The user entered an incorrect dynamic password during third-party RADIUS authentication, or the user does not exist on the third-party server.
Recommended actions
Identify whether the dynamic password entered for third-party RADIUS authentication is correct. Alternatively, identify whether the user already exists on the third-party server.
The Boss system authentication failed. Make sure you enter the correct cell phone number and password, or contact the administrator.
Symptom
Prompt message: Boss authentication failed. Please check your cell-phone number and password or contact the administrator.
Solution
Possible causes
The EIA server processes authentication, while a third-party server processes accounting. Set cell phone numbers for users on the server. After authentication, the server sends the cell phone numbers and passwords to the third-party server. If either the passwords or cell phone numbers are incorrect, the system displays an error message.
Recommended actions
Verify that the cell phone numbers and passwords on the EIA server match those on the third-party server.
The BOSS system is not responding
Symptom
Prompt message: Timeout for waiting the response message of Boss system.
Solution
Possible causes
The EIA server processes authentication, while a third-party server processes accounting. Set cell phone numbers for users on the server. After authentication, the server sends the cell phone numbers and passwords to the third-party server. The third-party server does not respond after receiving the data.
Recommended actions
Check the EIA server configuration for third-party servers to ensure accuracy. Identify whether any third-party servers show anomalies.
A third-party server is unreachable
Symptom
Prompt message: The third-party server cannot be connected.
Solution
Possible causes
The system uses third-party authentication but fails to authenticate users because the third-party server is unreachable.
Recommended actions
Check the connectivity of third-party servers and networks.
Troubleshoot licenses
License quantity limit
Symptom
Prompt message: The number of users reached the upper limit permitted by the license.
Solution
Possible causes
The number of online users exceeds the maximum license limit, or the current online user count has not updated yet.
Recommended actions
Purchase a license that supports more online users.
EIA license quantity limit
Symptom
Prompt message: The number of users reached the upper limit permitted by the EIA license.
Solution
Possible causes
The server has the EIA component installed, but the number of online users exceeds the maximum number permitted by EIA, or the online user count has not been updated yet.
Recommended actions
If the number of online users exceeds the maximum number permitted, force some users to go offline. If not, wait for the scheduled update or purchase an EIA license that supports more online users.
EIP license quantity limit
Symptom
Prompt message: The number of users reached the upper limit permitted by the EIP license.
Solution
Possible causes
The server has the EIP component installed, but the number of online users exceeds the maximum number permitted by EIP, or the online user count has not been updated yet.
Recommended actions
If the number of online users exceeds the maximum number permitted, force some users to go offline. If not, wait for the scheduled update or purchase an EIP license that supports more online users.
Troubleshoot page prompts
Tab disappears
Symptom
A menu or tabs within a menu disappear on the page.
Solution
Possible causes
Permission issues prevent the page from being displayed.
Recommended actions
Restart the eia-uam-rs pod.
Failed to notify the RADIUS server
Symptom
When you are configuring EIA, the system prompts "Failed to notify the RADIUS server."
Solution
Possible causes
Possible causes include:
1. The dm pod in the backend is operating abnormally.
2. The kafka pod is operating abnormally.
Recommended actions
1. Restart the eia-uam-dm pod.
2. Restart the kafka pod of the platform.
Failed to notify the policy server
Symptom
When you are configuring EIA, the system prompts "Failed to notify the policy server."
Solution
Possible causes
The policy server pod is operating abnormally.
Recommended actions
Restart the eia-uam-policy pod.
Troubleshoot common issues with MAC portal authentication
Failed to display the MAC portal authentication page
Symptom
After you open the browser, you are not redirected to the MAC portal authentication page after entering any IP address or domain name.
Solution
Possible causes
· No DNS server is configured.
· The server deployed an incorrect URL or ACL.
Recommended actions
1. Manually enter the URL address to identify whether you can access it.
2. Verify that the server deploys the correct URL and ACL.
Figure 21 View the ACL and redirect URL assigned to a specific MAC address on the device
If both the preceding items are correct, contact Technical Support to troubleshoot the issue.
Transparent MAC portal authentication fails to take effect and requires users to enter their username and password every time
Symptom
Even if you have passed transparent authentication, the authentication page might still pop up later, asking for your username and password.
Solution
Possible causes
· Transparent authentication is not enabled in the user endpoint settings or access service.
· The online quantity has reached the limit.
· The online users are forced to go offline.
· The endpoint fails to pass authentication.
· Endpoint records age according to the aging policy.
Recommended actions
1. First, identify whether transparent authentication is enabled correctly. Enable transparent authentication in both the access service and user endpoint settings.
Figure 22 Enable transparent authentication in the access service
Figure 23 Enable transparent authentication in user endpoint settings
2. Check the MAC binding record of the endpoint. If the MAC portal status shows registered and transparent auth invalid, check the following:
a. For the access user, the maximum number of concurrent logins for one account is set to 1, and logging off duplicate accounts is enabled.
b. On EIA, force the offline operation for the online record.
c. Check the authentication failure logs to identify whether this endpoint has any failed authentication records.
d. Check the endpoint aging policy to identify whether the requirements are met.
Failed to use MAC portal authentication. The authentication result page keeps popping up
Symptom
After you open the browser, you are always redirected to the MAC portal authentication result page after entering any IP address or domain name.
Solution
Possible causes
For endpoints that have completed 802.1X authentication, the transparent authentication status is disabled, and the MAC portal status shows "/". This status triggers pushing the login result page.
Recommended actions
Execute the following SQL statement to enable the parameter for 802.1X and MAC Portal coexistence.
UPDATE EAD.TBL_PARAMETER SET VALUE='0' WHERE PARAMETER_NAME ='IF_DENY_MAC_AUTH'
Troubleshoot other issues
The system is busy. Please try again later.
Symptom
Prompt message: System is busy. Please try again later.
Solution
Possible causes
After you add or edit configurations (such as third-party authentication settings, LDAP settings, or dumb terminals), the terminals immediately initiate authentication.
Recommended actions
Wait a moment and try authentication again. If the issue persists, see "Collect logs" and contact Technical Support.
Failed to find the RSA service configuration. Contact the administrator.
Symptom
Prompt message: RSA configuration is not found. Please contact the administrator.
Solution
Possible causes
The access policy has RSA enabled, but the RSA authentication settings are incomplete on the Automation > Network Access > Access Management > Parameter Management > UAM > Roaming Configuration page.
Recommended actions
Configure RSA authentication information on EIA.
The user is not activated. Contact the administrator to activate the user
Symptom
Prompt message: The user is not activated. Please contact the administrator to activate it first.
Solution
Possible causes
A user is not activated.
Recommended actions
Contact the administrator to activate the user. Activate the user on the Automation > Network Access > Access Management > Access User > All Access Users page.
IP binding exception
Symptom
Prompt message: An exception occurred during IP binding.
Solution
Possible causes
Communication with the DHCP service timed out.
Recommended actions
Check the DHCP server connectivity and identify whether the DHCP service is enabled.
Failed to receive a response message
Symptom
Prompt message: No response packet is received.
Solution
Possible causes
The user performed RSA authentication by using EAP-MD5, PEAP-MD5, or PEAP-GTC but did not receive a response from the RSA server during dynamic password verification.
Recommended actions
Identify whether the RSA server configuration on the EIA server is correct and the configuration on the RSA server is correct.
Authentication error
Symptom
Prompt message: Authenticator error.
Solution
Possible causes
When users perform RSA authentication in EAP-MD5, PEAP-MD5, or PEAP-GTC mode, the system verifies the checksum generated from the shared password upon receiving the response from the RSA server during dynamic password verification. If the checksum from the EIA server does not match that in the response from the RSA server, the system displays this message.
Recommended actions
Identify whether the shared password configured on the EIA server and that on the RSA server match.
The number of access users exceeds the server's maximum capacity
Symptom
Prompt message: The number of managed access users has reached or exceeded the maximum capacity of the server.
Solution
Possible causes
The number of access users added to the server exceeds the maximum user limit set on the server.
Recommended actions
Remove some access users.
The number of bound endpoints has reached the upper limit, which is set to #MaxCount
Symptom
Prompt message: The number of bound endpoints reached the upper limit, the number of limit is #MaxCount.
Solution
Possible causes
The maximum number of endpoints that can be bound to an account is set in the system parameters. The number of endpoints used by the user has reached this limit.
Recommended actions
Delete the endpoint record related to this account in endpoint management, or adjust the maximum number of endpoints that can be bound to an account in the parameters.
You did not enter both the static password and RSA dynamic password. Please re-enter
Symptom
Prompt message: The static or RSA dynamic password is empty. Please provide both passwords.
Solution
Possible causes
The user enabled RSA authentication in the access policy and selected dynamic + static password authentication but only entered the static password during authentication.
Recommended actions
During RSA authentication, a user must enter both a static password and a dynamic password.
The maximum number of bound endpoints in the current scenario has been reached. The limit is #MaxCount endpoints
Symptom
Prompt message: The number of bound endpoints reached the maximum in the current scenario, the number of limit is #MaxCount.
Solution
Possible causes
The user configured the maximum number of endpoints that can be bound to an account in the access scenario. The number of endpoints coming online in this scenario has reached the threshold.
Recommended actions
· Solution 1: Navigate to the Automation > Network Access > Access Management > Access Endpoint page. Check the scenario used by an endpoint in the details, and then delete records with the same scenario as the newly onboarded endpoint.
· Solution 2: Modify the maximum number of endpoints that can be bound to an account in the scenario.
The number of online endpoints in the current scenario has been reached
Symptom
Prompt message: The number of online endpoints reaches the maximum in the current scenario.
Solution
Possible causes
The number of online endpoints for this account has reached the maximum number of online endpoints for an account set for this access scenario.
Recommended actions
Edit the maximum number of online endpoints for an account in the access scenario.
The online duration today has reached the daily maximum online duration set in the access service
Symptom
Prompt message: The online duration today has already reached the Daily Max. Online Duration configured for the access service.
Solution
Possible causes
The daily maximum online duration is set in the access service. The total duration for which the account uses the service to access the network has reached this limit.
Recommended actions
You can use the account to access the network through other services. Alternatively, set the maximum daily online duration to a greater value or 0 in the access service.
The number of endpoint records exceeds the server's maximum capacity
Symptom
Prompt message: Endpoint record count exceeded the upper limit of the server.
Solution
Possible causes
The number of endpoint records added to the server exceeds the maximum endpoint limit set on the server.
Recommended actions
Delete some endpoint records.
Failed to install the DHCP agent or the installed DHCP agent does not operate correctly
Symptom
Failed to install the DHCP agent or the installed DHCP agent does not work correctly.
Solution
Possible causes
The DHCP agent is incompatible with certain versions of Microsoft DHCP servers.
Recommended actions
As a best practice, use the following Microsoft DHCP server versions that passed the test:
· Windows Server 2003 R2 32bit/64bit
· Windows Server 2008 with Service Pack 1 64bit
· Windows Server 2008 R2 X64 DataCenter 64bit
· Windows Server 2012 64bit
The DHCP agent failed to start the DHCP server
Symptom
Windows 2016: The DHCP agent failed to start the DHCP server.
Solution
Possible causes
The DHCP server lacks sufficient registry permissions.
Recommended actions
Make sure the DHCP server has full control permissions for the following registry path:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters
Figure 24 Registry
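The following PowerShell script is an added example, not part of the H3C guide. It reports whether the account that runs the Windows DHCP Server service holds Full Control on the Parameters key named above, and can add the missing rule when you pass -Grant. It assumes the service is registered as DHCPServer and that the account to check is the one the service reports in its StartName (commonly NT AUTHORITY\NetworkService); both are assumptions about the host, not facts from the guide. Run it in an elevated PowerShell session on the DHCP server.

```powershell
# Added example (not from the H3C guide). Checks that the DHCP Server service
# account has Full Control on the registry key the guide names.
# Assumptions: the service name is "DHCPServer", and the trustee to check is
# the account in the service's StartName (typically NT AUTHORITY\NetworkService).

$DhcpParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

function Get-DhcpServiceSid {
    # Resolve the service account to a SID so that display-name variants
    # ("NetworkService" vs "NETWORK SERVICE") compare reliably.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DHCPServer'"
    if (-not $svc) { throw 'The DHCPServer service is not installed on this host.' }
    $name = $svc.StartName
    if ($name -ieq 'LocalSystem') { $name = 'NT AUTHORITY\SYSTEM' }
    $account = [System.Security.Principal.NTAccount]::new($name)
    return $account.Translate([System.Security.Principal.SecurityIdentifier])
}

function Test-SameTrustee($identity, [System.Security.Principal.SecurityIdentifier]$sid) {
    # An orphaned (unresolvable) trustee on the key is never a match.
    try { $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value }
    catch { $false }
}

function Test-DhcpParametersAcl {
    param(
        [string]$Path = $DhcpParametersKey,
        [switch]$Grant   # add a Full Control rule for the service account if it is missing
    )
    $sid  = Get-DhcpServiceSid
    $acl  = Get-Acl -Path $Path
    $full = [System.Security.AccessControl.RegistryRights]::FullControl

    # Allow rules whose trustee is exactly the service account and whose rights
    # include every bit of Full Control. Group memberships (for example
    # Administrators) are deliberately not expanded: the guide requires the
    # DHCP server account itself to hold Full Control.
    $matching = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full) -and
        (Test-SameTrustee $_.IdentityReference $sid)
    })
    $hasFull = $matching.Count -gt 0

    if (-not $hasFull -and $Grant) {
        # Inherit the rule down to subkeys and values of the Parameters key.
        $rule = [System.Security.AccessControl.RegistryAccessRule]::new($sid, $full, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
        $hasFull = $true
    }

    [pscustomobject]@{
        Key            = $Path
        ServiceAccount = $sid.Translate([System.Security.Principal.NTAccount]).Value
        HasFullControl = $hasFull
        MatchingRules  = $matching.Count
    }
}

# Report only; add -Grant to repair the ACL.
Test-DhcpParametersAcl
```

The check compares SIDs rather than account names because the same account is displayed differently in service properties and in the ACL editor, and it does not treat membership in a group such as Administrators as satisfying the requirement, since the guide asks for the DHCP server account itself to hold Full Control.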
If nodes in a cluster experience server hardware failure and cannot be recovered, you must replace the node servers
Symptom
If a node in a cluster experiences server hardware failure and cannot be recovered, you must replace the node server.
Solution
If a node in a cluster experiences server hardware failure and cannot be recovered, you must replace the node server as follows:
1. Before resolving hardware issues on a faulty node, disconnect it from the network (for example, unplug the network cable). This prevents pods (such as PXC pods of Unified Platform and service components) on the node from failing to rejoin the cluster during troubleshooting, which could disrupt services.
2. Configure the replacement node server to match the original failed node exactly in host name, NIC name, node IP address, username, password, RAID mode, and disk partition.
3. Install the same version of Matrix software on the replacement node server as the cluster node. For more information, see Unified Platform Deployment Guide.
4. Log in to Matrix. On the Deploy > Cluster page, click the icon in the upper right corner of the faulty node. Select the Rebuild option to rebuild the node and complete the server replacement.
NOTE: For more troubleshooting steps on cluster node exceptions, see H3C Unified Platform Troubleshooting Guide.
Troubleshoot common issues with transparent portal authentication
User authentication fails and the system prompts "Failed to check IP or MAC address binding"
Symptom
User authentication fails when Layer 3 portal is used for transparent authentication, and the system prompts a message that "Failed to check IP or MAC address binding."
Solution
Possible causes
Layer 3 portal failed to obtain the endpoint's MAC address. Capture packets on the server to identify whether the MAC address is uploaded.
Recommended actions
Do not use Layer 3 portal authentication.
Collect logs
TIP: If the preceding steps do not resolve the issue, follow the steps in this section to collect EIA logs and contact Technical Support.
The EIA component failure scenarios cover a wide range. To help you quickly collect failure logs, this section provides targeted steps for collecting logs in common scenarios.
As a best practice to ensure log collection integrity if you cannot identify the fault scenario, see "Collect all logs related to the EAD Endpoint Intelligent Access (EIA) module" for how to collect logs.
NOTE: Log collection involves changing the log severity level.
· For the log severity level change to take effect, wait one minute after the change.
· Changing the log severity level to Debugging might affect the system efficiency.
Collect logs in common issue scenarios
Collect logs for troubleshooting user login and policy service failures
1. Adjust the log severity levels:
   1. Navigate to the Automation > Network Access > Access Management > Parameter Management > System Diagnosis and Maintenance > Running Logs Settings page.
   2. Set the log severity level to Debugging for the security policy service, RADIUS authentication service, and EIA Web service, as shown in the following figure.
Figure 25 Adjust the log severity levels
2. Collect logs after reproducing the issue:
   1. Access the System > Log Management > Running Logs page.
   2. Select EIA-POLICY, EIA-DM, and EIA-RS one by one from the Directory (Relative Path) list, enter the start date and end date, and then collect logs, as shown in the following figure.
   3. Select the files you want to download, and then click Export to save them locally.
Collect logs for troubleshooting third-party issues
1. Adjust the log severity levels:
   1. Navigate to the Automation > Network Access > Access Management > Parameter Management > System Diagnosis and Maintenance > Running Logs Settings page.
   2. Set the log severity level to Debugging for the RADIUS authentication service and third-party authentication service, as shown in the following figure.
Figure 27 Adjust the log severity levels
2. Collect logs after reproducing the issue:
   1. Access the System > Log Management > Running Logs page.
   2. Select EIA-DM and EIA-THIRD one by one from the Directory (Relative Path) list, enter the start date and end date, and then collect logs, as shown in the following figure.
   3. Select the files you want to download, and then click Export to save them locally.
Collect logs for troubleshooting page prompts
1. Adjust the log severity level:
   1. Navigate to the Automation > Network Access > Access Management > Parameter Management > System Diagnosis and Maintenance > Running Logs Settings page.
   2. Set the log severity level to Debugging for the EIA Web service, as shown in the following figure.
Figure 29 Adjust the log severity levels
2. Collect logs after reproducing the issue:
   1. Access the System > Log Management > Running Logs page.
   2. Select EIA-RS from the Directory (Relative Path) list, enter the start date and end date, and then collect logs, as shown in the following figure.
   3. Select the files you want to download, and then click Export to save them locally.
Collect logs for troubleshooting MAC portal authentication issues
1. Adjust the log severity levels:
   1. Navigate to the Automation > Network Access > Access Management > Parameter Management > System Diagnosis and Maintenance > Running Logs Settings page.
   2. Set the log severity level to Debugging for the MAC portal authentication service, as shown in the following figure.
Figure 31 Adjust the log severity levels
2. Collect logs after reproducing the issue:
   1. Access the System > Log Management > Running Logs page.
   2. Select EIA-BYOD-RS and EIA-BYOD-SERVER one by one from the Directory (Relative Path) list, enter the start date and end date, and then collect logs, as shown in the following figure.
   3. Select the files you want to download, and then click Export to save them locally.
Collect logs for troubleshooting portal authentication issues
1. Adjust the log severity levels:
   1. Navigate to the Automation > Network Access > Access Management > Parameter Management > System Diagnosis and Maintenance > Running Logs Settings page.
   2. Set the log severity level to Debugging for the portal authentication service, as shown in the following figure.
Figure 33 Adjust the log severity levels
2. Collect logs after reproducing the issue:
   1. Access the System > Log Management > Running Logs page.
   2. Select EIA-PORTALSERVER and EIA-PORTALWEB one by one from the Directory (Relative Path) list, enter the start date and end date, and then collect logs, as shown in the following figure.
   3. Select the files you want to download, and then click Export to save them locally.
Collect all logs related to the EAD Endpoint Intelligent Access (EIA) module
1. Adjust the log severity levels:
   1. Navigate to the Automation > Network Access > Access Management > Parameter Management > System Diagnosis and Maintenance > Running Logs Settings page.
   2. Set the log severity level to Debugging for all EIA-related applications, as shown in the following figure.
Figure 35 Adjust the log severity levels
2. Collect logs after reproducing the issue:
   1. Access the System > Log Management > Running Logs page.
   2. Select EIA from the Directory (Relative Path) list, enter the start date and end date, and then collect logs, as shown in the following figure.
   3. Select the files you want to download, and then click Export to save them locally.
Endpoint compliance management module
Collect logs for the EAD endpoint compliance management module
Collect EAD logs
1. Navigate to the Automation > Network Access > Access Management > Parameter Management > System Diagnosis and Maintenance > Running Logs Settings page. Set the log severity level to Debugging for the security policy service and EAD Web service.
Figure 37 Running logs settings
2. If a failure occurs, navigate to the System > Log Management > Running Logs page, set the start date and end date, enter ead-rs for the file or directory name, select the relevant records, and click Export to export the records.
Figure 38 Running logs
Enter uam-policy for the file or directory name, select the corresponding records, and click Export to export the records.
Figure 39 Running logs
Collect DAM logs
1. Navigate to the Automation > Network Access > Access Management > Parameter Management > System Diagnosis and Maintenance > Running Logs Settings page. Set the log severity level to Debugging for the DAM service.
Figure 40 DAM service
2. If a failure occurs, navigate to the System > Log Management > Running Logs page, set the start date and end date, enter dam-server for the file or directory name, select the relevant records, and click Export to export the records.
Figure 41 Running logs
Enter dam-rs for the file or directory name, select the corresponding records, and click Export to export the records.
Figure 42 Running logs
Collect client logs
1. Open the iNode client, select Log Management, and set the log severity level to Debugging.
Figure 43 Set the log level
2. Click the Set button after the Set debugging environments option to apply the configuration.
3. If a failure occurs, click Collect to automatically package the logs.
Figure 44 Collect logs
FAQ
An endpoint skips the security check
Symptom
The system has security policies configured, but an endpoint skips the security check during login.
Solution
Possible causes
The policy server is not enabled.
Solution
1. Navigate to the Automation > Network Access > Access Management > Parameter Management > System Diagnosis and Maintenance > Policy Server Parameters page. Select the Enable Policy Server option.
Figure 45 Configure policy server parameters
2. Re-authenticate through iNode. The endpoint logs in and comes online.
The iNode client goes offline because it does not receive a response from the policy server
Symptom
The system prompts that it did not receive a response from the policy server.
Solution
Possible causes
A firewall exists between the policy server and iNode, or the intermediate devices limit the maximum packet size.
Solution
1. Capture packets on the policy server, intermediate devices, and iNode side to check for packet loss.
2. If a maximum packet length limit is in place, enable packet compression and encryption on the Automation > Network Access > Access Management > Parameter Management > System Diagnosis and Maintenance > Policy Server Parameters page. This feature compresses policy server packets to reduce their length. If intermediate devices still restrict the packet length after you enable this parameter, adjust the restriction rules on the intermediate devices.
Figure 46 Packet compression and encryption
iNode prompts that the server requests the user to go offline
Symptom
After a user passes the security check, iNode prompts that the security check proxy server requests the user to go offline.
Solution
Possible causes
This issue usually occurs in wireless authentication scenarios. It might occur because the AP switchover changes the online users in the EAD Endpoint Intelligent Access (EIA) module.
Solution
1. Navigate to the Automation > Network Access > Access Management > Online User > Local page, clear the current user information, and kick off the users.
2. Use iNode to log in again for re-authentication.
The policy server returns syncUserError
Symptom
The iNode client fails authentication and prompts that the policy server returns the syncUserError message.
Solution
Possible causes
syncUserError indicates a user synchronization failure. This error typically occurs when the EAD endpoint compliance management module queries the EAD endpoint intelligent access (EIA) module for a user, but the EIA module reports that the user does not exist. The issue might occur because device reauthentication changes the user's onlineid.
Solution
1. Navigate to the Automation > Network Access > Access Management > Online User > Local page, clear the current user information, and kick off the users.
2. Use iNode to log in again for re-authentication.
Hierarchical management issues
Symptom
Lower-level EAD nodes cannot synchronize the access services or policies from the upper-level node.
Solution
Possible causes
The lower-level nodes of the EAD endpoint compliance management module contain self-configured access services or policies.
Solution
1. Delete the access services and access policies from the lower-level nodes.
2. The lower-level nodes resynchronize the policies from the upper-level node.
The EAD endpoint compliance management module fails to collaborate with the WSUS server
Symptom
When you add a WSUS patch server and click the Detect button, an error message appears.
Solution
Possible causes
The WSUS server is misconfigured, and a firewall exists in the network.
Solution
1. Identify whether a firewall exists between the EAD endpoint compliance management server and the WSUS server. Identify whether the round-trip network traffic flows normally.
2. Identify whether the WSUS server is missing dependency packages. Make sure the VC++ 2010 package is listed on the Control Panel > Programs page.
Figure 47
3. Verify that you have logged in to the WSUS server with an administrator account.
4. Restart the WSUS proxy agent, and then click the Detect button again when adding the WSUS server to the EAD endpoint compliance management server.
Common issues in direct connection scenarios
Symptom
In a direct connection scenario, the ACL policy configured in the security policy triggers the policy server to force the endpoints to go offline.
Solution
Possible causes
In a direct connection scenario, traffic does not pass through switches. The ACL policy is directly applied to the device, so no configuration is needed.
Solution
1. Delete the ACL policy from the security policy.
2. Use iNode to log in again for re-authentication.
After iNode passes the security check, the security log does not record it
Symptom
After iNode passes the security check, the security log does not record it.
Solution
Possible causes
By default, the security log does not record a passed security check.
Solution
1. Navigate to the Automation > Network Access > Security Management > Parameter Management page, and select the Generate logs after the security check is passed option.
Figure 48 Generate logs after the security check is passed
2. Use iNode to perform authentication and the security check again.
No window opens when an asset is manually registered to come online in iNode
Symptom
After you manually register an asset to come online, no window opens.
Solution
Possible causes
The asset has been registered to come online in iNode and has been saved in the asset records of DAM, so this online attempt failed.
Solution
Delete the corresponding asset record in DAM. Create an unmanaged asset record and use its asset ID to register and onboard the asset.
The iNode log shows error code 10051
Symptom
DAM has asset records. iNode sends a packet numbered 0x1001 and receives error code 10051.
Solution
Possible causes
The iNode client cannot connect to the DAM server.
Solution
Make sure the iNode client communicates correctly with the DAM server.
Garbled characters appear on the page after you import assets on DAM
Symptom
After asset information is imported into DAM from text files, garbled characters appear on both the page and in the database.
Solution
Possible causes
The encoding of the import file does not match that of the database.
Recommended actions
Check the encoding of the DAM database, and then change the encoding of the import file to match it.
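The following PowerShell script is an added example, not part of the H3C guide or the DAM product. It detects the encoding of an asset import text file and rewrites the file in the encoding you pass as -TargetEncoding, which you obtain from the DAM database as the recommended action says. Files without a byte-order mark that are not valid UTF-8 are assumed to be in the legacy code page given by -FallbackEncoding; the default of gb2312 is a constructed assumption for a Chinese-locale Windows endpoint and should be changed to match the endpoint's ANSI code page. The function and parameter names are illustrative.

```powershell
# Added example (not from the H3C guide). Re-encodes a DAM asset import file
# into the encoding the DAM database uses. Assumptions: non-BOM files that are
# not valid UTF-8 are in the legacy code page named by -FallbackEncoding
# (gb2312 is a constructed default); -TargetEncoding is what the database reports.

# PowerShell 7 (.NET Core) needs the code-page provider for GB2312/GBK.
# Windows PowerShell 5.1 has those code pages built in, so a failure here is harmless.
try { [System.Text.Encoding]::RegisterProvider([System.Text.CodePagesEncodingProvider]::Instance) } catch { }

function Get-ImportFileEncoding {
    param([Parameter(Mandatory)][string]$Path, [string]$FallbackEncoding = 'gb2312')
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # 1. A byte-order mark identifies a Unicode file unambiguously.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        return [pscustomobject]@{ Encoding = [System.Text.Encoding]::UTF8; Bom = 3; Reason = 'UTF-8 BOM' }
    }
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        return [pscustomobject]@{ Encoding = [System.Text.Encoding]::Unicode; Bom = 2; Reason = 'UTF-16 LE BOM' }
    }
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
        return [pscustomobject]@{ Encoding = [System.Text.Encoding]::BigEndianUnicode; Bom = 2; Reason = 'UTF-16 BE BOM' }
    }

    # 2. No BOM: a strict decoder throws on any byte sequence that is not UTF-8.
    $strictUtf8 = [System.Text.UTF8Encoding]::new($false, $true)
    $isUtf8 = $true
    try { [void]$strictUtf8.GetString($bytes) } catch { $isUtf8 = $false }
    if ($isUtf8) {
        return [pscustomobject]@{ Encoding = $strictUtf8; Bom = 0; Reason = 'valid UTF-8, no BOM' }
    }

    # 3. Not UTF-8: assume the legacy code page. Loading such ANSI text into a
    #    database that expects another encoding is the usual source of mojibake.
    $legacy = [System.Text.Encoding]::GetEncoding($FallbackEncoding)
    return [pscustomobject]@{ Encoding = $legacy; Bom = 0; Reason = "not UTF-8, assuming $FallbackEncoding" }
}

function Convert-ImportFileEncoding {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutPath,
        [Parameter(Mandatory)][string]$TargetEncoding,   # e.g. 'utf-8' or 'gb2312', as the DAM database reports
        [string]$FallbackEncoding = 'gb2312'
    )
    $detected = Get-ImportFileEncoding -Path $Path -FallbackEncoding $FallbackEncoding
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    # Decode with the detected encoding, skipping its BOM, then encode for the database.
    $text     = $detected.Encoding.GetString($bytes, $detected.Bom, $bytes.Length - $detected.Bom)
    $target   = [System.Text.Encoding]::GetEncoding($TargetEncoding)
    [System.IO.File]::WriteAllBytes($OutPath, $target.GetBytes($text))   # written without a BOM
    [pscustomobject]@{ Source = $Path; DetectedAs = $detected.Reason; WrittenAs = $target.WebName; Output = $OutPath }
}

# Usage: Convert-ImportFileEncoding -Path .\assets.txt -OutPath .\assets-converted.txt -TargetEncoding 'utf-8'
```

Detection is done in that order on purpose: a BOM is authoritative, strict UTF-8 decoding rejects legacy-encoded bytes rather than silently replacing them, and only then is the legacy code page assumed. The output is written without a BOM, because some importers store the BOM bytes as part of the first field.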
The system prompts an invalid asset ID when you manually register an asset in iNode
Symptom
The iNode client prompts an invalid asset ID after you enter the asset ID in the window that opens from the iNode client.
Solution
Possible causes
1. The DAM server has no record of this asset.
2. The iNode client currently connects to the DAM server that uses a manually configured IP rather than the IP assigned after EAD authentication. The DAM server has no record for this asset.
Recommended actions
Reconfigure the iNode client with the DAM IP as the server IP. Make sure the server has unmanaged asset records.
The asset name changes frequently
Symptom
On the asset record details page, click Refresh on the right. The asset names change frequently or multiple assets share one record.
Solution
Possible causes
Cloning the environment causes different PCs installed from the same template to share the same asset record in DAM, leading to asset content changes.
Recommended actions
1. When the cloned environment contains physical machines
When you customize iNode in the template system, configure the desktop asset fingerprint settings as follows in the DAM configuration item:
- Select the disk serial number and MAC address.
- Prioritize the MAC address. Navigate to the Automation > Network Access > Desktop Asset Manager > System Management > System Parameters page, and set the Check MAC Address of Online Assets to Yes.
Figure 49 Check MAC address of online assets
2. When the cloned environment contains virtual machines
When you customize iNode in the template system, configure the desktop asset fingerprint settings as follows in the DAM configuration item:
- Select the disk serial number and MAC address.
- Prioritize the MAC address. Navigate to the Automation > Network Access > Desktop Asset Manager > System Management > System Parameters page, and set the Identifies an Asset Only by Disk Serial Number option to Disable.
Figure 50 Identifies an asset only by disk serial number
3. If re-customizing the template is not allowed, execute the following script on faulty assets to clear their asset IDs. This action will trigger clients to regenerate client IDs and restart the registration process.
NOTE: The preceding script does not take effect. To obtain a valid script, contact Technical Support.
Software distribution failed in DAM
Symptom
Software distribution failed in DAM.
Solution
Possible causes
The software name is configured incorrectly.
Recommended actions
1. Make sure the software name matches the name in the Add or Remove Programs window of the Windows control panel.
2. Make sure the software version matches the version in the Add or Remove Programs window of the Windows control panel. Click the Click here for support information link in the Add or Remove Programs window to check the software version.
DAM asset owner change issues
Symptom
When the owner of a registered asset in DAM changes, the endpoint asset owner is not updated in the asset details.
Solution
Possible causes
DAM does not automatically update the owners for assets by default.
Recommended actions
1. Navigate to the Automation > Network Access > Desktop Asset Manager > Argument Management > System Parameters page, and set the Update Responsible Person option to Enable.
Figure 51 Update responsible person
2. Restart the client operating system to trigger the asset onboarding process.