[IAG] After 802.1X authentication is configured, a user who changes the password through the authentication assistant can still authenticate and log in with an incorrect account and password

Problem Description

After 802.1X authentication is configured, a user who changes the password through the authentication assistant can still log in with an incorrect account and password.

Effective troubleshooting steps

  1. Confirm that the entered password is incorrect and that clicking Login still succeeds, although the user does not come online on the IAG.
  2. Check the configuration: 802.1X authentication redirection is enabled on the IAG, and the switch is configured with a guest VLAN.
  3. Check the online IPs on the IAG: the guest VLAN IP obtained by the PC is online without authentication.
  4. Check the customer's authentication policy. If none is configured, the default policy applies, and it does not require authentication.

Root cause

In a guest VLAN scenario, when the client logs in with an incorrect password, the 802.1X login fails: the client is not switched to 802.1X authentication and does not obtain an IP from the 802.1X authentication network segment. The client's guest VLAN IP then matches the device's authentication-free policy, so it goes online.

Solution

Configure an authentication policy that requires password authentication for the guest VLAN segment.
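
The root cause and the fix can be modelled as a policy lookup. This is an added example, not Sangfor code or configuration: the first-match policy model, the function names and both IP ranges are assumptions made for illustration.

```python
import ipaddress

# Constructed sample segments; neither range comes from the original case.
GUEST_VLAN = ipaddress.ip_network("192.168.50.0/24")  # guest VLAN on the switch
DOT1X_VLAN = ipaddress.ip_network("10.10.20.0/24")    # 802.1X-authenticated segment

NO_AUTH, PASSWORD = "none", "password"


def effective_method(ip, policies):
    """Auth method the gateway applies to ip (assumed first-match model).

    With no matching policy the default applies, which requires no
    authentication, as described in troubleshooting step 4.
    """
    addr = ipaddress.ip_address(str(ip))
    for net, method in policies:
        if addr in net:
            return method
    return NO_AUTH


def client_outcome(dot1x_ok, policies):
    """Follow one client: a failed 802.1X login leaves it in the guest VLAN."""
    segment = DOT1X_VLAN if dot1x_ok else GUEST_VLAN
    ip = next(iter(segment.hosts()))  # first usable address stands in for the lease
    return str(ip), effective_method(ip, policies)


def exposed_segments(segments, policies):
    """Names of segments where any host falls through to no authentication."""
    return [name for name, net in segments.items()
            if any(effective_method(h, policies) == NO_AUTH for h in net.hosts())]


BEFORE = []                        # no policy configured: default only
AFTER = [(GUEST_VLAN, PASSWORD)]   # the fix: password auth on the guest segment

if __name__ == "__main__":
    for label, policies in (("before", BEFORE), ("after", AFTER)):
        print(label, client_outcome(False, policies),
              exposed_segments({"guest-vlan": GUEST_VLAN}, policies))
```

Running the same check against every guest or fallback segment defined on the switches shows which ones still reach the default policy.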

Original Link

https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=25606&isOpen=true