Network Troubleshooting
For detailed RADIUS and Agent troubleshooting, see the Network Access Troubleshooting page. This page provides a quick reference for the most common issues.
Quick diagnostic checklist
| Symptom | First check |
|---|---|
| Visitors can't connect to WiFi | Is the Agent running and connected? (docker ps, dashboard agent status) |
| Agent shows "Disconnected" | Can the Agent reach the Atrium server? (network, TLS certs, WebSocket URL) |
| RADIUS rejects valid credentials | Shared secret match? Voucher exists on Agent? |
| Session not terminated on check-out | Firewall adapter configured? Firewall reachable from Agent? |
| Credentials shown but don't work | Agent connected? WiFi controller pointing to Agent's RADIUS? |
"No Agent connected" in dashboard
The site doesn't have an active Agent WebSocket connection. This means:
- WiFi vouchers can't be pushed to the Agent.
- Session termination commands can't be sent.
- Credentials are still generated and displayed, but they won't authenticate.
Fix: Deploy an Agent for this site, or check the existing Agent's connectivity. See Agent Deployment.
Visitors get credentials but WiFi doesn't work
Credentials are generated by the Atrium server, not by the Agent. If credentials are displayed but don't authenticate:
- Agent not connected: Vouchers never reached the RADIUS store.
- WiFi controller misconfigured: Not pointing to the Agent's IP/port.
- Shared secret mismatch: RADIUS exchanges fail silently.
- Voucher expired: Check the "valid until" time on the credentials.
Session termination FAQ
Q: Why does Atrium say termination is "best-effort"? Because firewall vendors implement CoA/DM inconsistently. Atrium sends the command and tracks the result, but can't guarantee the firewall complies. The credential revocation (RADIUS reject for new connections) is reliable; the active session teardown is best-effort.
Q: What happens if termination fails? The visitor can't establish new WiFi connections (credential is revoked). The existing session will time out via the firewall's own session timeout (typically 30–60 minutes). The failure is logged and visible in the dashboard.