Wrong "Service-Type" parameter is generated during MAC authentication

Publication Date: 2016-06-30
Issue Description

S5720EI  V2R7 Unified mode

We use interface config:

[HUAWEI-GigabitEthernet0/0/21]di th

#

interface GigabitEthernet0/0/21

port link-type hybrid

voice-vlan 715 enable

port hybrid pvid vlan 711

port hybrid tagged vlan 715

port hybrid untagged vlan 711

authentication mac-authen

authentication mode single-voice-with-data

dot1x reauthenticate

dot1x timer reauthenticate-period 60

dot1x authentication-method eap

 

We added the MAC address of the VoIP phone to ISE 1.3 Patch 6, but authentication failed every time.

Alarm Information


Handling Process

When I ran trace object on the VoIP phone's MAC address, I saw the following RADIUS attributes being sent to Cisco ISE:

trace object mac-address 001a-e85b-f394

trace enable

[BTRACE][2016/05/12 19:03:55][RADIUS][001a-e85b-f394]:

  Send a authentication request packet to radius server( server ip = 10.115.202.4).

[BTRACE][2016/05/12 19:03:55][RADIUS][001a-e85b-f394]:

  Server Template: 0

  Server IP   : 10.115.202.4

  Protocol: Standard

  Code    : 1

  Len     : 276

  ID      : 201

  [User-Name                           ] [14] [001ae85bf394]

  [User-Password                      ] [18] [7f 5e 62 36 b2 59 03 6a 74 91 96 c9 27 46 6b 7d ]

  [NAS-Port                           ] [6 ] [86731]

  [Service-Type                       ] [6 ] [2]

  [Framed-Protocol                    ] [6 ] [1]

  [Calling-Station-Id                 ] [16] [30 30 31 61 2D 65 38 35 62 2D 66 33 39 34 ]

  [NAS-Identifier                     ] [8 ] [HUAWEI]

  [NAS-Port-Type                      ] [6 ] [15]


  [Service-Type                       ] [6 ] [2]


From Hedex:

For MAC authentication the device should send Service-Type 10 (Call Check).

Root Cause

On ISE the customer has a policy that checks the Service-Type attribute and expects it to be 10.

But the Huawei switch always sends attribute 6 (Service-Type) with value 2, no matter whether 802.1X, MAC authentication or MAC bypass is used.
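As an added example (not part of the original case), this is the check the ISE policy is effectively making, written in Python against a RADIUS Access-Request constructed from the attribute values in the trace above. Attribute type numbers are the standard ones from RFC 2865; the Request Authenticator is a zero placeholder and the User-Password attribute is omitted.

```python
import struct

# RADIUS attribute types from RFC 2865 that appear in the trace
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID = 1, 6, 31
NAS_IDENTIFIER, NAS_PORT_TYPE = 32, 61
SERVICE_TYPE_FRAMED, SERVICE_TYPE_CALL_CHECK = 2, 10


def parse_radius(packet):
    """Parse a RADIUS packet into (code, identifier, {attr_type: [raw values]})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs = {}
    pos = 20  # header is 4 bytes + 16-byte Request Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs


def build_request(ident, attrs):
    """Build an Access-Request (Code 1); authenticator is a constructed zero placeholder."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body


def mac_auth_service_type_mismatch(packet):
    """True when the request looks like MAC authentication (User-Name is the
    12 hex digits of Calling-Station-Id) but Service-Type is not 10 (Call Check)."""
    code, _, attrs = parse_radius(packet)
    if code != 1 or USER_NAME not in attrs or CALLING_STATION_ID not in attrs:
        return False
    user = attrs[USER_NAME][0].decode("ascii", "replace").lower()
    csid = attrs[CALLING_STATION_ID][0].decode("ascii", "replace").lower()
    mac = csid.replace("-", "").replace(":", "").replace(".", "")
    if len(user) != 12 or user != mac:
        return False  # dot1x or some other non-MAC username: policy does not apply
    svc = [struct.unpack("!I", v)[0] for v in attrs.get(SERVICE_TYPE, [])]
    return svc != [SERVICE_TYPE_CALL_CHECK]


# Constructed packet reproducing the attribute values seen in the trace (Service-Type 2)
TRACE_REQUEST = build_request(201, [
    (USER_NAME, b"001ae85bf394"),
    (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
    (CALLING_STATION_ID, b"001a-e85b-f394"),
    (NAS_IDENTIFIER, b"HUAWEI"),
    (NAS_PORT_TYPE, struct.pack("!I", 15)),
])
```

Running the same check against a request carrying Service-Type 10 (the value the huawei-mac template in the workaround sets) returns False, so the function can be used to confirm the fix on a packet capture.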

Solution

V2R6, V2R7 and V2R8 have this bug; V200R005C00SPC500 fixed this bug.

The latest version is V2R9, and this version will solve this bug.

Currently V2R9 is controlled and not for general use.

Next month, around mid-June, the new V2R9 version will be released according to the plan.

The next patch will also solve this bug; it will be released around July.

Suggestions

Before the patch is released, we can use two separate domains with different authentication modes:

one for 802.1X, another for MAC authentication. In the MAC authentication domain, manually set the Service-Type attribute.

Example for 802.1X with MAC bypass:

!Software Version V200R007C00SPC500

#

sysname HUAWEI

#

vlan batch XXX

#

domain mab mac-authen force

#

domain sbrf

#

dot1x authentication-method eap

#

lldp enable

#

clock timezone msk add 03:00:00

#

diffserv domain default

#

radius-server template huawei

 radius-server shared-key cipher XXX

 radius-server authentication XXX 1812 weight 80

 undo radius-server user-name domain-included

 radius-server detect-server interval 10 

 

radius-server template huawei-mac

 radius-server shared-key cipher XXX

 radius-server authentication XXX 1812 weight 80

 undo radius-server user-name domain-included

 radius-server detect-server interval 10

 radius-attribute set Service-Type 10

drop-profile default

#

aaa

 authentication-scheme default

 authentication-scheme huawei

  authentication-mode radius

 authorization-scheme default

 accounting-scheme default

 accounting-scheme huawei

  accounting-mode radius

  accounting realtime 1

 domain default

 domain default_admin

 domain sbrf

  authentication-scheme huawei           

  accounting-scheme huawei

  radius-server huawei

  statistic enable

 domain mab

  authentication-scheme huawei

  accounting-scheme huawei

  radius-server huawei-mac

  statistic enable

#

interface GigabitEthernet0/0/21

 port link-type hybrid

 voice-vlan 715 enable

 port hybrid pvid vlan 711

 port hybrid tagged vlan 715

 port hybrid untagged vlan 711

 authentication dot1x mac-authen

 dot1x authentication-method eap

 mac-authen username macaddress format with-hyphen

 

END