
1469022

Publication Date:  2017-11-09 Views:  276 Downloads:  0
Issue Description

After adding a hub between the dot1x client and the authenticating device, no dot1x user can authenticate successfully.

Topology as below:



Alarm Information

We checked the aaa online-fail-record and found the following information:

  User name               : b025aa0bb148
  Domain name             : default
  User MAC                : b025-aa0b-b148
  User access type        : None
  User access interface   : GigabitEthernet0/0/12
  Qinq vlan/User vlan     : 0/111
  User IP address         : 10.64.115.50
  User IPV6 address       : FE80::C9DE:EF4C:B85D:35EA
  User ID                 : 36
  User login time         : 2017/11/08 20:21:27
  User online fail reason : Radius authentication reject
  Authen reply message    : Authentication fail

Handling Process

1-      Understand the dot1x authentication process.

2-      We checked the dot1x statistics: no packets at all had been received from the dot1x clients.

3-      We requested a capture on port g0/0/12, the interface connected to the hub, to confirm whether the dot1x client or the hub sends EAP packets to the device.

Capture 1: normal EAP authentication process. The dot1x client is connected directly to the authenticating device. There are 10 packets in total, from start to success.

Capture 2: abnormal EAP process. The dot1x client is connected to the hub, and the hub is connected to interface g0/0/12 of the authenticating device.

Capture 3: abnormal EAP process.

From captures 1, 2 and 3 we can see that all EAP packets are sent by the authenticating device; there is no response packet from the dot1x clients.


Root Cause

EAP frames are handled as BPDU packets: they are sent to the CPU for processing rather than forwarded at Layer 2. Therefore, if there is another Layer 2 device between the dot1x client and the authenticating device, that device must be configured to permit (transparently transmit) these EAP packets.

For how to configure l2protocol-tunnel, please refer to the link below:

http://support.huawei.com/hedex/pages/EDOC1000135317AEG0221R/04/EDOC1000135317AEG0221R/04/resources/dc/l2protocol_transport_commands.html?ft=0&fe=10&hib=14.1.6.17&id=l2protocol_transport_commands&text=Layer%25202%2520Protocol%2520Transparent%2520Transmission%2520Commands&docid=EDOC1000135317
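The following Python script is an added example, not part of this case or of any Huawei tool. It performs the check described in the Handling Process (which side of the link the EAP frames come from) and illustrates the Root Cause: EAPOL frames carry the IEEE 802.1X PAE group destination 01-80-C2-00-00-03, which lies in the 01-80-C2-00-00-00 to 0F block that 802.1D bridges must not forward, so a bridge in the path consumes them unless Layer 2 protocol transparent transmission is configured. The frames are constructed inline; the supplicant MAC is the user MAC from the online-fail record above, and the authenticator MAC is a made-up placeholder.

```python
"""Classify EAPOL/EAP frames from a capture and flag a one-sided exchange
(authenticator requests with no supplicant responses).  Added example with
constructed frames; not taken from the captures in this case."""
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
# IEEE 802.1X PAE group address.  It sits in the 01-80-C2-00-00-00..0F block
# that 802.1D bridges are required not to forward, which is why a bridge in
# the path may punt EAPOL to its own CPU instead of relaying it.
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "EAP-Request", 2: "EAP-Response", 3: "EAP-Success", 4: "EAP-Failure"}


def is_bridge_reserved(mac: bytes) -> bool:
    """True for 01-80-C2-00-00-00 through 01-80-C2-00-00-0F."""
    return mac[:5] == bytes.fromhex("0180c20000") and mac[5] <= 0x0F


def eapol_frame(src, dst, eapol_type, eap_code=None, eap_id=1, eap_type=1):
    """Build a minimal Ethernet/EAPOL frame; an EAP body only for EAP-Packet."""
    body = b""
    if eapol_type == 0:
        if eap_code in (1, 2):            # Request/Response carry a Type byte
            body = struct.pack("!BBHB", eap_code, eap_id, 5, eap_type)
        else:                             # Success/Failure are header only
            body = struct.pack("!BBH", eap_code, eap_id, 4)
    hdr = struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 1, eapol_type, len(body))
    return dst + src + hdr + body


def parse_eapol(frame: bytes):
    """Return (src, dst, eapol_type, eap_code) or None if the frame is not EAPOL."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    dst, src = frame[:6], frame[6:12]
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    eap_code = frame[18] if eapol_type == 0 and length >= 4 and len(frame) >= 22 else None
    return src, dst, eapol_type, eap_code


def summarize(frames, authenticator_mac: bytes) -> dict:
    """Count EAPOL/EAP messages per direction and flag a one-sided exchange."""
    from_auth, from_supp = Counter(), Counter()
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed is None:
            continue
        src, _dst, eapol_type, eap_code = parsed
        if eapol_type == 0:
            label = EAP_CODES.get(eap_code, "EAP-Unknown")
        else:
            label = EAPOL_TYPES.get(eapol_type, "EAPOL-Unknown")
        (from_auth if src == authenticator_mac else from_supp)[label] += 1
    one_sided = bool(from_auth) and not from_supp
    verdict = ("only authenticator frames seen; EAPOL uses the bridge-reserved "
               "destination 01-80-C2-00-00-03, so check any Layer 2 device in the "
               "path for Layer 2 protocol transparent transmission"
               if one_sided else "bidirectional EAP exchange")
    return {"from_authenticator": dict(from_auth), "from_supplicant": dict(from_supp),
            "one_sided": one_sided, "verdict": verdict}


# Constructed sample frames.  SUPP_MAC is the user MAC from the online-fail
# record; AUTH_MAC is a placeholder, not the real authenticator's address.
AUTH_MAC = bytes.fromhex("000000aabbcc")
SUPP_MAC = bytes.fromhex("b025aa0bb148")

# Client connected directly: start, identity exchange, challenge, success.
NORMAL_EXCHANGE = [
    eapol_frame(SUPP_MAC, PAE_GROUP_MAC, 1),                                  # EAPOL-Start
    eapol_frame(AUTH_MAC, SUPP_MAC, 0, eap_code=1, eap_id=1),                  # Request/Identity
    eapol_frame(SUPP_MAC, PAE_GROUP_MAC, 0, eap_code=2, eap_id=1),             # Response/Identity
    eapol_frame(AUTH_MAC, SUPP_MAC, 0, eap_code=1, eap_id=2, eap_type=4),      # Request/MD5-Challenge
    eapol_frame(SUPP_MAC, PAE_GROUP_MAC, 0, eap_code=2, eap_id=2, eap_type=4), # Response/MD5-Challenge
    eapol_frame(AUTH_MAC, SUPP_MAC, 0, eap_code=3, eap_id=2),                  # Success
]
# Client behind the hub: the authenticator keeps soliciting, nothing comes back.
ONE_SIDED_EXCHANGE = [
    eapol_frame(AUTH_MAC, PAE_GROUP_MAC, 0, eap_code=1, eap_id=n) for n in (1, 2, 3)
]

if __name__ == "__main__":
    for name, frames in (("direct", NORMAL_EXCHANGE), ("via hub", ONE_SIDED_EXCHANGE)):
        print(name, summarize(frames, AUTH_MAC))
```

To apply this to a real capture, feed `summarize()` the raw Ethernet frames (for example from a pcap reader) together with the authenticating device's interface MAC; a result with `one_sided` set reproduces what captures 2 and 3 showed in this case.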



Suggestions

When Layer 2 protocol packets with a specified multicast destination MAC address need to be transparently transmitted on an ISP network, you can define characteristic information about the Layer 2 protocol on devices on the ISP network.

END