802.1X fails to pass authentication at MA5200F because of “uploading IP” configuration at client

Publication Date:  2012-07-27 Views:  94 Downloads:  0
Issue Description

 Version: MA2.130-7135 (Independent of versions)
Client Version: HUAWEI 2.10 (Independent of versions) 
Install HUAWEI 802.1x dial-in client at PC. In dial-in authentication, it always prompts failure, and users cannot access network.


Alarm Information

Turn on the switch of debug radius packet for MA5200F. When the domain is configured with eap-end pap, it shows the user name is irrecognizable, as follows:
* [2005/08/02 19:55:22-] RDS-8-02033000:
  Radius Sent a Packet
  Server Group: 1
  Server IP   :
  Protocol: IPhotel
  Code    : 1
  Len     : 203
  ID      : 17
  [User-name(1)                       ] [4 ] []
  [Password(2)                        ] [18] [0ab541de64bebb4d6f06e15f08246a3b]
  [NAS-Port(5)                        ] [6 ] [102420]
When the domain is configured to eap-end chap, we could see the correct user name, but it prompts failure of authentication, being rejected by RADIUS. 

Handling Process

1. Turn on the switch of debug radius packet for MA5200F. When using PAP authentication, MA5200 shows that the user name at RADIUS is unrecognizable;
2. Capture packets at client. It is found that the user name sent by a client is unrecognizable, so we could ascertain that the client is problematic;
3. Check the options selected at client. “Upload the IP of client”  is marked. As soon as the option is removed, services are resumed normally.

Root Cause

The problem roots in that the client selects “Upload the IP of client” option, so when the client uses PAP authentication, it uploads false user name . MA5200 does not regard the user name as ASCII, resulting in failure of authentication of the user. Perhaps different options at client do not work well with OS, causing the user name sent by the client to be error.