Agile Controller dot1x VLAN assignment fail issue

Publication Date:  2016-05-23
Issue Description

The customer planned to use dot1x VLAN assignment to assign addresses to wireless users. After configuring dot1x VLAN assignment, they found that the terminal was assigned to the VLAN but could not obtain an address. HUAWEI GTAC engineers analyzed the issue and found that the root cause was that the share-key between the AC and the Agile Controller differed from the share-key between the Agile Controller and the RADIUS server. The problem was solved by unifying the share-key.

ACU2 version: V200R006C10SPC100

Agile Controller version: V100R001C00SPC300

Alarm Information

The display output on the ACU2 shows that the terminal has been moved to the target VLAN but has not obtained an address; the behaviour repeats on every attempt.


[ACU2]dis access-user mac-address 502e-5cef-c197

Basic:
  User ID                         : 20832
  User name                       : accessscanner
  User MAC                        : 502e-5cef-c197
  User IP address                 : -
  User IPv6 address               : -
  User access Interface           : Wlan-Dbss1582
  User vlan event                 : Success
  QinQVlan/UserVlan               : 0/619
  User access time                : 2016/04/28 12:45:56
  User accounting session ID      : AC-VIP-00000000000619761959020832
  Option82 information            : -
  User access type                : 802.1x
  AP name                         : AP-MB2-19
  Radio ID                        : 0
  AP MAC                          : f84a-bf5a-4640
  SSID                            : ArenA1
  Online time                     : 1(s)
  Dynamic VLAN ID                 : 619
  Dynamic service scheme          : ******


Analysis of the debug output shows that the EAP packet was sent to the user successfully:

<ACU2>
Apr 28 2016 10:46:21.92.6+01:00 AC-VIP-Master DOT1X/7/DEBUG:
[EAPOL-packet] Send EAP packet to user successfully. (type:4, packet length:26, output interface:Wlan-Dbss1582, VLAN:619, return:0)

Handling Process

Analysis of the Agile Controller log shows that the Agile Controller is running as a RADIUS proxy; the real RADIUS server is Cisco ISE.


501 Receive an authentication packet 2016-04-28 13:51:26 781
508 Match the authentication rule-******
509 Match the authentication data source-****** LAN
616 Use the RADIUS proxy to process request packets from the switch
618 Create a Proxy session with the ID 00 00 01 54 5C B5 9E 39 00 00 01 54 5C B5 9E 39
619 Forward the authentication request packet to the external RADIUS server 2016-04-28 13:51:26 781

501 Receive an authentication packet 2016-04-28 13:51:26 797
617 Use the RADIUS proxy to process response packets from the external RADIUS server
620 Forward the authentication response packet to the switch 2016-04-28 13:51:26 797

Root Cause

Finally, by tracing the terminal, we found that the 4-way handshake failed to establish:


[15:29:34] [EAPoL] [502e-5cef-c197]: Send EAP request packet to user successfully. (Index:607)
[15:29:38] [WLAN_AC] [502e-5cef-c197]: [WSEC] 4-way-handshake failed (Code:00000502).
[15:29:38] [WLAN_AC] [502e-5cef-c197]: [WSTA] Process STA authentication done reques
[15:29:38] [WLAN_AC] [502e-5cef-c197]: [WSTA] User was (QtJJ Type:1, QflJjj code:128
[15:29:38] [WLAN_AC] [502e-5cef-c197]: [WSTA] Process delete STA request message(ApName:AP-MB2-1


Further analysis pointed to the root cause: the share-key between the AC and the Agile Controller differed from the share-key between the Agile Controller and the RADIUS server. The customer confirmed that this was indeed the case.
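The article does not spell out why a share-key mismatch shows up as a 4-way handshake failure rather than a rejected RADIUS exchange. One mechanism consistent with the log (the Access-Accept was forwarded and the VLAN applied, but the handshake failed) is the key delivery itself: the PMK is carried in the MS-MPPE-Recv-Key attribute, wrapped with the RADIUS shared secret per RFC 2548, so a proxy sitting between two different secrets must unwrap and re-wrap it. The added example below is not Huawei, Cisco or Agile Controller code; it simulates ISE -> proxy -> AC with constructed secrets, PMK and Request Authenticator, and assumes the same Request Authenticator on both legs for simplicity.

```python
# Illustration of RFC 2548 MS-MPPE key wrapping across a RADIUS proxy.
# MD5 is what the RFC specifies for this wrapping; it is not a design choice here.
import hashlib

PMK = bytes(range(32))                       # constructed 32-byte PMK from the server
REQ_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed authenticator
SALT = b"\x80\x01"                           # RFC 2548: top bit of the salt must be set


def _mppe_keystream_xor(data, secret, authenticator, salt, decrypt):
    """Block-chained MD5 keystream: b(1) = MD5(S+R+A), b(i) = MD5(S+c(i-1))."""
    if len(data) % 16:
        raise ValueError("MPPE key material must be a multiple of 16 bytes")
    out, prev = b"", authenticator + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, stream))
        prev = block if decrypt else out[-16:]   # always chain on the ciphertext block
    return out


def encrypt_mppe_key(key, secret, authenticator, salt):
    """Wrap a key as an MS-MPPE-*-Key attribute value (salt + ciphertext)."""
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)        # zero-pad to a 16-byte boundary
    return salt + _mppe_keystream_xor(plain, secret, authenticator, salt, False)


def decrypt_mppe_key(blob, secret, authenticator):
    """Unwrap an MS-MPPE-*-Key value; a wrong secret yields garbage, not an error."""
    salt, cipher = blob[:2], blob[2:]
    plain = _mppe_keystream_xor(cipher, secret, authenticator, salt, True)
    return plain[1:1 + plain[0]]


def pmk_seen_by_ac(server_secret, ac_secret, proxy_rewraps):
    """Simulate ISE -> Agile Controller (RADIUS proxy) -> AC; return the PMK the AC derives."""
    attr = encrypt_mppe_key(PMK, server_secret, REQ_AUTH, SALT)       # server leg
    if proxy_rewraps:   # proxy unwraps with the server-leg key and re-wraps for the AC leg
        inner = decrypt_mppe_key(attr, server_secret, REQ_AUTH)
        attr = encrypt_mppe_key(inner, ac_secret, REQ_AUTH, SALT)
    return decrypt_mppe_key(attr, ac_secret, REQ_AUTH)                # AC unwraps with its own key


if __name__ == "__main__":
    print("unified key, passthrough  :", pmk_seen_by_ac(b"s", b"s", False) == PMK)     # True
    print("different keys, passthrough:", pmk_seen_by_ac(b"ise", b"ac", False) == PMK)  # False: wrong PMK, handshake fails
    print("different keys, re-wrapped :", pmk_seen_by_ac(b"ise", b"ac", True) == PMK)   # True
```

With a unified share-key the wrapped key passes straight through; with different keys the AC derives a different PMK from the supplicant's and the 4-way handshake cannot complete, which matches the WSEC failure in the trace.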

Solution

The problem was solved by unifying the share-key, so that the AC to Agile Controller leg and the Agile Controller to RADIUS server leg use the same key.

Suggestions

When the Agile Controller runs as a RADIUS proxy, a difference between the two share-keys causes this kind of failure, so it is better to unify them by default or to prompt the administrator to do so.

END