Huawei S Series Campus Switches Troubleshooting Guide(V100 and V200)
User Access and Authentication FAQ
- Which Conditions Trigger an Active/Standby Switchover on RADIUS and HWTACACS Servers?
- Both Local and Remote RADIUS or HWTACACS Authentication Are Configured on the Switch. When the Remote Authentication Server Does Not Respond, Local Users Cannot Log In and the Message "aaa user cut" Is Displayed. Why?
- During RADIUS/HWTACACS Authentication, Authentication Fails Because of the Incorrect User Name and Password Based on the Debugging Information. Actually, the User Name and Password Are Configured on the Authentication Server. What Are the Causes?
- Why Is a User Not Displayed as Online on the RADIUS Server After the User Succeeds in Authentication?
- Why Cannot the NAS-IP-Address Attribute Be Configured for RADIUS Authentication?
- In What Situation Can Multicast-triggered Authentication Be Enabled?
- How to Use 802.1X to Enable Non-Authentication for Users?
- Why Is the Traffic-based Accounting Result Affected After the reset counters interface Command is Used to Clear the Packet Statistics on a Port?
- Why Does HWTACACS Authentication Fail When Non-authorization Is Configured on the Switch?
- 802.1X Authentication Is Configured on a Switch, and H3C iNode Is Used as the 802.1X Client. Why Does the System Not Display an Error Message When the User Name or Password Is Incorrect?
- In What Situations Will a Switch Determine that a User's MAC Address is Aged Out and Disconnect the User?
- After the Software Version is Rolled Back from V200R001 to V100R006, Why Cannot I Log In to the Switch Using the Original User Name and Password?
- Why Can Users Access the Guest VLAN Through an Interface That Is Not in the Guest VLAN?
- Users Go Offline When ARP Probe Fails During 802.1X or MAC Address Authentication
- How Can Transparent Transmission of 802.1X Authentication Packets Be Configured on an Access Switch?
- What Is Fast 802.1X Deployment?
- Why Does 802.1X Authentication Fail on a Windows PC When a Remote Desktop Is Connected?
- Will Configuring Port Security Disconnect Users After Authentication Is Configured on an Interface?
- Why Does the Authorized VLAN Delivered by the RADIUS Server to Control User Rights Not Take Effect After 802.1X Authentication Succeeds?
- Does Portal Authentication Support Secondary Addresses?
- How Can a Portal Authentication Page Be Automatically Displayed on a Terminal?
- What Algorithms Are Used for cipher and irreversible-cipher in the local-user user-name password { cipher | irreversible-cipher } password Command?
- What Are the Common Authentication Bypass Solutions?
- An Authenticated User Goes Offline Unexpectedly with the Cause "Accounting Server No Response". How Do I Quickly Rectify the Fault?
- Differences Between Wired and Wireless MAC Address Authentication
- How Do I Check Whether HWTACACS Command Authorization Fails?
- How Do I Check Whether a Local or Remote Account Is Used to Log In to a Device?
- How Do OSPFv3 and OSPF Summarized Routes Generate Blackhole Routes?
- Failed to Execute the as access Command
- Can Dual-stack Authentication Be Implemented on a Switch? After IPv4 Authentication Is Performed, Can IPv6 Users Access the Internet Without Authentication?
- How Do I Configure Non-Authentication for APs on a Native AC Interface That Has Wired Authentication Configured?
- Why Is the Wired Portal Authentication Page Displayed Slowly in the Edge Browser?
Which Conditions Trigger an Active/Standby Switchover on RADIUS and HWTACACS Servers?
An active/standby switchover between RADIUS servers is triggered when the master RADIUS server does not respond or the number of retransmitted request packets reaches the maximum value.
An active/standby switchover between HWTACACS servers is triggered when the request packet fails to be sent to the master server, the master server does not respond, the master server requests re-authentication, or the master server considers the request packet invalid.
Both Local and Remote RADIUS or HWTACACS Authentication Are Configured on the Switch. When the Remote Authentication Server Does Not Respond, Local Users Cannot Log In and the Message "aaa user cut" Is Displayed. Why?
Users fail to log in because accounting fails. The switch is configured with authentication and accounting, but does not support accounting. To solve the problem, run the accounting start-fail online command in the accounting scheme view to configure the switch to keep users online after accounting fails. All fixed switches of V100R003 must have V100R003SPH005 or later installed.
During RADIUS/HWTACACS Authentication, Authentication Fails Because of the Incorrect User Name and Password Based on the Debugging Information. Actually, the User Name and Password Are Configured on the Authentication Server. What Are the Causes?
Run the debugging aaa all command to enable the debugging of the AAA module and check whether the command output contains the following information:
status:AUTHEN_STATUS_GETPASS
status:AUTHEN_STATUS_FAIL
This problem occurs because the user name contains the domain name. Check whether the user name configured on the authentication server contains the domain name.
- If the user name contains the domain name, run the radius-server user-name domain-included command in the RADIUS server template view or the hwtacacs-server user-name domain-included command in the HWTACACS server template view.
- If the user name does not contain the domain name, run the undo radius-server user-name domain-included command in the RADIUS server template view or the undo hwtacacs-server user-name domain-included command in the HWTACACS server template view.
Why Is a User Not Displayed as Online on the RADIUS Server After the User Succeeds in Authentication?
The RADIUS server determines whether a user is online based on whether accounting is performed for the user, not on whether authentication succeeds. If the user passes authentication but no accounting is performed, the RADIUS server considers the user offline. Therefore, in scenarios where accounting is used, check that the accounting function is correctly enabled.
Why Cannot the NAS-IP-Address Attribute Be Configured for RADIUS Authentication?
The S2700 running V100R006 does not support the NAS-IP-Address attribute for RADIUS authentication.
In What Situation Can Multicast-triggered Authentication Be Enabled?
If port-based 802.1X authentication is configured on a port, the function of triggering authentication by multicast packets is automatically enabled. This function is used for clients that cannot send EAPOL-Start packets on their own. If a guest VLAN is configured and the configuration takes effect, the port is added to the guest VLAN after the attempts to trigger authentication by multicast packets fail six times. Then multicast-triggered authentication is disabled temporarily.
In port-based 802.1X authentication mode, multicast-triggered authentication is enabled again when the user on the port goes offline.
If the port has been Down for more than 10 seconds, multicast-triggered authentication is enabled again when the port becomes Up.
How to Use 802.1X to Enable Non-Authentication for Users?
After 802.1X authentication is enabled globally and on an interface, non-authentication can be implemented for specific users according to the MAC addresses of users.
To implement this function, configure the MAC address of the user to be exempted from authentication as a static MAC address entry on the access interface in the specified VLAN.
Why Is the Traffic-based Accounting Result Affected After the reset counters interface Command is Used to Clear the Packet Statistics on a Port?
Traffic-based accounting is based on the packet statistics collected on ports. Clearing the packet statistics on a port affects traffic-based accounting on the port. Therefore, do not clear the packet statistics on a port by using the reset counters interface command unless necessary in a normal application environment.
Why Does HWTACACS Authentication Fail When Non-authorization Is Configured on the Switch?
When an HWTACACS server template is configured, the authorization server must be specified for the switch even if non-authorization is configured. Otherwise, HWTACACS authentication fails.
802.1X Authentication Is Configured on a Switch, and H3C iNode Is Used as the 802.1X Client. Why Does the System Not Display an Error Message When the User Name or Password Is Incorrect?
The authentication method configured on the switch is incorrect. Run the dot1x authentication-method eap command to configure EAP authentication for 802.1X users.
In What Situations Will a Switch Determine that a User's MAC Address is Aged Out and Disconnect the User?
If no IP address has been assigned to the VLANIF interface of the VLAN to which a user's MAC address belongs in V200R003 and later versions, ARP probe may fail due to the following reasons and the user who passes MAC address authentication may be disconnected:
- The switch sends an ARP probe packet using the broadcast address 255.255.255.255 as the destination address, but the user terminal does not reply to the ARP request packet.
- The switch sends an ARP probe packet using the broadcast address 255.255.255.255 as the destination address, but the user terminal replies to the ARP request packet with an incorrect IP address.
To ensure that a user using MAC address authentication is online, the switch periodically sends ARP offline probe packets to the user terminal. If the user terminal does not respond within the offline detection interval, the switch considers that the user has gone offline.
To configure the offline detection interval, run the mac-authen timer offline-detect offline-detect-value command in the system view. By default, the offline detection interval is 300 seconds.
If the VLAN to which a user terminal passing MAC address authentication belongs does not have a corresponding VLANIF interface or no IP address has been assigned to the corresponding VLANIF interface, run the access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address command to set a source IP address for ARP offline probe packets, so that the switch can send ARP offline probe packets to the terminal.
The access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address command only applies to MAC address authentication users connected to Layer 2 Ethernet interfaces.
The source MAC addresses of ARP offline probe packets must be unicast MAC addresses.
You are advised to configure the source addresses of ARP offline probe packets to the gateway's IP address and its corresponding MAC address.
If a user connected to the physical interface is online, this command takes effect for the user only after the user goes online again or the switch re-authenticates the user.
After the Software Version is Rolled Back from V200R001 to V100R006, Why Cannot I Log In to the Switch Using the Original User Name and Password?
V200R001 encrypts passwords using a new encryption algorithm that is incompatible with the one used in the old version. Therefore, the old password cannot be used after the version is rolled back. To log in to the device using the original user name and password, configure them on the device again.
Why Can Users Access the Guest VLAN Through an Interface That Is Not in the Guest VLAN?
When an 802.1X enabled device has the guest VLAN configured:
- If users connect to an access interface, they are allowed to access the guest VLAN before being authenticated.
When you run the display this command on the interface, you will find that the interface is not in the guest VLAN. However, the device still adds the guest VLAN tag on the packets from these users. Therefore, these users are allowed to access the guest VLAN.
- If users connect to a trunk interface, the device changes the VLAN tag in user packets to the guest VLAN tag only when the VLAN tag in user packets is the same as the interface PVID. Then the device allows these users to access the guest VLAN.
Users Go Offline When ARP Probe Fails During 802.1X or MAC Address Authentication
The device sends an ARP probe packet to check the status of a user. If the user does not respond within a detection period, the device determines that the user is offline.
The device uses 255.255.255.255 as the source IP address of offline detection packets by default in versions earlier than V200R011C10, and 0.0.0.0 in V200R011C10 and later versions. Some clients do not respond to an ARP probe packet that carries this default source IP address, so the device treats the user as offline. In this case, the administrator can run the access-user arp-detect default ip-address ip-address command to change the default source IP address of the ARP probe packet, or run the access-user arp-detect vlan vlan-id ip-address ip-address mac-address mac-address command to specify the source IP address and source MAC address of the offline detection packet in a VLAN.
How Can Transparent Transmission of 802.1X Authentication Packets Be Configured on an Access Switch?
When an aggregation switch performs 802.1X authentication, configure transparent transmission of EAP packets on an access switch; otherwise, the access switch will terminate the EAP packets.
Configure the access switch to transparently transmit 802.1X packets. The following uses the configuration of the uplink interface GE0/0/1 and downlink interface GE0/0/2 as an example. The configurations of other downlink interfaces (GE0/0/3 to GE0/0/n) are similar to the configuration of GE0/0/2, and are not mentioned here.
[SwitchB] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchB-GigabitEthernet0/0/2] bpdu enable
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchB-GigabitEthernet0/0/1] bpdu enable
[SwitchB-GigabitEthernet0/0/1] quit
What Is Fast 802.1X Deployment?
In an 802.1X network deployment, if the 802.1X client software has to be downloaded and upgraded for each access user, the administrator faces a huge workload when there are a large number of access users. You can configure an authentication-free subnet and a redirect-to URL for users to implement fast deployment of the 802.1X client.
Before the access user passes 802.1X authentication, the user can access the network resources in an authentication-free subnet if the authentication-free subnet is configured. If a redirect-to URL is configured for the 802.1X authentication user and the user accesses a network with a browser, the device redirects the URL that the user attempts to access to the configured URL (for example, to the 802.1X client download web page). In this way, the web page preset by the administrator is displayed when the user starts the browser. The server that provides the redirect-to URL must be located in the authentication-free subnet of the user.
Configuration commands:
- Configuring an authentication-free subnet:
- In NAC common mode, run the dot1x free-ip ip-address { mask-length | mask-address } command in the system view to configure resources that users can access before being authenticated. When this command is configured, DHCP packets of users are allowed to pass through.
- In NAC unified mode on a switch running a version earlier than V200R009C00, run the authentication free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } | any } } | source { any | { interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id } * } } * command in the system view to configure an NAC authentication-free rule for users.
- In NAC unified mode on a switch running the version of V200R009C00 or later, configure an authentication-free rule in the authentication-free rule profile to specify the resources that users can access before being authenticated. For details about the configuration, see "Configuration" > "User Access and Authentication Configuration" > "NAC Configuration (Unified Mode)" > "Configuring Authorization Information for Authentication-free Users."
- Configuring a redirect-to URL: Run the dot1x url url-string command in the system view to configure the 802.1X client download web URL as the redirect-to URL. When a user uses a browser to access resources not in the authentication-free subnet, the device redirects the URL that the user attempts to access to the 802.1X client download web URL after the device receives HTTP packets from the user. The user then can download and install the 802.1X client.
Why Does 802.1X Authentication Fail on a Windows PC When a Remote Desktop Is Connected?
[Answer]
The identity authentication mode for 802.1X authentication on the PC is User authentication. When a remote desktop is connected to and accesses a Windows PC that has passed 802.1X authentication, the access persists for 2 minutes, and then the connection is lost. As a result, 802.1X authentication fails.
[Solution]
Change the identity authentication mode of 802.1X authentication on the PC to User or computer authentication or Computer authentication. The change method is as follows: Choose Control Panel > Network and Internet > Network Connections, right-click the current network connection, and the Properties dialog box is displayed. Choose Authentication > Additional Settings. Set Specify authentication mode to User or computer authentication or Computer authentication.
Will Configuring Port Security Disconnect Users After Authentication Is Configured on an Interface?
- If an authentication profile has been bound to an interface, run the port-security max-mac-num max-number command to set the maximum number of secure MAC addresses learned by the interface to be greater than or equal to the number of online users on the interface, and then run the port-security enable command to enable port security. In this case, authenticated users will not be affected.
- If the maximum number of secure MAC addresses to be learned is not configured on the interface but port security is enabled, the number of MAC addresses to be learned by the interface defaults to 1, and only one authenticated user on the interface remains online.
Why Does the Authorized VLAN Delivered by the RADIUS Server to Control User Rights Not Take Effect After 802.1X Authentication Succeeds?
- The interface that has the dynamic VLAN authorized is an access interface, which does not support authorized VLANs.
- Run the display vlan summary or display vlan vlan-id command to check whether the corresponding VLAN is created.
- The number of authorized VLAN attributes is incorrect. When delivering dynamic VLANs, the server needs to deliver three attributes: Tunnel-Type 64 (integer type with a fixed value of 13), Tunnel-Medium-Type 65 (integer type with a fixed value of 6), and Tunnel-Private-Group-Id 81 (string type, which is a specific VLAN or the description of a VLAN created on the device).
- Tunnel-Private-Group-Id 81 is a string, but some servers deliver a hexadecimal number, which does not comply with RFC specifications. As a result, the device cannot identify this attribute.
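The following Python example, added here and not part of the Huawei documentation, shows what the check in the last two items looks like on the wire: it encodes the three tunnel attributes (with the optional RFC 2868 tag octet), parses an attribute list as a NAS would, and reports a missing attribute, a wrong fixed value, or a Tunnel-Private-Group-Id that was delivered as a binary number instead of a string. The sample Access-Accept attribute lists at the bottom are constructed for the example; the attribute numbers and fixed values (64=13, 65=6, 81=string) are the ones given in the text.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # fixed Tunnel-Type value given on the page
MEDIUM_IEEE_802 = 6     # fixed Tunnel-Medium-Type value given on the page


def encode_attr(attr_type, value, tag=None):
    """Encode one RADIUS attribute (Type, Length, Value). Tunnel attributes may carry a
    leading tag octet (RFC 2868); a tagged integer then has only three value octets."""
    if isinstance(value, int):
        body = struct.pack(">I", value)
        if tag is not None:
            body = body[1:]
    elif isinstance(value, str):
        body = value.encode("ascii")
    else:
        body = bytes(value)
    if tag is not None:
        body = bytes([tag]) + body
    return struct.pack(">BB", attr_type, 2 + len(body)) + body


def parse_attrs(data):
    """Split a concatenated attribute list into (type, raw_value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def strip_tag(raw):
    """Drop the RFC 2868 tag octet if present (tags are 0x00..0x1F; a string's first
    character is always above that range)."""
    return raw[1:] if raw and raw[0] <= 0x1F else raw


def check_vlan_authorization(data):
    """Return (ok, problems, vlan). ok is True only when all three attributes are present
    with the expected values and Tunnel-Private-Group-Id is a printable string."""
    found = {t: strip_tag(v) for t, v in parse_attrs(data)}
    problems, vlan = [], None
    for t, name, want in ((TUNNEL_TYPE, "Tunnel-Type (64)", TUNNEL_TYPE_VLAN),
                          (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type (65)", MEDIUM_IEEE_802)):
        if t not in found:
            problems.append(name + " missing")
        elif int.from_bytes(found[t], "big") != want:
            problems.append("%s must be %d" % (name, want))
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if gid is None:
        problems.append("Tunnel-Private-Group-Id (81) missing")
    elif not gid.isascii() or not gid.decode("ascii").isprintable():
        # The failure described on the page: a numeric/hex value instead of a string
        problems.append("Tunnel-Private-Group-Id (81) is not a printable string")
    else:
        vlan = gid.decode("ascii")
    return (not problems, problems, vlan)


# Constructed samples (not captured from a real RADIUS server)
GOOD_ACCEPT = (encode_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag=1)
               + encode_attr(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802, tag=1)
               + encode_attr(TUNNEL_PRIVATE_GROUP_ID, "100", tag=1))
BAD_ACCEPT = (encode_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag=1)
              + encode_attr(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802, tag=1)
              + encode_attr(TUNNEL_PRIVATE_GROUP_ID, 100, tag=1))  # integer, not "100"
MISSING_MEDIUM = (encode_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag=1)
                  + encode_attr(TUNNEL_PRIVATE_GROUP_ID, "100"))

if __name__ == "__main__":
    for label, sample in (("good", GOOD_ACCEPT), ("hex group id", BAD_ACCEPT),
                          ("missing medium", MISSING_MEDIUM)):
        print(label, check_vlan_authorization(sample))
```

When the device rejects a VLAN that the server operator insists was sent, feeding a capture of the Access-Accept attributes through a checker like this separates "attribute absent" from "attribute malformed" without guessing.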
Does Portal Authentication Support Secondary Addresses?
Layer 2 Portal authentication does not support secondary addresses.
Layer 3 Portal authentication supports secondary addresses. When the authentication point is on an upper-layer device, the gateway configured with a secondary address is unaware of Portal authentication, and the authentication device is unaware of whether the user address is a primary or secondary address.
How Can a Portal Authentication Page Be Automatically Displayed on a Terminal?
CNA Implementation
Captive Network Assistant (CNA) implementation for iOS terminals:
- After a terminal associates with an SSID, it sends an HTTP 1.0 request to http://captive.apple.com. The User-Agent field in the packet is CaptiveNetworkSupport wispr.
- If the pushed page is not the expected http://www.apple.com/library/test/success.html, the terminal considers a network connection failure and invokes the browser to send an HTTP 1.1 request to http://captive.apple.com. The User-Agent field in the request is Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G34, which may slightly vary depending on Apple terminals and versions.
- In this case, the Portal authentication page is automatically displayed on the terminal, where users can enter the account password to connect to the wireless network.
The preceding describes the CNA implementation of iOS terminals. Whether the browser can send an HTTP request again is the key to automatically pushing the Portal authentication page. If the browser is not invoked or is invoked with a long delay, the Portal authentication page will fail to be pushed or will be pushed after a long time. Figure 20-112 shows the CNA process.
Why Cannot the Page Be Automatically Displayed?
If the Portal authentication page cannot be automatically displayed on some terminals, the possible causes are as follows:
- The terminals cannot send probe requests.
- The terminals can send a probe request, but cannot invoke the browser to send another probe request because of some apps installed on them.
- On most Android phones, the automatic Portal function needs to be manually triggered on the SSID page.
Apple Terminals
An Apple terminal uses the built-in CNA tool to check whether http://captive.apple.com is reachable. If so, the terminal receives a response indicating success. If not, the terminal checks the reachability of this URL again using its browser.
- Method 1: Run the portal captive-bypass enable command in the system view of the device to construct a response indicating success for all CaptiveNetworkSupport wispr detections so that the iOS terminal considers that the network is connected and turns on the Wi-Fi signal. The disadvantage of this configuration is that the authentication page cannot be automatically displayed on the iOS terminal. You need to manually open the browser to access a website so that the authentication page can be displayed.
- Method 2: Run the portal captive-adaptive enable command in the system view of the device to redirect the first CaptiveNetworkSupport wispr detection and respond with a message indicating success for subsequent CaptiveNetworkSupport wispr detections. In this way, the authentication page can be automatically displayed on the iOS terminal and the Wi-Fi signal can be turned on.
Other Terminals
Because the Android system is open, Android terminals from different manufacturers use different probe addresses. Some Android terminals do not have the automatic probe function and have to rely on apps to implement it.
The Windows operating system also provides the automatic probe function. The probe address of the Windows 7 operating system is http://www.msftncsi.com/ncsi.txt, and that of the Windows 10 operating system is http://www.msftconnecttest.com/connecttest.txt. The probe address of the Xiaomi mobile phone is http://connect.rom.miui.com/generate_204. The automatic probe function can be enabled or disabled using the system registry, and the probe address can also be modified. The system registry of the Windows 7 operating system is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet.
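The following Python model, added as an illustration and not taken from Huawei's implementation, shows the mechanism behind the two methods for Apple terminals and the probe addresses listed above. A small CaptivePortal object answers probe requests from unauthenticated clients in one of three modes: "none" (every probe is redirected), "bypass" (every CNA probe gets a success reply, modelling portal captive-bypass enable) and "adaptive" (the first CNA probe per client is redirected, later ones get success, modelling portal captive-adaptive enable). ios_join walks a terminal through the CNA sequence described above. The portal URL, the client identifiers and the exact bodies of the "success" replies are assumptions of this example; the probe hosts and User-Agent strings are those quoted on the page.

```python
from dataclasses import dataclass, field

CNA_AGENT = "CaptiveNetworkSupport"   # User-Agent prefix of the iOS CNA probe (from the page)
IOS_BROWSER_AGENT = ("Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) "
                     "AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G34")
PORTAL_URL = "http://portal.example.test/login"   # assumed address of the authentication page

# Probe hosts quoted on the page; the success reply each client expects is assumed here
PROBE_SUCCESS = {
    "captive.apple.com": (200, "Success"),
    "www.msftncsi.com": (200, "Microsoft NCSI"),
    "www.msftconnecttest.com": (200, "Microsoft Connect Test"),
    "connect.rom.miui.com": (204, ""),
}


@dataclass
class CaptivePortal:
    """Portal behaviour toward unauthenticated clients, selected by mode:
    "none"     every probe is redirected to the portal
    "bypass"   every CNA probe gets a success reply (models portal captive-bypass enable)
    "adaptive" first CNA probe per client is redirected, later ones get success
               (models portal captive-adaptive enable)"""
    mode: str = "none"
    authenticated: set = field(default_factory=set)
    cna_seen: set = field(default_factory=set)

    def handle(self, client, host, user_agent):
        """Return (status, body_or_location) for one HTTP request from client."""
        if client in self.authenticated:
            return PROBE_SUCCESS.get(host, (200, "pass-through"))
        if user_agent.startswith(CNA_AGENT):
            if self.mode == "bypass" or (self.mode == "adaptive" and client in self.cna_seen):
                return PROBE_SUCCESS["captive.apple.com"]
            self.cna_seen.add(client)
        return (302, PORTAL_URL)

    def login(self, client):
        """Called once the user has authenticated on the portal page."""
        self.authenticated.add(client)
        self.cna_seen.discard(client)


def ios_join(portal, client):
    """Walk an iOS terminal through the CNA sequence described on the page and report
    whether the portal page opened by itself and whether CNA is satisfied afterwards
    (the terminal keeps Wi-Fi as its connection)."""
    status, _ = portal.handle(client, "captive.apple.com", CNA_AGENT + " wispr")
    if status == 200:
        # CNA satisfied at once: no browser is invoked, the page must be opened by hand
        return {"page_auto_displayed": False, "wifi_connected": True}
    # Not the expected success page: the browser is invoked and probes again
    status, target = portal.handle(client, "captive.apple.com", IOS_BROWSER_AGENT)
    auto = status == 302 and target == PORTAL_URL
    # CNA re-checks reachability after the browser has been shown the portal
    status, _ = portal.handle(client, "captive.apple.com", CNA_AGENT + " wispr")
    return {"page_auto_displayed": auto, "wifi_connected": status == 200}


if __name__ == "__main__":
    for mode in ("none", "bypass", "adaptive"):
        print(mode, ios_join(CaptivePortal(mode), "iphone-1"))
```

Running the three modes side by side reproduces the trade-off the text describes: "bypass" keeps Wi-Fi up but never opens the page, "none" opens the page but leaves CNA unsatisfied, and "adaptive" does both.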
What Algorithms Are Used for cipher and irreversible-cipher in the local-user user-name password { cipher | irreversible-cipher } password Command?
Command Format
local-user user-name { password { cipher | irreversible-cipher } password [ old-password old-password ] | access-limit max-number | ftp-directory directory | idle-timeout minutes [ seconds ] | privilege level level | state { block | active } | user-group group-name } *
password { cipher | irreversible-cipher } password specifies the login password of a local user.
- cipher indicates that the user password is encrypted using the reversible algorithm AES256 with a random IV. Unauthorized users can obtain the plaintext password by using the corresponding decryption algorithm, leading to low security.
- irreversible-cipher indicates that the user password is encrypted using the irreversible algorithm SCRYPT. This algorithm uses PBKDF2 and the pseudo-random function HMAC-SHA256. Unauthorized users cannot obtain the plaintext password using decryption algorithms, providing higher security.
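As an added illustration of the irreversible-cipher property (this is example code, not the switch's own password store, and the scrypt cost parameters and verifier format are assumptions of the example), the block below derives a salted scrypt verifier with Python's hashlib and checks a login attempt by recomputing the derivation and comparing in constant time. Nothing stored can be decrypted back to the password, which is exactly what a reversible cipher such as the AES256 option cannot guarantee once the device's key is known. hashlib.scrypt requires an OpenSSL build with scrypt support.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters assumed for this example; the device's real parameters are not on the page
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password, salt=None):
    """Produce a self-describing, irreversible verifier: parameters, salt and scrypt output."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))


def verify_password(password, stored):
    """Recompute the derivation with the stored salt and parameters and compare in
    constant time. A malformed or foreign verifier is simply rejected."""
    try:
        _, alg, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:      # wrong field count, bad base64, or invalid scrypt parameters
        return False
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    verifier = hash_password("example-password")   # constructed sample password
    print(verifier)
    print(verify_password("example-password", verifier), verify_password("wrong", verifier))
```

Two verifiers for the same password differ because each carries its own random salt, so a leaked verifier list cannot be attacked with a single precomputed table; the cost parameters travel with the verifier so they can be raised later without breaking existing accounts.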
What Are the Common Authentication Bypass Solutions?
| Fault | Scenario | Bypass Solution | Time Required | Improvement |
|---|---|---|---|---|
| The authentication server is faulty (the network or authentication server is not operational). | MAC address authentication, Portal authentication, and 802.1X authentication | Configure a bypass policy in an authentication profile. | Automatic | - |
| The authentication server fails to respond. For example, the authentication server rejects the access request. | MAC address authentication, Portal authentication, and 802.1X authentication | Permit the access request using an authentication-free rule with one click. | Automatic | - |
| The authentication server responds but experiences an accounting fault. | MAC address authentication, Portal authentication, and 802.1X authentication | 1. Configure the function of keeping users online when accounting-start fails in an accounting scheme: accounting-scheme xxx, accounting start-fail online. 2. Cancel authentication. Configuration in an authentication scheme: authentication-scheme xx, authentication-mode radius none (non-authentication for backup). | Time-consuming. Operations are performed on each device separately (the unit is hours when the number of devices is large). | 1. Configure the function of keeping users online when accounting-start fails, with one click: within 10 minutes. 2. Cancel the authentication configuration (devices and the controller) in an authentication profile, with one click: within 10 minutes. |
An Authenticated User Goes Offline Unexpectedly with the Cause "Accounting Server No Response". How Do I Quickly Rectify the Fault?
In an accounting scheme, specify a policy for accounting-start failures: If accounting-start fails, users are allowed to go online.
[Switch-aaa] accounting-scheme xxx
[Switch-aaa-accounting-xxx] accounting start-fail online
In addition, if the accounting server does not respond and the authenticated user is online, the user will not go offline. New users may go online and offline repeatedly.
Differences Between Wired and Wireless MAC Address Authentication
Similarities: The user names and passwords are determined by the device and do not need to be manually entered.
Differences: The two authentication modes are triggered by different types of packets. Wired MAC address authentication can be triggered by ARP, DHCP, ND, and DHCPv6 packets, whereas wireless MAC address authentication is triggered by the association of STAs.
Remarks:
Due to different triggering means, MAC address-prioritized Portal authentication applies only to wireless scenarios. This is because MAC address authentication is triggered as soon as a STA associates with the network. In wired scenarios, a combination of MAC address authentication and Portal authentication can be used, and which authentication mode will be triggered first depends on the type of packets arriving earlier. That is, if the device receives an ARP or DHCP packet earlier, it performs MAC address authentication first; if the device receives an HTTP packet earlier, it displays the Portal page for Portal authentication.
How Do I Check Whether HWTACACS Command Authorization Fails?
[zjxuse-buyaohuanbao-diagnose]display hwtacacs-server statistics message
process 0:
  Change_Password_Request_Messages = 0
  Authen_Request_Messages = 5
  Author_Request_Messages = 370
  Account_Request_Messages = 0
  Record_Request_Messages = 0
  Delete_Session_Request_Messages = 0
  Illegal_Messages = 0
  Authen_Accept_Messages = 0
  Authen_Reject_Messages = 0
  Authen_GetData_Messages = 0
  Authen_GetName_Messages = 0
  Authen_GetPass_Messages = 0
  Authen_Send_Fail_Messages = 0
  Author_Accept_Messages = 0
  Author_Reject_Messages = 0
  Author_NoReply_Messages = 0
  Author_Command_Accept_Messages = 0
  Author_Command_Reject_Messages = 0
  Author_Command_NoReply_Messages = 370    # Statistics about messages with no response for command authorization
  Record_Reply_Messages = 0
  Account_Start_OK_Messages = 0
  Account_Stop_OK_Messages = 0
  Account_Realtime_OK_Messages = 0
  Account_Start_Fail_Messages = 0
  Account_Stop_Fail_Messages = 0
  Account_Realtime_Fail_Messages = 0
How Do I Check Whether a Local or Remote Account Is Used to Log In to a Device?
Check the AuthenticationMethod field in the logs, for example, AuthenticationMethod="Local-user".
Aug 29 2023 06:57:07+08:00SW %%01CLI/5/LOGIN(s):CID=0x80ca2713;The user succeeded in logging in to VTY0. (UserType=SSH, UserName=test, AuthenticationMethod="Local-user", RemoteIp=192.168.1.254, VpnName=_public_, LocalIp=192.168.1.37)
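The two checks above (the Author_Command_* counters in display hwtacacs-server statistics, and the AuthenticationMethod field of the CLI/5/LOGIN log) are easy to automate when a fleet of switches is involved. The Python below is an added example, not Huawei tooling: one parser turns the statistics output into a dictionary and derives a verdict from the command-authorization counters; the other pulls the key=value fields out of the login log and classifies the account. The sample inputs are copied from the outputs shown above (the statistics trimmed to the relevant lines); treating every method other than Local-user as remote is an assumption of this example.

```python
import re

STATS_LINE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\d+)")
LOGIN_LINE = re.compile(r"CLI/5/LOGIN\(s\):.*?\((.*)\)\s*$")


def parse_hwtacacs_stats(text):
    """Turn the 'Name = value' lines of display hwtacacs-server statistics into a dict.
    Anything after the number (such as a '# ...' annotation) is ignored."""
    stats = {}
    for line in text.splitlines():
        m = STATS_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def command_authorization_verdict(stats):
    """Classify command authorization from the Author_Command_* counters."""
    accept = stats.get("Author_Command_Accept_Messages", 0)
    reject = stats.get("Author_Command_Reject_Messages", 0)
    noreply = stats.get("Author_Command_NoReply_Messages", 0)
    if noreply and not accept:
        return "no response: the HWTACACS server is not answering command authorization requests"
    if reject:
        return "responding, but %d command(s) were rejected by the server" % reject
    if accept:
        return "command authorization working"
    return "no command authorization traffic seen"


def parse_login_log(line):
    """Extract the key=value fields inside the parentheses of a CLI/5/LOGIN log line."""
    m = LOGIN_LINE.search(line)
    if not m:
        return None
    fields = {}
    for item in m.group(1).split(","):
        key, _, value = item.strip().partition("=")
        fields[key] = value.strip().strip('"')
    return fields


def login_account_type(line):
    """Return ('local' | 'remote', method) for a login log line, or None if it is not one.
    Assumption of this example: any method other than Local-user is a remote AAA method."""
    fields = parse_login_log(line)
    if not fields or "AuthenticationMethod" not in fields:
        return None
    method = fields["AuthenticationMethod"]
    return ("local" if method == "Local-user" else "remote", method)


# Sample inputs copied from the outputs shown on the page (statistics trimmed)
STATS_OUTPUT = """process 0:
  Authen_Request_Messages = 5
  Author_Request_Messages = 370
  Author_Command_Accept_Messages = 0
  Author_Command_Reject_Messages = 0
  Author_Command_NoReply_Messages = 370    # Statistics about messages with no response for command authorization
"""
LOGIN_LOG = ('Aug 29 2023 06:57:07+08:00SW %%01CLI/5/LOGIN(s):CID=0x80ca2713;The user succeeded '
             'in logging in to VTY0. (UserType=SSH, UserName=test, AuthenticationMethod="Local-user", '
             'RemoteIp=192.168.1.254, VpnName=_public_, LocalIp=192.168.1.37)')

if __name__ == "__main__":
    print(command_authorization_verdict(parse_hwtacacs_stats(STATS_OUTPUT)))
    print(login_account_type(LOGIN_LOG), parse_login_log(LOGIN_LOG)["RemoteIp"])
```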
How Do OSPFv3 and OSPF Summarized Routes Generate Blackhole Routes?
In OSPF, a blackhole route can be generated only after the generate-null0-route command is run. In OSPFv3, blackhole routes can only be configured.
Failed to Execute the as access Command
- The configuration file of Switch_1 contains the following configuration according to Example for Configuring Policy Association:
as access interface vlanif 20
- When policy association is deployed, the as access interface vlanif 20 command fails to be delivered on the device that can function as an AS.
[Switch_1] as ?
              ^
Error:Ambiguous command found at '^' position.
[Switch_1] as access interface vlanif 20
Error: Unrecognized command found
- It is found that Switch_1 needs to work in authentication access mode according to the networking requirements in the configuration example.
- As described in feature limitations of Licensing Requirements and Limitations for Policy Association:
- By default, the S5731-H (except the S5731-H24HB4XZ and S5731-H48HB4XZ), S5731-H-K, S5731S-H (except the S5731S-H24HB4XZ-A and S5731S-H48HB4XZ-A), S5732-H24S6Q, S5732-H48S6Q, S5732-H24S6Q-K, S5732-H48S6Q-K, S6730-H-K, S6730S-H, S6730-H, and S5531-H work in authentication control device mode, and the S5731-H24HB4XZ, S5731-H48HB4XZ, S5731S-H24HB4XZ-A, S5731S-H48HB4XZ-A, S5732-H24UM2CC, S5732-H48UM2CC, S5732-H24UM2C-K, S5732-H48UM2C-K, S5732-H48XUM2CC, S6730-S, S6730S-S, S6720-SI, S6720S-S, and S6735-S work in authentication access device mode. The preceding models can function as both authentication control devices and authentication access devices. You can run the [ undo ] as-mode disable command to switch the working mode. When the device that supports the WLAN function works in authentication access device mode, the WLAN function is unavailable.
- It is found that Switch_1 works in parent mode.
[Switch_1] display as access configuration
AS mode                             : disable
Access interface                    : --
Access controller configuration     : --
Current connected access controller : --
Access management MAC               : --
Access system MAC                   :
Current connected state             :
[Switch_1]
- Manually change the working mode of the switch to AS.
[Switch_1] undo as-mode disable
- After the device is restarted and switched to the AS mode, the policy association AS configuration can be delivered.
[Switch_1] as ?
  access  Access
[Switch_1] as access interface vlanif 20
Warning: Ensure that the management VLAN and service VLAN are different. Otherwise, services may be interrupted.
Can Dual-stack Authentication Be Implemented on a Switch? After IPv4 Authentication Is Performed, Can IPv6 Users Access the Internet Without Authentication?
By default, the network access control function is disabled for IPv6 users on a switch.
For details about how different models process IPv6 packets of users in different authentication states, see authentication ipv6-control enable.
How Do I Configure Non-Authentication for APs on a Native AC Interface That Has Wired Authentication Configured?
- Method 1
Disable authentication on APs in an authentication profile.
[HUAWEI-authen-profile-test] lldp sensor-ap authentication disable
- Method 2
# Create the AAA authentication scheme noauthen, and set the authentication mode to non-authentication.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme noauthen
[SwitchA-aaa-authen-noauthen] authentication-mode none
[SwitchA-aaa-authen-noauthen] quit
# Create an authentication domain for the AP.
[SwitchA-aaa] domain ap_noauthen
[SwitchA-aaa-domain-ap_noauthen] authentication-scheme noauthen
[SwitchA-aaa-domain-ap_noauthen] quit
[SwitchA-aaa] quit
# Configure non-authentication for the AP using either of the following methods.
- Specify an AP authentication domain based on the MAC address prefix.
[SwitchA] domain ap_noauthen mac-authen force mac-address 00e0-fc74-9640 mask ffff-ffff-ff00
- Configure the user context identification function.
[SwitchA] access-context profile enable
[SwitchA] access-context profile name ap_access
[SwitchA-access-context-ap_access] if-match vlan-id 100
[SwitchA-access-context-ap_access] quit
[SwitchA] access-author policy name ap_noauthen
[SwitchA-access-author-ap_noauthen] match access-context-profile ap_access action access-domain ap_noauthen force
[SwitchA-access-author-ap_noauthen] quit
[SwitchA] access-author policy ap_noauthen global
For details, see Example for Configuring MAC Address-Prioritized Portal Authentication in a Wireless-to-Wired Scenario.
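The following added example (not Huawei code) models how the two Method 2 variants above pick the forced domain for an AP: the MAC prefix/mask rule of the domain ... mac-authen force command and the VLAN-based access-context profile. Use it to check which sample MACs or VLANs a given rule would catch before committing it on the switch; the MAC addresses, VLAN IDs and the precedence between the two rule types are constructed assumptions for illustration.

```python
"""Added example, not from the Huawei guide: evaluates the AP non-authentication
rules (MAC prefix/mask and VLAN-based access-context) against sample users."""
from dataclasses import dataclass


def parse_huawei_mac(text: str) -> int:
    """Convert Huawei's xxxx-xxxx-xxxx notation (or colon form) into a 48-bit int."""
    hexstr = text.replace("-", "").replace(":", "").lower()
    if len(hexstr) != 12 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError(f"bad MAC address: {text!r}")
    return int(hexstr, 16)


@dataclass(frozen=True)
class MacPrefixRule:
    """domain <domain> mac-authen force mac-address <address> mask <mask>"""
    address: str
    mask: str
    domain: str

    def matches(self, mac: str) -> bool:
        m = parse_huawei_mac(self.mask)
        return parse_huawei_mac(mac) & m == parse_huawei_mac(self.address) & m


@dataclass(frozen=True)
class VlanContextRule:
    """access-context profile with if-match vlan-id, bound via access-author policy."""
    vlan_id: int
    domain: str

    def matches(self, vlan_id: int) -> bool:
        return vlan_id == self.vlan_id


def select_domain(mac: str, vlan_id: int, mac_rules, vlan_rules, default="default"):
    """Return the forced domain for a user, or the default domain if no rule hits.
    Assumption: MAC prefix rules are evaluated before VLAN context rules."""
    for rule in mac_rules:
        if rule.matches(mac):
            return rule.domain
    for rule in vlan_rules:
        if rule.matches(vlan_id):
            return rule.domain
    return default


# Rules equivalent to the CLI above: prefix 00e0-fc74-96xx and VLAN 100 -> ap_noauthen
MAC_RULES = [MacPrefixRule("00e0-fc74-9640", "ffff-ffff-ff00", "ap_noauthen")]
VLAN_RULES = [VlanContextRule(100, "ap_noauthen")]

if __name__ == "__main__":
    print(select_domain("00e0-fc74-96ab", 20, MAC_RULES, VLAN_RULES))   # ap_noauthen
    print(select_domain("00e0-fc74-9540", 20, MAC_RULES, VLAN_RULES))   # default
```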
Why Is the Wired Portal Authentication Page Displayed Slowly in the Edge Browser?
The Edge browser displays http://edge-http.microsoft.com/captiveportal/generate_204 first and then switches to the authentication page. As a result, the authentication page is displayed slowly.