No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
WLAN Troubleshooting Guide
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Case Study: The AC Fails to Disconnect STAs Because It Cannot Identify the MAC Address Format in the Calling-Station-Id Attribute of DM Packets Delivered by the RADIUS Server

Case Study: The AC Fails to Disconnect STAs Because It Cannot Identify the MAC Address Format in the Calling-Station-Id Attribute of DM Packets Delivered by the RADIUS Server

Symptom

When 802.1X authentication and RADIUS authentication are configured on an AC, the RADIUS server fails to disconnect STAs.

Relevant Alarms and Logs

None

Cause Analysis

The MAC address format in the Calling-Station-Id attribute of DM packets delivered by the RADIUS server does not match the default MAC address format supported by the AC. As a result, the AC cannot identify the MAC address.

Procedure

  1. Reproduce the fault and use the trace function to check the authentication packet exchange process. No DM or CoA packet exchange process is found.

    [AC] trace object mac-address sta-mac
[AC] trace enable

  2. Check the RADIUS packet exchange process through the debugging function.

    <AC> debug radius all
<AC> terminal debugging
<AC> terminal monitor

    The command output shows that the calling-station-id format is incorrect and the AC cannot identify the calling-station-id.

    Mar 22 2021 18:00:55.200.2+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=6;
[RDS(Evt):] Receive a packet(IP:x.x.x.x,Port:1812,Code:disconnect request,ID:16 )
<AC-Active>
Mar 22 2021 18:00:55.200.3+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=6;
RADIUS Received a Packet.
<AC-Active>
Mar 22 2021 18:00:55.200.7+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=7;
[RDS(Evt):] Decoding mac according to global configuration: 0 3 1
<AC-Active>
Mar 22 2021 18:00:55.200.4+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=6;
Server Template: 0
Server IP   : x.x.x.x
Server Port : 1812
Protocol: Standard
Code    : 40
Len     : 54
ID      : 16
[User-Name                          ] [15] [XXXXX]
[Calling-Station-Id                 ] [19] [XX-XX-XX-XX-55-FB]
<AC-Active>
Mar 22 2021 18:00:55.200.5+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=6;
[RDS(Evt):] Decoding mac for coa or dm packet
<AC-Active>
Mar 22 2021 18:00:55.200.6+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=6;
[RDS(Evt):] Decoding mac according to global configuration: 0 3 1
<AC-Active>
Mar 22 2021 18:00:55.200.8+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=7;
[RDS(Err):] attribute length: 17, decoding mac as unformatted ascii error.
<AC-Active>
Mar 22 2021 18:00:55.200.7+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=6;
[RDS(Err):] attribute length: 17, decoding mac as unformatted ascii error.
<AC-Active>
Mar 22 2021 18:00:55.200.8+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=6;Attr decode err. (Calling-Station-Id(31)).
<AC-Active>
Mar 22 2021 18:00:55.200.9+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=7;Attr decode err. (Calling-Station-Id(31)).
<AC-Active>
Mar 22 2021 18:00:55.200.9+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=6;
[RDS(Err):] Disconnect request attribute decode error,send nak packet.
<AC-Active>
Mar 22 2021 18:00:55.200.10+08:00 AC-Active RDS/7/DEBUG:Slot=0,Vcpu=7;
[RDS(Err):] Disconnect request attribute decode error,send nak packet.

  3. Use the packet obtaining tool to obtain packets and analyze the obtained packets. It is found that the MAC address in the calling-station-id attribute of the DM-Request packet sent by the server is XX-XX-XX-XX-XX-XX (uppercase). By default, the MAC address format in the calling-station-id attribute that can be identified by the AC is xxxx-xxxx-xxxx, in lowercase. Therefore, the AC cannot identify the MAC address format sent by the RADIUS server.

    DM logout packet exchange:

    The calling-station-id attribute carried in the DM message is as follows:

  4. There are two methods to solve the preceding problem.

    • Method 1: On the RADIUS server, change the MAC address format in the calling-station-id attribute to xxxx-xxxx-xxxx, in lowercase. This method is recommended when the AC connects to multiple RADIUS servers.
    • Method 2: Change the MAC address format in the calling-station-id field on the AC to the format supported by the RADIUS server.
      <AC> system-view 
[AC] radius-server template test 
[AC-radius-test] calling-station-id mac-format dot-split mode2 uppercase

    When the AC connects to multiple RADIUS servers, method 1 is recommended. When the AC connects to a single RADIUS server, method 2 is recommended. If the AC is connected to multiple RADIUS servers and the RADIUS servers do not support MAC address format modification, you are advised to use method 2 to customize the MAC address format for each RADIUS server.

Translation
简体中文
Download
Updated: 2023-06-02

Document ID: EDOC1000060368

Views: 1919553

Downloads: 6002

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :