Cases
- Incorrect Configuration of Authorization Information on the RADIUS Server Results in Users' Failure to Go Online
- Users Fail to Go Online Because MAC Address Authentication Fails
- Server Fails to Be Pinged After a User Is Successfully Authenticated
- Device Fails to Connect to a Third-Party Portal Server
- Active/Standby Portal Switchover Fails
- Huawei Device Fails to Connect to the Cisco Server During MAC Address Authentication
Incorrect Configuration of Authorization Information on the RADIUS Server Results in Users' Failure to Go Online
Fault Description
The authorization information configured on the RADIUS server does not match that on the device. As a result, users cannot pass 802.1x authentication and fail to go online.
Fault Analysis
The authorization information configured on the RADIUS server does not match that on the device. As a result, users fail to pass 802.1x authentication.
Procedure
- Check the packets exchanged between the RADIUS server and device. An EAP failure occurs during the TLS exchange.
- Check the authorization information on the RADIUS server. The authorization information name or ID displayed in Filter-Id is 3001.
- Change the authorization information on the device so that it matches the Filter-Id value delivered by the RADIUS server.
Users Fail to Go Online Because MAC Address Authentication Fails
Fault Description
Initial MAC address authentication fails, because the user name and password have not been added to the server. After the user name and password are added to the server, MAC address authentication still fails.
Fault Analysis
The trace information shows that the STA has entered the quiet state. After the trace operation is performed, the system displays the message "User is still in quiet status", indicating that the STA has failed authentication multiple times and entered the quiet state.
Procedure
Disassociate the STA. After the quiet period ends, reassociate the STA with the AP.
Related Commands
display mac-authen: displays MAC address authentication configuration.
mac-authen timer quiet-period quiet-period-times: configures the quiet period.
mac-authen quiet-times fail-times: configures the maximum number of authentication failures within 60 seconds before a MAC address authentication user enters the quiet state.
By default, the quiet function for MAC address authentication is enabled on the device. When the number of authentication failures within 60 seconds exceeds 1, the device quiets the MAC authentication user for the quiet period and does not process authentication requests from that user until the period ends. This function reduces the load that attackers repeatedly failing authentication would otherwise place on the system.
Server Fails to Be Pinged After a User Is Successfully Authenticated
Fault Description
The server fails to be pinged after a user is successfully authenticated.
Fault Analysis
The server IP address is added to the ACL deny rule delivered when the user is authenticated.
Procedure
Add the server IP address to the ACL permit rule.
Device Fails to Connect to a Third-Party Portal Server
Fault Description
The device fails to connect to a third-party Portal server.
Procedure
- Check whether the third-party Portal server supports the Portal protocol.
The Portal protocol is a Huawei proprietary protocol. Most vendors in China support this protocol, but most vendors outside of China do not support this protocol.
- Check whether the Portal protocol version on the device is the same as that on the Portal server. (Currently, Huawei devices use Portal V2.)
- Check whether the device IP address is added to the Portal server. (The device IP address can be configured using the source-ip command on the device. The default IP address is the IP address of the outbound interface.)
- Check whether the shared key on the device is the same as that on the Portal server.
- Check whether the IP address segment of the STAs is added to the Portal server.
- Check whether the Portal server sends req-info packets before the device sends authentication request packets. (The device does not reply to req-info packets from the Portal server before authentication succeeds.)
Active/Standby Portal Switchover Fails
Fault Description
Active and standby Portal servers are configured. When the active Portal server fails, the device still sends authentication requests to the active Portal server instead of the standby one.
Fault Analysis
The Portal server detection function is enabled on the device. The heartbeat function is disabled on the Portal server, so the device cannot receive heartbeat packets from the Portal server within the detection period. Therefore, the device considers that both active and standby Portal servers are Down, and still selects the active Portal server for authentication.
Additional Information
The Portal server detection function needs to be enabled on the device, and the heartbeat function needs to be enabled on the Portal server. Then the Portal server sends heartbeat packets to the device. If the device does not receive heartbeat packets from the Portal server within the detection period, it considers that the Portal server is Down. When the device receives heartbeat packets from the Portal server, it changes the Portal server state from Down to Up.
Related commands:
- Command for enabling the Portal server detection function:
[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] server-detect action log
- Command for checking Portal server status:
[HUAWEI] display server-detect state
Huawei Device Fails to Connect to the Cisco Server During MAC Address Authentication
Fault Analysis
- The Cisco server requires that the value of the RADIUS Service-Type attribute carried in the authentication request packets be 10, whereas the value is 2 on Huawei devices by default.
- The Huawei device supports only the following user name formats in MAC address authentication: xxxxxxxxxxxx and xxxx-xxxx-xxxx. The user name formats for MAC address authentication supported by the Cisco ACS and Cisco ISE are xx-xx-xx-xx-xx-xx and xx:xx:xx:xx:xx:xx, respectively.
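The four user name formats above never overlap, so the user names the Huawei device sends must be rendered in its format before they are added to the Cisco server. The helper below is an added example, not Huawei or Cisco code: it recognises all four formats, converts between them, and lists the exact account names the device will send. It assumes (not stated on the page) that the comparison is case-insensitive and that the device's configured format is passed in by the caller.

```python
import re
from typing import Optional

# Render 12 hex digits in the four user name formats this page names.
# Assumption (not stated on the page): names compare case-insensitively, so lowercase is used.
FORMATS = {
    "huawei-plain":  lambda h: h,                                              # xxxxxxxxxxxx
    "huawei-dashed": lambda h: "-".join(h[i:i + 4] for i in (0, 4, 8)),        # xxxx-xxxx-xxxx
    "cisco-acs":     lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),  # xx-xx-xx-xx-xx-xx
    "cisco-ise":     lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),  # xx:xx:xx:xx:xx:xx
}
HUAWEI_FORMATS = ("huawei-plain", "huawei-dashed")   # the only formats the device sends

def normalize_mac(name: str) -> str:
    """Strip the separators and return 12 lowercase hex digits; reject anything else."""
    digits = re.sub(r"[-:.]", "", name.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address user name: {name!r}")
    return digits

def detect_format(name: str) -> Optional[str]:
    """Name of the format `name` is written in, or None if it matches none of the four."""
    digits = normalize_mac(name)
    for fmt, render in FORMATS.items():
        if render(digits) == name.strip().lower():
            return fmt
    return None

def to_format(name: str, fmt: str) -> str:
    """Rewrite a MAC user name in any recognised format as format `fmt`."""
    return FORMATS[fmt](normalize_mac(name))

def accounts_to_add(endpoint_list, huawei_fmt: str) -> dict:
    """For each endpoint (in any recognised format), the user name the Huawei device
    will actually send, i.e. the account name to create on the Cisco server."""
    if huawei_fmt not in HUAWEI_FORMATS:
        raise ValueError(f"device sends only {HUAWEI_FORMATS}, not {huawei_fmt!r}")
    result = {}
    for entry in endpoint_list:
        if detect_format(entry) is None:
            raise ValueError(f"unrecognised MAC user name format: {entry!r}")
        result[entry] = to_format(entry, huawei_fmt)
    return result
```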
Procedure
- Run the radius-attribute set command on the Huawei device to change the value of the RADIUS Service-Type attribute to 10.
[HUAWEI] radius-server template temp1
[HUAWEI-radius-temp1] radius-attribute set service-type 10
- Add the MAC address authentication users on the Cisco server as ordinary user accounts (common user name format).
If the passwords in the authentication request packets fail the server's password strength check, disable the check on the server.
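Both this case and the first case on this page ("Incorrect Configuration of Authorization Information") are resolved by reading one RADIUS attribute out of a captured packet: Service-Type in the Access-Request here, Filter-Id in the Access-Accept there. The parser below is an added example, not Huawei code; it implements the RFC 2865 packet and attribute layout from memory, uses an all-zero Authenticator in the constructed sample packets (no Message-Authenticator check, so it is an offline diagnostic aid only), and the attribute numbers 6 (Service-Type) and 11 (Filter-Id) are standard values, not taken from this page.

```python
import struct

# RADIUS packet codes and attribute types involved in the two cases (RFC 2865 numbering)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, SERVICE_TYPE, FILTER_ID = 1, 6, 11
SERVICE_TYPE_FRAMED, SERVICE_TYPE_CALL_CHECK = 2, 10   # Huawei default vs. value the Cisco server requires

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [raw value, ...]}) from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match packet size {len(packet)}")
    attrs = {}
    pos = 20                       # header: code, id, length, 16-byte Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute {atype} at offset {pos}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def build_radius(code: int, attrs) -> bytes:
    """Constructed sample packet with an all-zero Authenticator, for offline use only."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def check_mac_auth_request(packet: bytes) -> list:
    """Cisco case: the Access-Request must carry Service-Type 10, not the default 2."""
    code, attrs = parse_radius(packet)
    findings = [] if code == ACCESS_REQUEST else [f"expected Access-Request, got code {code}"]
    for raw in attrs.get(SERVICE_TYPE, []):
        value = struct.unpack("!I", raw)[0]
        if value != SERVICE_TYPE_CALL_CHECK:
            findings.append(f"Service-Type is {value}, Cisco server expects {SERVICE_TYPE_CALL_CHECK}")
    return findings

def check_authorization(packet: bytes, device_filter_id: str) -> list:
    """Filter-Id case: the value in the Access-Accept must match the authorization ID on the device."""
    code, attrs = parse_radius(packet)
    findings = [] if code == ACCESS_ACCEPT else [f"expected Access-Accept, got code {code}"]
    for raw in attrs.get(FILTER_ID, []):
        fid = raw.decode("ascii", "replace")
        if fid != device_filter_id:
            findings.append(f"server Filter-Id {fid!r} does not match device {device_filter_id!r}")
    return findings
```

Feed the functions the raw UDP payload of a captured packet (for example the bytes exported from a packet capture) and an empty findings list means that attribute is consistent with what the page requires.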