AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
MAC Address Authentication of a User Fails

Common Causes

This fault is commonly caused by one of the following:
  • Some parameters are set incorrectly or not set, such as the parameters of MAC address authentication, authentication domain, authentication server, and authentication server template.
  • The number of online users reaches the maximum.

Troubleshooting Flowchart

A user fails to pass the MAC address authentication.

Figure 22-4 shows the troubleshooting flowchart.

Figure 22-4  Troubleshooting flowchart for MAC address authentication failure

Troubleshooting Procedure

Context

When MAC address authentication is used, users do not need dial-up software. Authentication information such as the user name and password is generated from the MAC addresses of users. As with 802.1x authentication troubleshooting, when troubleshooting MAC address authentication, check whether the user name and password on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 are the same as those on the authentication server and whether the domain name in the user name is correct.

NOTE:

Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide technical support personnel.

Procedure

  1. Check that MAC address authentication is enabled on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

    Run the display mac-authen command to check whether MAC address authentication is enabled globally or on the user-side interface. If "MAC address authentication is enabled" is not displayed, MAC address authentication is not enabled. Run the mac-authen command to enable MAC address authentication globally and on the user-side interface.

    802.1x authentication and MAC address authentication cannot be enabled on the same interface. If 802.1x authentication is enabled on the interface, the system displays an error message when you run the mac-authen command.

  2. Check the configuration of the user name for MAC address authentication.

    Run the display this command in the interface view to check the configuration of MAC address authentication on the interface. If MAC address authentication is not configured on the interface, the global configuration is used. Run the display mac-authen command to check the configuration of global MAC address authentication.

    MAC address authentication supports two user name formats: fixed user name and MAC address.

    • If the user MAC address is used as the user name, the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 sends the MAC address of the user terminal as the user name and password to the authentication server. The authentication domain is configured by the mac-authen domain command. If no authentication domain is configured, the default domain is used.
    • When the fixed user name contains a domain name, this domain is used as the authentication domain. If the fixed user name does not contain a domain name, the default domain is used as the authentication domain.
    NOTE:

    A MAC address may or may not contain the delimiter (-). By default, a MAC address does not contain the delimiter. You can use the mac-authen username macaddress format with-hyphen command to add delimiters to a MAC address. During authentication, ensure that the format of the MAC address you entered is the same as the MAC address format configured on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

    Check the authentication server template and AAA schemes bound to the authentication domain. Go to step 3.

  3. Check the AAA configuration.

    1. Check the configuration of the authentication server template bound to the domain. Ensure that the IP address and port of the authentication server are set correctly in the template, and that the user name format and shared key specified in the template are the same as those on the authentication server.

    2. Check the authentication scheme applied to the user domain on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

      • If RADIUS or HWTACACS authentication is configured for the user domain, check whether the user account and the user attributes are created on the authentication server. For details on RADIUS troubleshooting and HWTACACS troubleshooting, see RADIUS Authentication Fails and HWTACACS Authentication Fails. For details on checking the authentication server, go to step 4.
      • If local authentication is configured for the user domain, run the display local-user command to check whether the local user name and password are created on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600. If not, run the local-user command to create the local user name and password.
      • If the authentication scheme is none, go to step 5.
    3. Run the display accounting-scheme command to check the accounting scheme. If accounting is configured on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 but the authentication server does not support accounting, the user will be forced offline after going online. To allow the user to go online, disable the accounting function in the user domain or run the accounting start-fail online command in the accounting scheme view to configure the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 to keep the user online after the accounting fails.

  4. Check the configuration of the authentication server.

    • If the user information does not exist on the authentication server, create the user name and password on the authentication server.
    • If user attributes on the authentication server contain VLAN authorization information but the VLAN is not created on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600, user authorization fails. To rectify the fault, create the VLAN.
    • If user attributes on the authentication server contain ACL authorization information (ACL number or ACL content), but the ACL is not created on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 or the ACL format is different from that required by the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600, user authorization fails. To rectify the fault, create the ACL. Ensure that the ACL format used by the authentication server is the same as that required by the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

      NOTE:
      The AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 requires the following ACL format in the user attributes:
      acl acl-num key1 key-value1... keyN key-valueN permit/deny
      If the display access-user user-id command output contains the user IP address and Dynamic ACL desc (Effective), the ACL specified in the user attribute takes effect.
      Table 22-2  Description
      • acl: Delivers the ACL content.
      • acl-num: Specifies the ACL number. The value ranges from 10000 to 10999.
      • permit: Allows users matching the rules to access the network.
      • deny: Prohibits users matching the rules from accessing the network.
      • keyM (1 ≤ M ≤ N): Indicates a keyword in the ACL, including src-ip (source IP address), src-ipmask (mask of source IP address), and tcp-srcport (source TCP port number).
      • key-valueM (1 < M < N): Specifies the value of a keyword, which can be an IP address, a mask, or a port number.

    If the configurations of the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 and the authentication server are correct, go to step 5.

  5. Run the display mac-authen interface interface-type interface-number command on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 to check whether the number of online MAC address authentication users has reached the maximum.

    If the number of online MAC address authentication users has reached the maximum, the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 does not trigger authentication for subsequent users, and they cannot go online.

  6. If the fault persists, collect the following information and contact technical support personnel:

    • Results of the preceding troubleshooting procedure
    • Configuration file, log file, and alarm file of the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600
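
Step 4 names a mismatched ACL format as a cause of authorization failure. The following is an added example, not part of the original Huawei document: a pre-check for ACL attribute strings against the format and Table 22-2 before they are stored on the authentication server. The function names and sample strings are constructed, and accepting a mask as either dotted-quad or a prefix length is an assumption, since the page does not say which notation the device expects.

```python
import ipaddress

ACL_NUM_MIN, ACL_NUM_MAX = 10000, 10999  # range given in Table 22-2
# Keywords the page names. Its list is introduced with "including", so any
# other keyword is reported as a warning to verify, not rejected.
KNOWN_KEYS = {"src-ip": "ip", "src-ipmask": "mask", "tcp-srcport": "port"}

def _as_int(token):
    """Return the token as an int, or None if it is not plain ASCII digits."""
    return int(token) if token.isascii() and token.isdigit() else None

def _value_ok(kind, value):
    number = _as_int(value)
    if kind == "port":
        return number is not None and number <= 65535
    if kind == "mask" and number is not None:
        return number <= 32  # assumption: a prefix length is also accepted
    try:
        ipaddress.IPv4Address(value)  # dotted-quad address or mask
        return True
    except ValueError:
        return False

def check_acl_attribute(text):
    """Return (errors, warnings) for one ACL user-attribute string."""
    errors, warnings = [], []
    tokens = text.split()
    if len(tokens) < 3 or tokens[0] != "acl":
        return ["expected: acl acl-num key value ... permit/deny"], warnings
    acl_num = _as_int(tokens[1])
    if acl_num is None or not ACL_NUM_MIN <= acl_num <= ACL_NUM_MAX:
        errors.append(f"acl-num {tokens[1]!r} is outside 10000-10999")
    if tokens[-1] not in ("permit", "deny"):
        errors.append(f"last token {tokens[-1]!r} is not permit or deny")
    body = tokens[2:-1]
    if not body or len(body) % 2:
        errors.append("keywords and values must come in pairs, at least one")
    for key, value in zip(body[0::2], body[1::2]):
        kind = KNOWN_KEYS.get(key)
        if kind is None:
            warnings.append(f"keyword {key!r} is not listed on the page")
        elif not _value_ok(kind, value):
            errors.append(f"value {value!r} is not valid for {key}")
    return errors, warnings

if __name__ == "__main__":
    # Constructed sample strings, not taken from a real authentication server.
    for sample in ("acl 10001 src-ip 10.1.1.0 src-ipmask 255.255.255.0 tcp-srcport 80 permit",
                   "acl 3001 src-ip 10.1.1.300 allow"):
        print(sample, "->", check_acl_attribute(sample))
```

A string that passes this check can still fail on the device if the ACL itself has not been created there, so the display access-user user-id check from step 4 remains the confirmation that the ACL took effect.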

Updated: 2019-05-10

Document ID: EDOC1000079719