
PEAP-MSCHAPV2 authentication problem on ACU2

Publication Date:  2019-07-10  |   Views:  3427  |   Downloads:  0  |   Author:  s84075117  |   Document ID:  EKB1000704267


Issue Description

Fault symptom: A user who connects through a Huawei AP 6050DN to the ACU2 fails authentication against a FreeRadius server, even though the same user can be authenticated with Aruba equipment. From the packet header analysis we noticed that the AC sent the authentication request 3 times, but the RADIUS server did not respond.

Networking overview: 
The area of interest includes the ACU2 and FreeRadius; this was the point where the whole process was problematic.

Related devices: ACU2, AP 6050DN, FreeRadius

Topology: 


Handling Process

1) Checked that the configuration on ACU2 is suitable for this scenario.

2) Performed a trace to see whether the AC sent authentication requests, and checked the offline records:

    <ACU2> system-view
    [ACU2] trace enable brief
    [ACU2] trace object mac-address mac-address [ output { command-line | file file-name | syslog-server syslog-server-ip } ]
    [ACU2] display aaa { offline-record | abnormal-offline-record | online-fail-record } mac xxx.xxx.xxx

Based on these we first discovered that the AC sent the authentication request 3 times, but the RADIUS server did not respond.

The offline reason also tells us that the RADIUS server is up but did not respond:


3) Checked which attributes the RADIUS server sends and receives:
The RADIUS server only sends out the following attributes:

        Message-Authenticator =* ANY,
        EAP-Message =* ANY,
        Proxy-State =* ANY,
        MS-MPPE-Encryption-Policy =* ANY,
        MS-MPPE-Encryption-Types =* ANY,
        MS-MPPE-Recv-Key =* ANY,
        MS-MPPE-Send-Key =* ANY,
        State =* ANY,
        Reply-Message =* ANY


And it only accepts the following attributes from outside:


        User-Name =* ANY,
        User-Password =* ANY,
        Calling-Station-Id =* ANY,
        Service-Type =* ANY,
        Framed-MTU =* ANY,
        NAS-Port-Type =* ANY,
        Message-Authenticator =* ANY,
        EAP-Message =* ANY,
        Proxy-State =* ANY,
        State =* ANY

4) Based on the packet header analysis, we found that all the attributes our device sends are in the list:

Root Cause

From the packet header analysis we found that the size of the packets was different. The MTU was changed from 1500 to 1100. Tests were performed and correct authentication was confirmed after the change.
The commands executed:


radius-server template probasusc
radius-attribute set Framed-Mtu 1100 
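
The checks from the handling process (a request sent 3 times with no reply, attributes compared against the filter list, the Framed-MTU value) can be run over captured packets. This is an added example, not part of the original article: it assumes the Access-Request packets are available as raw RADIUS payloads, and the function names and the sample packet are constructed for illustration.

```python
import struct
from collections import Counter

# Attributes the page's FreeRADIUS filter accepts; type codes per RFC 2865/2869.
ACCEPTED = {1: "User-Name", 2: "User-Password", 6: "Service-Type", 12: "Framed-MTU",
            24: "State", 31: "Calling-Station-Id", 33: "Proxy-State",
            61: "NAS-Port-Type", 79: "EAP-Message", 80: "Message-Authenticator"}

def parse_radius(pkt):
    """Return (code, identifier, [(attr_type, value), ...]) for one packet."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        a_len = pkt[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad or truncated attribute")
        attrs.append((pkt[pos], pkt[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs

def audit(packets):
    """Report filtered attribute types, Framed-MTU, and request ids sent 3+ times unanswered."""
    report = {"filtered": set(), "framed_mtu": None, "unanswered": []}
    sent, answered = Counter(), set()
    for pkt in packets:
        code, ident, attrs = parse_radius(pkt)
        if code != 1:  # not an Access-Request: treat as the server's reply to that id
            answered.add(ident)
            continue
        sent[ident] += 1
        for a_type, value in attrs:
            if a_type not in ACCEPTED:
                report["filtered"].add(a_type)  # the filter would strip this attribute
            elif a_type == 12 and len(value) == 4:
                report["framed_mtu"] = struct.unpack("!I", value)[0]
    report["unanswered"] = sorted(i for i in sent if sent[i] >= 3 and i not in answered)
    return report

def build(code, ident, attrs):  # constructs sample packets with a zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample: one Access-Request (EAP identity "alice") sent 3 times, no reply.
SAMPLE = [build(1, 7, [(1, b"alice"), (12, struct.pack("!I", 1500)),
                       (79, b"\x02\x01\x00\x0a\x01alice"), (80, bytes(16))])] * 3
```
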

Solution

Change the MTU to 1500 so that the RADIUS server does not drop the large packets.

The commands executed:


radius-server template probasusc 
radius-attribute set Framed-Mtu 1100 

Suggestions

Use a proper MTU for every scenario.