
Configure 802.1X on AR is not working

Publication Date:  2019-07-22  |   Views:  612  |   Downloads:  0  |   Author:  a84069511  |   Document ID:  EKB1000829863

Issue Description

The customer is trying to configure 802.1X on the router and this currently isn’t working.

Handling Process

After analyzing the diagnostic file, our suggestion for the configuration was to undo the command “dot1x port-control unauthorized-force”, because this command will affect the authentication or the traffic of the client. The command syntax is:
“dot1x port-control { auto | authorized-force | unauthorized-force }”

I also asked the client which authentication method he is using.

What I suggested to him was to use the EAP authentication method and to do a test:

“dot1x authentication-method eap”

If it still wasn't working, I asked him to provide us the full output of the commands below:


[Huawei]trace object mac-address xxxx-xxxx-xxxx    // xxxx-xxxx-xxxx is the client MAC address

<Huawei>debugging dot1x all

<Huawei>debugging aaa all

<Huawei>debugging radius all

<Huawei>debugging cm all

<Huawei>terminal debugging

<Huawei>terminal monitor

After finishing the test, please undo the debugging:

<Huawei>undo debugging all

<Huawei>undo terminal debugging

<Huawei>undo terminal monitor


After this, the client said that it was still not working and that he would like to use MAC authentication first and then user authentication (EAP).

Solution

In the configuration provided, the command dot1x mac-bypass must be configured.

If this command isn’t configured, MAC authentication won’t be done. 
 

  1. The first step is to enable MAC authentication, so the command dot1x mac-bypass must be configured.

  2. Secondly, you have to enable dot1x mac-bypass mac-auth-first; then MAC authentication will be done first.

The client should configure both commands under the interface view as below:

[Huawei-interface eth 0/0/2] dot1x mac-bypass

[Huawei-interface eth 0/0/2] dot1x mac-bypass mac-auth-first
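
The checks from this case can be run over a saved configuration before opening a ticket. The script below is an added example, not Huawei tooling or code from the original article; the stanza layout ("interface <name>", indented commands, "#" separators), the interface names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample configuration (assumed layout, not taken from the case).
SAMPLE_CONFIG = """\
interface Ethernet0/0/1
 dot1x port-control unauthorized-force
#
interface Ethernet0/0/2
 dot1x mac-bypass
 dot1x mac-bypass mac-auth-first
#
interface Ethernet0/0/3
 dot1x mac-bypass
#
interface Ethernet0/0/4
 description uplink
"""

def parse_interfaces(config):
    """Return {interface name: [commands]} for each interface stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(\S.*)$", line)
        if match and not raw.startswith(" "):
            current = stanzas.setdefault(match.group(1), [])
        elif line == "#" or not line:
            current = None  # separator closes the current stanza
        elif current is not None:
            current.append(re.sub(r"\s+", " ", line))
    return stanzas

def audit_dot1x(config):
    """Return {interface: [findings]} for ports that carry dot1x commands."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("dot1x") for c in cmds):
            continue  # no dot1x commands on this port, nothing to check
        findings = []
        if "dot1x port-control unauthorized-force" in cmds:
            findings.append("unauthorized-force set: undo it")
        if "dot1x mac-bypass" not in cmds:
            findings.append("dot1x mac-bypass missing: no MAC authentication")
        if "dot1x mac-bypass mac-auth-first" not in cmds:
            findings.append("mac-auth-first missing: MAC authentication not done first")
        report[name] = findings
    return report
```

Calling audit_dot1x(SAMPLE_CONFIG) returns an empty finding list only for Ethernet0/0/2, the port configured as in the solution above; the mac-auth-first finding matters only when MAC authentication must run before EAP, as this client required.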