
An EAP Response Has Been Sent to an ME60 Functioning as an 802.1X Authentication Relay, but the ME60 Fails to Receive It

Publication Date: 2019-04-24
Issue Description

An EAP response has been sent to an ME60 functioning as an 802.1X authentication relay, but the ME60 fails to receive it.

Routes are reachable between the ME60 and SAM. The core switch S12708 and access switch transparently transmit packets to an ME60 subinterface through a VLAN. The SAM is configured to trust the ME60.

For details about the ME60 configuration, visit the following URL to download the product document:

http://support.huawei.com/ehedex/hdx.do?lib=DOC100003434930003808&docid=DOC1000034349&v=01&tocLib=DOC100003434930003808&tocV=01&id=30003808_01_18817&tocURL=resources%2FPublic_me60%2528all%2529%2Fne%2Fdc_ne_cfg_013593.html&p=t&fe=1&ui=3&keyword=1x&clientWidth=1350&browseTime=1490863578850

Networking diagram:

Alarm Information

Debugging information on the ME60 is as follows:

<HUEL-A-MC-BAS01-ME60>

Mar  8 2017 14:42:18.350.3 HUEL-A-MC-BAS01-ME60 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][UCM][user info:

  MAC Address    : 0026-2DF6-4E0B

  IP Address     : 255.255.255.255 

  Interface      : GigabitEthernet2/0/1.2001

  PE VLAN ID     : 2001]

[trace info:[CM State]Cib:59688 Event:CONN_REQ State From IDLE BUTT To ALLOC BUTT]

<HUEL-A-MC-BAS01-ME60>

Mar  8 2017 14:42:18.350.4 HUEL-A-MC-BAS01-ME60 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][UCM][user info:

  MAC Address    : 0026-2DF6-4E0B

  IP Address     : 255.255.255.255 

  Interface      : GigabitEthernet2/0/1.2001

  PE VLAN ID     : 2001]

[trace info:UCM send a connection ACK to Channel:221.]

<HUEL-A-MC-BAS01-ME60>

Mar  8 2017 14:42:18.350.5 HUEL-A-MC-BAS01-ME60 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=2][EAPOL][user info:

  MAC Address    : 0026-2DF6-4E0B

  Interface      : GigabitEthernet2/0/1.2001

  CE VLAN ID     : 2001]

[trace info:EAPoL receive CIB ack message from CM and request CIB successfully(Dot1x index = 47797)]

<HUEL-A-MC-BAS01-ME60>

Mar  8 2017 14:42:18.350.6 HUEL-A-MC-BAS01-ME60 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=2][EAPOL][user info:

  MAC Address    : 0026-2DF6-4E0B

  Interface      : GigabitEthernet2/0/1.2001

  CE VLAN ID     : 2001]

[trace info:EAPoL send EAPOL-request/id packet to PAE and set timer(Dot1x index = 47797)]

<HUEL-A-MC-BAS01-ME60>

Mar  8 2017 14:42:38.350.1 HUEL-A-MC-BAS01-ME60 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=2][EAPOL][user info:

  MAC Address    : 0026-2DF6-4E0B

  Interface      : GigabitEthernet2/0/1.2001

  CE VLAN ID     : 2001]

[trace info:EAPoL resend EAPOL_request packet to PAE and set timer(Dot1x index = 47797)]


<HUEL-A-MC-BAS01-ME60>

Mar  8 2017 14:42:58.350.1 HUEL-A-MC-BAS01-ME60 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=2][EAPOL][user info:

  MAC Address    : 0026-2DF6-4E0B

  Interface      : GigabitEthernet2/0/1.2001

  CE VLAN ID     : 2001]

[trace info:EAPoL resend EAPOL_request packet to PAE and set timer(Dot1x index = 47797)]

<HUEL-A-MC-BAS01-ME60>

Mar  8 2017 14:43:18.350.1 HUEL-A-MC-BAS01-ME60 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=0][UCM][user info:

  MAC Address    : 0026-2DF6-4E0B

  IP Address     : 255.255.255.255 

  Interface      : GigabitEthernet2/0/1.2001

  PE VLAN ID     : 2001]

[trace info:[CM State]Cib:59688 Event:CONN_DOWN State From ALLOC BUTT To DELETING BUTT]

<HUEL-A-MC-BAS01-ME60>

Mar  8 2017 14:43:18.350.2 HUEL-A-MC-BAS01-ME60 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=2][EAPOL][user info:

  MAC Address    : 0026-2DF6-4E0B

  Interface      : GigabitEthernet2/0/1.2001

  CE VLAN ID     : 2001]

[trace info:EAPoL resend EAPOL_request packet to PAE and set timer(Dot1x index = 47797)]

<HUEL-A-MC-BAS01-ME60>

Mar  8 2017 14:43:18.350.3 HUEL-A-MC-BAS01-ME60 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=2][EAPOL][user info:

  MAC Address    : 0026-2DF6-4E0B

  Interface      : GigabitEthernet2/0/1.2001

  CE VLAN ID     : 2001]

[trace info:EAPoL send cutting user request to CM and set timer(Dot1x index = 47797)]

The obtained packet header information on the client is as follows:

Handling Process

1. Obtain packet header information on the client and analyze it. The EAP authentication packet sent by the client is normal.

2. Enable debugging on the ME60 and check the debugging information. The ME60 has not received the EAP response.
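
The pattern step 2 looks for in the trace (one EAPOL-request/id, then only resends, then a user cut) can be checked mechanically. The Python below is an added example, not Huawei tooling; the function name is this example's own, and the sample is the page's EAPOL records with the user-info lines dropped.

```python
import re
from datetime import datetime

HDR = re.compile(r"^(\w{3}\s+\d+ \d{4} \d\d:\d\d:\d\d)\.\d+\.\d+ \S+ BTRC/7/BTRC_TraceInfo:")
TRACE = re.compile(r"^\[trace info:(EAPoL .*)\(Dot1x index = (\d+)\)\]$")

def find_unanswered(log_text):
    """Return {dot1x_index: (resends, seconds_until_cut)} for sessions in which
    the relay sent EAPOL-request/id, only ever resent it, and then cut the user."""
    ts, open_sessions, unanswered = None, {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        if (m := HDR.match(line)):
            # Collapse the padded day ("Mar  8") before parsing the timestamp.
            ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %Y %H:%M:%S")
            continue
        m = TRACE.match(line)
        if not m or ts is None:
            continue
        text, idx = m.group(1), m.group(2)
        if "send EAPOL-request/id" in text:
            open_sessions[idx] = {"start": ts, "resends": 0, "other": False}
        elif idx in open_sessions:
            s = open_sessions[idx]
            if "resend EAPOL_request" in text:
                s["resends"] += 1
            elif "cutting user" in text:
                if not s["other"]:
                    unanswered[idx] = (s["resends"], int((ts - s["start"]).total_seconds()))
                del open_sessions[idx]
            else:
                s["other"] = True  # any other EAPoL trace: the exchange progressed
    return unanswered

# Constructed sample: the EAPOL records from the debug output above, with the
# user-info lines dropped to keep it short.
_H = "Mar  8 2017 {} HUEL-A-MC-BAS01-ME60 BTRC/7/BTRC_TraceInfo:[objectID=1][slotID=2][EAPOL][user info:"
_T = "[trace info:EAPoL {}(Dot1x index = 47797)]"
SAMPLE = "\n".join(_H.format(t) + "\n" + _T.format(e) for t, e in [
    ("14:42:18.350.6", "send EAPOL-request/id packet to PAE and set timer"),
    ("14:42:38.350.1", "resend EAPOL_request packet to PAE and set timer"),
    ("14:42:58.350.1", "resend EAPOL_request packet to PAE and set timer"),
    ("14:43:18.350.2", "resend EAPOL_request packet to PAE and set timer"),
    ("14:43:18.350.3", "send cutting user request to CM and set timer"),
])
```

For the session in the debug output this reports three resends and a cut 60 seconds after the first request, which matches a relay that never saw a response.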

Root Cause

The fault is on the S12708 on the intermediate link.

The following is the description in the S12708 product document:

The EAP packet in 802.1x authentication is a bridge protocol data unit (BPDU). By default, Huawei switches do not perform Layer 2 forwarding for BPDUs. If a Layer 2 switch still exists between the 802.1x-enabled device and a user, Layer 2 transparent transmission must be configured on the switch. Otherwise, the EAP packet sent by the user cannot reach the authentication device and the user cannot pass authentication.

To download the S12708 product document, visit the following URL:

http://support.huawei.com/ehedex/hdx.do?lib=DOC100005799331188138&docid=DOC1000057993&v=04&tocLib=DOC100005799331188138&tocV=04&id=dc_cfg_nac_2003u_5&tocURL=resources%2Fdc%2Fdc_s_fuc_nac_003.html&p=t&fe=1&ui=3&keyword=1x&clientWidth=1350&browseTime=1490867576990

Solution

1. Run the following command in the system view of S12708:

l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002

2. Run the following command on the downstream interface connecting the S12708 to the access switch:

l2protocol-tunnel user-defined-protocol dot1x enable
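
The root cause and the `protocol-mac` value in the command above both come down to the destination address of the EAPOL frame. The Python below is an added example, not part of the original case or of Huawei's documentation: it builds a constructed EAP-Response/Identity frame and checks its destination against the IEEE reserved group-address range that standard bridges do not forward. It assumes the client sends to the PAE group address 0180-c200-0003; the helper names and the identity value are made up for the example.

```python
import struct

ETH_P_PAE = 0x888E                      # EtherType of EAPOL (IEEE 802.1X)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def huawei_mac(text):
    """'0180-c200-0003' (VRP notation) -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))

def bridge_filtered(dst):
    """True for 01-80-C2-00-00-00..0F, the IEEE 802.1D/802.1Q reserved group
    addresses that a standard bridge consumes instead of forwarding."""
    return dst[:5] == bytes.fromhex("0180c20000") and dst[5] <= 0x0F

def classify(frame):
    """Summarise an untagged Ethernet frame as (is_eapol, eap_code, filtered)."""
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_PAE:
        return (False, None, bridge_filtered(dst))
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    code = None
    if ptype == 0 and length >= 4:      # EAPOL packet type 0 = EAP-Packet
        code = EAP_CODES.get(frame[18])
    return (True, code, bridge_filtered(dst))

# Constructed frame: EAP-Response/Identity from the client MAC seen in the debug
# output to the PAE group address. The identity "user" is a made-up value.
identity = b"user"
eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
SAMPLE_FRAME = (huawei_mac("0180-c200-0003") + huawei_mac("0026-2DF6-4E0B")
                + struct.pack("!H", ETH_P_PAE)
                + struct.pack("!BBH", 1, 0, len(eap)) + eap)

if __name__ == "__main__":
    print(classify(SAMPLE_FRAME))                         # the client's response
    print(bridge_filtered(huawei_mac("0100-0000-0002")))  # group-mac from step 1
```

The `group-mac` value 0100-0000-0002 from step 1 lies outside the reserved range, while the `protocol-mac` value lies inside it.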

Suggestions

When debugging 802.1X authentication, engineers need to be familiar with the features of Huawei devices, especially those of the devices that the authentication packets pass through.
