
S5130S-HI series switch: wired 802.1X authentication abnormality with the Windows built-in client (experience case)

2020-09-27 Published

Network Topology


Problem Description

We use an S5130S-HI series switch together with a third-party RADIUS server for 802.1X authentication of end-user computers. A computer connected directly to the switch passes authentication, but afterwards it cannot access the Internet normally. The computer authenticates with the Windows built-in 802.1X client.

Process analysis

First we checked the 802.1X configuration on the device side. The device is in EAP relay mode, there is nothing obviously wrong in the configuration, and the switch and the RADIUS server can ping each other. We then collected the output of debugging dot1x all and debugging radius all and examined it to see whether a problem on the server side was causing the authentication failure.

 

#
 dot1x
 dot1x authentication-method eap
#
radius scheme sensetimeradius
 primary authentication 10.151.1.248
 primary accounting 10.151.1.248
 key authentication cipher $c$3$VlUaBXvVhtV5Nna57g9popb7m+8SQ4MhU4Kxp8hnsQ==.
 key accounting cipher $c$3$DhTobwxPpFz1WP1ZPkMr5nrNt0XxWRUD64W0P+edAQ===
 user-name-format without-domain
#
domain sensetimeradius
 authentication lan-access radius-scheme sensetimeradius
 authorization lan-access radius-scheme sensetimeradius
 accounting lan-access radius-scheme sensetimeradius
#
interface GigabitEthernet1/0/6
 stp edged-port
 dot1x
 dot1x mandatory-domain sensetimeradius
 dot1x port-method portbased
#

 

Looking at the debug output, we can see that the switch sent an EAP-Request/Identity (Code=1) to the terminal and received an EAP-Response (Code=2) with the same Identifier from it.

 

*Aug 19 16:58:09:617 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF DOT1X/7/EVENT: Sending EAP packet: Identifier=2, type=1.
*Aug 19 16:58:09:618 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF DOT1X/7/PACKET:
Transmitted a packet on interface GigabitEthernet1/0/6.
Destination Mac Address=c8f7-503f-f1be
Source Mac Address=743a-208a-f02f
VLAN ID=1
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=5.
-----Packet Body -----
Code=1
Identifier=2
Length=5.

Received a packet on interface GigabitEthernet1/0/6.
Destination Mac Address=0180-c200-0003
Source Mac Address=c8f7-503f-f1be
Mac Frame Type=888e
Protocol Version ID=1
Packet Type=0
Packet Length=15.
-----Packet Body -----
Code=2
Identifier=2
Length=15.

 

 

Reviewing the interaction between the switch and the RADIUS server, we find that the switch successfully sent the authentication request to the RADIUS server; the terminal's EAP-Response is carried in the EAP-Message attribute.

 

*Aug 19 16:58:17:173 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF RADIUS/7/PACKET:
    User-Name="zhangyibin"
    NAS-Identifier="ASCNHZTR-AS-S5130S-29FA-02-IRF"
    EAP-Message=0x0202000f017a68616e67796962696e
    Message-Authenticator=0x00000000000000000000000000000000000000000000
    Framed-MTU=1450
    Framed-Protocol=PPP
    Called-Station-
    NAS-Port-Type=Ethernet
    H3c-Ip-Host-Addr="0.0.0.0 c8:f7:50:3f:f1:be"
    Calling-Station-
    H3C-NAS-Port-Name="GigabitEthernet1/0/6"
    NAS-Port=16801793
    NAS-Port-
    H3c-AVPair="nas:ifindex=6"
    Acct-Session-
    Service-Type=Framed-User
    NAS-IP-Address=10.156.1.5
    H3c-Product-
    H3c-Nas-Startup-Timestamp=1597820936
*Aug 19 16:58:17:175 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF DOT1X/7/EVENT: AAA processed authentication request: Result=Processing, UserMAC=c8f7-503f-f1be, VLANID=1, Interface=GigabitEthernet1/0/6.
*Aug 19 16:58:17:175 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF RADIUS/7/EVENT: Sent request packet successfully.
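To confirm what EAP relay actually forwarded, the two captured values above (the transmitted EAPOL header/body and the EAP-Message attribute) can be decoded with the following script. It is an added example, not part of the original case; the byte layout follows IEEE 802.1X and RFC 3748, and the only page-specific inputs are those two captured values.

```python
import struct

# Values from the case's debug output; the byte layout around them follows
# IEEE 802.1X / RFC 3748. Everything else here is an added example.
EAP_MESSAGE_ATTR = "0x0202000f017a68616e67796962696e"  # RADIUS EAP-Message value
# EAPOL PDU of the transmitted packet: Version=1, Type=0, Length=5, then
# EAP Code=1 (Request), Identifier=2, Length=5, Type=1 (Identity)
EAPOL_REQUEST = bytes.fromhex("01000005" "0102000501")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eap(packet: bytes) -> dict:
    """Decode an EAP packet: Code, Identifier, Length and, for Request/Response,
    the Type byte (Identity type-data is the user name)."""
    if len(packet) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length {length} does not match {len(packet)} bytes")
    info = {"code": EAP_CODES.get(code, code), "identifier": identifier, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response packets carry a Type byte")
        eap_type = packet[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            info["identity"] = packet[5:].decode("utf-8", errors="replace")
    return info


def decode_eapol(pdu: bytes) -> dict:
    """Decode the EAPOL PDU that follows EtherType 0x888e: Protocol Version,
    Packet Type and Packet Length; type 0 (EAPOL-EAP) wraps an EAP packet."""
    if len(pdu) < 4:
        raise ValueError("EAPOL header needs at least 4 bytes")
    version, ptype, body_len = struct.unpack("!BBH", pdu[:4])
    info = {"version": version, "packet_type": ptype, "packet_length": body_len}
    if ptype == 0:
        info["eap"] = decode_eap(pdu[4:4 + body_len])
    return info


def decode_eap_message_attr(hex_value: str) -> dict:
    """Decode the hex string the switch prints for the EAP-Message attribute."""
    if hex_value[:2].lower() == "0x":
        hex_value = hex_value[2:]
    return decode_eap(bytes.fromhex(hex_value))
```

Decoding EAP_MESSAGE_ATTR yields Code=Response, Identifier=2, Length=15, Type=Identity and the identity zhangyibin, i.e. exactly the EAPOL body the switch received on GigabitEthernet1/0/6, which is what EAP relay is expected to forward unchanged.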

 

 

The device then successfully received and decoded the reply packet from the RADIUS server.

 

*Aug 19 16:58:17:177 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF RADIUS/7/EVENT: Sent request packet and create request context RADIUS/7/EVENT: Added request context to global table successfully.
*Aug 19 16:58:17:177 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF RADIUS/7/EVENT: Added request context to global table successfully.
*Aug 19 16:58:17:177 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF RADIUS/7/EVENT: Processing AAA request data.
*Aug 19 16:58:17:211 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF RADIUS/7/EVENT: Reply SocketFd recieved EPOLLIN event.
*Aug 19 16:58:17:212 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF RADIUS/7/EVENT: Received reply packet succuessfully.
*Aug 19 16:58:17:212 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF RADIUS/7/EVENT: Found request context, dstIP: 10.151.1.248, dstPort: 1812 , VPN instance: --(public), socketFd: 77, pktID: 127.
*Aug 19 16:58:17:212 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF RADIUS/7/EVENT: The reply packet is valid.
*Aug 19 16:58:17:213 2020 ASCNHZTR-AS-S5130S-29FA-02-IRF RADIUS/7/EVENT: Decoded reply packet successfully.

 

So far we found no obvious error in the debug information. Combined with the customer's on-site test feedback that authentication with the iNode client succeeds and the terminal can then access the Internet normally, we can conclude that the problem is not caused by the configuration but by the Windows client.

Solution

When 802.1X authentication is configured on the device, the online user handshake feature is enabled by default. With it enabled, the device periodically (at the interval set by the dot1x timer handshake-period command) sends handshake requests (EAP-Request/Identity) to check whether the user is still online. If the device receives no response (EAP-Response/Identity) from the client for a number of consecutive requests (set with the dot1x retry command), the user is logged off.


After undo dot1x handshake was configured, the customer reported that the Windows client authenticates normally and is no longer logged off shortly afterwards. The cause is that some 802.1X clients do not support the handshake exchange with the device; in this situation it is recommended to disable the online user handshake so that online users are not forced offline for failing to answer handshake requests.
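The timer/retry interaction described above, as an added model that is not H3C's code: it assumes a 15-second handshake period and a retry count of 2 (assumed defaults, not stated on the page) and runs a client that answers the handshake and one that ignores it, both with dot1x handshake enabled and after undo dot1x handshake.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Dot1xOnlineUser:
    """Simplified model of the online user handshake (added example, not the
    switch's code). handshake_enabled mirrors 'dot1x handshake' /
    'undo dot1x handshake', handshake_period 'dot1x timer handshake-period'
    (seconds) and retry 'dot1x retry'. The 15 s and 2 defaults are assumed."""
    handshake_enabled: bool = True
    handshake_period: int = 15
    retry: int = 2
    missed: int = 0          # consecutive handshake requests left unanswered
    online: bool = True
    log: list = field(default_factory=list)

    def handshake_tick(self, now: int, client_answers: bool) -> None:
        """One handshake interval elapses: the device sends EAP-Request/Identity
        and either gets EAP-Response/Identity back or records a miss."""
        if not (self.online and self.handshake_enabled):
            return
        self.log.append(f"t={now}s: EAP-Request/Identity sent")
        if client_answers:
            self.missed = 0
            self.log.append(f"t={now}s: EAP-Response/Identity received")
            return
        self.missed += 1
        if self.missed >= self.retry:
            self.online = False
            self.log.append(f"t={now}s: {self.missed} requests unanswered, user logged off")


def simulate(handshake_enabled: bool, client_answers: bool, duration: int = 120,
             period: int = 15, retry: int = 2) -> Dot1xOnlineUser:
    """Run the handshake timer for `duration` seconds after authentication."""
    user = Dot1xOnlineUser(handshake_enabled, period, retry)
    for now in range(period, duration + 1, period):
        user.handshake_tick(now, client_answers)
    return user


def offline_time(user: Dot1xOnlineUser) -> Optional[int]:
    """Seconds after authentication at which the user was logged off, or None."""
    for entry in user.log:
        if entry.endswith("user logged off"):
            return int(entry[2:entry.index("s:")])
    return None
```

With the assumed defaults a client that never answers is logged off 30 seconds after authenticating, which matches the rapid offline symptom in the case; with the handshake disabled the same client stays online.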
