Identity and Policy Control
Contributor
eng_mahmood48@yahoo.com

Do IC support for Huawei switches as 802.1x?

Hi

 

I have a MAG2600 and want to set it up for L2 802.1x with a Huawei switch, and am asking if it is supported by the MAG (IC 4.1r1)?

 

I was not able to find Huawei in the list of supported vendors on the RADIUS client configuration page!

 

Scenario:

The Huawei switch is configured per the Huawei admin guide, but when connecting a user (having Odyssey installed and configured) to a dot1x-enabled port, the agent asks for a username and cannot connect to the controller. But if I connect the user to a non-dot1x port, then I get authenticated and connected to the controller!

 

Regards

Myasin

Super Contributor
apaul

Re: Do IC support for Huawei switches as 802.1x?

Hi,

 

IC in MAG 2600 supports the RADIUS protocol as required for dot1x and will interoperate with any standards-based dot1x setup. You would only need to configure Huawei as a specific vendor in IC if you are planning to use vendor-specific attributes for connecting to the Huawei switches. Otherwise, selecting Standard RADIUS should be good enough. Can you check the IC logs (User, Events, policy tracing) for these failed attempts? That should tell you what is going wrong in your setup.

 

Thanks

Ashish Paul
Distinguished Expert
Raveen

Re: Do IC support for Huawei switches as 802.1x?

MAG 2600 does not support the complete feature set of IC in version 4.1.

Only from IC version 4.2 does it function as a full-blown IC.

 

Regards,

Raveen

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!
Contributor
eng_mahmood48@yahoo.com

Re: Do IC support for Huawei switches as 802.1x?

Hi

 

I upgraded to 4.2 and I got the same behaviour.

 

For the MAG logs:

I can see that the user's authentication succeeded, but the agent is displaying authentication failed and requesting authentication again.

 

I think it's a Huawei switch issue, so I wonder if anyone has had the same case.

 

Regards

Mahmoud

 

 

Distinguished Expert
Raveen

Re: Do IC support for Huawei switches as 802.1x?

Can you attach tcp_dump and logs?

What is the supplicant that you are using?

 

Regards,

Raveen

Contributor
eng_mahmood48@yahoo.com

Re: Do IC support for Huawei switches as 802.1x?

Hello, attached is the TCP_Dump file.

 

Regards

Super Contributor
apaul

Re: Do IC support for Huawei switches as 802.1x?

You are right, the IC/MAG is sending an Auth Accept message to the switch. This is evident from the logs. Refer below.

 

info - [127.0.0.1] - System()[] - 2012/05/23 13:04:59 - (b0b5f250)-----------------------------------------------------------
info - [127.0.0.1] - System()[] - 2012/05/23 13:04:59 - (b0b5f250)Authentication Response
info - [127.0.0.1] - System()[] - 2012/05/23 13:04:59 - (b0b5f250)Packet : Code = 0x2 ID = 0x5a
|................|

info - [127.0.0.1] - System()[] - 2012/05/23 13:04:59 - (b0b5f250)EAP-Message (Success, id=7) : Value =

Ashish Paul
Distinguished Expert
Raveen

Re: Do IC support for Huawei switches as 802.1x?

Are you trying to put him in any dynamic VLAN?

Certain vendors do not use standard RADIUS attributes for dynamic VLAN assignment.

If so, you will have to check if they use any vendor-specific attribute!

 

Regards,

Raveen

Contributor
eng_mahmood48@yahoo.com

Re: Do IC support for Huawei switches as 802.1x?

The clients' switch ports are assigned a static VLAN and the MAG is configured for a return attribute to open the port if the client is authenticated.

 

Regards

Mahmoud

Distinguished Expert
Raveen

Re: Do IC support for Huawei switches as 802.1x?

Alright, as Ashish pointed out, IC is sending Access_Accept.

You have to check if the switch is sending EAP-SUCCESS to the client.

 

Can you collect a sniffer capture on the switch-port?

OAC logs at level 5 also should help.

 

Regards,

Raveen

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!
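
The check discussed in the last few posts can be run offline against raw bytes exported from the two captures. The following is an added example, not part of the original thread or of any Juniper or Huawei tooling: it decodes the EAP-Message inside a RADIUS Access-Accept and looks for the same EAP-Success in EAPOL frames taken on the client's switch port. The function names are hypothetical, the sample bytes are constructed (reusing Code 0x2, ID 0x5a and EAP id 7 from the log excerpt), and it assumes the switch relays the server's EAP packet unchanged.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
ACCESS_ACCEPT, ATTR_EAP_MESSAGE, ETHERTYPE_EAPOL = 2, 79, 0x888E

def eap_header(eap):
    """Return (code name, identifier) from the 4-byte EAP header."""
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] > len(eap):
        raise ValueError("missing or truncated EAP packet")
    return EAP_CODES.get(eap[0], f"unknown({eap[0]})"), eap[1]

def radius_eap(packet):
    """Decode a RADIUS packet; return (code, id, eap_name, eap_id)."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    eap, pos = b"", 20                  # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == ATTR_EAP_MESSAGE:   # a long EAP packet spans several attributes
            eap += packet[pos + 2:pos + alen]
        pos += alen
    return (code, ident) + eap_header(eap)

def eapol_eap(frame):
    """Return (eap_name, eap_id) for an EAPOL EAP-Packet frame, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, ptype, blen = struct.unpack("!BBH", frame[14:18])
    if ptype != 0 or blen < 4:          # 0 = EAP-Packet; Start/Logoff/Key are skipped
        return None
    return eap_header(frame[18:18 + blen])

def success_relayed(accept, port_frames):
    """True if the port capture holds the EAP-Success carried in the Access-Accept."""
    code, _, eap_name, eap_id = radius_eap(accept)
    if code != ACCESS_ACCEPT or eap_name != "Success":
        return False
    return ("Success", eap_id) in [eapol_eap(f) for f in port_frames]

# Constructed samples: Access-Accept (ID 0x5a) with EAP-Success id=7, and two port frames.
ACCEPT = bytes([2, 0x5A]) + struct.pack("!H", 26) + bytes(16) + bytes([79, 6, 3, 7, 0, 4])
HDR = bytes.fromhex("0180c2000003" "020000000001" "888e")   # dst, src, EtherType
REQ = HDR + bytes([1, 0, 0, 5, 1, 7, 0, 5, 1])              # EAP-Request/Identity
OK = HDR + bytes([1, 0, 0, 4, 3, 7, 0, 4])                  # EAP-Success id=7
```

If `success_relayed` returns False for a port capture taken during a login that the IC logged as accepted, the EAP-Success was not seen on the client side of the switch.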
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.