05-20-2012 10:00 AM
I have a MAG2600 and want to set it up as L2 802.1x with a Huawei switch, and am asking if it is supported by the MAG (IC 4.1r1)?
I was not able to find Huawei in the list of supported vendors on the RADIUS client configuration page!
The Huawei switch is configured per the Huawei admin guide, but when connecting a user (having Odyssey installed and configured) to a dot1x-enabled port, the agent asks for a username and could not connect to the controller. But if I connected the user to a non-dot1x port, then I got authenticated and connected to the controller!
05-20-2012 07:32 PM
IC in MAG 2600 supports the RADIUS protocol as required for dot1x and will interoperate with any standards-based dot1x setup. You would only need to configure Huawei as a specific vendor in IC if you are planning to use vendor-specific attributes for connecting to the Huawei switches. Otherwise, selecting Standard RADIUS should be good enough. Can you check the IC logs (User, Events, policy tracing) for these failed attempts? That should tell you what is going wrong in your setup.
05-21-2012 04:40 AM
MAG 2600 does not support the complete feature set of IC in version 4.1.
Only from IC version 4.2 does it function as a full-blown IC.
05-23-2012 05:45 AM
I upgraded to 4.2 and I got the same behaviour.
As for the MAG logs:
I can see that the user's authentication succeeded, but the agent is displaying authentication failed and requesting authentication again.
I think it's a Huawei switch issue, so I wonder if anyone has had the same case.
05-23-2012 06:15 AM
Can you attach tcp_dump and logs?
What is the supplicant that you are using?
05-28-2012 10:39 PM
You are right, the IC/MAG is sending the Auth Accept message to the switch. This is evident from the logs. Refer below:
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)----------------------------------------
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)Authentication Response
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)Packet : Code = 0x2 ID = 0x5a
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)EAP-Message (Success, id=7) : Value =
05-28-2012 10:47 PM
Are you trying to put him in any dynamic VLAN?
Certain vendors do not use standard RADIUS attributes for dynamic VLAN assignment.
If so, you will have to check if they use any vendor-specific attribute!
05-28-2012 11:37 PM
Alright, as Ashish pointed out, IC is sending Access_Accept.
You have to check if the switch is sending EAP-SUCCESS to the client.
Can you collect a sniffer capture on the switch-port?
OAC logs at level 5 also should help.
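
An added example, not part of the original thread: a minimal check over raw frames from a switch-port capture that looks for the EAP-Success (id=7 in the log excerpt above) which the switch should relay to the supplicant after the IC's Access-Accept. The frames and MAC addresses are constructed samples, and untagged Ethernet on the access port is assumed.

```python
import struct

EAPOL_ETHERTYPE = 0x888E  # IEEE 802.1X (EAP over LAN)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes):
    """Return (eap_code_name, eap_id) for an EAPOL EAP-Packet frame, else None."""
    if len(frame) < 18:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        return None
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[14:18])
    # EAPOL type 0 carries an EAP packet; Start/Logoff/Key frames are skipped.
    if pkt_type != 0 or body_len < 4 or len(frame) < 18 + body_len:
        return None
    code, ident, eap_len = struct.unpack("!BBH", frame[18:22])
    if eap_len < 4 or eap_len > body_len:
        return None
    return EAP_CODES.get(code, f"Unknown({code})"), ident

def relay_verdict(frames, accept_eap_id):
    """Report whether the EAP-Success carried in the Access-Accept reached the port."""
    seen = [p for p in map(parse_eapol, frames) if p]
    if ("Success", accept_eap_id) in seen:
        return "relayed"
    if any(code == "Failure" for code, _ in seen):
        return "switch sent EAP-Failure"
    return "no EAP-Success on the port"

# Constructed sample data (locally administered MACs, not from the thread).
SWITCH, CLIENT = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
def frame_of(src, dst, eap):
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 0, len(eap)) + eap

REQ = frame_of(SWITCH, CLIENT, struct.pack("!BBHB", 1, 7, 5, 1))
RESP = frame_of(CLIENT, SWITCH, struct.pack("!BBHB", 2, 7, 5, 1))
SUCCESS = frame_of(SWITCH, CLIENT, struct.pack("!BBH", 3, 7, 4))
FAILURE = frame_of(SWITCH, CLIENT, struct.pack("!BBH", 4, 7, 4))
BROKEN_CAPTURE = [REQ, RESP]          # Access-Accept sent, nothing relayed
GOOD_CAPTURE = [REQ, RESP, SUCCESS]   # expected behaviour

if __name__ == "__main__":
    print("broken:", relay_verdict(BROKEN_CAPTURE, 7))
    print("good:  ", relay_verdict(GOOD_CAPTURE, 7))
```
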