Pulse Secure (formerly Identity and Policy Control)
Contributor
Posts: 68
Registered: ‎06-23-2010
0 Kudos

Do IC support for Huawei switches as 802.1x?

Hi

 

I have a MAG2600 and want to set it up as L2 802.1x with a Huawei switch, and am asking if it is supported by the MAG (IC 4.1r1)?

 

I was not able to find Huawei in the list of supported vendors on the RADIUS client configuration page!

 

Scenario:

The Huawei switch is configured as per the Huawei admin guide, but when connecting a user (having Odyssey installed and configured) to a dot1x-enabled port, the agent asks for a username and could not connect to the controller. But if I connected the user to a non-dot1x port, then I got authenticated and connected to the controller!

 

Regards

Myasin

Super Contributor
Posts: 168
Registered: ‎11-06-2009
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Hi,

 

IC in MAG 2600 supports the RADIUS protocol as required for dot1x and will interoperate with any standards-based dot1x setup. You would only need to configure Huawei as a specific vendor in IC if you are planning to use vendor-specific attributes for connecting to the Huawei switches. Otherwise, selecting Standard radius should be good enough. Can you check the IC logs (User, Events, policy tracing) for these failed attempts? That should tell you what is going wrong in your setup.

 

Thanks

Ashish Paul
Distinguished Expert
Posts: 603
Registered: ‎04-15-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

MAG 2600 does not support complete feature set of IC in version 4.1.

Only from IC version 4.2 does it function as a full-blown IC.

 

Regards,

Raveen

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!
Contributor
Posts: 68
Registered: ‎06-23-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Hi

 

I upgraded to 4.2 and I got the same behaviour.

 

For the MAG logs:

I can see that the user's authentication succeeded, but the agent is displaying authentication failed and requesting authentication again.

 

I think it's a Huawei switch issue, so I wonder if anyone had the same case.

 

Regards

Mahmoud

 

 

Distinguished Expert
Posts: 603
Registered: ‎04-15-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Can you attach tcp_dump and logs?

What is the supplicant that you are using?

 

Regards,

Raveen

Contributor
Posts: 68
Registered: ‎06-23-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Hello, attached is the TCP_Dump file.

 

Regards

Super Contributor
Posts: 168
Registered: ‎11-06-2009
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

You are right, the IC/MAG is sending an Auth Accept message to the switch. This is evident from the logs. Refer below:

 

info - [127.0.0.1] - System()[] - 2012/05/23 13:04:59 - (b0b5f250)-----------------------------------------------------------
info - [127.0.0.1] - System()[] - 2012/05/23 13:04:59 - (b0b5f250)Authentication Response
info - [127.0.0.1] - System()[] - 2012/05/23 13:04:59 - (b0b5f250)Packet : Code = 0x2 ID = 0x5a
|................|

info - [127.0.0.1] - System()[] - 2012/05/23 13:04:59 - (b0b5f250)EAP-Message (Success, id=7) : Value =

Ashish Paul
Distinguished Expert
Posts: 603
Registered: ‎04-15-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Are you trying to put him in any dynamic VLAN?

Certain vendors do not use standard RADIUS attributes for dynamic VLAN assignment.

If so, you will have to check if they use any vendor-specific attribute!

 

Regards,

Raveen

Contributor
Posts: 68
Registered: ‎06-23-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

The clients' switch ports are assigned a static VLAN and the MAG is configured for a return attribute to open the port if the client is authenticated.

 

Regards

Mahmoud

Distinguished Expert
Posts: 603
Registered: ‎04-15-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Alright, as Ashish pointed out IC is sending Access_Accept.

You have to check if switch is sending EAP-SUCCESS to the client.

 

Can you collect a sniffer capture on the switch-port?

OAC logs at level 5 also should help.

 

Regards,

Raveen

Contributor
Posts: 68
Registered: ‎06-23-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Hi

 

Attached is the OAC log file.

 

Regards

Mahmoud

Distinguished Expert
Posts: 603
Registered: ‎04-15-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Hi,

 

In OAC logs, I can see switch sending EAP-FAILURE.

Snippet..

--------------------------------------------------------------------------

00172,09 2012/06/03 13:07:24.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [ERR] Discarding EAPOL packet: unknown packet type 1

...

00216,09 2012/06/03 13:07:26.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [ERR] Cannot set master key: authentication not complete or method does not support session keys

...

00178,09 2012/06/03 13:07:30.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [NRM] Processing EAP-Failure: code = 4, id = 9, length = 7

00132,09 2012/06/03 13:07:30.046 4 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicant.cpp:5428 - 'odService' STATE_Auth() 3

00156,09 2012/06/03 13:07:30.046 3 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicant.cpp:5496 - 'odService' Supplicant state: authentication failed

---------------------------------------------------------------------------

 

This could be a switch issue! However, there are no synchronised logs provided (UAC, OAC, sniffer capture taken together at the same timestamp).

 

Regards,

Raveen

Contributor
Posts: 68
Registered: ‎06-23-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

I was able to collect the logs from MAG, OAC, and the captured traffic from the switch, all at the same time.

 

Attached are the logs.

 

Regards

Mahmoud

Distinguished Expert
Posts: 603
Registered: ‎04-15-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Hi Mahmoud,

 

This looks like a switch issue, as it sends EAP-FAILURE, even after receiving ACCESS-ACCEPT.

 

Below are the snippets for reference:

------------------------------------------------------------------------------

User Access Log:

 

2012-06-04 14:14:55 - ic - [0.0.0.0] test(Allowed-Realm)[] - Radius authentication accepted for test (realm 'Allowed-Realm') from location-group 'tel Location Group' and attributes are: NAS-IP-Address = 172.16.10.11,NAS-Port = 12398,NAS-Port-Type = 15

 

Radius troubleshooting log:

 

info - [127.0.0.1] - System()[] - 2012/06/04 14:14:55 - (b0b7b250)Authentication Response
info - [127.0.0.1] - System()[] - 2012/06/04 14:14:55 - (b0b7b250)Packet : Code = 0x2 ID = 0x3c

 

Switch Capture:

 

Frame 86 --> ACCESS-ACCEPT from MAG Device

Frame 116 --> EAP Failure from switch to client

 

After getting Access-Accept, the switch is not responding to the client; after twenty seconds, the client is sending a new EAPOL start message.

 

Regards,

Raveen

 

Note: If I have answered your questions, you could mark this as accepted solution, that way it would help others as well. A kudo would be a bonus thanks!

 

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!
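
The manual correlation in the post above (Access-Accept in the MAG RADIUS log, EAP-Failure in the OAC log, differing EAP ids) can be automated. This is an added example, not code from the thread or from the vendor; the sample lines are constructed from the formats quoted here, and it assumes both logs share a synchronised clock and that a 30-second matching window is appropriate.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the log formats quoted in this thread.
MAG_LOG = """\
info - [127.0.0.1] - System()[] - 2012/06/04 14:14:54 - (b0b7b250)Packet : Code = 0xb ID = 0x3b
info - [127.0.0.1] - System()[] - 2012/06/04 14:14:55 - (b0b7b250)Packet : Code = 0x2 ID = 0x3c
info - [127.0.0.1] - System()[] - 2012/06/04 14:14:55 - (b0b7b250)EAP-Message (Success, id=7) : Value =
"""
OAC_LOG = """\
00178,09 2012/06/04 14:14:57.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [NRM] Processing EAP-Failure: code = 4, id = 9, length = 7
"""

RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
TS = r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)"
MAG_PKT = re.compile(TS + r" - \(\w+\)Packet : Code = 0x([0-9a-f]+) ID", re.I)
MAG_EAP = re.compile(TS + r" - \(\w+\)EAP-Message \(\w+, id=(\d+)\)")
OAC_EAP = re.compile(TS + r"\.\d+ .*Processing EAP-(Success|Failure): code = \d+, id = (\d+)")

def parse_ts(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")

def server_verdicts(mag_log):
    """One dict per RADIUS response; eap_id is the id of the EAP-Message logged after it."""
    verdicts = []
    for line in mag_log.splitlines():
        if m := MAG_PKT.search(line):
            verdicts.append({"time": parse_ts(m[1]), "eap_id": None,
                             "radius": RADIUS_CODES.get(int(m[2], 16), "other")})
        elif (m := MAG_EAP.search(line)) and verdicts:
            verdicts[-1]["eap_id"] = int(m[2])
    return verdicts

def supplicant_outcomes(oac_log):
    """(time, 'Success'|'Failure', eap_id) for each EAP result the supplicant processed."""
    return [(parse_ts(m[1]), m[2], int(m[3])) for m in OAC_EAP.finditer(oac_log)]

def find_mismatches(mag_log, oac_log, window=timedelta(seconds=30)):
    """Access-Accepts whose first supplicant outcome within `window` is an EAP-Failure."""
    outcomes, findings = supplicant_outcomes(oac_log), []
    for v in server_verdicts(mag_log):
        if v["radius"] != "Access-Accept":
            continue
        hit = next((o for o in outcomes if v["time"] <= o[0] <= v["time"] + window), None)
        if hit and hit[1] == "Failure":
            findings.append({"accept_at": v["time"], "failure_at": hit[0],
                             "delay_s": (hit[0] - v["time"]).total_seconds(),
                             "server_eap_id": v["eap_id"], "client_eap_id": hit[2],
                             "eap_id_mismatch": v["eap_id"] not in (None, hit[2])})
    return findings
```

A non-empty result from `find_mismatches(MAG_LOG, OAC_LOG)` points at the authenticator (the switch) rather than the RADIUS server, which is the conclusion reached in this thread.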
Distinguished Expert
Posts: 603
Registered: ‎04-15-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

It is pretty much a switch issue, given that it is sending EAP-FAILURE despite receiving ACCESS-ACCEPT. Also, the EAP-ID that it is using is wrong, I reckon!

 

However, I would also try increasing authPeriod to eliminate timing issues. For testing purposes, can you increase the authPeriod timeout in OAC?

 

HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software, Inc.\odyssey\client\configuration\options\wired8021x\authPeriod

 

The default value is 20 seconds; try increasing it to 60.

 

Regards,

Raveen

Distinguished Expert
Posts: 603
Registered: ‎04-15-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Forgot to add that changes to the registry require a reboot of the machine.

 

Regards,

Raveen

Contributor
Posts: 68
Registered: ‎06-23-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Hello Raveen

 

Thank you for your posts. I tried what you suggested but I got the same response.

So why is the switch refusing the EAP messages?

 

Regards

Mahmoud

Distinguished Expert
Posts: 603
Registered: ‎04-15-2010
0 Kudos

Re: Do IC support for Huawei switches as 802.1x?

Well if it is not a timing issue, then you will have to work with your switch vendor on this.

You could provide the analysis that we have provided.

 

Regards,

raveen
