05-20-2012 10:00 AM
I have a MAG2600 and want to set it up for L2 802.1x with a Huawei switch, and I am asking if this is supported by the MAG (IC 4.1r1)?
I was not able to find Huawei in the list of supported vendors on the RADIUS client configuration page!
The Huawei switch is configured per the Huawei admin guide, but when connecting a user (with Odyssey installed and configured) to a dot1x-enabled port, the agent asks for a username and could not connect to the controller. But if I connect the user to a non-dot1x port, then I get authenticated and connected to the controller!
05-20-2012 07:32 PM
IC in the MAG 2600 supports the RADIUS protocol as required for dot1x and will interoperate with any standards-based dot1x setup. You would only need to configure Huawei as a specific vendor in IC if you are planning to use vendor-specific attributes for connecting to the Huawei switches. Otherwise, selecting Standard RADIUS should be good enough. Can you check the IC logs (User, Events, policy tracing) for these failed attempts? That should tell you what is going wrong in your setup.
05-21-2012 04:40 AM
MAG 2600 does not support the complete feature set of IC in version 4.1.
Only from IC version 4.2 does it function as a full-blown IC.
05-23-2012 05:45 AM
I upgraded to 4.2 and I got the same behaviour.
For the MAG logs:
I can see that the user's authentication succeeded, but the agent is displaying "authentication failed" and requesting authentication again.
I think it's a Huawei switch issue, so I wonder if anyone has had the same case.
05-23-2012 06:15 AM
Can you attach a tcpdump and logs?
What is the supplicant that you are using?
05-28-2012 10:39 PM
You are right, the IC/MAG is sending an Auth Accept message to the switch. This is evident from the logs. Refer below:
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)----------------------------------------
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)Authentication Response
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)Packet : Code = 0x2 ID = 0x5a
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)EAP-Message (Success, id=7) : Value =
05-28-2012 10:47 PM
Are you trying to put him in any dynamic VLAN?
Certain vendors do not use standard RADIUS attributes for dynamic VLAN assignment.
If so, you will have to check if they use any vendor-specific attribute!
05-28-2012 11:37 PM
Alright, as Ashish pointed out, IC is sending Access-Accept.
You have to check if the switch is sending EAP-SUCCESS to the client.
Can you collect a sniffer capture on the switch port?
OAC logs at level 5 should also help.
06-03-2012 08:15 PM
In OAC logs, I can see switch sending EAP-FAILURE.
00172,09 2012/06/03 13:07:24.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [ERR] Discarding EAPOL packet: unknown packet type 1
00216,09 2012/06/03 13:07:26.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [ERR] Cannot set master key: authentication not complete or method does not support session keys
00178,09 2012/06/03 13:07:30.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [NRM] Processing EAP-Failure: code = 4, id = 9, length = 7
00132,09 2012/06/03 13:07:30.046 4 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicant.cpp:5428 - 'odService' STATE_Auth() 3
00156,09 2012/06/03 13:07:30.046 3 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicant.cpp:5496 - 'odService' Supplicant state: authentication failed
This could be a switch issue! However, there are no synchronised logs provided (UAC, OAC, and sniffer capture taken together at the same timestamp).
06-04-2012 04:47 AM
I was able to collect the logs from the MAG, OAC, and the captured traffic from the switch, all at the same time.
Attached are the logs.
06-04-2012 05:03 AM
This looks like a switch issue, as it sends EAP-FAILURE even after receiving ACCESS-ACCEPT.
Below are the snippets for reference:
User Access Log:
2012-06-04 14:14:55 - ic - [0.0.0.0] test(Allowed-Realm) - Radius authentication accepted for test (realm 'Allowed-Realm') from location-group 'tel Location Group' and attributes are: NAS-IP-Address = 172.16.10.11,NAS-Port = 12398,NAS-Port-Type = 15
RADIUS troubleshooting log:
info - [127.0.0.1] - System() - 2012/06/04 14:14:55 - (b0b7b250)Authentication Response
info - [127.0.0.1] - System() - 2012/06/04 14:14:55 - (b0b7b250)Packet : Code = 0x2 ID = 0x3c
Frame 86 --> ACCESS-ACCEPT from MAG device
Frame 116 --> EAP Failure from switch to client
After getting Access-Accept, the switch is not responding to the client; after twenty seconds, the client sends a new EAPOL-Start message.
Note: If I have answered your questions, you could mark this as the accepted solution; that way it would help others as well. A kudo would be a bonus, thanks!
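The analysis above rests on lining up two logs by time: the RADIUS troubleshooting log on the IC (Code = 0x2 is Access-Accept, 0x3 is Access-Reject) and the OAC level-5 log on the supplicant (EAP code 3 is Success, code 4 is Failure). The following script is an added example, not something from the thread or from the IC/OAC products: it parses constructed lines shaped like the two logs quoted above and flags every server verdict that is contradicted by the EAP outcome the switch relayed to the client shortly afterwards. The 30-second correlation window and the sample lines are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of the IC RADIUS troubleshooting log
# and the OAC level-5 supplicant log (not the poster's actual log files).
RADIUS_LOG = """\
info - [127.0.0.1] - System() - 2012/06/04 14:14:55 - (b0b7b250)Authentication Response
info - [127.0.0.1] - System() - 2012/06/04 14:14:55 - (b0b7b250)Packet : Code = 0x2 ID = 0x3c
info - [127.0.0.1] - System() - 2012/06/04 14:16:10 - (b0b7b250)Authentication Response
info - [127.0.0.1] - System() - 2012/06/04 14:16:10 - (b0b7b250)Packet : Code = 0x3 ID = 0x41
"""

OAC_LOG = """\
00178,09 2012/06/04 14:14:58.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [NRM] Processing EAP-Failure: code = 4, id = 9, length = 7
00178,09 2012/06/04 14:16:11.120 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [NRM] Processing EAP-Failure: code = 4, id = 12, length = 7
"""

# Standard RADIUS (RFC 2865) and EAP (RFC 3748) code values.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

RADIUS_RE = re.compile(
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - \(\w+\)Packet : Code = 0x([0-9a-fA-F]+) ID = 0x([0-9a-fA-F]+)"
)
OAC_RE = re.compile(
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+ .*Processing EAP-(\w+): code = (\d+), id = (\d+)"
)


def parse_radius(text):
    """Extract the server's verdict packets (code, identifier, timestamp) from the IC log."""
    events = []
    for m in RADIUS_RE.finditer(text):
        code = int(m.group(2), 16)
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
            "code": code,
            "name": RADIUS_CODES.get(code, "unknown"),
            "id": int(m.group(3), 16),
        })
    return events


def parse_oac(text):
    """Extract the EAP Success/Failure outcomes the supplicant actually received."""
    events = []
    for m in OAC_RE.finditer(text):
        code = int(m.group(3))
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
            "code": code,
            "name": EAP_CODES.get(code, m.group(2)),
            "id": int(m.group(4)),
        })
    return events


def find_mismatches(radius_events, oac_events, window=timedelta(seconds=30)):
    """Pair each Access-Accept/Reject with EAP outcomes seen on the client within
    `window` and return those whose outcome contradicts the server's verdict.
    Access-Accept should be followed by EAP-Success, Access-Reject by EAP-Failure."""
    mismatches = []
    for r in radius_events:
        if r["name"] not in ("Access-Accept", "Access-Reject"):
            continue
        expected = "Success" if r["name"] == "Access-Accept" else "Failure"
        for e in oac_events:
            if r["ts"] <= e["ts"] <= r["ts"] + window and e["name"] != expected:
                mismatches.append((r, e))
    return mismatches


def report(radius_text=RADIUS_LOG, oac_text=OAC_LOG):
    """Human-readable lines for each contradiction; returns them so callers can assert on them."""
    lines = []
    for r, e in find_mismatches(parse_radius(radius_text), parse_oac(oac_text)):
        lines.append(
            f"{r['ts']:%Y/%m/%d %H:%M:%S} server sent {r['name']} (ID 0x{r['id']:x}) but "
            f"client saw EAP-{e['name']} (id {e['id']}) at {e['ts']:%H:%M:%S}: "
            "authenticator is not relaying the server verdict"
        )
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

In the constructed data the Access-Reject at 14:16:10 followed by EAP-Failure is consistent and is not reported, while the Access-Accept at 14:14:55 followed by EAP-Failure is, which is exactly the pattern the frame 86 / frame 116 observation above describes. Real logs would need both clocks synchronised, as the earlier reply in the thread asked for, or the window has to be widened to cover the skew.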
06-04-2012 05:29 AM
It is pretty much a switch issue, given that it is sending EAP-FAILURE despite receiving ACCESS-ACCEPT. Also, the EAP-ID that it is using is wrong, I reckon!
However, I would also try increasing authPeriod to eliminate timing issues. For testing purposes, can you increase the authPeriod timeout in OAC?
HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software, Inc.\odyssey\client\configuration\options\wired802
The default value is 20 seconds; try increasing it to 60.
06-04-2012 05:29 AM
Forgot to add that changes to the registry require a reboot of the machine.
06-04-2012 06:51 AM
Thank you for your posts. I tried what you suggested, but I got the same response.
So why is the switch refusing the EAP messages?
06-04-2012 11:57 PM
Well, if it is not a timing issue, then you will have to work with your switch vendor on this.
You could provide the analysis that we have provided.