Hi all,
This case describes an 802.1X authentication failure and how it was resolved.
Problem Description
Device version: S5710-28X-LI V200R008C00SPC500.
Key configurations:
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#6-tBY5@m)-"u](H4(aJA;XT@2Qyr10vpUR%^%#
radius-server authentication 10.197.233.98 1812 weight 80
radius-server accounting 10.197.233.98 1813 source weight 80
radius-server authorization 10.197.233.98 shared-key cipher %^%#n[Y8KJgb4P1a=zL5iCRY%R,M!G!k~ '%^%#
#
aaa
authentication-scheme auth_scheme
authentication-mode radius
accounting-scheme acco_scheme
accounting-mode radius
accounting realtime 15
domain default
authentication-scheme auth_scheme
accounting-scheme acco_scheme
radius-server radius_huawei
#
interface Vlanif233
ip address 10.197.233.252 255.255.254.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 233
authentication dot1x
#
Handling Process
1. Check the user access information. The user access status is pre-authenticated.
<huawei> display access-user mac-address 286E-D488-C63C
Basic:
User ID: 26
Domain-name: -
User MAC : 286e-d488-c63c
User IP address: 10.197.233.2
User vpn-instance: -
User access Interface: GigabitEthernet0/0/8
User vlan event: Pre-authen
QinQVlan/UserVlan: 0/233
User access time : 2020/12/02 11:38:20
Option82 information: -
User access type: None
Terminal Device Type: Data Terminal
AAA:
User authentication type: No authentication
Current authentication method: -
Current authorization method: Local
Current accounting method: None
2. Check the trace information. The trace shows that the device receives the EAP challenge response packet from the terminal, but it keeps resending the request challenge packet as if no response had arrived, and finally sends an EAP-Failure packet to the user.
[huawei] trace enable
[huawei] trace object mac-address 286e-d488-c63c
[BTRACE][2020/12/03 13:15:11][EAPoL][286e-d488-c63c]:Receive a ARP packet from user.
[BTRACE][2020/12/03 13:15:11][EAPoL][286e-d488-c63c]:User(MAC:) existed in temp user table.
[BTRACE][2020/12/03 13:15:11][EAPoL][286e-d488-c63c]:User(MAC:) has been online.
[BTRACE][2020/12/03 13:15:21][EAPoL][286e-d488-c63c]:No response of request identity from user.
[BTRACE][2020/12/03 13:15:21][EAPoL][286e-d488-c63c]:Resend a EAPoL request identity packet to user.
[BTRACE][2020/12/03 13:15:21][EAPoL][286e-d488-c63c]:Receive a EAPoL response identity packet from user.
[BTRACE][2020/12/03 13:15:21][EAPoL][286e-d488-c63c]:Send a EAPoL request challenge packet to user.
[BTRACE][2020/12/03 13:15:21][EAPoL][286e-d488-c63c]:Receive a EAPoL response challenge packet from user.
[BTRACE][2020/12/03 13:15:26][EAPoL][286e-d488-c63c]:No response of request challenge from user.
[BTRACE][2020/12/03 13:15:26][EAPoL][286e-d488-c63c]:Resend a EAPoL request challenge packet to user.
[BTRACE][2020/12/03 13:15:26][EAPoL][286e-d488-c63c]:Receive a EAPoL response challenge packet from user.
[BTRACE][2020/12/03 13:15:31][EAPoL][286e-d488-c63c]:No response of request challenge from user.
[BTRACE][2020/12/03 13:15:31][EAPoL][286e-d488-c63c]:Resend a EAPoL request challenge packet to user.
[BTRACE][2020/12/03 13:15:31][EAPoL][286e-d488-c63c]:Receive a EAPoL response challenge packet from user.
[BTRACE][2020/12/03 13:15:32][EAPoL][286e-d488-c63c]:Receive a ARP packet from user.
[BTRACE][2020/12/03 13:15:32][EAPoL][286e-d488-c63c]:User(MAC:) existed in temp user table.
[BTRACE][2020/12/03 13:15:32][EAPoL][286e-d488-c63c]:User(MAC:) has been online.
[BTRACE][2020/12/03 13:15:36][EAPoL][286e-d488-c63c]:No response of request challenge from user.
[BTRACE][2020/12/03 13:15:36][EAPoL][286e-d488-c63c]:Send EAP-Failure packet to user.
3. It is therefore suspected that the device processes EAP packets abnormally. In 802.1X authentication, the device exchanges authentication information with the RADIUS server in either of the following modes:
EAP termination:
The device terminates EAP packets. It encapsulates the client's authentication information into standard RADIUS packets, which the RADIUS server then authenticates using the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). This mode is widely applicable because most RADIUS servers support PAP and CHAP and the server does not need to be upgraded. However, processing on the device is complex, and the device supports only the MD5-Challenge EAP authentication method.
EAP relay:
The device relays EAP packets. The device encapsulates EAP packets in EAP over RADIUS (EAPoR) format and sends the packets to the RADIUS server for authentication. This authentication mode simplifies device processing and supports various EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. However, the RADIUS server must support the corresponding authentication methods.
Refer to: https://support.huawei.com/hedex/hdx.do?docid=EDOC1100126530&id=EN-US_CONCEPT_0176369118&lang=en
4. When RADIUS authentication is used, the 802.1X packet processing mode must be set to EAP relay. In V200R008, however, the device uses EAP termination with CHAP authentication by default. Therefore, set the 802.1X packet processing mode to EAP relay globally:
[huawei] dot1x authentication-method eap
After the configuration, the authentication succeeds.
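To make the difference between the two modes in step 3 concrete, the following added example (not code from the original post or from Huawei) builds the EAP Response/MD5-Challenge a supplicant sends and shows how the same packet is encoded toward the RADIUS server under EAP termination (re-encoded as CHAP attributes, which only works because EAP-MD5 and RFC 1994 CHAP use the identical MD5 computation) versus EAP relay (forwarded whole in EAP-Message). The password, challenge and attribute values are constructed samples.

```python
import hashlib
import struct

EAP_RESPONSE = 2
EAP_TYPE_MD5 = 4          # MD5-Challenge (RFC 3748 section 5.4)

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP and EAP-MD5 use the same hash: MD5(Identifier || Secret || Challenge).
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def eap_md5_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Build the EAP Response/MD5-Challenge the supplicant sends to the switch."""
    value = chap_response(ident, password, challenge)
    body = bytes([EAP_TYPE_MD5, len(value)]) + value        # Type, Value-Size, Value
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body

def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type | Length | Value (RFC 2865 section 5)."""
    return bytes([attr_type, 2 + len(value)]) + value

def eap_termination_attrs(eap_pkt: bytes, challenge: bytes) -> dict:
    """EAP termination: the switch unwraps the EAP packet and re-encodes its
    MD5 value as plain RADIUS CHAP attributes. Only MD5-Challenge maps onto
    CHAP, which is why this mode supports no other EAP method."""
    code, ident, _length = struct.unpack("!BBH", eap_pkt[:4])
    eap_type, value_size = eap_pkt[4], eap_pkt[5]
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MD5:
        raise ValueError(f"cannot terminate EAP type {eap_type}; only MD5-Challenge is supported")
    md5_value = eap_pkt[6:6 + value_size]
    return {
        "CHAP-Password": radius_attr(3, bytes([ident]) + md5_value),  # attr 3: CHAP Ident + hash
        "CHAP-Challenge": radius_attr(60, challenge),                  # attr 60
    }

def eap_relay_attrs(eap_pkt: bytes) -> dict:
    """EAP relay (dot1x authentication-method eap): the whole EAP packet is
    carried unchanged in EAP-Message (attr 79) and the server runs the method."""
    return {"EAP-Message": radius_attr(79, eap_pkt)}

if __name__ == "__main__":
    challenge = b"\x11" * 16                    # constructed sample challenge
    pkt = eap_md5_response(7, b"user-password", challenge)   # constructed sample password
    print("termination:", eap_termination_attrs(pkt, challenge))
    print("relay:      ", eap_relay_attrs(pkt))
```

Feeding a non-MD5 response (for example EAP type 25, PEAP) into the termination path raises an error, which is the behaviour the page describes: with the V200R008 default of EAP termination, anything other than MD5-Challenge cannot be completed on the device.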
Root Cause
The device processed 802.1X packets in EAP termination mode (the default in V200R008) instead of EAP relay, so the EAP authentication with the RADIUS server could not succeed.
Solution
When RADIUS authentication is used, set the 802.1X packet processing mode to EAP relay.
[huawei] dot1x authentication-method eap