Wrong "service-type" parameter is generated during MAC authentication

Created: Apr 25, 2017 16:54:41
Latest reply: Apr 25, 2017 17:02:06

S5720EI V2R7, unified mode

We use this interface config:

[HUAWEI-GigabitEthernet0/0/21]di th
#
interface GigabitEthernet0/0/21
 port link-type hybrid
 voice-vlan 715 enable
 port hybrid pvid vlan 711
 port hybrid tagged vlan 715
 port hybrid untagged vlan 711
 authentication mac-authen
 authentication mode single-voice-with-data
 dot1x reauthenticate
 dot1x timer reauthenticate-period 60
 dot1x authentication-method eap

We added the MAC address of the VoIP phone to ISE 1.3 Patch 6, but authentication failed each time.


ms.america  Created Apr 25, 2017 17:02:06

When I did a trace object by the VoIP phone MAC address, I saw the RADIUS attribute which goes to Cisco ISE:

trace object mac-address 001a-e85b-f394
trace enable

[BTRACE][2016/05/12 19:03:55][RADIUS][001a-e85b-f394]:
  Send a authentication request packet to radius server( server ip = 10.115.202.4).
[BTRACE][2016/05/12 19:03:55][RADIUS][001a-e85b-f394]:
  Server Template: 0
  Server IP   : 10.115.202.4
  Protocol: Standard
  Code    : 1
  Len     : 276
  ID      : 201
  [User-Name                           ] [14] [001ae85bf394]
  [User-Password                       ] [18] [7f 5e 62 36 b2 59 03 6a 74 91 96 c9 27 46 6b 7d ]
  [NAS-Port                            ] [6 ] [86731]
  [Service-Type                        ] [6 ] [2]
  [Framed-Protocol                     ] [6 ] [1]
  [Calling-Station-Id                  ] [16] [30 30 31 61 2D 65 38 35 62 2D 66 33 39 34 ]
  [NAS-Identifier                      ] [8 ] [HUAWEI]
  [NAS-Port-Type                       ] [6 ] [15]

  [Service-Type                        ] [6 ] [2]

From Hedex:


In the case of MAC authentication, the device should send 10 (Call Check).

Root Cause

On ISE the customer has a policy where Service-Type is checked and should be 10.


But the Huawei switch always sends attribute 6-2, no matter whether 802.1X, MAC authentication or MAC bypass is used.

Solution

V2R6, V2R7 and V2R8 have this bug; V200R005C00SPC500 fixed this bug.

The latest version is V2R9; this version will solve this bug.

Currently V2R9 is controlled and not for general use.

Next month, around mid-June, the new V2R9 version will be released according to the plan.

The next patch will also solve this bug; it will be released around July.

Suggestions

Before the patch release, we can use two separate domains with different authentication modes.

One for 802.1X, another for MAC authentication. For MAC authentication, manually set the Service-Type attribute.

Example for 802.1X with MAC bypass:


!Software Version V200R007C00SPC500
#
sysname HUAWEI
#
vlan batch XXX
#
domain mab mac-authen force
#
domain sbrf
#
dot1x authentication-method eap
#
lldp enable
#
clock timezone msk add 03:00:00
#
diffserv domain default
#
radius-server template huawei
 radius-server shared-key cipher XXX
 radius-server authentication XXX 1812 weight 80
 undo radius-server user-name domain-included
 radius-server detect-server interval 10
#
radius-server template huawei-mac
 radius-server shared-key cipher XXX
 radius-server authentication XXX 1812 weight 80
 undo radius-server user-name domain-included
 radius-server detect-server interval 10
 radius-attribute set Service-Type 10
#
drop-profile default
#
aaa
 authentication-scheme default
 authentication-scheme huawei
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme huawei
  accounting-mode radius
  accounting realtime 1
 domain default
 domain default_admin
 domain sbrf
  authentication-scheme huawei
  accounting-scheme huawei
  radius-server huawei
  statistic enable
 domain mab
  authentication-scheme huawei
  accounting-scheme huawei
  radius-server huawei-mac
  statistic enable
#
interface GigabitEthernet0/0/21
 port link-type hybrid
 voice-vlan 715 enable
 port hybrid pvid vlan 711
 port hybrid tagged vlan 715
 port hybrid untagged vlan 711
 authentication dot1x mac-authen
 dot1x authentication-method eap
 mac-authen username macaddress format with-hyphen
#

END

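Added example (not from the post, Huawei or Cisco): a small Python checker that parses the switch's BTRACE attribute lines quoted above and applies an ISE-style MAB rule (MAC address used as user name and Service-Type 10, Call Check), so a MAC-authentication request that still carries Service-Type 2 is flagged before the policy rejects it. The attribute-line layout, the regular expression and the constructed sample trace are assumptions modelled on the output quoted in the reply.

```python
import re

# Service-Type value an ISE MAB rule expects (RFC 2865 / RFC 3576: Call-Check = 10).
SERVICE_TYPE_CALL_CHECK = 10

# Constructed sample: attribute lines in the same "[Name] [Len] [Value]" layout
# as the switch's BTRACE output quoted in the reply (Service-Type still 2).
SAMPLE_TRACE = """\
[BTRACE][2016/05/12 19:03:55][RADIUS][001a-e85b-f394]:
  Send a authentication request packet to radius server( server ip = 10.115.202.4).
  [User-Name                           ] [14] [001ae85bf394]
  [User-Password                       ] [18] [7f 5e 62 36 b2 59 03 6a 74 91 96 c9 27 46 6b 7d ]
  [Service-Type                        ] [6 ] [2]
  [Calling-Station-Id                  ] [16] [30 30 31 61 2D 65 38 35 62 2D 66 33 39 34 ]
  [NAS-Identifier                      ] [8 ] [HUAWEI]
  [NAS-Port-Type                       ] [6 ] [15]
"""

# One BTRACE attribute line: "[Name   ] [Len] [Value ]" with padding inside the brackets.
ATTR_RE = re.compile(r"^\s*\[([A-Za-z0-9-]+)\s*\]\s*\[\s*(\d+)\s*\]\s*\[(.*?)\s*\]\s*$")

def parse_trace(text):
    """Return {attribute name: raw value string} from the BTRACE attribute lines."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(3)
    return attrs

def decode_hex_string(value):
    """BTRACE prints string attributes as space-separated hex bytes; decode them to text."""
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2}\s*)+", value):
        return bytes.fromhex(value.replace(" ", "")).decode("ascii", "replace")
    return value

def classify_request(attrs):
    """Mimic an ISE-style MAB rule: user name equals the calling MAC AND Service-Type == 10."""
    mac = decode_hex_string(attrs.get("Calling-Station-Id", "")).replace("-", "").lower()
    username = attrs.get("User-Name", "").replace("-", "").lower()
    service_type = int(attrs.get("Service-Type", "0"))
    mac_as_user = bool(mac) and username == mac
    if mac_as_user and service_type == SERVICE_TYPE_CALL_CHECK:
        return "mab-ok"
    if mac_as_user:
        # This is the case in the post: MAC-as-username but Service-Type 2 (Framed).
        return "mab-wrong-service-type:%d" % service_type
    return "not-mab"
```

Run `classify_request(parse_trace(SAMPLE_TRACE))` on the trace above and it reports `mab-wrong-service-type:2`; with `radius-attribute set Service-Type 10` in the MAC-auth template the same request classifies as `mab-ok`.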
