Customer uses ClearPass to authenticate dot1x users, but authentication fails.

Latest reply: Nov 26, 2018 21:00:03

Problem Description: The customer applied a NAC configuration on a Huawei switch, but it is not working properly.

Problem Analysis: collect the information needed for analysis.

1. How many users are affected?

2. Please provide a detailed topology, including device names and connected port numbers.

3. Please send back the output of display diagnostic-information.

Check the authentication profile:

authentication-profile name NAC_AUTHENTICATION
 dot1x-access-profile DOT1x_AUTHENTICATION
 mac-access-profile MAC_AUTHENTICATION
 authentication timer re-authen pre-authen 7200
 authentication timer pre-authen-aging 7200
 authentication mode multi-authen max-user 100
 authentication dot1x-mac-bypass

Then check the RADIUS configuration:

radius-server template clearpass
 radius-server shared-key cipher xxxx
 radius-server authentication 192.168.x.19 1812 weight 80
 radius-server authentication 192.168.x.20 1812 weight 70
 radius-server accounting 192.168.x.19 1813 weight 80
 radius-server accounting 192.168.x.20 1813 weight 70
 calling-station-id mac-format unformatted
 radius-server authorization 192.168.xx.19 shared-key cipher xxx
 radius-server authorization 192.168.xxx.20 shared-key cipher xxx

Check the default domain configuration:

domain default
 authentication-scheme npci
 authorization-scheme npci
 radius-server default

Root Cause: After discussing with the customer, we found that the customer had used the wrong authentication-scheme/accounting-scheme/authorization-scheme and RADIUS server in the domain.

Solution Description: we suggest changing the default domain configuration as below:

accounting-scheme clearpass
 accounting-mode radius
authorization-scheme clearpass
 authorization-mode if-authenticated
authentication-scheme clearpass
 authentication-mode radius

domain default
 authentication-scheme clearpass
 authorization-scheme clearpass
 accounting-scheme clearpass
 radius-server clearpass

Note: if dot1x user authentication fails, the following commands can be used to confirm the failure reason:

display aaa configuration
display aaa online-failed-reason mac-address .
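The post shows the fix as isolated fragments; the failure only goes away when every link in the chain points at the same objects: RADIUS template -> AAA schemes -> domain -> authentication profile -> interface. The following is an added example (not part of the original post or of any vendor document) that puts the whole chain together for a VRP switch in unified NAC mode. The RADIUS addresses and profile names are the ones from the post; the interface GigabitEthernet0/0/1, VLAN 10, EAP relay (`dot1x authentication-method eap`) and the placeholder shared key `Huawei@123` are assumptions for illustration.

```text
radius-server template clearpass
 radius-server shared-key cipher Huawei@123
 radius-server authentication 192.168.x.19 1812 weight 80
 radius-server authentication 192.168.x.20 1812 weight 70
 radius-server accounting 192.168.x.19 1813 weight 80
 radius-server accounting 192.168.x.20 1813 weight 70
 radius-server authorization 192.168.x.19 shared-key cipher Huawei@123
 radius-server authorization 192.168.x.20 shared-key cipher Huawei@123
 calling-station-id mac-format unformatted
#
aaa
 authentication-scheme clearpass
  authentication-mode radius
 authorization-scheme clearpass
  authorization-mode if-authenticated
 accounting-scheme clearpass
  accounting-mode radius
 domain default
  authentication-scheme clearpass
  authorization-scheme clearpass
  accounting-scheme clearpass
  radius-server clearpass
#
dot1x-access-profile name DOT1x_AUTHENTICATION
 dot1x authentication-method eap
#
mac-access-profile name MAC_AUTHENTICATION
#
authentication-profile name NAC_AUTHENTICATION
 dot1x-access-profile DOT1x_AUTHENTICATION
 mac-access-profile MAC_AUTHENTICATION
 authentication dot1x-mac-bypass
 authentication mode multi-authen max-user 100
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 authentication-profile NAC_AUTHENTICATION
#
```

Two checks worth doing before blaming ClearPass: `test-aaa <user> <password> radius-template clearpass` confirms from the switch that the shared key and reachability are right, and `display radius-server configuration template clearpass` plus `display access-user` show which template and domain an online (or failed) user actually landed in. If the authentication profile carries an `access-domain ... force` line, that domain, not `domain default`, is the one whose schemes must reference the `clearpass` template. `authorization-mode if-authenticated` is the right choice here because the VLAN/ACL authorization comes in the RADIUS Access-Accept; the `radius-server authorization` entries only matter for CoA/Disconnect messages initiated by ClearPass, and they need their own shared key.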

Created Nov 16, 2018 10:21:23

The compatibility profile converted after an upgrade is not counted in the configuration specification. The built-in 802.1X access profile dot1x_access_profile can be modified and applied, but cannot be deleted.
Before deleting an 802.1X access profile, ensure that this profile is not bound to any authentication profile.
Created Nov 16, 2018 15:27:35

After discussing with the customer, we found that the customer had used the wrong authentication-scheme/accounting-scheme/authorization-scheme and RADIUS server.
Okay, got it! Thanks for sharing such a good example with us; learned a lot!
Created Nov 16, 2018 15:28:12

Dot1X is an abbreviation of IEEE 802.1X, which is a client/server-based access control and authentication protocol. Simply put, IEEE 802.1X is an authentication technology that authenticates the hosts connected to Layer 2 interfaces on the switch. When a host connects to an interface that has IEEE 802.1X authentication enabled, it may be authenticated; otherwise, it may be denied access to the network. After IEEE 802.1X authentication is enabled on the interface, only IEEE 802.1X authentication messages are allowed before authentication is passed.
Created Nov 16, 2018 15:35:00

Your document works for me; I got the point and fixed my issue with your doc. Thank you very much.
I also hope you publish more docs of this level.
Would you please also mention where the technical details come from, so I can find them in the original part?
From the original part I can find more correct parameters; this is more important.
Created Nov 26, 2018 21:00:03

802.1X is a standard defined by IEEE to solve port-based access control. 802.1X, fully named Port-Based Network Access Control, is a port-based network access control protocol. It originated from the wireless network standard, the 802.11 protocol, which is a standard wireless LAN protocol. The original purpose of the 802.1X protocol design was to solve the access authentication problem of wireless LAN users, but because its principle is universal to all local area networks conforming to the IEEE 802 standard, it is also widely used in wired local area networks.