Got it
Huawei Enterprise Support Community
Community Forums Routing & Switching
Customer use Clearpass au...

Customer use Clearpass authentication dot1x user , but failed .

Latest reply: Nov 26, 2018 13:00:03 1041 5 6 0 1
display all floors 1#

Problem Description: Customer have applied NAC configuration at Huawei Switch ,but which is not working properly

Problem Analysis:get needed information for analysis .

1.      How many user effected ?

2.      Please get detail topology , include device name and connected port number .

3.      Please feedback display diagnostic-informaiton .

 

Check the authentication profile :

 

authentication-profile name NAC_AUTHENTICATION

dot1x-access-profile DOT1x_AUTHENTICATION

mac-access-profile MAC_AUTHENTICATION

authentication timer re-authen pre-authen 7200

authentication timer pre-authen-aging 7200

authentication mode multi-authen max-user 100

authentication dot1x-mac-bypass

 

then check radius configuraiton :

radius-server template clearpass

radius-server shared-key cipher xxxx

radius-server authentication 192.168.x.19 1812 weight 80

radius-server authentication 192.168.x.20 1812 weight 70

radius-server accounting 192.168.x.19 1813 weight 80

radius-server accounting 192.168.x.20 1813 weight 70

calling-station-id mac-format unformatted

radius-server authorization 192.168.xx.19 shared-key cipher xxx

radius-server authorization 192.168.xxx.20 shared-key xxx

 

check domain default configuraiton .

domain default

  authentication-scheme npci

  authorization-scheme npci

  radius-server default

Root Cause: After discussed with customer , we can know customer used wrong authentication-scheme/accounting-scheme/authorization-scheme and radius server.

Solution Description: we suggest change the default domain configuation as below :

accounting-scheme clearpass

  accounting-mode radius

authorization-scheme clearpass

  authorization-mode if-authenticated

authentication-scheme clearpass

  authentication-mode radius

 

domain default

  authentication-scheme clearpass

  authorization-scheme clearpass

  accounting-scheme clearpass

  radius-server clearpass

 

Note: if dot1x user authentication failed , we can use below command to confirm the failure reason .

display aaa configuration

display aaa online-failed-reason mac-address .

 

  • x
  • convention:

Like (6) Dislike (0) Favorite(1) Share Report
Previous: BGP routes are recieved, however it does not go to the routing table.
Next: Router Restarting Every 4 Days
No.9527
Created Nov 16, 2018 02:21:23

The compatibility profile converted after an upgrade is not counted in the configuration specification. The built-in 802.1X access profile dot1x_access_profile can be modified and applied, but cannot be deleted.
Before deleting an 802.1X access profile, ensure that this profile is not bound to any authentication profile.
View more
  • x
  • convention:
Torrent
Created Nov 16, 2018 07:27:35

After discussed with customer , we can know customer used wrong authentication-scheme/accounting-scheme/authorization-scheme and radius server.
okay, got it! thanks for sharing us such a good example, learned!
View more
  • x
  • convention:
Mark.hu
Created Nov 16, 2018 07:28:12

Dot1 X is an abbreviation of IEEE 802.1 X, which is based on Client/Server access control and authentication protocol. Simply put, IEEE 802.1x is an authentication technology that authenticates the host connected to the Layer 2 interface on the switch. When the host receives an interface that has IEEE 802.1x authentication enabled, it may be authenticated. Otherwise, It is possible to be denied access to the network. After IEEE 802.1x authentication is enabled on the interface, only IEEE 802.1x authentication messages are available before authentication is passed.
View more
  • x
  • convention:
limgsc
Created Nov 16, 2018 07:35:00

your document is work for me , i get the point , fix my issue by your doc thanks you very much ,
also hope you public more doc that levle like this .
would you please also mention where from the technical detail , i can found it from orignial part .
from orignial part i can found more correct parameter , this is more important .
View more
  • x
  • convention:
littlestone
Created Nov 26, 2018 13:00:03

802.1X is a standard defined by IEEE to solve port-based access control. 802.1X, fully known as Port-Based Networks Access Control, is a port-based network access control. It originated from the wireless network standard 802.11 protocol. 802.11 protocol is a standard wireless LAN protocol. The original purpose of 802.1X protocol design is to solve the access authentication problem of wireless LAN users, but because of its original. Rationality is universal to all local area networks conforming to the standard of IEEE 802, so it is also widely used in wired local area networks.
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.