【Problem Description】: The customer applied an NAC configuration on a Huawei switch, but it is not working properly.
【Problem Analysis】: Collect the information needed for analysis:
1. How many users are affected?
2. Get the detailed topology, including device names and connected port numbers.
3. Provide the output of display diagnostic-information.
Check the authentication profile:
authentication-profile name NAC_AUTHENTICATION
dot1x-access-profile DOT1x_AUTHENTICATION
mac-access-profile MAC_AUTHENTICATION
authentication timer re-authen pre-authen 7200
authentication timer pre-authen-aging 7200
authentication mode multi-authen max-user 100
authentication dot1x-mac-bypass
Then check the RADIUS configuration:
radius-server template clearpass
radius-server shared-key cipher xxxx
radius-server authentication 192.168.x.19 1812 weight 80
radius-server authentication 192.168.x.20 1812 weight 70
radius-server accounting 192.168.x.19 1813 weight 80
radius-server accounting 192.168.x.20 1813 weight 70
calling-station-id mac-format unformatted
radius-server authorization 192.168.xx.19 shared-key cipher xxx
radius-server authorization 192.168.xxx.20 shared-key xxx
Check the default domain configuration:
domain default
authentication-scheme npci
authorization-scheme npci
radius-server default
【Root Cause】: After discussion with the customer, we found that the default domain was bound to the wrong authentication-scheme/accounting-scheme/authorization-scheme and the wrong RADIUS server template.
【Solution Description】: We suggest changing the default domain configuration as below:
accounting-scheme clearpass
accounting-mode radius
authorization-scheme clearpass
authorization-mode if-authenticated
authentication-scheme clearpass
authentication-mode radius
domain default
authentication-scheme clearpass
authorization-scheme clearpass
accounting-scheme clearpass
radius-server clearpass
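As an added check that is not part of this case (assumed layout: top-level definitions unindented and block contents indented by one space, as in the snippets above), the following Python script parses the broken and the corrected configuration and reports domain bindings that reference undefined schemes or RADIUS templates, reproducing the mismatch found in the root cause:

```python
import re

# Constructed configs in the layout of the case above (not customer data):
# top-level definitions unindented, block contents indented by one space.
BROKEN_CONFIG = """\
radius-server template clearpass
 radius-server authentication 192.0.2.19 1812 weight 80
authentication-scheme clearpass
authorization-scheme clearpass
accounting-scheme clearpass
domain default
 authentication-scheme npci
 authorization-scheme npci
 radius-server default
"""
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " authentication-scheme npci\n authorization-scheme npci\n radius-server default\n",
    " authentication-scheme clearpass\n authorization-scheme clearpass\n"
    " accounting-scheme clearpass\n radius-server clearpass\n")
# Keyword used inside a domain -> regex matching its top-level definition
DEFINED = {
    "authentication-scheme": re.compile(r"^authentication-scheme (\S+)$", re.M),
    "authorization-scheme": re.compile(r"^authorization-scheme (\S+)$", re.M),
    "accounting-scheme": re.compile(r"^accounting-scheme (\S+)$", re.M),
    "radius-server": re.compile(r"^radius-server template (\S+)$", re.M),
}

def domain_bindings(config, domain="default"):
    """Return {keyword: name} for the lines indented under 'domain <domain>'."""
    bindings, in_domain = {}, False
    for line in config.splitlines():
        if not line.startswith(" "):  # a new top-level block begins
            in_domain = line.strip() == f"domain {domain}"
        elif in_domain:
            parts = line.split()
            if len(parts) == 2 and parts[0] in DEFINED:
                bindings[parts[0]] = parts[1]
    return bindings

def check_domain(config, domain="default"):
    """List dangling scheme/template references and keywords not bound at all."""
    bound = domain_bindings(config, domain)
    problems = []
    for kind, rx in DEFINED.items():
        name = bound.get(kind)
        if name is None:
            problems.append(f"{kind}: not bound in domain {domain}")
        elif name not in rx.findall(config):
            problems.append(f"{kind} {name}: referenced but not defined")
    return problems
```

Running check_domain(BROKEN_CONFIG) lists the two npci schemes and the default RADIUS template as undefined plus the missing accounting-scheme binding, while check_domain(FIXED_CONFIG) returns an empty list.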
Note: If dot1x user authentication fails, the following commands can be used to confirm the failure reason:
display aaa configuration
display aaa online-failed-reason mac-address