[Troubleshooting Series] Case 7 The Terminal Goes Offline in a While After Passing MAC Address Authentication

Latest reply: Dec 12, 2018 09:30:01

The Terminal Goes Offline in a While After Passing MAC Address Authentication, and the System Displays the Error Message "ND detect fail"

Network Topology

Physical Network Topology

Figure 1-1 Network where an offline failure occurs


Fault Description

The PC goes offline shortly after passing MAC address authentication, and the error message "ND detect fail" is reported.

Configuration Files

LSW

!Software Version V200R010C00SPC600
#
sysname LSW
#
vlan batch 10 20 30 50 64 to 95 100 to 101 192 220
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
authentication-profile name p1
 mac-access-profile m1
 authentication timer handshake-period 10
 access-domain huawei.com force
authentication-profile name john
 dot1x-access-profile john
 access-domain john force
#
domain huawei.com
#
access-user arp-detect default ip-address 0.0.0.0
#
lldp enable
#
clock timezone 2 add 01:00:00
#
dhcp enable
#
portal-access-profile name portal_access_profile
#
drop-profile default
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme a1
 authentication-scheme john
  authentication-mode radius
 authorization-scheme default
 authorization-scheme b1
 accounting-scheme default
 accounting-scheme john
  accounting-mode radius
 local-aaa-user password policy administrator
  password expire 0
 domain default
  authentication-scheme radius
  radius-server default
 domain default_admin
  authentication-scheme default
 domain huawei.com
  authentication-scheme a1
  radius-server default
 domain john
  authentication-scheme john
  accounting-scheme john
  radius-server radius_john
 local-user admin password irreversible-cipher $1a$5~<kV.#apT$W/fbBDHC(EM,,p"KYo~DDpZ6#[,_z5@ArLH+(8J~$
 local-user admin privilege level 15
 local-user admin service-type telnet terminal ssh http
 local-user huawei password cipher %^%#XlvE#{2tjDXt@}@l1PDPQcCt3f]spQC1Ba)c,eST%^%#
 local-user huawei privilege level 0
 local-user huawei service-type 8021x
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
 dhcp select interface
#
interface Vlanif50
 ip address 192.168.50.1 255.255.255.0
#
interface Vlanif192
 ip address 192.168.7.254 255.255.255.0
 dhcp select interface
#
interface Vlanif220
 ip address 10.220.7.25 255.255.254.0
#
interface Vlanif1000
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/14
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 64 to 95
 authentication-profile p1
#
interface GigabitEthernet0/0/15
 port link-type access
 port default vlan 10
 authentication-profile p1
#
interface NULL0
#
arp static 10.220.7.30 38bc-0196-c308 vid 220 interface GigabitEthernet0/0/7
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 192.168.95.0 255.255.255.0 192.168.50.2
#
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
ssh client first-time enable
ssh client 10.220.6.1 assign ecc-key 10.220.6.1
ssh client 10.220.7.26 assign rsa-key 10.220.7.26
ssh client 10.220.7.27 assign dsa-key 10.220.7.27
ssh client 10.220.7.30 assign dsa-key 10.220.7.30
ssh client 10.220.7.61 assign dsa-key 10.220.7.61
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 1
 authentication-mode aaa
 idle-timeout 0 0
user-interface vty 2 4
 authentication-mode aaa
user-interface vty 16 20
#
mac-access-profile name mac_access_profile
mac-access-profile name m1
 authentication trigger-condition dhcpv6 nd
 mac-authen username fixed Huawei password cipher %^%#U>wXOHlE"*m@@~UcsJF9,fbeIKBq4AW19.AG'qf3%^%#
#
return

Troubleshooting Location

Troubleshooting Procedure

Step 1 Check the reason recorded for the PC's logout.

Run the display aaa offline-record command in any view to view the time when the faulty PC went online and offline and the reason why it went offline.

[LSW] display aaa offline-record mac-address 98e7-f434-3f59   
  ------------------------------------------------------------------------------
  User name             : Huawei                                                
  Domain name           : huawei.com                                            
  User MAC              : 98e7-f434-3f59                                        
  User access type      : MAC                                                   
  User access interface : GigabitEthernet0/0/15                                 
  Qinq vlan/User vlan   : 0/10                                                  
  User IP address       : -                                                     
  User IPV6 address     : -                                                      
  User ID               : 64                                                    
  User login time       : 2018/01/24 16:51:33                                   
  User offline time     : 2018/01/24 16:56:33                                   
  User offline reason   : ND detect fail                                         
  ------------------------------------------------------------------------------
...

The user offline reason is ND detect fail. Go to Step 2.

Step 2 Check the user type from the device record.

1. Connect the faulty PC to the network again. Run the display access-user command to check the index (UserID) of the faulty user.

[LSW] display access-user                                            
 ------------------------------------------------------------------------------ 
 UserID Username                IP address       MAC            Status          
 ------------------------------------------------------------------------------ 
 10     admin                   172.28.65.144    -              Success         
 11     admin                   -                -              Success         
 68     Huawei                  FE80::3849:34D7:7376:27D0                       
                                                 98e7-f434-3f59 Success          
 ------------------------------------------------------------------------------ 
 Total: 3, printed: 3 

2. Based on the index of the faulty PC, run the display cm item command in the diagnostic view to check the user type.

[LSW] diagnose
[LSW-diagnose] display cm item cid 68                                         
  Cid    :68          SlotCid:0/51 ucIsV6User:1                                 
  Port   :0/15        Vlan :0/10       PVC:65535/65535                          
  State  :UP/BUTT  WaitMsg:ESAP_SRV_MSG_BUTT TimeoutMsg:Message                 
  IpAddr :255.255.255.255/32  GateWay :255.255.255.255/32                       
  UserMac:98e7-f434-3f59                                                        
  IfIndex  :22         PortIndex:15                                             
  Access :4294967295 AuthMod:4294967295 AuthedPlace:2 VRF :0                    
  UpPriority :255    DownPriority :255                                          
  UpFlowCon  :1      DownFlowCon:1                                              
  AccessType :23     TriggerType:255    AuthType   :2     MTU        :1500      
  NeedModify :0      IfAckAAA   :0      IfAuthFirst:0                           
  RevUserDic :0      DelTimes   :0      FirstAuth  :0      ShortLease :0        
  ucAcctMethod :1      ucAcctState :255    ulRTAcctInterval :0      ulRTAcctTime
r :-1                                                                            
  InstanceID : -1                                                               
  Web    :255.255.255.255 WebAuth :255.255.255.255/0                            
  WebAuthVrf:-1      DownPriority:255 ucAclOK:1                                  
  ReauthTime:0       ReauthTimeID:4294967295                                    
  OfflineTime:100     OfflineTimes:2                                            
  EapolHandShakeType:0                                                           
  UserType   :2      IfNeedAddFI :0                                             
 ... 

The user type is UserType :2, indicating that the switch identifies the user as an IPv6 user.

Step 3 Confirm with the customer. The result shows that no IPv6 addresses exist on the live network, but the IPv4/IPv6 function is enabled on the PC's network adapter. By default, the switch supports MAC address authentication triggered by ARP/DHCP/DHCPv6/ND packets. After the PC accessed the network, it sent IPv6 packets first, and these triggered MAC address authentication.

Solution: Change the switch configuration so that MAC address authentication is triggered only by ARP/DHCP packets. After this change, the PC stays online normally after passing MAC address authentication.

[LSW] mac-access-profile name m1
[LSW-mac-access-profile-m1] authentication trigger-condition arp dhcp

----End
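To spot this failure pattern across many records rather than one, the following added script (not part of the original post) parses display aaa offline-record output in the format shown in Step 1 and reports MACs that were dropped with "ND detect fail" without ever obtaining an IPv4 address. The sample output embedded below is constructed; the second MAC and both timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample modelled on the page's "display aaa offline-record" output.
SAMPLE_OUTPUT = """\
  ------------------------------------------------------------------------------
  User name             : Huawei
  User MAC              : 98e7-f434-3f59
  User access interface : GigabitEthernet0/0/15
  User IP address       : -
  User IPV6 address     : -
  User offline time     : 2018/01/24 16:56:33
  User offline reason   : ND detect fail
  ------------------------------------------------------------------------------
  User name             : Huawei
  User MAC              : 0011-2233-4455
  User access interface : GigabitEthernet0/0/14
  User IP address       : 192.168.30.20
  User IPV6 address     : -
  User offline time     : 2018/01/24 17:02:10
  User offline reason   : User request
  ------------------------------------------------------------------------------
"""

# One "User <field> : <value>" line of a record.
FIELD_RE = re.compile(r"^\s*(User [\w ]+?)\s*:\s*(.*?)\s*$")

def parse_offline_records(text):
    """Split the output on the dashed separator lines and collect each record's fields."""
    records = []
    for block in re.split(r"^\s*-{10,}\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            records.append(fields)
    return records

def nd_detect_failures(records):
    """MACs dropped with 'ND detect fail' that never got an IPv4 address: the signature
    of an IPv4-only host whose first packet (DHCPv6/ND) triggered MAC authentication."""
    return [r["User MAC"] for r in records
            if r.get("User offline reason") == "ND detect fail"
            and r.get("User IP address", "-") == "-"]

def reason_counts(records):
    """Tally of offline reasons, useful for judging how widespread the problem is."""
    return Counter(r.get("User offline reason", "unknown") for r in records)
```

Any MAC listed by nd_detect_failures is a candidate for checking the mac-access-profile trigger-condition on its access interface, as in Step 3.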

Root Cause

The S5700 functions as the authentication point. The PC has to pass MAC address authentication before accessing the network. By default, the S5700 supports MAC address authentication triggered by ARP/DHCP/DHCPv6/ND packets. The IPv4/IPv6 function is enabled on the PC's network adapter by default. When the PC connects to the S5700 and sends a DHCPv6 or ND packet first, the S5700 identifies the user as an IPv6 user and sends ND probe packets. The PC does not respond to the ND probes sent by the switch, so it is logged off when the probe times out, and the system records the offline reason "ND detect fail".

EdeninRealMadrid
Created Dec 12, 2018 09:30:01 Helpful(0) Helpful(0)

It's nice