Hi, everyone! Today I’m going to introduce case 7: The Terminal Goes Offline in a While After Passing MAC Address Authentication.
The Terminal Goes Offline in a While After Passing MAC Address Authentication, and the System Displays the Error Message "ND detect fail"
Network Topology
Physical Network Topology
Figure 1-1 Network where an offline failure occurs
Fault Description
The PC goes offline a while after passing MAC address authentication, and the error message "ND detect fail" is reported.
Configuration Files
LSW
!Software Version V200R010C00SPC600
#
sysname LSW
#
vlan batch 10 20 30 50 64 to 95 100 to 101 192 220
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
authentication-profile name p1
 mac-access-profile m1
 authentication timer handshake-period 10
 access-domain huawei.com force
authentication-profile name john
 dot1x-access-profile john
 access-domain john force
#
domain huawei.com
#
access-user arp-detect default ip-address 0.0.0.0
#
lldp enable
#
clock timezone 2 add 01:00:00
#
dhcp enable
#
portal-access-profile name portal_access_profile
#
drop-profile default
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authentication-scheme a1
 authentication-scheme john
  authentication-mode radius
 authorization-scheme default
 authorization-scheme b1
 accounting-scheme default
 accounting-scheme john
  accounting-mode radius
 local-aaa-user password policy administrator
  password expire 0
 domain default
  authentication-scheme radius
  radius-server default
 domain default_admin
  authentication-scheme default
 domain huawei.com
  authentication-scheme a1
  radius-server default
 domain john
  authentication-scheme john
  accounting-scheme john
  radius-server radius_john
 local-user admin password irreversible-cipher $1a$5~<kV.#apT$W/fbBDHC(EM,,p"KYo~DDpZ6#[,_z5@ArLH+(8J~$
 local-user admin privilege level 15
 local-user admin service-type telnet terminal ssh http
 local-user huawei password cipher %^%#XlvE#{2tjDXt@}@l1PDPQcCt3f]spQC1Ba)c,eST%^%#
 local-user huawei privilege level 0
 local-user huawei service-type 8021x
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
 dhcp select interface
#
interface Vlanif50
 ip address 192.168.50.1 255.255.255.0
#
interface Vlanif192
 ip address 192.168.7.254 255.255.255.0
 dhcp select interface
#
interface Vlanif220
 ip address 10.220.7.25 255.255.254.0
#
interface Vlanif1000
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/14
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 64 to 95
 authentication-profile p1
#
interface GigabitEthernet0/0/15
 port link-type access
 port default vlan 10
 authentication-profile p1
#
interface NULL0
#
arp static 10.220.7.30 38bc-0196-c308 vid 220 interface GigabitEthernet0/0/7
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 192.168.95.0 255.255.255.0 192.168.50.2
#
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
ssh client first-time enable
ssh client 10.220.6.1 assign ecc-key 10.220.6.1
ssh client 10.220.7.26 assign rsa-key 10.220.7.26
ssh client 10.220.7.27 assign dsa-key 10.220.7.27
ssh client 10.220.7.30 assign dsa-key 10.220.7.30
ssh client 10.220.7.61 assign dsa-key 10.220.7.61
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 1
 authentication-mode aaa
 idle-timeout 0 0
user-interface vty 2 4
 authentication-mode aaa
user-interface vty 16 20
#
mac-access-profile name mac_access_profile
mac-access-profile name m1
 authentication trigger-condition dhcpv6 nd
 mac-authen username fixed Huawei password cipher %^%#U>wXOHlE"*m@@~UcsJF9,fbeIKBq4AW19.AG'qf3%^%#
#
return
Troubleshooting Location
Troubleshooting Procedure
Step 1 Check the offline record of the PC for the logout reason.
Run the display aaa offline-record command in any view, specifying the MAC address of the faulty PC, to view when the user went online and offline and the reason why the user went offline.
[LSW] display aaa offline-record mac-address 98e7-f434-3f59
------------------------------------------------------------------------------
  User name             : Huawei
  Domain name           : huawei.com
  User MAC              : 98e7-f434-3f59
  User access type      : MAC
  User access interface : GigabitEthernet0/0/15
  Qinq vlan/User vlan   : 0/10
  User IP address       : -
  User IPV6 address     : -
  User ID               : 64
  User login time       : 2018/01/24 16:51:33
  User offline time     : 2018/01/24 16:56:33
  User offline reason   : ND detect fail
------------------------------------------------------------------------------
...
The reason why the user went offline is ND detect fail. Go to Step 2.
Step 2 Check the user type from the device record.
1. Connect the faulty PC to the network again. Run the display access-user command to check the index of the faulty user.
[LSW] display access-user
------------------------------------------------------------------------------
 UserID  Username  IP address                 MAC             Status
------------------------------------------------------------------------------
 10      admin     172.28.65.144              -               Success
 11      admin     -                          -               Success
 68      Huawei    FE80::3849:34D7:7376:27D0  98e7-f434-3f59  Success
------------------------------------------------------------------------------
Total: 3, printed: 3
2. Based on the index of the faulty PC, run the display cm item command in the diagnostic view to check the user type.
[LSW] diagnose
[LSW-diagnose] display cm item cid 68
Cid :68 SlotCid:0/51 ucIsV6User:1
Port :0/15 Vlan :0/10 PVC:65535/65535
State :UP/BUTT WaitMsg:ESAP_SRV_MSG_BUTT TimeoutMsg:Message
IpAddr :255.255.255.255/32 GateWay :255.255.255.255/32 UserMac:98e7-f434-3f59
IfIndex :22 PortIndex:15
Access :4294967295 AuthMod:4294967295 AuthedPlace:2 VRF :0
UpPriority :255 DownPriority :255
UpFlowCon :1 DownFlowCon:1
AccessType :23 TriggerType:255 AuthType :2 MTU :1500
NeedModify :0 IfAckAAA :0 IfAuthFirst:0
RevUserDic :0 DelTimes :0 FirstAuth :0 ShortLease :0
ucAcctMethod :1 ucAcctState :255 ulRTAcctInterval :0 ulRTAcctTimer :-1
InstanceID : -1
Web :255.255.255.255 WebAuth :255.255.255.255/0
WebAuthVrf:-1 DownPriority:255 ucAclOK:1
ReauthTime:0 ReauthTimeID:4294967295
OfflineTime:100 OfflineTimes:2
EapolHandShakeType:0
UserType :2 IfNeedAddFI :0
...
The user type is UserType :2, indicating that the switch identifies the user as an IPv6 user.
Step 3 Confirm with the customer. The result shows that no IPv6 addresses exist on the live network, but the IPv4/IPv6 function is enabled on the PC's network adapter. By default, the switch supports MAC address authentication triggered by ARP/DHCP/DHCPv6/ND packets. After the PC accessed the network, it sent IPv6 packets first to trigger MAC address authentication.
Solution: Change the configuration on the switch so that MAC address authentication can be triggered only by ARP/DHCP packets. The PC can then go online normally after passing MAC address authentication.
[LSW] mac-access-profile name m1
[LSW-mac-access-profile-m1] authentication trigger-condition arp dhcp
----End
Root Cause
The S5700 functions as the authentication point. The PC has to pass MAC address authentication before accessing the network. By default, the S5700 supports MAC address authentication triggered by ARP/DHCP/DHCPv6/ND packets. The IPv4/IPv6 function is enabled on the PC's network adapter by default. When the PC connects to the S5700 and sends a DHCPv6 or ND packet first, the S5700 identifies the user as an IPv6 user and sends ND probe packets. However, the PC does not respond to the ND probe packets sent by the switch, and is forced offline when the probe times out. As a result, the system displays the error message "ND detect fail."
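The same condition can be checked ahead of time on other ports. The Python script below is an added example, not part of the original case or of any Huawei tool: it follows the binding chain interface -> authentication-profile -> mac-access-profile in a saved configuration and reports ports where MAC address authentication can still be triggered by DHCPv6 or ND packets. The function names parse_sections and audit are hypothetical, the sample is constructed from the LSW configuration above, and the script assumes sub-commands are indented as the switch displays them.

```python
IPV6_TRIGGERS = {"dhcpv6", "nd"}
DEFAULT_TRIGGERS = {"arp", "dhcp", "dhcpv6", "nd"}  # per the page, used when none is configured
# Constructed sample: the relevant lines of the LSW configuration from this case.
SAMPLE = """\
authentication-profile name p1
 mac-access-profile m1
#
interface GigabitEthernet0/0/15
 port default vlan 10
 authentication-profile p1
#
mac-access-profile name m1
 authentication trigger-condition dhcpv6 nd
"""

def parse_sections(config):
    """Group indented sub-commands under their unindented parent command."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "#"):
            continue
        if not raw[0].isspace():
            current = sections.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return sections

def audit(config):
    """Map each port whose MAC auth can be triggered by DHCPv6/ND to (profile, triggers)."""
    sections = parse_sections(config)
    triggers, auth_to_mac, bound = {}, {}, {}
    for head, body in sections.items():
        kind, _, name = head.rpartition(" ")
        if kind == "mac-access-profile name":
            cond = [l.split()[2:] for l in body if l.startswith("authentication trigger-condition ")]
            triggers[name] = set(cond[-1]) if cond else set(DEFAULT_TRIGGERS)
        for line in body:
            ref, _, target = line.partition(" ")
            if kind == "authentication-profile name" and ref == "mac-access-profile":
                auth_to_mac[name] = target   # profile p1 uses MAC profile m1
            elif kind == "interface" and ref == "authentication-profile":
                bound[name] = target         # port is bound to profile p1
    findings = {}
    for ifname, auth in bound.items():
        mac = auth_to_mac.get(auth)
        v6 = triggers.get(mac, set()) & IPV6_TRIGGERS
        if v6:
            findings[ifname] = (mac, sorted(v6))
    return findings
```

Running audit(SAMPLE) reports GigabitEthernet0/0/15 with profile m1; after the trigger condition is changed to arp dhcp as in the Solution, the result is empty.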
If you have any problems, please post them in our Community. We are happy to solve them for you!