Network Topology
Physical Network Topology
Figure 1-1 Network where an offline failure occurs
Fault Description
MAC address authentication is applied on the access device. A user passes MAC address authentication and goes online, but goes offline again shortly afterwards. This online/offline cycle repeats frequently.
Configuration Files
#LSW
!Software Version V200R010C00SPC600
#
sysname LSW
#
vlan batch 10 20 64 to 95 100 to 101 220
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
authentication-profile name p1
mac-access-profile m1
authentication timer handshake-period 10
access-domain huawei.com force
#
lldp enable
#
clock timezone 2 add 01:00:00
#
dhcp enable
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authentication-scheme a1
authorization-scheme default
authorization-scheme b1
accounting-scheme default
local-aaa-user password policy administrator
password expire 0
domain default
authentication-scheme radius
radius-server default
domain default_admin
authentication-scheme default
domain huawei.com
authentication-scheme a1
radius-server default
local-user admin password irreversible-cipher $1a$5~<kV.#apT$W/fbBDHC(EM,,p"KYo~DDpZ6#[,_z5@ArLH+(8J~$
local-user admin privilege level 15
local-user admin service-type telnet terminal ssh http
local-user huawei password cipher %^%#XlvE#{2tjDXt@}@l1PDPQcCt3f]spQC1Ba)c,eST%^%#
local-user huawei privilege level 0
local-user huawei service-type 8021x
#
interface Vlanif220
ip address 10.220.7.25 255.255.254.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/14
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 64 to 95
authentication-profile p1
#
interface GigabitEthernet0/0/15
port link-type access
port default vlan 10
authentication-profile p1
#
interface NULL0
#
arp static 10.220.7.30 38bc-0196-c308 vid 220 interface GigabitEthernet0/0/7
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
#
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
ssh client first-time enable
ssh client 10.220.6.1 assign ecc-key 10.220.6.1
ssh client 10.220.7.26 assign rsa-key 10.220.7.26
ssh client 10.220.7.27 assign dsa-key 10.220.7.27
ssh client 10.220.7.30 assign dsa-key 10.220.7.30
ssh client 10.220.7.61 assign dsa-key 10.220.7.61
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
user-interface vty 16 20
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
mac-access-profile name m1
mac-authen username fixed Huawei password cipher %^%#U>wXOHlE"*m@@~UcsJF9,fbeIKBq4AW19.AG'qf3%^%#
#
return
Troubleshooting Location
Troubleshooting Procedure
Step 1 Obtain the MAC address of the PC that goes offline, then go to Step 2.
Step 2 Check the logout record of the user.
Run the display aaa offline-record command in any view of the device to view the time at which the user went online and offline and the reason why the user went offline.
[LSW] display aaa offline-record mac-address f0de-f162-bee4
------------------------------------------------------------------------------
User name             : vlan-test
Domain name           : default
User MAC              : f0de-f162-bee4
User access type      : 802.1x
User access interface : GigabitEthernet0/0/15
Qinq vlan/User vlan   : 0/42
User IP address       : 192.168.42.254
User ID               : 25
User login time       : 2018/01/06 17:24:20
User offline time     : 2018/01/06 17:24:29
User offline reason   : ARP detect fail
The interval between the user going online and going offline is 10s, and the offline reason is ARP detect fail. Go to Step 3.
Step 3 Check the handshake interval configured for authorized users on the device.
Run the display authentication-profile configuration command to check whether the handshake interval equals the interval between the user going online and going offline.
<LSW> display authentication-profile configuration name p1
Profile name                        : p1
Dot1x access profile name           : -
Mac access profile name             : -
Portal access profile name          : testdel
Free rule template                  : -
Force domain                        : -
Dot1x force domain                  : -
Mac-authen force domain             : -
Portal force domain                 : -
Default domain                      : 110
Dot1x default domain                : -
Mac-authen default domain           : -
Portal default domain               : -
Permit domain                       : -
Authentication handshake            : Enable
Authentication handshake period     : 10s
Auth-fail re-auth period            : 60s
Pre-auth Re-auth period             : 60s
Auth-fail aging time                : 82800s
Pre-auth aging time                 : 82800s
...
The handshake period (10s) matches the online/offline interval, so it is confirmed that the PC goes offline because it does not respond with ARP reply or ND reply packets within the handshake period while the handshake with authorized users is enabled. The device therefore logs the PC out unexpectedly. Go to Step 4.
Step 4 Capture packets on the interface connected to the client to check whether the client responds to the ARP probe packets sent by the device, and whether the source IP address of the ARP probe packets is 255.255.255.255 (this source address is configurable; the default is 255.255.255.255). In this case the PC does not respond to an ARP probe packet whose source IP address is 255.255.255.255.
Solution:
1. Specify a source IP address for offline detection packets. It is advised to use the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of the offline detection packets.
[LSW] access-user arp-detect vlan 10 ip-address 192.168.1.1 mac-address 2222-1111-1234
2. Alternatively, set the default source IP address of offline detection packets to 0.0.0.0.
[LSW] access-user arp-detect default ip-address 0.0.0.0
----End
Root Cause
The device sends an ARP probe packet to check the user online status. If the user does not respond within a detection period, the device considers that the user is offline.
If the VLAN to which the user belongs does not have a VLANIF interface or the VLANIF interface does not have an IP address, the device sends an offline detection packet using 255.255.255.255 as the source IP address. If a user cannot respond to an ARP probe packet with the source IP address 255.255.255.255, the device will log the PC out unexpectedly.
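The root-cause condition above (an authenticated user VLAN with no addressed VLANIF and no arp-detect source) can be checked offline against a saved configuration. The following audit script is an added example, not part of this case or of Huawei's tooling; it assumes the VRP syntax shown in the configuration file on this page and uses a constructed excerpt of that configuration as input.

```python
import re

# Constructed excerpt modelled on the LSW configuration shown on this page (not the full file).
SAMPLE_CONFIG = """\
interface Vlanif220
 ip address 10.220.7.25 255.255.254.0
#
interface GigabitEthernet0/0/14
 port trunk allow-pass vlan 64 to 95
 authentication-profile p1
#
interface GigabitEthernet0/0/15
 port default vlan 10
 authentication-profile p1
#
"""

def expand_vlans(spec):
    """Expand VRP list syntax such as '64 to 95 100 220' into a set of VLAN IDs."""
    vlans = set()
    for a, b in re.findall(r"(\d+)(?: to (\d+))?", spec):
        vlans.update(range(int(a), int(b or a) + 1))
    return vlans

def audit_arp_detect(config):
    """Return VLANs behind authenticated ports whose offline-detection ARP probes
    would be sourced from 255.255.255.255, the condition described under Root Cause."""
    ports, vlanif_ip, detect_vlans, default_src = {}, set(), set(), "255.255.255.255"
    name = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            name = m.group(1)
            ports[name] = {"vlans": set(), "auth": False}
        elif line == "#":
            name = None                          # end of the current block
        elif name is None:                       # global configuration lines
            if m := re.match(r"access-user arp-detect vlan (\d+) ip-address", line):
                detect_vlans.add(int(m.group(1)))          # Solution 1 applied here
            if m := re.match(r"access-user arp-detect default ip-address (\S+)", line):
                default_src = m.group(1)                   # Solution 2 applied here
        elif name.lower().startswith("vlanif") and line.startswith("ip address"):
            vlanif_ip.add(int(name[6:]))         # this VLAN has an addressed VLANIF
        elif line.startswith("authentication-profile"):
            ports[name]["auth"] = True
        elif m := re.match(r"port (?:default|trunk allow-pass) vlan (.+)", line):
            ports[name]["vlans"] |= expand_vlans(m.group(1))
    if default_src != "255.255.255.255":         # default source no longer the broadcast address
        return set()
    auth_vlans = set().union(*(p["vlans"] for p in ports.values() if p["auth"]))
    return auth_vlans - vlanif_ip - detect_vlans
```

For the sample excerpt the audit reports VLAN 10 and VLANs 64 to 95; appending either solution line from this page removes the affected VLAN (Solution 1) or clears the whole list (Solution 2).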
