I have a MAG2600 and want to set it up as an L2 802.1x with a Huawei switch, and am asking if it is supported by the MAG (IC 4.1r1)?
I was not able to find Huawei in the list of supported vendors on the RADIUS client configuration page!
The Huawei switch is configured per the Huawei admin guide, but when connecting a user (having Odyssey installed and configured) to a dot1x-enabled port, the agent asks for a username and could not connect to the controller. But if I connected the user to a non-dot1x port, then I got authenticated and connected to the controller!
IC in MAG 2600 supports the RADIUS protocol as required for dot1.x and will interoperate with any standards-based dot1.x setup. You would only need to configure Huawei as a specific vendor in IC if you are planning to use vendor-specific attributes for connecting to the Huawei switches. Otherwise, selecting Standard RADIUS should be good enough. Can you check the IC logs (User, Events, policy tracing) for these failed attempts? That should tell you what is going wrong in your setup.
The MAG 2600 does not support the complete feature set of IC in version 4.1.
Only from IC version 4.2 does it function as a full-blown IC.
I upgraded to 4.2 and I got the same behaviour.
For the MAG logs:
I can see that the users' authentication succeeded, but the agent is displaying authentication failed and requesting authentication again.
I think it's a Huawei switch issue, so I wonder if anyone has had the same case.
You are right, the IC/MAG is sending an Auth Accept message to the switch. This is evident from the logs. Refer below:
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)-----------------------------------------------------------
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)Authentication Response
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)Packet : Code = 0x2 ID = 0x5a
info - [127.0.0.1] - System() - 2012/05/23 13:04:59 - (b0b5f250)EAP-Message (Success, id=7) : Value =
Are you trying to put him in any dynamic VLAN?
Certain vendors do not use standard RADIUS attributes for dynamic VLAN assignment.
If so, you will have to check if they use any vendor-specific attribute!
The client switch ports are assigned a static VLAN and the MAG is configured for a return attribute to open the port if the client is authenticated.
Alright, as Ashish pointed out, the IC is sending Access_Accept.
You have to check if the switch is sending EAP-SUCCESS to the client.
Can you collect a sniffer capture on the switch-port?
OAC logs at level 5 also should help.
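Added example, not part of the original thread or any vendor tool: a sketch of the check suggested above, scanning raw Ethernet frames from a switch-port capture for the EAPOL EAP-Success (or Failure) the switch should relay after the RADIUS Access-Accept. The frames, MAC addresses and helper names (`parse_eapol`, `final_eap_result`, `build`) are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE, VLAN_ETHERTYPE = 0x888E, 0x8100
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes):
    """Return (eapol_type, eap_code, eap_id) for an EAPOL frame, else None."""
    if len(frame) < 18:
        return None
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == VLAN_ETHERTYPE:  # skip a single 802.1Q tag
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != EAPOL_ETHERTYPE or len(frame) < offset + 4:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[offset:offset + 4])
    body = frame[offset + 4:offset + 4 + length]
    name = EAPOL_TYPES.get(ptype, f"type-{ptype}")
    if ptype != 0 or len(body) < 4:  # only EAP-Packet carries an EAP header
        return (name, None, None)
    code, eap_id, _eap_len = struct.unpack("!BBH", body[:4])
    return (name, EAP_CODES.get(code, f"code-{code}"), eap_id)

def final_eap_result(frames):
    """Last (Success|Failure, id) seen on the port, or None if neither was sent."""
    result = None
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed and parsed[1] in ("Success", "Failure"):
            result = parsed[1:]
    return result

# Constructed sample frames (not from the thread's capture).
PAE = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
CLIENT = bytes.fromhex("020000000001")   # made-up supplicant MAC
SWITCH = bytes.fromhex("020000000002")   # made-up switch port MAC

def build(src, ptype, body=b""):
    return PAE + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body

START = build(CLIENT, 1)
REQ_ID = build(SWITCH, 0, struct.pack("!BBHB", 1, 1, 5, 1))
RESP_ID = build(CLIENT, 0, struct.pack("!BBHB", 2, 1, 9, 1) + b"user")
SUCCESS = build(SWITCH, 0, struct.pack("!BBH", 3, 7, 4))

if __name__ == "__main__":
    print("relayed:", final_eap_result([START, REQ_ID, RESP_ID, SUCCESS]))
    print("dropped:", final_eap_result([START, REQ_ID, RESP_ID]))
```

A result of `None` on a port where the RADIUS server logged an accept means the switch never passed EAP-Success to the supplicant, which matches the agent repeatedly prompting for credentials.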