
Do IC support for Huawei switches as 802.1x?

eng_mahmood48_
Contributor

Re: Do IC support for Huawei switches as 802.1x?

Hi

Attached is the OAC log file.

Regards

Mahmoud

Raveen_
Regular Contributor

Re: Do IC support for Huawei switches as 802.1x?

Hi,

In the OAC logs, I can see the switch sending EAP-FAILURE.

Snippet:

--------------------------------------------------------------------------

00172,09 2012/06/03 13:07:24.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [ERR] Discarding EAPOL packet: unknown packet type 1

...

00216,09 2012/06/03 13:07:26.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [ERR] Cannot set master key: authentication not complete or method does not support session keys

...

00178,09 2012/06/03 13:07:30.046 0 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicantMgr.cpp:300 - 'odService' [NRM] Processing EAP-Failure: code = 4, id = 9, length = 7

00132,09 2012/06/03 13:07:30.046 4 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicant.cpp:5428 - 'odService' STATE_Auth() 3

00156,09 2012/06/03 13:07:30.046 3 SYSTEM odClientService.exe odService p1944 tDB0 OdysseySupplicant.cpp:5496 - 'odService' Supplicant state: authentication failed

---------------------------------------------------------------------------

This could be a switch issue! However, there are no synchronised logs provided (UAC, OAC, and sniffer capture taken together at the same timestamp).

Regards,

Raveen

eng_mahmood48_
Contributor

Re: Do IC support for Huawei switches as 802.1x?

I was able to collect the logs from MAG, OAC, and the captured traffic from the switch at the same time.

Attached are the logs.

Regards

Mahmoud

Raveen_
Regular Contributor

Re: Do IC support for Huawei switches as 802.1x?

Hi Mahmoud,

This looks like a switch issue, as it sends EAP-FAILURE even after receiving ACCESS-ACCEPT.

Below are the snippets for reference:

------------------------------------------------------------------------------

User Access Log:

2012-06-04 14:14:55 - ic - [0.0.0.0] test(Allowed-Realm)[] - Radius authentication accepted for test (realm 'Allowed-Realm') from location-group 'tel Location Group' and attributes are: NAS-IP-Address = 172.16.10.11,NAS-Port = 12398,NAS-Port-Type = 15

Radius Troubleshooting log:

info - [127.0.0.1] - System()[] - 2012/06/04 14:14:55 - (b0b7b250)Authentication Response
info - [127.0.0.1] - System()[] - 2012/06/04 14:14:55 - (b0b7b250)Packet : Code = 0x2 ID = 0x3c

Switch Capture:

Frame 86 --> ACCESS-ACCEPT from MAG Device

Frame 116 --> EAP Failure from switch to Client

After getting the Access-Accept, the switch is not responding to the client; after twenty seconds, the client sends a new EAPOL start message.

Regards,

Raveen

Note: If I have answered your questions, you could mark this as accepted solution, that way it would help others as well. A kudo would be a bonus thanks!
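The correlation used in the post above (an Access-Accept logged on the IC, followed shortly by an EAP-Failure logged by the client) can be scripted. This is an added example, not part of the original thread and not vendor code; the sample lines are constructed in the two log formats quoted above, and the 30-second window and synchronised clocks are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the two formats quoted in the thread (not the attached logs).
IC_LOG = [
    "2012-06-04 14:14:55 - ic - [0.0.0.0] test(Allowed-Realm)[] - Radius authentication "
    "accepted for test (realm 'Allowed-Realm') from location-group 'tel Location Group'",
]
OAC_LOG = [
    "00178,09 2012/06/04 14:14:35.046 0 SYSTEM odClientService.exe odService p1944 tDB0 "
    "OdysseySupplicantMgr.cpp:300 - 'odService' [NRM] Processing EAP-Failure: code = 4, id = 9, length = 7",
    "00178,09 2012/06/04 14:15:15.046 0 SYSTEM odClientService.exe odService p1944 tDB0 "
    "OdysseySupplicantMgr.cpp:300 - 'odService' [NRM] Processing EAP-Failure: code = 4, id = 10, length = 7",
]

IC_ACCEPT = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - ic - .*Radius authentication accepted for (\S+)")
OAC_FAILURE = re.compile(
    r"^\d+,\d+ (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+ .*Processing EAP-Failure: code = \d+, id = (\d+)")

def parse_accepts(lines):
    """Return (time, user) for every IC 'Radius authentication accepted' line."""
    hits = (IC_ACCEPT.match(line) for line in lines)
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)) for m in hits if m]

def parse_failures(lines):
    """Return (time, eap_id) for every OAC 'Processing EAP-Failure' line."""
    hits = (OAC_FAILURE.match(line) for line in lines)
    return [(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), int(m.group(2))) for m in hits if m]

def accept_then_failure(ic_lines, oac_lines, window_s=30):
    """Pair each accept with client-side EAP-Failures seen 0..window_s seconds later.

    Assumes the IC and client clocks are synchronised; window_s is an assumed value.
    """
    findings = []
    for accepted_at, user in parse_accepts(ic_lines):
        for failed_at, eap_id in parse_failures(oac_lines):
            delay = (failed_at - accepted_at).total_seconds()
            if 0 <= delay <= window_s:  # a failure before the accept belongs to an earlier attempt
                findings.append({"user": user, "accepted": accepted_at,
                                 "failed": failed_at, "eap_id": eap_id, "delay_s": delay})
    return findings

if __name__ == "__main__":
    for f in accept_then_failure(IC_LOG, OAC_LOG):
        print(f"{f['user']}: accepted {f['accepted']}, EAP-Failure id={f['eap_id']} "
              f"{f['delay_s']:.0f}s later -> check the authenticator (switch)")
```

A hit only shows that the server accepted and the client still saw a failure; the switch-side capture is still needed to confirm which device sent the EAP-Failure.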

Raveen_
Regular Contributor

Re: Do IC support for Huawei switches as 802.1x?

It is pretty much a switch issue, given that it is sending EAP-FAILURE despite receiving ACCESS-ACCEPT. Also, the EAP-ID that it is using is wrong, I reckon!

However, I would also try increasing authPeriod to eliminate timing issues. For testing purposes, can you increase the authPeriod timeout in OAC?

HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software, Inc.\odyssey\client\configuration\options\wired8021x\authPeriod

The default value is 20 seconds; try increasing it to 60.

Regards,

Raveen

Raveen_
Regular Contributor

Re: Do IC support for Huawei switches as 802.1x?

Forgot to add that changes to the registry require a reboot of the machine.

Regards,

Raveen

eng_mahmood48_
Contributor

Re: Do IC support for Huawei switches as 802.1x?

Hello Raveen

Thank you for your posts. I tried what you suggested, but I got the same response.

So why is the switch refusing the EAP messages?

Regards

Mahmoud

Raveen_
Regular Contributor

Re: Do IC support for Huawei switches as 802.1x?

Well, if it is not a timing issue, then you will have to work with your switch vendor on this.

You could provide the analysis that we have provided.

Regards,

raveen