Comware


Anyone have working config for MAC-based VLAN assignment on 5130 ?

  • 1.  Anyone have working config for MAC-based VLAN assignment on 5130 ?

    Posted Jul 30, 2015 09:51 AM

    Hi,


    We are using MAC-based RADIUS authentication to set ports in the correct VLAN for our different clients. I wrongly assumed I could use the same code I used on our 5120s on the new 5130 switch.

    I get a successful authentication, but the port does not set up the assigned VLAN, and display mac-authentication indicates it is continuously reauthenticating. Authentication is successful according to logs on my RADIUS server though, so I am uncertain what is wrong.


    Here is the config from the 5130; my original config from the 5120 is below. I am hoping someone can show me a working config, or otherwise point me to where I went wrong in my config.


    radius scheme system
     primary authentication 1.2.3.4 key cipher xxxxxxx
     secondary authentication 5.6.7.8 key cipher xxxxxxxx

     key authentication cipher xxxxxx
     user-name-format without-domain
     nas-ip 10.10.10.11
    #
    domain system
     authentication lan-access radius-scheme system
     authorization lan-access radius-scheme system
    #
     domain default enable system

    interface GigabitEthernet2/0/17
     description Test-port for vlan240 windows machine
     port link-type hybrid
     undo port hybrid vlan 1
     port hybrid vlan 230 untagged
     port hybrid pvid vlan 230
     mac-vlan enable
     broadcast-suppression pps 3000
     multicast-suppression pps 3000
     stp edged-port
     lldp admin-status disable
     qos trust dscp
     mac-authentication
     mac-authentication guest-vlan 232
    #


    [5130-GigabitEthernet2/0/17]dis mac-authentication  int g 2/0/17
    Global MAC authentication parameters:
       MAC authentication     : Enabled
       User name format       : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
               Username       : mac
               Password       : Not configured
       Offline detect period  : 300 s
       Quiet period           : 60 s
       Server timeout         : 100 s
       Authentication domain  : system
     Max MAC-auth users       : 4294967295 per slot
     Online MAC-auth users    : 0

     Silent MAC users:
              MAC address       VLAN ID  From port               Port index

     GigabitEthernet2/0/17  is link-up
       MAC authentication         : Enabled
       Authentication domain      : Not configured
       Auth-delay timer           : Disabled
       Re-auth server-unreachable : Logoff
       Guest VLAN                 : 232
       Critical VLAN              : Not configured
       Host mode                  : Single VLAN
       Max online users           : 4294967295
       Authentication attempts    : successful 19, failed 0
       Current online users       : 0
              MAC address       Auth state
    [5130-GigabitEthernet2/0/17]dis mac-au


    The corresponding working config from a 5120 looks like this: (There are some small differences, but I am deeming them extremely unlikely to have the effect I am seeing.)


    radius scheme system
     primary authentication 1.2.3.4 key cipher xxxxxxx
     primary accounting 127.0.0.1 1646
     secondary authentication 5.6.7.8 key cipher xxxxxxxx
     key authentication cipher xxxxxx
     user-name-format without-domain
     nas-ip 10.11.12.13
    #
    domain system
     authentication lan-access radius-scheme system
     authorization lan-access radius-scheme system
     access-limit disable
     state active
     idle-cut disable
     self-service-url disable
    #


    #
    interface GigabitEthernet1/0/15
     port link-type hybrid
     port hybrid vlan 1 untagged
     mac-vlan enable
     broadcast-suppression pps 3000
     multicast-suppression pps 3000
     undo jumboframe enable
     stp edged-port enable
     mac-authentication
     mac-authentication guest-vlan 1234
     lldp admin-status disable
     qos trust dscp
    #


    <5120_A2>dis mac-authentication
    MAC address authentication is enabled.
     User name format is MAC address in lowercase,like xx-xx-xx-xx-xx-xx
     Fixed username:mac
     Fixed password:not configured
             Offline detect period is 300s
             Quiet period is 60s
             Server response timeout value is 100s
             The max allowed user number is 1024 per slot
             Current user number amounts to 19
             Current domain is system

    Silent MAC User info:
             MAC Addr         From Port                    Port Index

    GigabitEthernet1/0/26 is link-up
      MAC address authentication is enabled
      Authenticate success: 2, failed: 0
      Max number of on-line users is 256
      Current online user number is 1
             MAC Addr         Authenticate State           Auth Index
             abcd-abcd-abcd   MAC_AUTHENTICATOR_SUCCESS     4
    GigabitEthernet1/0/27 is link-down


    #5130
    #MAC-Authentication
    #VLAN


  • 2.  RE: Anyone have working config for MAC-based VLAN assignment on 5130 ?

    Posted Jul 30, 2015 04:46 PM

    Sorry, I lack the experience from such setups using Comware products.


    Note however that the 5130 uses Comware v7 (7.10_R3109P05 is the latest firmware) while the 5120 EI uses Comware v5 (5.20_R2221P15 as the latest firmware).


    As always verify that you have the latest firmware before you continue to troubleshoot.



  • 3.  RE: Anyone have working config for MAC-based VLAN assignment on 5130 ?

    Posted Jul 30, 2015 05:12 PM

    I assume you already checked the manual, like page 131 in the "Layer 2—LAN Switching Configuration Guide" regarding "Configuring dynamic MAC-based VLAN assignment" for the 5130?


    http://h10032.www1.hp.com/ctg/Manual/c04461164



  • 4.  RE: Anyone have working config for MAC-based VLAN assignment on 5130 ?

    Posted Jul 31, 2015 02:24 AM

    Thanks Apachez-,


    I did not realize there had been that many firmware releases since March, when I installed 3108P03.


    Reading through Release Notes, I notice bug ID 201505110287,

    A user passes MAC authentication but the authentication server fails to assign the authorization VLAN to the user.


    I will make another reply once I have managed to install the new firmware.

    Regards,

    Tommy



  • 5.  RE: Anyone have working config for MAC-based VLAN assignment on 5130 ?

    Posted Jul 31, 2015 04:38 AM

    Updated the firmware, and reread the reference guide as well.


    Made a change in the config: added the VLANs I am interested in as untagged VLANs on the hybrid port. Still does not work for some reason.


    I have tried debugging on RADIUS all, as well as MAC-Authentication all, and all I see is that the user gets logged out due to the port failing to change state.


    Here is the output from the debug log (trimmed a bit):


    *Jul 31 07:31:59:907 2015 5130_Switch RADIUS/7/EVENT: -Slot=2;
    Decoded reply packet successfully.
    *Jul 31 07:31:59:908 2015 5130_Switch RADIUS/7/PACKET: -Slot=2;
        Framed-Protocol=PPP
        Service-Type=Framed-User
        Tunnel-Medium-Type:0=IEEE-802
        Tunnel-Private-Group-Id:0="240"
        Tunnel-Type:0=VLAN
        Class=0x6b96088f0000013700010a70d3ed01d0bfecc6d5815400000000000167c7
    *Jul 31 07:31:59:908 2015 5130_switch RADIUS/7/PACKET: -Slot=2;
     02 99 00 51 95 f1 28 06 97 f5 cd 25 5b 64 67 b5
     77 2f 5c 46 07 06 00 00 00 01 06 06 00 00 00 02
     41 06 00 00 00 06 51 05 32 34 30 40 06 00 00 00
     0d 19 20 6b 96 08 8f 00 00 01 37 00 01 0a 70 d3
     ed 01 d0 bf ec c6 d5 81 54 00 00 00 00 00 01 67
     c7

    *Jul 31 07:31:59:909 2015 5130_switch RADIUS/7/EVENT: -Slot=2;
    PAM_RADIUS: Processing RADIUS authentication.
    *Jul 31 07:31:59:909 2015 5130_Switch RADIUS/7/EVENT: -Slot=2;
    PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0

    *Jul 31 07:31:59:916 2015 5130_Switch RADIUS/7/EVENT: -Slot=2;
    PAM_RADIUS: RADIUS Authorization successfully.
    *Jul 31 07:31:59:917 2015 5130_SwitchMACA/7/EVENT: -Slot=2; [abcd-abcd-abcd:VLAN230:GE2/0/17] AAA processed authorization request and returned Success.
    *Jul 31 07:31:59:918 2015 5130_Switch MACA/7/EVENT: -Slot=2; [abcd-abcd-abcd:VLAN230:GE2/0/17] Authorization VLAN ID is 240.
    %Jul 31 07:31:59:956 2015 5130_Switch MACA/6/MACA_LOGOFF: -Slot=2; -IfName=GigabitEthernet2/0/17-MACAddr=abcd-abcd-abcd-VLANId=230-UserName=ab-cd-ab-cd-ab-cd-UserNameFormat=MAC address; Session of the MAC-AUTH user was terminated.
    *Jul 31 07:31:59:927 2015 5130_Switch MACA/7/EVENT: -Slot=2; [abcd-abcd-abcd:VLAN230:GE2/0/17] User started offline-detect timer, length=300(s).
    *Jul 31 07:31:59:955 2015 5130_Switch MACA/7/EVENT: -Slot=2; User will logoff for failing to change state.
    *Jul 31 07:31:59:956 2015 5130_Switch MACA/7/EVENT: -Slot=2; [abcd-abcd-abcd:VLAN230:GE2/0/17] User closed offline-detect timer.
    *Jul 31 07:32:00:024 2015 5130_Switch MACA/7/EVENT: -Slot=2; [abcd-abcd-abcd:VLAN230:GE2/0/17] User was deleted.



  • 6.  RE: Anyone have working config for MAC-based VLAN assignment on 5130 ?

    Posted Feb 02, 2016 06:04 AM

    Although this is a bit dated, I'll leave this information, as it might be useful to others. I confirm that I have a working configuration on release 3111P02, although I only have two VLANs. My RADIUS server just replies 'Access Accepted', but doesn't send a VLAN ID. You seem to have three VLANs (230, 232, 240), and your server seems to reply with VLAN 240, while the port was originally configured on VLAN 230. Did you later configure all of them as untagged?

    port hybrid vlan 230 232 240 untagged

    These commands might be useful for debugging:

    display radius statistics               (check if 'Request Packet' counter is the same as 'Packet With Response')

    display mac-address xxxx-xxxx-xxxx           (should tell you on which vlan the client was placed)


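    The debug output in reply 5 prints the raw Access-Accept as a hex dump, and reply 6 points at the likely cause: the switch can only move the user into an authorization VLAN the hybrid port actually carries untagged. The following script is an added example, not code from the thread or from HP; it decodes that exact hex dump (copied from reply 5) into RADIUS attributes, extracts the VLAN from the RFC 2868 Tunnel-* triple, and then checks it against a constructed port VLAN list, first with only VLAN 230 untagged (as in the original interface config) and then with 230/232/240 untagged as reply 6 suggests. The port VLAN sets are assumptions for illustration; the "VLAN must be untagged on the port" rule is the condition reply 6 asks about, not something verified against the switch.

```python
"""Decode the RADIUS Access-Accept hex dump from the debug log in reply 5 and
check whether the VLAN it authorizes is one the hybrid port carries untagged.
Added example; not part of the original thread."""
import struct

# Packet bytes exactly as printed by "debugging radius" in reply 5.  The Class
# value is opaque session state set by the RADIUS server and is left as hex.
LOG_HEX = """
 02 99 00 51 95 f1 28 06 97 f5 cd 25 5b 64 67 b5
 77 2f 5c 46 07 06 00 00 00 01 06 06 00 00 00 02
 41 06 00 00 00 06 51 05 32 34 30 40 06 00 00 00
 0d 19 20 6b 96 08 8f 00 00 01 37 00 01 0a 70 d3
 ed 01 d0 bf ec c6 d5 81 54 00 00 00 00 00 01 67
 c7
"""

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
# Attribute type numbers from RFC 2865 / RFC 2868.
ATTR_NAMES = {6: "Service-Type", 7: "Framed-Protocol", 25: "Class",
              64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
              81: "Tunnel-Private-Group-Id"}
TUNNEL_TAGGED = {64, 65, 81}   # attributes that may carry an RFC 2868 tag byte
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def parse_radius(hex_dump: str) -> dict:
    """Parse a RADIUS packet from a whitespace-separated hex dump."""
    data = bytes.fromhex(hex_dump.replace("\n", " "))
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes in dump")
    attrs = []
    pos = 20  # 4-byte header + 16-byte Response Authenticator
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        value = data[pos + 2:pos + alen]
        tag = None
        if atype in TUNNEL_TAGGED:
            # RFC 2868: the first byte is a tag only if it is 0x00..0x1F;
            # otherwise it is data and the tag is implicitly 0.
            if value and value[0] <= 0x1F:
                tag, value = value[0], value[1:]
            else:
                tag = 0
        if atype == 81:
            decoded = value.decode("ascii")          # VLAN ID as a string
        elif atype in (6, 7, 64, 65):
            decoded = int.from_bytes(value, "big")   # enumerated integers
        else:
            decoded = value.hex()
        attrs.append({"type": atype, "name": ATTR_NAMES.get(atype, str(atype)),
                      "tag": tag, "value": decoded})
        pos += alen
    return {"code": code, "code_name": RADIUS_CODES.get(code, "?"),
            "id": ident, "length": length, "attributes": attrs}


def authorized_vlan(packet: dict):
    """VLAN ID assigned by an Access-Accept, or None if absent or inconsistent."""
    if packet["code"] != 2:
        return None
    by_type = {a["type"]: a for a in packet["attributes"]}
    tt, tm, gid = by_type.get(64), by_type.get(65), by_type.get(81)
    if not (tt and tm and gid):
        return None
    if tt["value"] != TUNNEL_TYPE_VLAN or tm["value"] != TUNNEL_MEDIUM_IEEE802:
        return None
    if not (tt["tag"] == tm["tag"] == gid["tag"]):
        return None  # the three attributes must belong to the same tag group
    return int(gid["value"])


def vlan_allowed_on_port(vlan, untagged_vlans) -> bool:
    """Assumed rule (from reply 6): the port must carry the VLAN untagged."""
    return vlan is not None and vlan in untagged_vlans


if __name__ == "__main__":
    pkt = parse_radius(LOG_HEX)
    print(pkt["code_name"], "id", pkt["id"], "length", pkt["length"])
    for a in pkt["attributes"]:
        print(f"  {a['name']:<24} tag={a['tag']} value={a['value']}")
    vlan = authorized_vlan(pkt)
    # Constructed port VLAN lists: original config vs. the one reply 6 proposes.
    for untagged in ({230}, {230, 232, 240}):
        print(f"VLAN {vlan} allowed with untagged {sorted(untagged)}:",
              vlan_allowed_on_port(vlan, untagged))
```

    Running it shows the reply is a well-formed Access-Accept carrying Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6) and Tunnel-Private-Group-Id="240" with a common tag of 0, which is why the switch logs "Authorization VLAN ID is 240"; the mismatch is between that VLAN and a port that only carries 230 untagged. The same decoder also covers the reply-6 case where the server sends no Tunnel-* attributes at all, in which case authorized_vlan returns None and the user stays in the port PVID.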


  • 7.  RE: Anyone have working config for MAC-based VLAN assignment on 5130 ?

    Posted Feb 02, 2016 08:54 AM

    Thanks for the reply. We did some extensive debugging, and in the end there was a problem with certain releases of HP's firmware. Imagine that, bugs in the firmware.


    Here is a snippet of configuration that works for me in release cmw710-r3109p05:

     mac-authentication
     mac-authentication domain system
     mac-authentication user-name-format mac-address with-hyphen

    interface GigabitEthernet1/0/6
     port link-type hybrid
     port hybrid vlan 1 untagged
     mac-vlan enable
     broadcast-suppression pps 3000
     multicast-suppression pps 3000
     stp edged-port
     lldp admin-status disable
     qos trust dscp
     mac-authentication
     mac-authentication critical vlan 244
    #

     radius nas-ip my.own.ip.address
    #
    radius scheme system
     primary authentication radius.server.ip.address key cipher $c1234573737373737463728283737
     primary accounting radius.server.ip.address key cipher $ccrypted_password
     secondary authentication radius.server2.ip.address key cipher $c$3crypted_password
     secondary accounting radius.server2.ip.address key cipher $c$3crypetd_password_misspelled
     key authentication cipher $cmore_password_string/
     user-name-format without-domain
     nas-ip my.own.ip.address
    #
    domain system
     authentication lan-access radius-scheme system
     authorization lan-access radius-scheme system
     accounting lan-access radius-scheme system
    #
     domain default enable system