Security

  • 1.  Clearpass 6.11.10 or 6.11.9 and HPE 5140 Comware Dot1X authentication looping

    Posted 9 days ago
    Edited by GorazdKikelj 9 days ago

    Hi.

    I observed a strange behavior on my 5140EI Comware switch with the latest FW 7.10.R6351P02.

    Using very simple dot1x authentication with a certificate.

    When I connect a client to the port, authentication on Clearpass is successful, but the switch debug log reports a failure and authentication is repeated in a never-ending loop. If the RADIUS server denies access, then it works as expected and no loop is observed.

    The same configuration works flawlessly on Clearpass 6.10 and 6.12. It only fails on 6.11.9 and 6.11.10. Before I jump on TAC, has anybody encountered something like that?

    #
     dot1x
     dot1x authentication-method eap
     dot1x quiet-period
     dot1x retry 3
     dot1x timer quiet-period 30
     dot1x timer handshake-period 30
     dot1x timer supp-timeout 10
     dot1x timer tx-period 10
    #

    interface GigabitEthernet1/0/7
     dot1x
     undo dot1x handshake
     dot1x mandatory-domain clearpass1-tacacs
     undo dot1x multicast-trigger
     dot1x unicast-trigger
     dot1x guest-vlan 200
     dot1x auth-fail vlan 300
     dot1x critical vlan 1
    #

    radius scheme clearpass1
     primary authentication x.x.x.x key cipher
     primary accounting x.x.x.x key cipher 
     accounting-on enable
     user-name-format without-domain

    domain clearpass1-tacacs
     authentication lan-access radius-scheme clearpass1 local
     authorization lan-access radius-scheme clearpass1 local
     accounting lan-access radius-scheme clearpass1 local
     

    Here is switch debug log for one attempt.

    *Nov 26 08:17:14:437 2024 HPE5140 RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authentication.
    *Nov 26 08:17:14:437 2024 HPE5140 RADIUS/7/EVENT: PAM_RADIUS: Fetched authentication reply-data successfully, resultCode: 0
    *Nov 26 08:17:14:437 2024 HPE5140 DOT1X/7/EVENT: Received authentication response with code 0: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7.
    *Nov 26 08:17:14:438 2024 HPE5140 DOT1X/7/EVENT: BE is in Success state: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7.
    *Nov 26 08:17:14:438 2024 HPE5140 DOT1X/7/EVENT: PAE is in Authenticated state: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7.
    *Nov 26 08:17:14:438 2024 HPE5140 DOT1X/7/EVENT: Request clear all Oper-Vlan Vsi: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=7.
    *Nov 26 08:17:14:439 2024 HPE5140 DOT1X/7/EVENT: BE is in Idle state: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7.
    *Nov 26 08:17:14:440 2024 HPE5140 RADIUS/7/EVENT: Sent reply message successfully.
    *Nov 26 08:17:14:441 2024 HPE5140 DOT1X/7/PACKET:
    Transmitted a packet on interface GigabitEthernet1/0/7.
    Destination Mac Address=xyxx-xxxx-xxxx
    Source Mac Address=xxxx-xxxx-xxxx
    VLAN ID=1
    Mac Frame Type=888e
    Protocol Version ID=1
    Packet Type=0
    Packet Length=4.
    -----Packet Body-----
    Code=3
    Identifier=d
    Length=4.
    *Nov 26 08:17:14:443 2024 HPE5140 DOT1X/7/EVENT: Notify User Authenticated: UserMAC=xxxx.-xxxx-xxxx, VLANID=1, Interface=7.
    *Nov 26 08:17:14:444 2024 HPE5140 DOT1X/7/EVENT: Sent authorization request: UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7.
    *Nov 26 08:17:14:444 2024 HPE5140 RADIUS/7/EVENT: PAM_RADIUS: Processing RADIUS authorization.
    *Nov 26 08:17:14:445 2024 HPE5140 RADIUS/7/EVENT: PAM_RADIUS: RADIUS Authorization successfully.
    *Nov 26 08:17:14:469 2024 HPE5140 DOT1X/7/EVENT: AAA processed authorization request: Result= Failure, UserMAC=xxxx-xxxx-xxxx, VLANID=1, Interface=GigabitEthernet1/0/7
    *Nov 26 08:17:14:475 2024 HPE5140 DOT1X/7/PACKET:
    Transmitted a packet on interface GigabitEthernet1/0/7.
    Destination Mac Address=yxxx-xxxx-xxxx
    Source Mac Address=xxxx-xxxx-xxxx
    VLAN ID=1
    Mac Frame Type=888e
    Protocol Version ID=1
    Packet Type=0
    Packet Length=4.

    Best, Gorazd
    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------
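The accept-then-authorization-failure pattern in the debug log above is easy to pick out mechanically, which helps when you need to count how many clients and ports are affected before opening a TAC case. The following is an added example, not code from the thread or from HPE/Aruba: it scans Comware DOT1X debug lines for clients that repeatedly pass RADIUS authentication ("code 0") but then fail AAA authorization. The sample lines and MAC addresses are constructed.

```python
"""Flag 802.1X clients looping through RADIUS accept -> AAA authorization failure."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Comware debug format seen in the post (MACs are placeholders).
SAMPLE_LOG = """\
*Nov 26 08:17:14:437 2024 HPE5140 DOT1X/7/EVENT: Received authentication response with code 0: UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:14:469 2024 HPE5140 DOT1X/7/EVENT: AAA processed authorization request: Result= Failure, UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7
*Nov 26 08:17:24:512 2024 HPE5140 DOT1X/7/EVENT: Received authentication response with code 0: UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:24:540 2024 HPE5140 DOT1X/7/EVENT: AAA processed authorization request: Result= Failure, UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7
*Nov 26 08:17:34:601 2024 HPE5140 DOT1X/7/EVENT: Received authentication response with code 0: UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7.
*Nov 26 08:17:34:630 2024 HPE5140 DOT1X/7/EVENT: AAA processed authorization request: Result= Failure, UserMAC=0011-2233-4455, VLANID=1, Interface=GigabitEthernet1/0/7
*Nov 26 08:18:02:100 2024 HPE5140 DOT1X/7/EVENT: Received authentication response with code 0: UserMAC=66aa-77bb-88cc, VLANID=1, Interface=GigabitEthernet1/0/8.
*Nov 26 08:18:02:130 2024 HPE5140 DOT1X/7/EVENT: Notify User Authenticated: UserMAC=66aa-77bb-88cc, VLANID=1, Interface=8.
"""

TS_RE = re.compile(r"^\*(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) ")
ACCEPT_RE = re.compile(r"Received authentication response with code 0: UserMAC=(?P<mac>[0-9a-f-]{14})")
AUTHZ_FAIL_RE = re.compile(r"AAA processed authorization request: Result= Failure, UserMAC=(?P<mac>[0-9a-f-]{14})")


def parse_ts(line):
    """Timestamp of a Comware debug line ('Nov 26 08:17:14:437 2024'), or None."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S:%f %Y") if m else None


def find_authz_loops(log_text, min_cycles=3, window=timedelta(seconds=60)):
    """Return {mac: cycles} for clients whose RADIUS accept was followed by an AAA
    authorization failure at least min_cycles times inside one window."""
    pending = {}                 # mac -> timestamp of the latest accept awaiting an outcome
    cycles = defaultdict(list)   # mac -> timestamps of completed accept->failure cycles
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        if (m := ACCEPT_RE.search(line)):
            pending[m.group("mac")] = ts
        elif (m := AUTHZ_FAIL_RE.search(line)) and m.group("mac") in pending:
            cycles[m.group("mac")].append(ts)
            del pending[m.group("mac")]
    looping = {}
    for mac, stamps in cycles.items():
        # densest run of cycles within the window, so slow retries are not counted as a loop
        best = max(sum(1 for t in stamps[i:] if t - start <= window) for i, start in enumerate(stamps))
        if best >= min_cycles:
            looping[mac] = best
    return looping


if __name__ == "__main__":
    print(find_authz_loops(SAMPLE_LOG))
```

A client that gets "Notify User Authenticated" without an authorization failure, like the second MAC in the sample, is never reported.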



  • 2.  RE: Clearpass 6.11.10 or 6.11.9 and HPE 5140 Comware Dot1X authentication looping

    Posted 6 days ago

    Supplicant issue?  Did your certificates change between these versions/deployments?  




  • 3.  RE: Clearpass 6.11.10 or 6.11.9 and HPE 5140 Comware Dot1X authentication looping

    Posted 6 days ago

    No. Same certs, same CA.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 4.  RE: Clearpass 6.11.10 or 6.11.9 and HPE 5140 Comware Dot1X authentication looping

    Posted 5 days ago

    Have you tried enabling dot1x handshake?   The default setting is on.




  • 5.  RE: Clearpass 6.11.10 or 6.11.9 and HPE 5140 Comware Dot1X authentication looping

    Posted 5 days ago

    Hi Alan.

    Yes, I tried with and without dot1x handshake. Same result.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------