OK, we have several 5406zl series switches running K.15.09.0019. All but one of them perform as expected.
The one that troubles us won't let us authenticate with MAC-based auth against our RADIUS servers.
The switch throws the message "port is blocked by AAA"; OK, obviously something went wrong.
Our RADIUS (W2kR2 NAP) says: "...got a "Access-Request from....with invalid "Message Authentication Attribute"...
After investigating the network traffic we found the following:
From a switch which is behaving as expected, the access request looks like:
Frame: Number = 72629, Captured Frame Length = 227, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-22-19-6B-E6-2E],SourceAddress:[00-10-F3-31-1E-95]
+ Ipv4: src=10.2.26.19, Dest = 10.2.0.43, Next Protocol = UDP, Packet ID = 22748, Total IP Length = 213
+ Udp: SrcPort = 1024, DstPort = 1812, Length = 193
- Radius: Access Request, Id = 103, Length = 185
MessageType: Access Request, 1(0x01)
Identifier: 103 (0x67)
AllLength: 185 (0xB9)
Authenticator: FA B4 65 62 97 B4 BA DD 10 F3 FA 4B E5 15 3C 08
+ AttributeFramedMTU: 1480
+ AttributeNasIPAddress: 10.2.26.19
+ AttributeNASIdentifier: sys-cob-swt-004
+ AttributeUserName: 080037336465
+ AttributeServiceType: Call Check, 10(0xa)
+ AttributeFramedProtocol: PPP, 1(0x1)
+ AttributeNasPort: 8
+ AttributeRadiusNASPortType: Ethernet, 15(0xf)
+ AttributeNASPortID:
+ AttributeCalledStationID: 08-2e-5f-bf-3d-98
+ AttributeStationID: 08-00-37-33-64-65
+ AttributeConnectInfo:
+ AttributeChapPassword:
From the one that causes trouble it looks like this:
Frame: Number = 3719, Captured Frame Length = 368, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-22-19-6B-E6-2E],SourceAddress:[00-10-F3-31-1E-95]
+ Ipv4: src=10.2.26.16, Dest = 10.2.0.43, Next Protocol = UDP, Packet ID = 56993, Total IP Length = 354
+ Udp: SrcPort = 1812, DstPort = 1812, Length = 334
- Radius: Access Request, Id = 79, Length = 326
MessageType: Access Request, 1(0x01)
Identifier: 79 (0x4F)
AllLength: 326 (0x146)
Authenticator: BD CC 08 38 F5 6F 8D F5 16 17 A8 E6 FE 70 2B AC
+ AttributeFramedMTU: 1466
+ AttributeNasIPAddress: 10.2.26.16
+ AttributeNASIdentifier: sys-cob-swt-008
+ AttributeUserName: 0800373f5437
+ AttributeServiceType: Call Check, 10(0xa)
+ AttributeFramedProtocol: PPP, 1(0x1)
+ AttributeNasPort: 26
+ AttributeRadiusNASPortType: Ethernet, 15(0xf)
+ AttributeNASPortID:
+ AttributeCalledStationID: 00-17-a4-c5-f8-e6
+ AttributeStationID: 08-00-37-3f-54-37
+ AttributeConnectInfo:
+ AttributeChapPassword:
+ AttributeMessageAuthenticator:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
So IMHO the last one sends more information than it should (or than the RADIUS server is expecting), which IMHO brings the RADIUS to complain about the unexpected/unnecessary MessageAuthenticator attribute.
Does anyone have any idea what config I have to do to change the behaviour of the ProCurve?
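For reference, the check a RADIUS server applies to the Message-Authenticator attribute (type 80, RFC 2869) is an HMAC-MD5 over the whole Access-Request, keyed with the shared secret, with the attribute's 16 value bytes zeroed. The following is an added example, not part of the original post and not HP or Microsoft code; the packet builder, the sample packets and both secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 2869)

def parse_attributes(packet):
    """Yield (type, value_offset, value) for each attribute in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # code(1) + identifier(1) + length(2) + authenticator(16)
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen

def check_message_authenticator(packet, secret):
    """Return None if the attribute is absent, else True/False for HMAC validity."""
    length = struct.unpack("!H", packet[2:4])[0]
    for atype, off, value in parse_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = bytearray(packet[:length])
            zeroed[off:off + 16] = bytes(16)  # value is zeroed before hashing
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return None

def build_access_request(ident, authenticator, attrs, secret=None):
    """Hypothetical sample builder; signs the packet when a secret is given."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if secret is not None:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body)
    if secret is not None:
        pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

# Constructed sample data; the secrets are placeholders, not values from the post.
AUTH = bytes(range(16))
ATTRS = [(1, b"0800373f5437"), (6, struct.pack("!I", 10))]  # User-Name, Call Check
SIGNED = build_access_request(79, AUTH, ATTRS, secret=b"switch-secret")
UNSIGNED = build_access_request(103, AUTH, ATTRS)
```

Fed the raw UDP payload of a captured Access-Request and the secret configured on the server for that client, a result of `False` means the sender signed with a different secret or the packet changed in transit; `None` means the attribute was not sent at all.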