Problems with MAC-based authentication/RADIUS because of Message-Authenticator attribute

andreashuemmer
Occasional Collector

Ok, we have several 5406zl series switches running K.15.09.0019. All but one of them perform as expected.

The one that troubles us won't let us authenticate with MAC-based auth against our RADIUS servers.

The switch throws the message "port is blocked by AAA"; ok, obviously something went wrong.

Our RADIUS (W2kR2 NAP) says: "...got an Access-Request from ... with invalid Message Authentication Attribute..."

After investigating the network traffic we found the following:

From a switch which is behaving as expected, the Access-Request looks like:

  Frame: Number = 72629, Captured Frame Length = 227, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-22-19-6B-E6-2E],SourceAddress:[00-10-F3-31-1E-95]
+ Ipv4: src=10.2.26.19, Dest = 10.2.0.43, Next Protocol = UDP, Packet ID = 22748, Total IP Length = 213
+ Udp: SrcPort = 1024, DstPort = 1812, Length = 193
- Radius: Access Request, Id = 103, Length = 185
    MessageType: Access Request, 1(0x01)
    Identifier: 103 (0x67)
    AllLength: 185 (0xB9)
    Authenticator: FA B4 65 62  97 B4 BA DD  10 F3 FA 4B  E5 15 3C 08
  + AttributeFramedMTU: 1480
  + AttributeNasIPAddress: 10.2.26.19
  + AttributeNASIdentifier: sys-cob-swt-004
  + AttributeUserName: 080037336465
  + AttributeServiceType: Call Check, 10(0xa)
  + AttributeFramedProtocol: PPP, 1(0x1)
  + AttributeNasPort: 8
  + AttributeRadiusNASPortType: Ethernet, 15(0xf)
  + AttributeNASPortID:
  + AttributeCalledStationID: 08-2e-5f-bf-3d-98
  + AttributeStationID: 08-00-37-33-64-65
  + AttributeConnectInfo:
  + AttributeChapPassword:

From the one that causes trouble it looks like this:

  Frame: Number = 3719, Captured Frame Length = 368, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-22-19-6B-E6-2E],SourceAddress:[00-10-F3-31-1E-95]
+ Ipv4: src=10.2.26.16, Dest = 10.2.0.43, Next Protocol = UDP, Packet ID = 56993, Total IP Length = 354
+ Udp: SrcPort = 1812, DstPort = 1812, Length = 334
- Radius: Access Request, Id = 79, Length = 326
    MessageType: Access Request, 1(0x01)
    Identifier: 79 (0x4F)
    AllLength: 326 (0x146)
    Authenticator: BD CC 08 38  F5 6F 8D F5  16 17 A8 E6  FE 70 2B AC
  + AttributeFramedMTU: 1466
  + AttributeNasIPAddress: 10.2.26.16
  + AttributeNASIdentifier: sys-cob-swt-008
  + AttributeUserName: 0800373f5437
  + AttributeServiceType: Call Check, 10(0xa)
  + AttributeFramedProtocol: PPP, 1(0x1)
  + AttributeNasPort: 26
  + AttributeRadiusNASPortType: Ethernet, 15(0xf)
  + AttributeNASPortID:
  + AttributeCalledStationID: 00-17-a4-c5-f8-e6
  + AttributeStationID: 08-00-37-3f-54-37
  + AttributeConnectInfo:
  + AttributeChapPassword:
  + AttributeMessageAuthenticator:
  + AttributeVendorSpecific:
  + AttributeVendorSpecific:
  + AttributeVendorSpecific:
  + AttributeVendorSpecific:
  + AttributeVendorSpecific:
  + AttributeVendorSpecific:
  + AttributeVendorSpecific:
  + AttributeVendorSpecific:
  + AttributeVendorSpecific:
  + AttributeVendorSpecific:

So IMHO the last one sends more information than it should (or than the RADIUS server is expecting), which IMHO brings the RADIUS server to complain about the unexpected/unnecessary Message-Authenticator attribute.

Anyone any idea what config I've to do to change the behaviour of the ProCurve?
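The server's complaint is about the Message-Authenticator check, so it helps to see how that value is computed and verified (RFC 2869 section 5.14: HMAC-MD5 over the whole Access-Request, keyed with the shared secret, with the attribute's own 16 octets zeroed). The Python below is an added example, not code from the post or from ProCurve/NPS; it builds a request carrying the troubled switch's NAS-IP-Address, User-Name and Service-Type from the capture and then verifies it under the correct and a wrong secret, which is how a defender confirms whether a shared-secret mismatch is why the server reports the attribute as invalid. The attribute type numbers are from the RFCs; the shared secret and the Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 2865/2869 codes (from the RFCs, not from the forum post).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(type_code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (Length covers the header)."""
    return struct.pack("!BB", type_code, 2 + len(value)) + value


def build_access_request(identifier: int, authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Assemble an Access-Request and fill in a correct Message-Authenticator (RFC 2869 5.14)."""
    # Append a zeroed 16-octet Message-Authenticator first: the HMAC-MD5 is computed over
    # the entire packet (header, Request Authenticator, all attributes) with this value zeroed.
    body = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # The attribute is the last one, so its zeroed value is the final 16 octets.
    return packet[:-16] + mac


def message_authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """Return True only if the packet's Message-Authenticator verifies under this shared secret."""
    offset = 20  # attributes start after Code, Identifier, Length and the 16-octet Authenticator
    while offset + 2 <= len(packet):
        t, l = packet[offset], packet[offset + 1]
        if l < 2 or offset + l > len(packet):
            return False  # malformed attribute: reject rather than guess
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            received = packet[offset + 2:offset + 18]
            zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)  # constant-time comparison
        offset += l
    return False  # attribute absent

# Constructed sample mirroring the troubled switch's request (NAS-IP, User-Name and Service-Type
# taken from the capture in the post; the secret and the Request Authenticator are made up).
SAMPLE_ATTRS = (attr(ATTR_NAS_IP_ADDRESS, bytes([10, 2, 26, 16]))
                + attr(ATTR_USER_NAME, b"0800373f5437")
                + attr(ATTR_SERVICE_TYPE, struct.pack("!I", 10)))  # Call Check
SAMPLE_PACKET = build_access_request(79, bytes(range(16)), SAMPLE_ATTRS, b"switch-secret")
```

A Message-Authenticator that fails under the secret the server has configured for that client entry usually points to the NAS and the server holding different shared secrets, not to the attribute itself being unwanted.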