09-03-2014 10:25 AM
problems with mac based authentication/radius because of MessageAuthentication attribute
Ok, we have several switches of the 5406zl series, running K.15.09.0019. All but one of them perform as expected.
The one that troubles us won't let us authenticate with mac-based auth against our radius servers.
The switch throws the message "port is blocked by AAA", ok, obviously something went wrong.
Our radius (W2kR2 NAP) says: "...got a "Access-Request from....with invalid "Message Authentication Attribute"...
After investigating the network traffic we found the following:
From a switch which is behaving as expected, the access request looks like:
Frame: Number = 72629, Captured Frame Length = 227, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-22-19-6B-E6-2E],SourceAddress:[00-10-F3-31-1E-95]
+ Ipv4: src=10.2.26.19, Dest = 10.2.0.43, Next Protocol = UDP, Packet ID = 22748, Total IP Length = 213
+ Udp: SrcPort = 1024, DstPort = 1812, Length = 193
- Radius: Access Request, Id = 103, Length = 185
MessageType: Access Request, 1(0x01)
Identifier: 103 (0x67)
AllLength: 185 (0xB9)
Authenticator: FA B4 65 62 97 B4 BA DD 10 F3 FA 4B E5 15 3C 08
+ AttributeFramedMTU: 1480
+ AttributeNasIPAddress: 10.2.26.19
+ AttributeNASIdentifier: sys-cob-swt-004
+ AttributeUserName: 080037336465
+ AttributeServiceType: Call Check, 10(0xa)
+ AttributeFramedProtocol: PPP, 1(0x1)
+ AttributeNasPort: 8
+ AttributeRadiusNASPortType: Ethernet, 15(0xf)
+ AttributeNASPortID:
+ AttributeCalledStationID: 08-2e-5f-bf-3d-98
+ AttributeStationID: 08-00-37-33-64-65
+ AttributeConnectInfo:
+ AttributeChapPassword:
From the one that causes trouble it looks like this:
Frame: Number = 3719, Captured Frame Length = 368, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-22-19-6B-E6-2E],SourceAddress:[00-10-F3-31-1E-95]
+ Ipv4: src=10.2.26.16, Dest = 10.2.0.43, Next Protocol = UDP, Packet ID = 56993, Total IP Length = 354
+ Udp: SrcPort = 1812, DstPort = 1812, Length = 334
- Radius: Access Request, Id = 79, Length = 326
MessageType: Access Request, 1(0x01)
Identifier: 79 (0x4F)
AllLength: 326 (0x146)
Authenticator: BD CC 08 38 F5 6F 8D F5 16 17 A8 E6 FE 70 2B AC
+ AttributeFramedMTU: 1466
+ AttributeNasIPAddress: 10.2.26.16
+ AttributeNASIdentifier: sys-cob-swt-008
+ AttributeUserName: 0800373f5437
+ AttributeServiceType: Call Check, 10(0xa)
+ AttributeFramedProtocol: PPP, 1(0x1)
+ AttributeNasPort: 26
+ AttributeRadiusNASPortType: Ethernet, 15(0xf)
+ AttributeNASPortID:
+ AttributeCalledStationID: 00-17-a4-c5-f8-e6
+ AttributeStationID: 08-00-37-3f-54-37
+ AttributeConnectInfo:
+ AttributeChapPassword:
+ AttributeMessageAuthenticator:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
+ AttributeVendorSpecific:
So IMHO the last one sends more information than it should (or than the radius server is expecting), which IMHO brings the radius to complain about the unexpected/unnecessary MessageAuthenticator attribute.
Does anyone have any idea what config I have to do to change the behaviour of the procurve?
- Tags:
- authentication
- Mac