
HP 5500 Comware 5 Mac Authentication issue

 
jordanbacon
Occasional Visitor

HP 5500 Comware 5 Mac Authentication issue

Hello Everyone -

 

I am trying to configure mac-authentication on an HP 5500 Comware 5 using RADIUS. Unfortunately, it is not working like in Com7.

 

Here is some of the info:

[COM5]dis mac-authentication interface g1/0/46
MAC address authentication is enabled.
User name format is MAC address in lowercase,like xx-xx-xx-xx-xx-xx
Fixed username:mac
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60s
Server response timeout value is 100s
The max allowed user number is 2048 per slot
Current user number amounts to 0
Current domain is system

Silent MAC User info:
MAC Addr From Port Port Index
6400-6a0a-af8d GigabitEthernet1/0/46 9437229 << I am seeing that it authenticated globally and mac address is visible

GigabitEthernet1/0/46 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 339   <<  Failed on the port authentication
Max number of on-line users is 2048
Current online user number is 0
MAC Addr Authenticate State Auth Index

 

Here is my port config:

interface GigabitEthernet1/0/46
port link-mode bridge
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 60 untagged
port hybrid pvid vlan 60
undo voice vlan mode auto
mac-vlan enable
undo enable snmp trap updown
poe enable
stp edged-port enable
mac-authentication
mac-authentication domain system
mac-authentication host-mode multi-vlan

 

My global config:

mac-authentication
mac-authentication domain system
mac-authentication user-name-format mac-address with-hyphen

The RADIUS scheme is also configured correctly.

 

My main concern is the interface mac-authentication. Am I missing something?

 

Thank you.

 

 

 

4 REPLIES
Som77
HPE Pro

Re: HP 5500 Comware 5 Mac Authentication issue

Hi Jordan,

Interface configuration seems to be fine,

Authenticate success: 0, failed: 339 << Failed on the port authentication
From above please ensure MAC-Authentication is enabled on the port

When you configure RADIUS-based MAC authentication, follow these restrictions and guidelines:

• Enable MAC authentication globally only after you have configured the authentication-related
parameters. Otherwise, users might fail to pass MAC authentication.

• When you create a user account on the RADIUS server, make sure the account has the same format
as the one configured by the mac-authentication user-name-format command on the access device.

• The authentication port (UDP) used by RADIUS servers is 1812 according to standard RADIUS
protocols. However, the port (UDP) is set to 1645 on an HP device that functions as the RADIUS
authentication server. You must specify the authentication port as 1645 in the RADIUS scheme on the access device.


Please refer to Pg:298, configure RADIUS-based MAC authentication; also verify the AAA configuration
http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03941510-1.pdf


If the issue is still seen, please collect debug logs that would help in further troubleshooting:

http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c04279443-1.pdf

<SwitchB> terminal debugging
<SwitchB> terminal monitor

Use debugging mac-authentication to enable MAC authentication debugging.
Use undo debugging mac-authentication to disable MAC authentication debugging.

<SwitchB> undo t d
<SwitchB> undo t m
<SwitchB> undo debug all



I am a HPE Employee
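
The second guideline in the reply above (RADIUS account names must match the format set by mac-authentication user-name-format) can be checked offline. This is an added example, not part of the original thread or HP's documentation: it converts MACs as the switch displays them (6400-6a0a-af8d) into the lowercase xx-xx-xx-xx-xx-xx username shown in the poster's display output and flags accounts stored in another notation. The account names, and the assumption that the server compares usernames as exact strings, are constructed for illustration.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def parse_mac(text):
    """Return the 12 lowercase hex digits of a MAC in any common notation, or None."""
    digits = re.sub(r"[-:.]", "", text.strip().lower())
    return digits if HEX12.match(digits) else None

def comware_username(mac):
    """Username for 'mac-address with-hyphen' in lowercase: xx-xx-xx-xx-xx-xx."""
    digits = parse_mac(mac)
    if digits is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_accounts(switch_macs, radius_accounts):
    """Classify each switch MAC against the RADIUS account names.

    'ok'       -> an account matches the exact username the switch sends
    'mismatch' -> the same MAC exists on the server, but in another notation
    'missing'  -> no account for this MAC at all
    """
    by_digits = {}
    for name in radius_accounts:
        digits = parse_mac(name)
        if digits:
            by_digits.setdefault(digits, []).append(name)
    report = {}
    for mac in switch_macs:
        wanted = comware_username(mac)
        found = by_digits.get(parse_mac(mac), [])
        if wanted in found:
            report[mac] = ("ok", wanted, found)
        elif found:
            report[mac] = ("mismatch", wanted, found)
        else:
            report[mac] = ("missing", wanted, [])
    return report

# Constructed sample data: the first MAC is the one in the thread's display
# output; the other MACs and all account names are hypothetical.
SWITCH_MACS = ["6400-6a0a-af8d", "0011-2233-4455", "aabb-ccdd-eeff"]
RADIUS_ACCOUNTS = ["64006A0AAF8D", "00-11-22-33-44-55", "printer-lobby"]

if __name__ == "__main__":
    for mac, (status, wanted, found) in audit_accounts(SWITCH_MACS, RADIUS_ACCOUNTS).items():
        print(f"{mac}: {status:8} switch sends {wanted!r}, server has {found}")
```
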
jordanbacon
Occasional Visitor

Re: HP 5500 Comware 5 Mac Authentication issue

Really appreciate your response. I will try and provide feedback.

Also, I forgot to mention that the logs on the RADIUS server show that the authentication is accepted, but it looks like it wasn't able to forward back to the switchport.

 

 

Som77
HPE Pro

Re: HP 5500 Comware 5 Mac Authentication issue

Hi Jordan,

May I know which RADIUS server is used for authentication?
Please also check the event logs in Event Viewer of the remote RADIUS server.

There is a Reason Code attribute in the logs from which we could find the reason why the authentication failed.
According to the Reason Code attribute, we could find the possible reason and find the solution. Both debug logs and packet captures from Wireshark will help to identify the cause of the problem.



I am a HPE Employee
Som77
HPE Pro

Re: HP 5500 Comware 5 Mac Authentication issue

Hi Jordan,

Hope you have resolved the issue yourself. If it still persists, I recommend logging a support case to analyze the logs and resolve the issue.

 



I am a HPE Employee