jordanbacon
Occasional Visitor

HP 5500 Comware 5 Mac Authentication issue

Hello Everyone -

I am trying to configure mac-authentication on an HP 5500 Comware 5 using RADIUS. Unfortunately, it is not working like in Com7.

Here is some of the info:

[COM5]dis mac-authentication interface g1/0/46
MAC address authentication is enabled.
User name format is MAC address in lowercase,like xx-xx-xx-xx-xx-xx
Fixed username:mac
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60s
Server response timeout value is 100s
The max allowed user number is 2048 per slot
Current user number amounts to 0
Current domain is system

Silent MAC User info:
MAC Addr From Port Port Index
6400-6a0a-af8d GigabitEthernet1/0/46 9437229 << I am seeing that it authenticated globally and the MAC address is visible

GigabitEthernet1/0/46 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 339   <<  Failed on the port authentication
Max number of on-line users is 2048
Current online user number is 0
MAC Addr Authenticate State Auth Index

Here is my port config:

interface GigabitEthernet1/0/46
port link-mode bridge
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 60 untagged
port hybrid pvid vlan 60
undo voice vlan mode auto
mac-vlan enable
undo enable snmp trap updown
poe enable
stp edged-port enable
mac-authentication
mac-authentication domain system
mac-authentication host-mode multi-vlan

My global config:

mac-authentication
mac-authentication domain system
mac-authentication user-name-format mac-address with-hyphen

The RADIUS scheme is also configured correctly.

My main concern is the interface mac-authentication. Am I missing something?

Thank you.

Som77
HPE Pro

Re: HP 5500 Comware 5 Mac Authentication issue

Hi Jordan,

Interface configuration seems to be fine.

Authenticate success: 0, failed: 339 << Failed on the port authentication
From the above, please ensure MAC authentication is enabled on the port.

When you configure RADIUS-based MAC authentication, follow these restrictions and guidelines:

• Enable MAC authentication globally only after you have configured the authentication-related parameters. Otherwise, users might fail to pass MAC authentication.

• When you create a user account on the RADIUS server, make sure the account has the same format as the one configured by the mac-authentication user-name-format command on the access device.

• The authentication port (UDP) used by RADIUS servers is 1812 according to standard RADIUS protocols. However, the port (UDP) is set to 1645 on an HP device that functions as the RADIUS authentication server. You must specify the authentication port as 1645 in the RADIUS scheme on the access device.


Please refer to page 298 (configuring RADIUS-based MAC authentication) and also verify the AAA configuration:
http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c03941510-1.pdf


If the issue is still seen, please collect debug logs, which would help with further troubleshooting:

http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c04279443-1.pdf

<SwitchB> terminal debugging
<SwitchB> terminal monitor

Use debugging mac-authentication to enable MAC authentication debugging.
Use undo debugging mac-authentication to disable MAC authentication debugging.

<SwitchB> undo t d
<SwitchB> undo t m
<SwitchB> undo debug all



I am a HPE Employee

jordanbacon
Occasional Visitor

Re: HP 5500 Comware 5 Mac Authentication issue

Really appreciate your response. I will try and provide feedback.

Also, I forgot to mention that the logs on the RADIUS server show that the authentication is accepted, but it looks like it wasn't able to forward back to the switch port.

Som77
HPE Pro

Re: HP 5500 Comware 5 Mac Authentication issue

Hi Jordan,

May I know which RADIUS server is used for authentication? Please also check the event logs in the event viewer of the remote RADIUS server.

There is a Reason Code attribute in the logs from which we could find the reason why the authentication failed.
According to the reason code attribute, we could find the possible reason and find the solution. Both debug logs and a packet capture from Wireshark will help to identify the cause of the problem.



I am a HPE Employee

Som77
HPE Pro

Re: HP 5500 Comware 5 Mac Authentication issue

Hi Jordan,

Hope you have resolved the issue yourself; if it still persists, I recommend logging a support case to analyze the logs and resolve the issue.

I am a HPE Employee

jordanbacon
Occasional Visitor

Re: HP 5500 Comware 5 Mac Authentication issue

Still the same. The issue is not resolved.

The RADIUS server is ClearPass. I tried once again, and below are the logs shown when debugging was enabled on the switch.

*Feb 25 09:14:18:026 2019 USHOP-ACCESS-04 MACAUTH/7/EVENT: Port:GigabitEthernet1/0/46,Send request to driver to Get Port Portsec info for IfIndex = 90002d,cmd = 8460f01
*Feb 25 09:14:18:027 2019 USHOP-ACCESS-04 MACAUTH/7/EVENT: Port:GigabitEthernet1/0/46, Get Port Portsec info for IfIndex = 90002d,cmd = 8460f01,return code = 0, cap = f07
Mac-auth is enabled on port GigabitEthernet1/0/46.
[USHOP-ACCESS-04-GigabitEthernet1/0/46]
*Feb 25 09:14:19:565 2019 USHOP-ACCESS-04 MACAUTH/7/EVENT: Port:GigabitEthernet1/0/46,new mac address 6400-6a0a-af8d
*Feb 25 09:14:19:567 2019 USHOP-ACCESS-04 MACAUTH/7/EVENT: Port:GigabitEthernet1/0/46,
Need not delay.
*Feb 25 09:14:19:567 2019 USHOP-ACCESS-04 MACAUTH/7/EVENT: Auth:753,Processing node CONNECTING...
*Feb 25 09:14:19:572 2019 USHOP-ACCESS-04 RDS/7/DEBUG: Recv MSG,[MsgType=Auth request Index = 753, ulParam3=387432976]
*Feb 25 09:14:19:573 2019 USHOP-ACCESS-04 RDS/7/DEBUG: Send attribute list:
*Feb 25 09:14:19:573 2019 USHOP-ACCESS-04 RDS/7/DEBUG:
[1 User-name ] [19] [64-00-6a-0a-af-8d]
[2 Password ] [34] [A4967CF5271AA02AE6A20D7A9F6670D24C9A9FA0F8254ED7CDE1E41EF13C3515]
[4 NAS-IP-Address ] [6 ] [10.57.192.24]
[32 NAS-Identifier ] [17] [USHOP-ACCESS-04]
[5 NAS-Port ] [6 ] [16965692]
[87 NAS_Port_Id ] [36] [slot=1;subslot=0;port=46;vlanid=60]
*Feb 25 09:14:19:574 2019 USHOP-ACCESS-04 RDS/7/DEBUG:
[61 NAS-Port-Type ] [6 ] [15]
[HP-26 Connect_ID ] [6 ] [3084289]
[6 Service-Type ] [6 ] [10]
[7 Framed-Protocol ] [6 ] [1]
[31 Caller-ID ] [19] [36342D30302D36412D30412D41462D3844]
[44 Acct-Session-Id ] [20] [119012509142235010]
*Feb 25 09:14:19:575 2019 USHOP-ACCESS-04 RDS/7/DEBUG:
[HP-255Product-ID ] [56] [HP 5500-48G-PoE+-4SFP HI Switch with 2 Interface Slots]
[HP-59 NAS-Startup-Timestamp ] [6 ] [956750450]
*Feb 25 09:14:19:576 2019 USHOP-ACCESS-04 RDS/7/DEBUG:
Event: Send Packet,oem(10), send count(0), primary state(0).
*Feb 25 09:14:19:576 2019 USHOP-ACCESS-04 RDS/7/DEBUG:
Event: Restart select server.
*Feb 25 09:14:19:577 2019 USHOP-ACCESS-04 RDS/7/DEBUG:
Event: Begin to switch RADIUS server when sending 0 packet.
*Feb 25 09:14:19:578 2019 USHOP-ACCESS-04 RDS/7/DEBUG:
Event: Modify NAS-IP to 10.57.192.24.
*Feb 25 09:14:19:578 2019 USHOP-ACCESS-04 RDS/7/DEBUG: Send: IP=[10.50.1.135], UserIndex=[753], ID=[86], RetryTimes=[0], Code=[1], Length=[269]
*Feb 25 09:14:19:579 2019 USHOP-ACCESS-04 RDS/7/DEBUG:
Event: Set socket VPN attribute, VPN index=0, Result=0!
*Feb 25 09:14:19:579 2019 USHOP-ACCESS-04 RDS/7/DEBUG: Send Raw Packet is:
*Feb 25 09:14:19:580 2019 USHOP-ACCESS-04 RDS/7/DEBUG:

*Feb 25 09:14:19:645 2019 USHOP-ACCESS-04 RDS/7/DEBUG: Recv MSG,[MsgType=PKT response Index = 121, ulParam3=387599312]
*Feb 25 09:14:19:646 2019 USHOP-ACCESS-04 RDS/7/DEBUG: Receive Raw Packet is:
*Feb 25 09:14:19:646 2019 USHOP-ACCESS-04 RDS/7/DEBUG:
02 56 00 79 7a 96 49 b9 37 6f b9 5d a6 2c 46 06
ef 6d 0b 97 01 13 36 34 2d 30 30 2d 36 61 2d 30
61 2d 61 66 2d 38 64 1b 06 00 00 2a 30 1d 06 00
00 00 01 40 06 01 00 00 0d 41 06 01 00 00 06 19
3a 53 b6 dc d0 28 c5 4c 35 92 ff c3 7c a6 94 63
d3 08 0c 00 00 00 00 00 00 52 30 31 61 31 33 65
33 34 2d 30 31 2d 35 63 37 33 62 31 65 62 00 00
00 00 00 00 00 00 00 00 00

*Feb 25 09:14:19:647 2019 USHOP-ACCESS-04 RDS/7/DEBUG: Receive:IP=[10.50.1.135],Code=[2],Length=[121]
*Feb 25 09:14:19:648 2019 USHOP-ACCESS-04 RDS/7/DEBUG:
[1 User-name ] [19] [64-00-6a-0a-af-8d]
[27 Session-TimeOut ] [6 ] [10800]
[29 Termination-Action ] [6 ] [1]
[64 Tunnel-Type ] [6 ] [16777229]
[65 Tunnel-Medium-Type ] [6 ] [16777222]
[25 Class ] [58] [53B6DCD028C54C3592FFC37CA69463D3080C0000000000005230316131336533342D30312D35633733623165620000000000000000000000]
*Feb 25 09:14:19:649 2019 USHOP-ACCESS-04 RDS/7/DEBUG: NULL
*Feb 25 09:14:19:649 2019 USHOP-ACCESS-04 RDS/7/DEBUG: Reject, Message=[Vlan value that the server assigns is invalid!]
*Feb 25 09:14:19:651 2019 USHOP-ACCESS-04 MACAUTH/7/EVENT: Auth:753,Processing node connecting trans...
*Feb 25 09:14:19:652 2019 USHOP-ACCESS-04 MACAUTH/7/EVENT: Port:GigabitEthernet1/0/46,Auth:753,PORTSEC HandleAccessUserEvent return 2
*Feb 25 09:14:19:652 2019 USHOP-ACCESS-04 MACAUTH/7/EVENT: Auth:753,Processing node RELEASE...

There was a quick moment when I saw the MAC auth connected, but it was gone in just a second or two.

[USHOP-ACCESS-04]dis mac-auth int g1/0/46
MAC address authentication is enabled.
User name format is MAC address in lowercase,like xx-xx-xx-xx-xx-xx
Fixed username:mac
Fixed password:not configured
Offline detect period is 60s
Quiet period is 2s
Server response timeout value is 100s
The max allowed user number is 2048 per slot
Current user number amounts to 1
Current domain is cp

Silent MAC User info:
MAC Addr From Port Port Index

GigabitEthernet1/0/46 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 568
Max number of on-line users is 2048
Current online user number is 1
MAC Addr Authenticate State Auth Index
6400-6a0a-af8d MAC_AUTHENTICATOR_CONNECT 798
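Decoding the Access-Accept the switch logged (Code=2, Length=121; its attribute list is in the debug output above) shows Tunnel-Type and Tunnel-Medium-Type present but no Tunnel-Private-Group-Id (attribute 81), the attribute that carries the VLAN ID itself, which is consistent with the "Vlan value that the server assigns is invalid!" reject. The Python below is an added example, not code from the thread or from HPE: a minimal RADIUS attribute parser that runs this check on the logged bytes and on a constructed Accept carrying the full triple, where VLAN 60 (the port's PVID in the first post) and tunnel tag 1 are assumptions.

```python
import struct
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6          # RFC 2868 Tunnel-Type and Tunnel-Medium-Type values
# Bytes copied from the "Receive Raw Packet" debug output in the thread (Code=2, Length=121).
LOGGED_ACCEPT = bytes.fromhex(
    "02560079 7a9649b9376fb95da62c4606ef6d0b97"                  # header + authenticator
    "0113 36342d30302d36612d30612d61662d3864"                     # User-Name "64-00-6a-0a-af-8d"
    "1b06 00002a30  1d06 00000001  4006 0100000d  4106 01000006"  # attributes 27, 29, 64, 65
    "193a 53b6dcd028c54c3592ffc37ca69463d3080c000000000000"       # Class (58 bytes) ...
    "5230316131336533342d30312d3563373362316562 0000000000000000000000")

def parse_radius(packet):
    """Split a RADIUS packet into (code, identifier, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} does not match {len(packet)} bytes")
    attrs, pos = [], 20             # 20-byte header: code, id, length, authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def tagged_int(value):
    """Tagged integer (RFC 2868): tag byte + 3-byte value; Comware shows all 4 bytes as 16777229."""
    return value[0], int.from_bytes(value[1:4], "big")

def vlan_assignment_problems(packet):
    """List what stops this Accept from assigning a VLAN; an empty list means complete."""
    code, _, attrs = parse_radius(packet)
    by_type, problems = dict(attrs), [] if code == 2 else [f"not an Access-Accept (code {code})"]
    for atype, name, want in ((TUNNEL_TYPE, "Tunnel-Type", VLAN),
                              (TUNNEL_MEDIUM_TYPE, "Tunnel-Medium-Type", IEEE_802)):
        if atype not in by_type:
            problems.append(f"{name} ({atype}) missing")
        elif tagged_int(by_type[atype])[1] != want:
            problems.append(f"{name} ({atype}) is not {want}")
    if TUNNEL_PRIVATE_GROUP_ID not in by_type:
        problems.append("Tunnel-Private-Group-Id (81) missing: no VLAN to assign")
    return problems

def build_accept(ident, vlan):
    """Constructed minimal Accept with the complete tag-1 VLAN triple (authenticator zeroed)."""
    body = (bytes([TUNNEL_TYPE, 6, 1]) + VLAN.to_bytes(3, "big")
            + bytes([TUNNEL_MEDIUM_TYPE, 6, 1]) + IEEE_802.to_bytes(3, "big")
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(vlan), 1]) + vlan.encode())
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + bytes(16) + body
```

`vlan_assignment_problems(LOGGED_ACCEPT)` reports only the missing attribute 81, while `build_accept(86, "60")` passes clean; the same checker can be pointed at a pcap-extracted Accept from the ClearPass side to confirm what the enforcement profile actually sends.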