A9552 - RADIUS MAC authentication problem

 
SCPL

Dear Friends,

 

I have a huge problem with my A9552 access points.

They are set up to authenticate the user by the MAC address on the RADIUS server. The RADIUS server is a Windows Server 2008 IAS which is working perfectly. The configuration of the AP also seems fine because randomly for some clients the authentication works, but for some not. After a restart of the AP, randomly some other clients don't connect.

 

I've checked the RADIUS server and it is responding correctly. But even so, the user cannot connect.

In the attachment I've given a log from the AP marked with the green color when the connection is fine:

 

 

Nov 30 09:04:50:706 2010 PORTSEC Information PORTSEC_MACAUTH_LOGIN_SUCC "-IfName=WLAN-BSS3-MACAddr=C4:46:19:25:75:BB-VlanId=1-UserName=c446192575bb-UserNameFormat=MAC address; The user passed MAC address authentication and got online successfully."


Nov 30 09:04:50:701 2010 RDS Debug RDAUTHSUCC c446192575bb@sohbi-poland from Port=0x1003001 Vlan=1 MAC=c446-1925-75bb IP=[IPADDR] succeeded to be online


Nov 30 09:04:50:701 2010 RDS Debug RDAUTHSUCC c446192575bb@sohbi-poland from Port=0x1003001 Vlan=1 MAC=c446-1925-75bb IP=[IPADDR] succeeded to be online


Nov 30 09:04:50:692 2010 RDS Debug RDAUTHREQ c446192575bb@sohbi-poland from Port=0x1003001 Vlan=0 MAC=c446-1925-75bb IP=[IPADDR] sent authentication request


Nov 30 09:04:50:691 2010 WMAC Information LOG Client [c446-1925-75bb] successfully joins WLAN [SCPL_Net], on APID [1] with BSSID [4001-c612-7980].

 

 

 

But when the problem with the authentication exists, the log looks like this:

 

Nov 30 09:04:32:211 2010 WMAC Information LOG Client [0016-4461-9d74] goes offline & detaches from WLAN [SCPL_Net]. Reason Code [1].


Nov 30 09:04:32:211 2010 PORTSEC Information PORTSEC_MACAUTH_LOGOFF "-IfName=WLAN-BSS4-MACAddr=00:16:44:61:9D:74-VlanId=4-UserName=001644619d74-UserNameFormat=MAC address; Session of the MAC-AUTH user was terminated."


Nov 30 09:04:32:210 2010 RDS Debug RDAUTHSUCC 001644619d74@sohbi-poland from Port=0x1004001 Vlan=1 MAC=0016-4461-9d74 IP=[IPADDR] succeeded to be online


Nov 30 09:04:32:210 2010 RDS Debug RDAUTHSUCC 001644619d74@sohbi-poland from Port=0x1004001 Vlan=1 MAC=0016-4461-9d74 IP=[IPADDR] succeeded to be online


Nov 30 09:04:32:206 2010 RDS Debug RDAUTHREQ 001644619d74@sohbi-poland from Port=0x1004004 Vlan=0 MAC=0016-4461-9d74 IP=[IPADDR] sent authentication request


Nov 30 09:04:32:203 2010 WMAC Information LOG Client [0016-4461-9d74] successfully joins WLAN [SCPL_Net], on APID [1] with BSSID [4001-c612-7990].
 

 

Below is the current AP config, which seems to be fine to me:

 

#
 version 5.20, Release 1104(Canada), Release 1104(Canada)
#
 sysname AP9552 - QC office
#
 domain default enable sohbi-poland 
#
 telnet server enable 
#
 port-security enable 
#
 dot1x authentication-method eap
#
 mac-authentication domain sohbi-poland
 mac-authentication user-name-format mac-address without-hyphen
#
 wlan country-code PL
#
vlan 1
 description SohbiNet
#
vlan 2
 description SohbiGuest
#
vlan 4
 description SohbiNet wo domain
#
radius scheme system
 primary authentication 172.30.0.12
 primary accounting 172.30.0.12
 key authentication Radi0Chron
 key accounting Radi0Chron
 user-name-format without-domain
#
domain sohbi-poland 
 authentication default radius-scheme system
 authorization default radius-scheme system
 accounting default radius-scheme system
 access-limit disable 
 state active 
 idle-cut disable 
 self-service-url disable 
 accounting optional 
domain system 
 access-limit disable 
 state active 
 idle-cut disable 
 self-service-url disable 
#
user-group system
#
local-user admin
 password cipher /V_V6Y8M."0X!X<]K3BK;Q!!
 authorization-attribute level 3
 service-type telnet
#
wlan rrm
 dot11a mandatory-rate 6 12 24 
 dot11a supported-rate 9 18 36 48 54 
 dot11b mandatory-rate 1 2 
 dot11b supported-rate 5.5 11 
 dot11g mandatory-rate 1 2 5.5 11 
 dot11g supported-rate 6 9 12 18 24 36 48 54 
#
wlan service-template 3 clear
 ssid SCPL_Guest
 service-template enable
#
wlan service-template 4 crypto
 ssid SCPL_Net
 cipher-suite ccmp
 security-ie rsn
 service-template enable
#
interface NULL0
#
interface Vlan-interface1
 ip address 172.30.0.25 255.255.0.0 
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 2 4 tagged
 port hybrid vlan 1 untagged
#
interface WLAN-BSS1
 port access vlan 2
 port-security max-mac-count 64
 undo dot1x multicast-trigger
#
interface WLAN-BSS2
 port access vlan 2
 port-security max-mac-count 64
 undo dot1x multicast-trigger
#
interface WLAN-BSS3
 port-security port-mode mac-and-psk 
 port-security tx-key-type 11key 
 port-security preshared-key pass-phrase cipher /3o7cJPJ3RWNXLcyqdsKoA==
#
interface WLAN-BSS4
 port-security port-mode mac-and-psk 
 port-security tx-key-type 11key
 port-security preshared-key pass-phrase cipher /3o7cJPJ3RWNXLcyqdsKoA==
#
interface WLAN-Radio1/0/1
 service-template 4 interface wlan-bss 3
 service-template 3 interface wlan-bss 2
#
interface WLAN-Radio1/0/2
 channel 1
 service-template 4 interface wlan-bss 4
 service-template 3 interface wlan-bss 1
#
 arp-snooping enable
#
 load xml-configuration 
#
user-interface con 0
 authentication-mode scheme
user-interface vty 0 4
 authentication-mode scheme
#
return

 

 

 

Can someone please point me in the right direction regarding the problem with the authentication of clients?

 

Best regards,
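
A triage sketch for logs like the ones in the post above, added here as an example and not part of the original post: it groups the RDS and PORTSEC lines per client MAC and reports clients whose RADIUS accept (RDAUTHSUCC) is followed within a second by PORTSEC_MACAUTH_LOGOFF, together with the VLAN and port values each line carried. The function names, the one-second window and the shortened sample lines are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed input: six lines copied from the post's two excerpts, with the
# PORTSEC message text shortened and the page's [IPADDR] placeholder kept.
SAMPLE = """\
Nov 30 09:04:50:706 2010 PORTSEC Information PORTSEC_MACAUTH_LOGIN_SUCC "-IfName=WLAN-BSS3-MACAddr=C4:46:19:25:75:BB-VlanId=1-UserName=c446192575bb"
Nov 30 09:04:50:701 2010 RDS Debug RDAUTHSUCC c446192575bb@sohbi-poland from Port=0x1003001 Vlan=1 MAC=c446-1925-75bb IP=[IPADDR] succeeded to be online
Nov 30 09:04:50:692 2010 RDS Debug RDAUTHREQ c446192575bb@sohbi-poland from Port=0x1003001 Vlan=0 MAC=c446-1925-75bb IP=[IPADDR] sent authentication request
Nov 30 09:04:32:211 2010 PORTSEC Information PORTSEC_MACAUTH_LOGOFF "-IfName=WLAN-BSS4-MACAddr=00:16:44:61:9D:74-VlanId=4-UserName=001644619d74"
Nov 30 09:04:32:210 2010 RDS Debug RDAUTHSUCC 001644619d74@sohbi-poland from Port=0x1004001 Vlan=1 MAC=0016-4461-9d74 IP=[IPADDR] succeeded to be online
Nov 30 09:04:32:206 2010 RDS Debug RDAUTHREQ 001644619d74@sohbi-poland from Port=0x1004004 Vlan=0 MAC=0016-4461-9d74 IP=[IPADDR] sent authentication request
"""

LINE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d):(\d{3}) \d{4} \w+ \w+ (\w+) (.*)$")
MAC = re.compile(r"MAC(?:Addr)?=([0-9A-Fa-f:-]+)")   # RDS uses MAC=, PORTSEC uses MACAddr=
VLAN = re.compile(r"Vlan(?:Id)?=(\d+)")              # RDS uses Vlan=, PORTSEC uses VlanId=
PORT = re.compile(r"Port=(0x[0-9A-Fa-f]+)")

def parse(text):
    """Group events per client MAC, oldest first (the excerpts list newest first)."""
    by_mac = defaultdict(list)
    for raw in text.splitlines():
        m, mac = LINE.match(raw.strip()), MAC.search(raw)
        if not (m and mac):
            continue  # lines without a MAC= / MACAddr= field are skipped
        h, mi, s, ms, event, rest = m.groups()
        vlan, port = VLAN.search(rest), PORT.search(rest)
        by_mac[re.sub(r"[^0-9a-f]", "", mac.group(1).lower())].append({
            "ms": ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(ms),
            "event": event,
            "vlan": int(vlan.group(1)) if vlan else None,
            "port": port.group(1) if port else None})
    return {k: sorted(v, key=lambda e: e["ms"]) for k, v in by_mac.items()}

def accepted_then_dropped(text, window_ms=1000):
    """MACs whose RADIUS accept is followed by a PORTSEC logoff within window_ms."""
    findings = {}
    for mac, events in parse(text).items():
        last = {e["event"]: e for e in events}  # latest event of each type
        ok, off, req = (last.get(k) for k in ("RDAUTHSUCC", "PORTSEC_MACAUTH_LOGOFF", "RDAUTHREQ"))
        if ok and off and 0 <= off["ms"] - ok["ms"] <= window_ms:
            findings[mac] = {"radius_vlan": ok["vlan"], "portsec_vlan": off["vlan"],
                             "req_port": req["port"] if req else None,
                             "succ_port": ok["port"], "gap_ms": off["ms"] - ok["ms"]}
    return findings
```

On the post's failing excerpt this reports Vlan=1 on the RADIUS accept against VlanId=4 on the PORTSEC logoff, and Port=0x1004004 on the request against Port=0x1004001 on the accept.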