Monthly Archives: February 2017

When Users Fail Wireless Portal Authentication on the S12708 and Policy Center

Wireless Portal authentication is configured on the S12708 and Policy Center. The VPN instance XX is bound to VLANIF 256 of the switch for communication with the Portal server.

Authentication fails and no authentication records are displayed on the Portal server.

The configuration on the switch is as follows:

sysname Core_S12708
#
set net-manager vpn-instance XX
#
ip vpn-instance XX
 ipv4-family
  route-distinguisher 65535:4
  vpn-target 65535:4 export-extcommunity
  vpn-target 65535:4 65535:3 65535:5 65535:6 65535:7 65535:8 65535:9 65535:10 import-extcommunity
  vpn-target 65535:11 import-extcommunity
#
radius-server template radius_huawei
 radius-server shared-key cipher %@%@MhYHRn'xG)G`2&)0kQb@w#B:%@%@
 radius-server authentication 172.16.2.146 1812 vpn-instance XX source ip-address 10.66.1.1 weight 80
 radius-server accounting 172.16.2.146 1813 vpn-instance XX source ip-address 10.66.1.1 weight 80
 radius-server authorization 172.16.2.146 shared-key cipher %@%@>U:l~MJa=C8^U'9fmZ-4+q=4%@%@
#
url-template name urlTemplate_0
#
web-auth-server huawei
 server-ip 172.16.2.146
 port 50200
 shared-key cipher %@%@1s9zQui#nH`s%U47Ce~-%rA%@%@
 url http://172.16.2.146:8080/portal
#
aaa
 authentication-scheme default
 authentication-scheme radius_huawei
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 accounting-scheme radius_huawei
  accounting-mode radius
 domain default
  authentication-scheme radius_huawei
  accounting-scheme radius_huawei
  radius-server radius_huawei
 domain default_admin
#
interface Vlanif256
 ip binding vpn-instance XX
 ip address 10.66.1.1 255.255.255.0
#
authentication free-rule 1 destination ip 172.16.2.146 mask 255.255.255.255
#

WLAN configurations are omitted.

The configuration on the Policy Center is as follows:

User account setting (screenshot: modify account)

Access device setting (screenshot: modify device)

Authorization rule setting (screenshot: authorization rule)

Handling Process

Step 1 Run the test-aaa command on the switch to test the authentication account. User authentication fails. Enable RADIUS packet debugging on the switch: the switch receives a reply carrying error code 4117, which indicates that account authorization failed.

<Core_S12708>test-aaa 123 Admin123 radius-template radius_huawei
<Core_S12708>
Error: User name or password is wrong.
<Core_S12708>
Apr 23 2015 13:30:25.115.1 Core_S12708 RDS/7/DEBUG:
RADIUS Sent a Packet.
<Core_S12708>
Apr 23 2015 13:30:25.115.2 Core_S12708 RDS/7/DEBUG:
Server Template: 0
Server IP   : 172.16.2.146
Protocol: Standard
Code    : 1
Len     : 156
ID      : 118
[User-Name                          ] [5 ] [123]
[CHAP-Password                      ] [19] [c1 45 ee 4e 8a 81 68 5e 5c bf 55 16 f7 18 2e e0 08 ]
[CHAP-Challenge                     ] [18] [a6 de 82 54 33 fb 6d 61 d8 75 2c 98 a3 e5 3f 6a ]
[Service-Type                       ] [6 ] [2]
[Framed-Protocol                    ] [6 ] [1]
[NAS-Identifier                     ] [13] [Core_S12708]
[NAS-Port-Type                      ] [6 ] [15]
[Acct-Session-Id                    ] [37] [Core_S1000000000000002dd550f3001055]
[NAS-IP-Address                     ] [6 ] [10.66.1.1]
<Core_S12708>
Apr 23 2015 13:30:25.145.1 Core_S12708 RDS/7/DEBUG:
RADIUS Received a Packet.
<Core_S12708>
Apr 23 2015 13:30:25.145.2 Core_S12708 RDS/7/DEBUG:
Server Template: 0
Server IP   : 172.16.2.146
Server Port : 1812
Protocol: Standard
Code    : 3
Len     : 34
ID      : 118
[Reply-Message                      ] [14] [ErrCode:4117]
<Core_S12708>

Step 2 Check the Portal authorization policy against the configuration requirements. Compare the attributes reported to the RADIUS server with the customized condition preset for wireless access on the Policy Center. The NAS-Port-Type value in the customized condition differs from the value [NAS-Port-Type] [6] [15] in the reported packets. Delete the customized condition and run the test-aaa command again. The account now passes the test, but users still fail Portal authentication.

(screenshot: modify custom condition)
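The Access-Request and Access-Reject in the Step 1 dump, and the NAS-Port-Type mismatch found in Step 2, can be reproduced with a small RADIUS encoder and decoder. The following Python code is an added example; it is not part of the original case and not Huawei or Policy Center code. It rebuilds the request with the attributes shown in the dump (the CHAP-Challenge and CHAP identifier are copied from it; the Request Authenticator is a constructed placeholder), verifies the CHAP-Password against the test-aaa password Admin123, and then applies an authorization condition on NAS-Port-Type. The value 15 seen in the dump is Ethernet according to RFC 2865; the condition value 19 (Wireless-802.11) is an assumption about what the custom condition expected, which the case does not state.

```python
"""Added example (not from the original case or from Huawei): rebuild the Access-Request
from the debug dump, verify its CHAP-Password, and evaluate a NAS-Port-Type
authorization condition like the Policy Center custom condition behind ErrCode:4117."""
import hashlib
import ipaddress
import struct

# RFC 2865/2866 packet codes and attribute types
ACCESS_REQUEST, ACCESS_REJECT = 1, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 3, 4, 6
FRAMED_PROTOCOL, REPLY_MESSAGE, NAS_IDENTIFIER = 7, 18, 32
ACCT_SESSION_ID, CHAP_CHALLENGE, NAS_PORT_TYPE = 44, 60, 61
# NAS-Port-Type values from RFC 2865: 15 is Ethernet (the value in the dump);
# 19, Wireless-802.11, is assumed here to be what the custom condition expected.
PORT_TYPE_ETHERNET, PORT_TYPE_WIRELESS_80211 = 15, 19

# CHAP-Challenge and CHAP identifier copied from the dump; the Request Authenticator
# is a constructed placeholder (a real one is 16 random bytes per request).
CHALLENGE = bytes.fromhex("a6de825433fb6d61d8752c98a3e53f6a")
CHAP_IDENT = 0xC1
AUTHENTICATOR = bytes(range(16))


def chap_password(ident, password, challenge):
    """CHAP-Password value: identifier byte followed by MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return bytes([ident]) + digest


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; ints become 4-byte integers."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        elif isinstance(value, str):
            value = value.encode()
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, id, authenticator, [(type, raw_value), ...]); refuses malformed TLVs."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs


def attr(attrs, atype):
    return next((value for t, value in attrs if t == atype), None)


def verify_chap(attrs, password):
    """Recompute the CHAP response with the stored password and compare."""
    cp, challenge = attr(attrs, CHAP_PASSWORD), attr(attrs, CHAP_CHALLENGE)
    if cp is None or challenge is None or len(cp) != 17:
        return False
    return chap_password(cp[0], password, challenge) == cp


def port_type_matches(attrs, expected):
    raw = attr(attrs, NAS_PORT_TYPE)
    return raw is not None and len(raw) == 4 and struct.unpack("!I", raw)[0] == expected


def access_request():
    """The Access-Request from the dump (user 123 / Admin123, as in the test-aaa command)."""
    attrs = [
        (USER_NAME, "123"),
        (CHAP_PASSWORD, chap_password(CHAP_IDENT, "Admin123", CHALLENGE)),
        (CHAP_CHALLENGE, CHALLENGE),
        (SERVICE_TYPE, 2),
        (FRAMED_PROTOCOL, 1),
        (NAS_IDENTIFIER, "Core_S12708"),
        (NAS_PORT_TYPE, PORT_TYPE_ETHERNET),
        (ACCT_SESSION_ID, "Core_S1000000000000002dd550f3001055"),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.66.1.1").packed),
    ]
    return build_packet(ACCESS_REQUEST, 118, AUTHENTICATOR, attrs)


def access_reject(ident, message):
    """Access-Reject carrying a Reply-Message, as the switch printed (Code 3, Len 34)."""
    return build_packet(ACCESS_REJECT, ident, AUTHENTICATOR, [(REPLY_MESSAGE, message)])


def authorize(packet, password, expected_port_type):
    """Server-side decision: credentials first, then the authorization condition."""
    _, _, _, attrs = parse_packet(packet)
    if not verify_chap(attrs, password):
        return "reject: bad credentials"
    if not port_type_matches(attrs, expected_port_type):
        return "reject: ErrCode:4117 (authorization condition not met)"
    return "accept"
```

Because test-aaa is issued from the switch CLI, the request carries NAS-Port-Type 15 (Ethernet) rather than a wireless value, so a condition that keys on NAS-Port-Type rejects the test even though the credentials are valid; the server reports that as a Reply-Message (here ErrCode:4117) in a 34-byte Access-Reject, the same length as the one in the dump. The Access-Reject built here uses the placeholder authenticator; a real one carries the Response Authenticator computed over the reply and the shared secret.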

Step 3 Capture packets on the Portal server. The capture shows that the Portal server sends three Challenge requests to the switch and receives no response; it also sends logout request packets to the switch and receives no response. No further RADIUS authentication request is initiated, and the Portal server shows no RADIUS authentication logs for this account. The switch configuration therefore needs to be checked.

(screenshot: switch configuration)

Note: A Portal plug-in needs to be installed in the packet analyzer to decode these packets. If the Portal plug-in is not installed, you can still filter packets by their leading bytes: packets starting with 0201 and 0205 are REQ_CHALLENGE and REQ_LOGOUT packets respectively.

(screenshot: packets)

Step 4 Verify relevant switch configuration. If the switch communicates with the Portal server through a VPN instance, check whether the VPN instance is bound to the Portal server template. If not, bind the VPN instance XX to the Portal server template and test the Portal authentication again. The authentication succeeds.

#
web-auth-server huawei
 server-ip 172.16.2.146
 port 50200
 shared-key cipher %@%@1s9zQui#nH`s%U47Ce~-%rA%@%@
 url http://172.16.2.146:8080/portal
 vpn-instance XX
#

Root Cause

Account authentication and authorization fail because the configuration of the Portal server authorization template is incorrect.

The switch fails to respond to the server’s Portal packets because no VPN instance is bound to the Portal server template.

Suggestions

The Portal packet exchange process is as follows (figure: Portal packet exchange process):

1. A Portal user initiates an authentication request over HTTP. The access device lets HTTP packets destined for the Portal server or a preset authentication-free website pass through, and redirects HTTP packets destined for any other address to the Portal server. The Portal server pushes a web page on which the user enters the user name and password for authentication.

2. The Portal server exchanges information with the access device to implement CHAP authentication. If PAP is adopted, this step is omitted.

3. The Portal server assembles the user name and password entered by the user into an authentication request packet, sends the packet to the access device, and starts a timer to wait for an authentication reply packet.

4. The access device exchanges a RADIUS protocol packet with the RADIUS server.

5. The access device sends an authentication reply packet to the Portal server.

6. The Portal server sends an authentication success packet to the client to tell it that authentication succeeded.

7. The Portal server sends an authentication reply acknowledgment packet to the access device.

8. The client exchanges security information with the Policy Center server. The Policy Center server checks whether antivirus software and unauthorized software are installed and whether the virus library and operating system patches are updated to verify the security of the access terminal.

9. The Policy Center server allows the user to access authorized resources based on the result of the terminal security check. The access device enforces access control using the authorization information stored on the device.

Note: Steps 8 and 9 describe the extended Portal authentication function.
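To make the 0201/0205 filtering note from Step 3 concrete, and to show steps 2 to 7 of the exchange above on the wire, here is an added Python example; it is not from the original case and not Huawei code. It names Portal packets from their first two bytes using the 0201/0205 rule from the note (the other type codes in the table are the usual Huawei Portal values and are an assumption here, as is the 32-byte placeholder packet; real headers carry a serial number, user IP and authenticator that are not modelled), generates the packet sequence of a successful CHAP login, and counts server requests the access device never answered, which is what the Step 3 capture showed. The broken capture is constructed to match that observation.

```python
"""Added example (not from the original case or from Huawei): classify Portal packets
by the leading version/type bytes named in the note (0201 REQ_CHALLENGE, 0205
REQ_LOGOUT), generate the wire sequence of a successful CHAP Portal login, and
triage a capture for server requests the access device never answered."""
from collections import Counter

PORTAL_VERSION = 0x02
# Type byte table. 0x01 and 0x05 are the values the note gives; the remaining
# entries are the usual Huawei Portal type codes and are assumed here.
TYPES = {0x01: "REQ_CHALLENGE", 0x02: "ACK_CHALLENGE", 0x03: "REQ_AUTH",
         0x04: "ACK_AUTH", 0x05: "REQ_LOGOUT", 0x06: "ACK_LOGOUT", 0x07: "AFF_ACK_AUTH"}
# Which reply the access device owes for each server request
REPLY_FOR = {"REQ_CHALLENGE": "ACK_CHALLENGE", "REQ_AUTH": "ACK_AUTH",
             "REQ_LOGOUT": "ACK_LOGOUT"}


def portal_packet(type_code, body=b""):
    """Version and type bytes followed by a constructed 30-byte placeholder; the real
    header fields (serial number, user IP, authenticator, ...) are not modelled."""
    return bytes([PORTAL_VERSION, type_code]) + body.ljust(30, b"\x00")


def classify(pkt):
    """Name a packet from its first two bytes, the same rule as the 0201/0205 filter."""
    if len(pkt) < 2 or pkt[0] != PORTAL_VERSION:
        return "NOT_PORTAL"
    return TYPES.get(pkt[1], "UNKNOWN_%02x" % pkt[1])


def successful_login():
    """Steps 2-7 as seen between the Portal server (srv) and the access device (nas).
    Step 4, the RADIUS exchange, happens on the nas side between REQ_AUTH and ACK_AUTH."""
    return [("srv->nas", portal_packet(0x01)),   # step 2: REQ_CHALLENGE
            ("nas->srv", portal_packet(0x02)),   # step 2: ACK_CHALLENGE carrying the challenge
            ("srv->nas", portal_packet(0x03)),   # step 3: REQ_AUTH with the CHAP response
            ("nas->srv", portal_packet(0x04)),   # step 5: ACK_AUTH after the RADIUS reply
            ("srv->nas", portal_packet(0x07))]   # step 7: AFF_ACK_AUTH


def unanswered_requests(capture):
    """Count server requests without a reply from the device. A reply settles the
    oldest outstanding request of its kind, so the count is per request type."""
    outstanding = Counter()
    for direction, pkt in capture:
        name = classify(pkt)
        if direction == "srv->nas" and name in REPLY_FOR:
            outstanding[name] += 1
        elif direction == "nas->srv":
            for request, reply in REPLY_FOR.items():
                if reply == name and outstanding[request] > 0:
                    outstanding[request] -= 1
    return {name: n for name, n in outstanding.items() if n}


# Constructed capture reproducing the Step 3 observation: three challenge requests
# and then logout requests from the server, nothing back from the switch (its Portal
# server template was not yet bound to the VPN instance the server is reached through).
BROKEN_CAPTURE = ([("srv->nas", portal_packet(0x01))] * 3
                  + [("srv->nas", portal_packet(0x05))] * 2)
```

When unanswered_requests reports REQ_CHALLENGE entries but no REQ_AUTH at all, the failure is in the Portal-to-device leg and no RADIUS request will appear on the server, which is exactly why Step 3 turned attention to the switch rather than to the RADIUS account.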


Why Can't I Log In to the S5700 After It Is Powered On?

Issue Description

After a customer upgraded the software from V200R005C00SPC200 to V200R005C00SPC500 plus the latest patch V200R005SPH011, he could log in to the S5700 by telnet. The S5700 was then powered off by a power outage. After he powered the S5700 on again, he could no longer log in to it by telnet.

The topology is simple.

Here are the detailed steps:

(1) In the old software version V200R005C00SPC200, the customer could log in to the S5700 by telnet.

(2) After the customer upgraded the software to V200R005C00SPC500 and the latest patch V200R005SPH011, he could log in to the S5700 by telnet. When he checked the configuration, he found the following commands, which did not exist in the configuration of V200R005C00SPC200.

#
telnet server enable
#
user-interface vty 0 4
 protocol inbound telnet
#

(3) The S5700 was then powered off by a power outage. After the S5700 was powered on again, the customer could not log in to it by telnet. When he logged in through the console interface, he found that the above configuration was gone.

Alarm Information

None

Handling Process

(1) After the S5700 was powered on, the customer logged in through the console interface and added the following configuration; he could then log in to the S5700 by telnet again.

#
telnet server enable
#
user-interface vty 0 4
 protocol inbound telnet
#

Root Cause

(1) In V200R005C00SPC200, the telnet server is enabled by default. So the SPC200 configuration contains no “telnet server enable” command by default, yet you can log in to the S5700 by telnet.

(2) In V200R005C00SPC500, the telnet server is disabled by default. So with SPC500, if the configuration contains no “telnet server enable” command, you cannot log in to the S5700 by telnet.

(3) During the upgrade of the S5700 from SPC200 to SPC500 plus patch V200R005SPH011, the S5700 performs a configuration translation: it detects that the previous software version is SPC200 and the new one is SPC500, and translates the configuration accordingly.

(4) So when the S5700 runs SPC500 for the first time, the current running configuration contains “telnet server enable” and you can log in to the S5700 by telnet. But the saved configuration is still the SPC200 configuration, which contains no “telnet server enable”.

In this situation,

(1.1) If the configuration was not saved, then after the S5700 is rebooted again (manually, by the power switch, or by a power outage) it does not repeat the configuration translation; it runs with the configuration that was used in SPC200, which contains no “telnet server enable”. And in SPC500, if the running configuration contains no “telnet server enable”, you cannot log in to the S5700 by telnet.

(1.2) If the configuration was saved, the “telnet server enable” command is written to the saved configuration. After the S5700 is rebooted again, the running configuration contains “telnet server enable”, so you can log in to the S5700 by telnet.

Solution

(1) After the S5700 software is upgraded from V200R005C00SPC200 to V200R005C00SPC500 and the latest patch V200R005SPH011, save the current configuration.

(2) Or configure the following commands for telnet.

#
telnet server enable
#
user-interface vty 0 4
 protocol inbound telnet
#

Suggestions

After the S5700 software is upgraded from V200R005C00SPC200 to V200R005C00SPC500 and the latest patch V200R005SPH011, save the current configuration. Otherwise, after the S5700 is rebooted or powered on again, you cannot log in to it by telnet.
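The defender's form of this advice is to detect the drift between the running and the saved configuration before a reboot discards it. The following Python example is added here and is not from the original case or from Huawei: it parses two configurations in the layout of display current-configuration and display saved-configuration output (sub-view commands indented by one space, views closed by a # line) and lists the commands that exist only in the running configuration. The two configurations embedded in the block are constructed to mirror the case.

```python
"""Added example (not from the original case or from Huawei): compare the running
configuration with the saved one and list commands that only exist in the running
configuration, so the commands the SPC500 upgrade translation added (telnet server
enable, protocol inbound telnet) are noticed before a reboot discards them."""


def parse_vrp_config(text):
    """Return a set of (view, command) keys from 'display' style output, where a '#'
    line ends the current view and indented lines belong to the view line above."""
    keys, view = set(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.strip() == "#":
            view = None
            continue
        if line.startswith(" ") and view is not None:
            keys.add((view, line.strip()))
        else:
            view = line.strip()
            keys.add((None, view))
    return keys


def unsaved_commands(running, saved):
    """Commands present only in the running configuration, as 'view > command' strings."""
    missing = parse_vrp_config(running) - parse_vrp_config(saved)
    return sorted((view + " > " if view else "") + command for view, command in missing)


# Constructed configurations mirroring the case: the running configuration after the
# upgrade translation, and the saved configuration still in its SPC200 form.
RUNNING = """\
#
sysname S5700
#
telnet server enable
#
user-interface vty 0 4
 protocol inbound telnet
 authentication-mode aaa
#
"""
SAVED = """\
#
sysname S5700
#
user-interface vty 0 4
 authentication-mode aaa
#
"""


def drift_report(running=RUNNING, saved=SAVED):
    """Anything listed here is lost at the next reboot unless the configuration is saved."""
    return unsaved_commands(running, saved)
```

Run the check with the two display outputs captured from the switch right after the upgrade; a non-empty report means the translated commands live only in memory and the next reboot returns the device to the SPC200 configuration, which under SPC500 leaves the telnet server disabled.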

How Is MAC Address Authentication Configured on the S5700?

Issue Description

Version: V100R005C01SPC100
Question: How is MAC address authentication configured on the S5700?

Alarm Information

None

Handling Process

Answer: Local MAC address authentication can be configured as follows:
[Quidway]mac-authen
[Quidway]mac-authen username macaddress format with-hyphen
[Quidway]aaa
[Quidway-aaa]local-user f0de-f163-76d5 password simple f0de-f163-76d5
[Quidway-aaa]quit
[Quidway]int ethe0/0/4
[Quidway-Ethernet0/0/4]mac-authen

When MAC address authentication fails, the switch does not learn the PC’s MAC address. View the authentication status.
[Quidway]display mac-authen int Ethernet 0/0/4
Ethernet0/0/4 state: UP.  MAC address authentication is enabled
Maximum users: 256
Current users: 0
Authentication Success: 6, Failure: 18
Guest VLAN is disabled
Silent MAC info:
f0de-f163-76d5
1 silent mac address(es) found, 1 printed.

When MAC address authentication succeeds, the switch learns the PC’s MAC address. View the authentication status.
[Quidway]display mac-authen int Ethernet 0/0/4
Ethernet0/0/4 state: UP.  MAC address authentication is enabled
Maximum users: 256
Current users: 1
Authentication Success: 5, Failure: 17
Guest VLAN is disabled
Online user(s) info:
UserId   MAC/VLAN            AccessTime              UserName
——————————————————————————
37       f0de-f163-76d5/1    2008/01/01 00:37:08     f0de-f163-76d5
——————————————————————————

Root Cause

None

Suggestions

1. If MAC address authentication uses a fixed user name and password instead of the MAC address, the configuration is as follows:
[Quidway]mac-authen
[Quidway]mac-authen username fixed cc pass cc
[Quidway]aaa
[Quidway-aaa]local-user cc password simple cc
[Quidway-aaa]quit
[Quidway]int ethe0/0/4
[Quidway-Ethernet0/0/4]mac-authen
2. By default, the number of MAC address authentication users supported by a port is 256, and that supported by a switch is 1024.
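To show what the switch actually matches in the two configurations above, here is an added Python example; it is not from the original Q&A and not Huawei code. It derives the user name the switch presents for a client MAC under the with-hyphen and without-hyphen formats (and the fixed user name/password variant), checks it against a local-user table the way local authentication does, and parses the two display mac-authen outputs above (copied into the block) to report the success/failure counters, online users and silent MACs. The local-user tables and the client MAC notations in the usage are constructed.

```python
"""Added example (not from the original Q&A or from Huawei): derive the account name a
MAC-authenticating S5700 presents for a client under each username format, check it
against a local-user table the way the switch does, and parse 'display mac-authen'
output to pick out counters, online users and silent (failed) MACs."""
import re

MAC_LINE = re.compile(r"\s*(?:\d+\s+)?([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})")


def mac_username(mac, fmt="with-hyphen"):
    """Normalise any usual MAC notation to the form the local-user name must use."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    if fmt == "with-hyphen":
        return "-".join(digits[i:i + 4] for i in (0, 4, 8))
    if fmt == "without-hyphen":
        return digits
    raise ValueError("unknown username format: %r" % fmt)


def local_auth(mac, local_users, fmt="with-hyphen", fixed=None):
    """Mimic the switch: the MAC (in the configured format) is both user name and
    password, unless a fixed user name/password pair is configured. Accept only when a
    matching local-user exists. local_users maps user name to plain-text password."""
    if fixed:
        user, password = fixed
    else:
        user = password = mac_username(mac, fmt)
    return local_users.get(user) == password


def parse_mac_authen(output):
    """Extract counters and MAC lists from 'display mac-authen interface' output."""
    info = {"success": 0, "failure": 0, "online": [], "silent": []}
    m = re.search(r"Success:\s*(\d+),\s*Failure:\s*(\d+)", output)
    if m:
        info["success"], info["failure"] = int(m.group(1)), int(m.group(2))
    section = None
    for line in output.splitlines():
        if line.startswith("Silent MAC info"):
            section = "silent"
        elif line.startswith("Online user(s) info"):
            section = "online"
        elif section and MAC_LINE.match(line):
            info[section].append(MAC_LINE.match(line).group(1))
    return info


# Copied from the answer above: the display after a failed and a successful attempt
FAILED_DISPLAY = """\
Ethernet0/0/4 state: UP.  MAC address authentication is enabled
Maximum users: 256
Current users: 0
Authentication Success: 6, Failure: 18
Guest VLAN is disabled
Silent MAC info:
f0de-f163-76d5
1 silent mac address(es) found, 1 printed.
"""
OK_DISPLAY = """\
Ethernet0/0/4 state: UP.  MAC address authentication is enabled
Maximum users: 256
Current users: 1
Authentication Success: 5, Failure: 17
Guest VLAN is disabled
Online user(s) info:
UserId   MAC/VLAN            AccessTime              UserName
------------------------------------------------------------
37       f0de-f163-76d5/1    2008/01/01 00:37:08     f0de-f163-76d5
------------------------------------------------------------
"""
```

Two points the code makes visible: the local-user name must be in exactly the format selected with mac-authen username macaddress format, so a user created as f0def16376d5 never matches a switch configured for with-hyphen; and because the credential is nothing more than the client's own address, MAC authentication identifies the hardware address rather than a person, so the silent-MAC list and the failure counter are the right place to look first when a client cannot get online.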