Network Topology
Topo:
Problem Description
WX2860X integrate with a third-partycaptive portal/ AAA server,but the on-site faced a weird problem,they have to trigger authentication request twice to port 2000 AC before the AC actually perform access-request with AAA. They are unsure whether or not if it"s a bug or a misconfiguration on our part.
Process Analysis
Here"s the log we see when we trigger the first authentication request.
*Apr 6 03:46:56:561 2023
attrelogix:h3c PORTAL/7/PACKET:
Portal received 45 bytes of packet: Type=req_auth(3), ErrCode=0,
IP=192.168.110.11
*Apr 6 03:46:56:561 2023 attrelogix:h3c PORTAL/7/PACKET:
[ 1 USERNAME ] [ 11] [anonymous]
[ 2 PASSWORD ] [ 18] [******]
*Apr 6 03:46:56:561 2023 attrelogix:h3c PORTAL/7/PACKET:
01 03 01 00 e0 9e 00 00 c0 a8 6e 0b 00 00 00 02
01 0b 61 6e 6f 6e 79 6d 6f 75 73 02 12 6c 61 79
6c 37 32 73 6b 6a 66 34 64 37 66 32 30
*Apr 6 03:46:56:561 2023 attrelogix:h3c PORTAL/7/ERROR: Failed to obtain
user physical information when create user.UserIP=192.168.110.11
*Apr 6 03:46:56:561 2023 attrelogix:h3c PORTAL/7/ERROR: Portal is
disabled on the interface.
*Apr 6 03:46:56:561 2023 attrelogix:h3c PORTAL/7/ERROR: User mac is invalid.
*Apr 6 03:46:56:561 2023 attrelogix:h3c PORTAL/7/ERROR: Failed to get get
ssid by user mac,UserMac is Zero.
*Apr 6 03:46:56:561 2023 attrelogix:h3c PORTAL/7/PACKET:
Portal sent 23 bytes of packet: Type=ack_auth(4), ErrCode=1, IP=192.168.110.11
*Apr 6 03:46:56:561 2023 attrelogix:h3c PORTAL/7/PACKET:
[ 5 TEXTINFO ] [ 7]
[AC999]
*Apr 6 03:46:56:561 2023 attrelogix:h3c PORTAL/7/PACKET:
01 04 01 00 e0 9e 00 00 c0 a8 6e 0b 00 00 01 01
05 07 41 43 39 39 39
*Apr 6 03:46:56:561 2023 attrelogix:h3c PORTAL/7/ERROR: User mac is
invalid.
*Apr 6 03:46:56:561 2023 attrelogix:h3c PORTAL/7/ERROR: Failed to get get
ssid by user mac,UserMac is Zero.
*Apr 6 03:46:56:727 2023 attrelogix:h3c PORTAL/7/RULE:
[Inbound] execute full rule match, { MatchRes = [Rule3-Redirect] }
L3 Interface = WLAN-BSS1/0/5, L2 Interface = WLAN-BSS1/0/5, VLAN = 1,
SrcMac = 727b-1e75-0799,
SrcIP = 192.168.110.11, DstIP = 142.250.199.3
Protocol = 6, SrcPort = 55722, DstPort = 80, VPN Instance = 0
Here"s the log when we trigger the second authentication request to AC.
*Apr 6 03:48:19:704 2023
attrelogix:h3c PORTAL/7/PACKET:
Portal received 45 bytes of packet: Type=req_auth(3), ErrCode=0,
IP=192.168.110.11
*Apr 6 03:48:19:704 2023 attrelogix:h3c PORTAL/7/PACKET:
[ 1 USERNAME ] [ 11] [anonymous]
[ 2 PASSWORD ] [ 18] [******]
*Apr 6 03:48:19:704 2023 attrelogix:h3c PORTAL/7/PACKET:
01 03 01 00 e1 81 00 00 c0 a8 6e 0b 00 00 00 02
01 0b 61 6e 6f 6e 79 6d 6f 75 73 02 12 39 30 77
69 63 67 6a 30 6d 68 61 74 66 35 33 69
As you can see, there"s no weird error as in the first request. Note that the password is dynamically generated thus different in the 2 requests.
And they did not see the radius request coming in during the first try but we do in the second try.
Solution
Actually the portal server send the req_auth to AC, AC will query local arp entries.
If the AC arp entry didn"t have such client, it will send Type=ack_auth(4), ErrCode=1 to deny the authentication.
After AC queryed the local arp entries,then the arp of the client generated so the second authentication can go on.
So it need to configure this command to let AC enable the Client legitimacy check function.
portal host-check enable
The WLAN Snooping table, DHCP Snooping table, and ARP table will be used to check its validity.
If the Portal client information is found in these three tables, it is considered legal and Portal authentication is allowed.
After configure the command,the on-site AC is able
to authenticate on the first trigger.