S5130S-EI dot1x authentication failed and returned code=4

2024-05-11 16:35:58 Published

Network Topology

NULL

Problem Description

After the iNode client on the terminal was upgraded, dot1x authentication of the terminal fails on some switches.


Process Analysis

1. While the fault is present, a packet capture on the terminal shows that the switch initiates an EAP request. After the terminal answers with an EAP response, the device side directly responds with a failure, so authentication fails.

2. With debugging dot1x all and debugging radius all enabled on the switch, the abnormal authentication process was checked and was consistent with the packet capture. The device ultimately returned a dot1x authentication failure, but the process never reached RADIUS authentication:

*Feb 19 02:30:24:407 2013 H3C DOT1X/7/EVENT: BE is in Request state: UserMAC=e861-1f31-xxxx, VLANID=838, Interface=GigabitEthernet1/0/23.

*Feb 19 02:30:24:408 2013 H3C DOT1X/7/EVENT: Sending EAP packet: Identifier=1, type=1.

*Feb 19 02:30:24:409 2013 H3C DOT1X/7/PACKET:

Transmitted a packet on interface GigabitEthernet1/0/23.

Destination Mac Address=e861-1f31-xxxx

Source Mac Address=7425-8ad9-117d

VLAN ID=838

Mac Frame Type=888e

Protocol Version ID=1

Packet Type=0

Packet Length=5.

-----Packet Body-----

Code=1

Identifier=1

Length=5.

*Feb 19 02:30:24:523 2013 H3C DOT1X/7/PACKET:

Received a packet on interface GigabitEthernet1/0/23.

Destination Mac Address=7425-8ad9-117d

Source Mac Address=e861-1f31-xxxx

Mac Frame Type=888e

Protocol Version ID=1

Packet Type=0

Packet Length=71.

-----Packet Body-----

Code=2

Identifier=1

Length=71.

*Feb 19 02:30:24:524 2013 H3C DOT1X/7/EVENT: BE is in Response state: UserMAC=e861-1f31-xxxx, VLANID=838, Interface=GigabitEthernet1/0/23.

*Feb 19 02:30:24:524 2013 H3C DOT1X/7/EVENT: Successfully created server timeout timer: UserMAC=e861-1f31-xxxx, VLANID=838, Interface=GigabitEthernet1/0/23.

*Feb 19 02:30:24:524 2013 H3C DOT1X/7/EVENT: Obtained user IP address X.X.X.X in old form: UserMAC=e861-1f31-xxxx, VLANID=838, Interface=GigabitEthernet1/0/23.

*Feb 19 02:30:24:525 2013 H3C DOT1X/7/EVENT: Sent authentication request: UserMAC=e861-1f31-xxxx, VLANID=838, Interface=GigabitEthernet1/0/23.

*Feb 19 02:30:24:526 2013 H3C DOT1X/7/EVENT: AAA processed authentication request: Result=Failure code 4, UserMAC=e861-1f31-xxxx, VLANID=838, Interface=GigabitEthernet1/0/23.

*Feb 19 02:30:24:526 2013 H3C DOT1X/7/EVENT: BE is in Fail state: UserMAC=e861-1f31-xxxx, VLANID=838, Interface=GigabitEthernet1/0/23.

*Feb 19 02:30:24:527 2013 H3C DOT1X/7/PACKET:

Transmitted a packet on interface GigabitEthernet1/0/23.

Destination Mac Address=e861-1f31-xxxx

Source Mac Address=7425-8ad9-117d

VLAN ID=838

Mac Frame Type=888e

Protocol Version ID=1

Packet Type=0

Packet Length=4.

-----Packet Body-----

Code=4

Identifier=1

Length=4.

*Feb 19 02:30:24:527 2013 H3C DOT1X/7/EVENT: PAE is in Aborting state: UserMAC=e861-1f31-xxxx, VLANID=838, Interface=GigabitEthernet1/0/23.

*Feb 19 02:30:24:528 2013 H3C DOT1X/7/EVENT: BE is in Initialize state: UserMAC=e861-1f31-xxxx, VLANID=838, Interface=GigabitEthernet1/0/23.

*Feb 19 02:30:24:529 2013 H3C DOT1X/7/EVENT: PAE is in Disconnect state: UserMAC=e861-1f31-xxxx, VLANID=838, Interface=GigabitEthernet1/0/23..

3. Analysis showed that the error reported here was caused by the domain not being carried. The customer confirmed that they authenticate with a user name that includes a domain name, but the switch was not configured with a domain.
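The check from step 2, written as an added example (not part of the original case and not H3C tooling): it scans saved debugging output and reports each AAA failure together with whether any RADIUS debug line appeared after the authentication request. The sample log is constructed, and it is an assumption that RADIUS debug lines use the same header format with a RADIUS/ module tag.

```python
import re

# Constructed sample in the debug format shown above. The MACs, the second
# session, its failure code and the RADIUS line text are made up.
SAMPLE_LOG = """\
*Feb 19 02:30:24:525 2013 H3C DOT1X/7/EVENT: Sent authentication request: UserMAC=0011-2233-4455, VLANID=838, Interface=GigabitEthernet1/0/23.
*Feb 19 02:30:24:526 2013 H3C DOT1X/7/EVENT: AAA processed authentication request: Result=Failure code 4, UserMAC=0011-2233-4455, VLANID=838, Interface=GigabitEthernet1/0/23.
*Feb 19 02:31:10:100 2013 H3C DOT1X/7/EVENT: Sent authentication request: UserMAC=0011-2233-66aa, VLANID=838, Interface=GigabitEthernet1/0/24.
*Feb 19 02:31:10:101 2013 H3C RADIUS/7/EVENT: (constructed) request sent to server.
*Feb 19 02:31:10:300 2013 H3C DOT1X/7/EVENT: AAA processed authentication request: Result=Failure code 1, UserMAC=0011-2233-66aa, VLANID=838, Interface=GigabitEthernet1/0/24.
"""

HDR = re.compile(r"^\*\S+ +\d+ [\d:]+ \d{4} \S+ (\w+)/\d/\w+:\s*(.*)$")
SENT = re.compile(r"Sent authentication request: UserMAC=(\S+?),")
FAIL = re.compile(r"AAA processed authentication request: Result=Failure code (\d+), "
                  r"UserMAC=(\S+?), VLANID=(\d+), Interface=(\S+?)\.*$")

def find_aaa_failures(log_text):
    """Return one record per AAA failure, noting whether RADIUS debug output
    appeared between the authentication request and the AAA result."""
    pending = {}   # UserMAC -> True once a RADIUS line follows its request
    failures = []
    for line in log_text.splitlines():
        m = HDR.match(line.strip())
        if not m:
            continue  # packet dump fields and blank lines
        module, msg = m.groups()
        if module == "RADIUS":
            # Assumption: RADIUS lines are not tied to a MAC, so mark every open request.
            for mac in pending:
                pending[mac] = True
        elif module == "DOT1X":
            if (s := SENT.search(msg)):
                pending[s.group(1)] = False
            elif (f := FAIL.search(msg)):
                code, mac, vlan, ifname = f.groups()
                failures.append({"mac": mac, "vlan": int(vlan), "interface": ifname,
                                 "aaa_code": int(code), "reached_radius": pending.pop(mac, False)})
    return failures

if __name__ == "__main__":
    for rec in find_aaa_failures(SAMPLE_LOG):
        where = "after a RADIUS exchange" if rec["reached_radius"] else "locally, before any RADIUS exchange"
        print(f'{rec["mac"]} on {rec["interface"]}: AAA failure code {rec["aaa_code"]} {where}')
```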


Solution

Add the domain name configuration on the switch:

[Device-GigabitEthernet1/0/1] dot1x mandatory-domain xxx

