Solved

802.1x weird security (between Huawei S3900 switch, MS IAS 2006 (RADIUS) and Windows 2k3 AD) doesn't work

Posted on 2009-05-04
1,094 Views
Last Modified: 2013-12-04
Hi,

We use HuaWei equipment in our network: S8500 for our core routers, S3900 for the edge switches.
We tried to implement wired 802.1x security in the schools' network via the S3900 edge switches, and followed the instructions from the HuaWei documents, and it doesn't work.

Please see the following testing results:

1.) Enable CHAP only on RADIUS and on the S3900: it doesn't work, please see the attached debug file (also I cannot see any event regarding my logon (mbus\j.wan) via Event Viewer on RADIUS).
2.) Enable MS-CHAPv2 on RADIUS and enable EAP on the switch: it doesn't work, please see the attached debug file (but I can see some events regarding my logon (mbus\j.wan) via Event Viewer on RADIUS; it said: "Access request for user MBUS\j.wan was discarded, Reason-Code = 23 and Unexpected error. Possible error in server or client").

We actually have another part of 802.1x in our network--- network points in public areas, which are working well (via a login portal from an Aruba controller), please see the following diagram:

Client machine---------> S3900 switch -----------> Aruba controller (Use CHAP)  ------------> IAS (RADIUS)-------------->Windows AD----------> a successful authentication.
I would like to share some of my experience with you. I had a similar issue with ChilliSpot (open source software for hot spots, wireless and RADIUS authentication) three years ago, and I successfully rectified the issue via CHAP, whilst the whole ChilliSpot community reckoned there was no way to make ChilliSpot, RADIUS and Windows AD work together because of their different ways of authentication.

I think there might be an issue with the S3900 regarding the authentication method with Windows Active Directory via IAS (RADIUS): the S3900 really should use CHAP to initiate an authentication request to Windows AD via IAS (RADIUS), as CHAP would be a common language between the S3900, RADIUS and Windows AD for the authentication process.

Please also see two attached debug files for above two scenarios.

If someone out there has experienced similar issues and knows how to fix them, please help us; any information and help would be much appreciated.

Many thanks in advance.

Regards

John Wan

debugging-8021x-with-only-CHAP-e.txt
debugging-8021x-with-only-MS-CHA.txt
Question by:mbsadmin1
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 24428336
There is quite a bit of planning and testing you need to do to enable 802.1x on a wired LAN; the wifi networks have it all rolled up into a nice neat package, so it is much easier on wifi than wired. Are you going to use certificates or Active Directory as the authentication mechanism? Have you considered trying a solution like PacketFence, FreeNAC or Safe Access Lite from StillSecure? These are NAC solutions that don't require 802.1x, but can use it as well.
Also, for 802.1x to work you have to have the supplicant installed/enabled. With XP I think it's enabled by default on wireless NICs but not always on wired NICs, and 802.1x depends on the "Wired AutoConfig" service being started; this is especially true for Vista and 2008. XP SP3 moves the service to Wired AutoConfig, and it's set to manual.
On XP SP2 you had to have the Wireless Zero Configuration service started...
http://technet.microsoft.com/en-us/magazine/cc194418.aspx
http://support.microsoft.com/kb/953650
-rich
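A quick check of the supplicant dependency Rich describes, as an added example that is not part of the original thread. It assumes a Vista/2008-or-later client where the wired supplicant runs behind the Wired AutoConfig service (service name dot3svc) and that it is run from an elevated PowerShell prompt; the -Fix switch is a hypothetical option of this script, not a Windows feature.

```powershell
# Added example: report (and optionally repair) the Windows wired 802.1X supplicant state.
# Assumption: Wired AutoConfig = service "dot3svc"; Manual/Disabled startup or a stopped
# service means the NIC never answers the switch's EAP-Request, so the port stays unauthorised.
param([switch]$Fix)

function Get-WiredAutoConfigState {
    # WMI exposes StartMode on old hosts where Get-Service has no StartType property
    $w = Get-WmiObject -Class Win32_Service -Filter "Name='dot3svc'"
    if (-not $w) { throw "dot3svc not present: this OS has no wired 802.1X supplicant service" }
    [pscustomobject]@{ State = $w.State; StartMode = $w.StartMode }
}

$before = Get-WiredAutoConfigState
"Wired AutoConfig before: state=$($before.State) startup=$($before.StartMode)"

if ($Fix) {
    if ($before.StartMode -ne 'Auto') { Set-Service -Name dot3svc -StartupType Automatic }
    if ($before.State -ne 'Running')  { Start-Service -Name dot3svc }
    $after = Get-WiredAutoConfigState
    "Wired AutoConfig after:  state=$($after.State) startup=$($after.StartMode)"
}

# Built-in view of the wired 802.1X configuration: per-adapter authentication state
# and the EAP type/profile the supplicant will offer to the switch.
netsh lan show interfaces
netsh lan show profiles
```

If the service is running but the interface still shows authentication disabled, the per-NIC 802.1X profile (the "Authentication" tab / netsh lan profile) is the next thing to check before looking at the switch or IAS.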

Author Comment

by:mbsadmin1
ID: 24634301
Hi Rich,

Thanks for your info, we are going to upgrade firmware soon, and will let you know the outcomes.

Cheers

John