Problem with 802.1X and 3Com 5500G

markholmes24
I'm trying to set up a 3Com 5500G to authenticate connections via RADIUS.

I have configured it to use MAC authentication, so when a machine is plugged in the port sends the connected NIC's MAC address as username and password to a RADIUS server (I'm using IAS in Windows 2008 - now called something different).

The RADIUS server authenticates against AD, if there is an account found for the connecting machine it allows connection and then should return a VLAN to the switch to put the port into based on AD Group membership.

If auth fails, the switch puts the port into a Guest VLAN.

When I test this, the log on the server shows RADIUS authenticates the connection and records a successful logon, but this is immediately followed by a logoff event.

The switch logs an authentication failure - see below.

It looks to me like the RADIUS server is returning a NULL response to the switch?  Why could this be?

*0.427711560 5500G-EI MACAUTH/8/EVENT:- 1 -Port:0,MAC authentication new mac is: 001c-2315-56ca, vlan:1.r
*0.427711682 5500G-EI MACAUTH/8/EVENT:- 1 -Port:0,MAC authenticaiton: excute MAC_AddressLearn...a
*0.427711802 5500G-EI MACAUTH/8/EVENT:- 1 -Port:0,new mac address 001c-2315-56ca , vlan 1.d
*0.427711912 5500G-EI MACAUTH/8/EVENT:- 1 -Auth:1058,Processing  InitTrans!i
*0.427712002 5500G-EI MACAUTH/8/EVENT:- 1 -Auth:1058,Processing node CONNECTING...u
*0.427712103 5500G-EI RDS/8/DEBUG:- 1 -Recv MSG,[MsgType=Normal auth request Index = 1058, ulParam3=2214909604]s
*0.427712246 5500G-EI RDS/8/DEBUG:- 1 -Send attribute list:
*0.427712312 5500G-EI RDS/8/DEBUG:- 1 -
[1  User-name                   ] [28] [001c231556ca@netauth.local]
[2  Password                    ] [18] [FFEEF390AC4963F6684FC39313DB8AEA]
[4  NAS-IP-Address              ] [6 ] [192.168.99.50]
[32 NAS-Identifier              ] [14] [001ec178cc82]
[5  NAS-Port                    ] [6 ] [16781313]
[61 NAS-Port-Type               ] [6 ] [15]schem
*0.427712802 5500G-EI RDS/8/DEBUG:- 1 -
[6  Service-Type                ] [6 ] [2]
[7  Framed-Protocol             ] [6 ] [1]
[31 Caller-ID                   ] [16] [303031632D323331352D35366361]e
*0.427713054 5500G-EI RDS/8/DEBUG:- 1 -Send: IP=[192.168.99.1], UserIndex=[1058], ID=[247], RetryTimes=[0], Code=[1], Length=[126]
*0.427713223 5500G-EI RDS/8/DEBUG:- 1 -Send Raw Packet is:
*0.427713293 5500G-EI RDS/8/DEBUG:- 1 -
 01 f7 00 7e 00 00 18 de 00 00 17 69 00 00 41 69
 00 00 66 d4 01 1c 30 30 31 63 32 33 31 35 35 36
 63 61 40 6e 65 74 61 75 74 68 2e 6c 6f 63 61 6c
 02 12 ff ee f3 90 ac 49 63 f6 68 4f c3 93 13 db
 8a ea 04 06 c0 a8 63 32 20 0e 30 30 31 65 63 31
 37 38 63 63 38 32 05 06 01 00 10 01 3d 06 00 00
 00 0f 06 06 00 00 00 02 07 06 00 00 00 01 1f 10
 30 30 31 63 2d 32 33 31 35 2d 35 36 63 61
 
*0.427713842 5500G-EI RDS/8/DEBUG:- 1 -Recv MSG,[MsgType=PKT response Index = 20, ulParam3=2215056340]
*0.427713972 5500G-EI RDS/8/DEBUG:- 1 -Receive Raw Packet is:
*0.427714042 5500G-EI RDS/8/DEBUG:- 1 -
 03 f7 00 14 bb 5e e0 f0 a1 2c d5 4d 95 aa 42 e0
 6c 51 8a a4
 
*0.427714172 5500G-EI RDS/8/DEBUG:- 1 -Receive:IP=[192.168.99.1],Code=[3],Length=[20]
*0.427714281 5500G-EI RDS/8/DEBUG:- 1 -NULL
*0.427714322 5500G-EI RDS/8/DEBUG:- 1 -RejectMsg=[Rejected by RADIUS server without any message ]
*0.427714443 5500G-EI MACAUTH/8/EVENT:- 1 -Auth:0,
 MacGuestVlanId = 0, MacGuestVlanCfg = 0, MacAuthCount = 1
*0.427714582 5500G-EI MACAUTH/8/EVENT:- 1 -Auth:1058,Processing CONNECTING Trans!
*0.427714692 5500G-EI MACAUTH/8/EVENT:- 1 -Auth:1058,Processing node FAILURE...
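To see what the switch actually received, here is an added decoder (not code from the thread or from 3Com/Microsoft) that parses the two raw packets quoted in the debug output above using the RFC 2865 layout: 1-byte code, 1-byte identifier, 2-byte length, 16-byte authenticator, then type/length/value attributes. The attribute and code names are the standard ones; the hex strings are copied from the log, and the "NULL" the switch prints turns out to be a well-formed Access-Reject that simply carries no Reply-Message attribute.

```python
import struct

# Raw packets copied from the switch debug output above (Send / Receive Raw Packet).
ACCESS_REQUEST_HEX = """
01 f7 00 7e 00 00 18 de 00 00 17 69 00 00 41 69
00 00 66 d4 01 1c 30 30 31 63 32 33 31 35 35 36
63 61 40 6e 65 74 61 75 74 68 2e 6c 6f 63 61 6c
02 12 ff ee f3 90 ac 49 63 f6 68 4f c3 93 13 db
8a ea 04 06 c0 a8 63 32 20 0e 30 30 31 65 63 31
37 38 63 63 38 32 05 06 01 00 10 01 3d 06 00 00
00 0f 06 06 00 00 00 02 07 06 00 00 00 01 1f 10
30 30 31 63 2d 32 33 31 35 2d 35 36 63 61
"""
ACCESS_REJECT_HEX = "03 f7 00 14 bb 5e e0 f0 a1 2c d5 4d 95 aa 42 e0 6c 51 8a a4"

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# RFC 2865 attributes seen in the log, plus the RFC 2868 tunnel attributes an
# Access-Accept would carry to hand the switch a VLAN.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 7: "Framed-Protocol", 18: "Reply-Message",
              31: "Calling-Station-Id", 32: "NAS-Identifier", 61: "NAS-Port-Type",
              64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}

def parse_radius(raw: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} bytes received")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "length": length,
            "authenticator": raw[4:20], "attrs": attrs}

def describe(attr_type: int, value: bytes) -> str:
    """Render one attribute value: text, dotted quad, integer, or hex for everything else."""
    if attr_type in (1, 18, 31, 32, 81):
        return value.decode("utf-8", "replace")
    if attr_type == 4 and len(value) == 4:
        return ".".join(str(b) for b in value)
    if attr_type in (5, 6, 7, 61) and len(value) == 4:
        return str(struct.unpack("!I", value)[0])
    return value.hex()  # User-Password is obfuscated with the shared secret; keep it raw

def attributes(packet: dict) -> dict:
    return {ATTR_NAMES.get(t, f"attr-{t}"): describe(t, v) for t, v in packet["attrs"]}

def reject_reason(request: dict, reply: dict) -> str:
    """What the switch saw: does the reply pair with the request, and did it carry a message?"""
    if reply["id"] != request["id"]:
        return "reply identifier does not match the request"
    if reply["code"] != "Access-Reject":
        return f"reply is {reply['code']}"
    msgs = [describe(t, v) for t, v in reply["attrs"] if t == 18]
    return msgs[0] if msgs else "Access-Reject with no Reply-Message attribute"
```

Because the reject carries no attributes, the reason for it lives only on the server side (IAS event log / policy evaluation), which is consistent with the author's eventual finding that a Remote Access policy was at fault.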


Commented:
Since no one has responded I'll jump in here.  I'm confused by your first few lines.  How would the NIC's MAC magically turn into the password on the Radius server?
In our environment and the way I've been taught is you use password auth OR MAC auth for your endpoint.  In my case, we use MAC authentication for printers, and PEAP (aka password) for workstations, passwords for switches and MAC or password for VoIP devices depending on what particular model.
MAC authentication sucks because I have to put every MAC into the RADIUS server.  PEAP is easy to configure and so is the password option for my L2 switches.
Your log output shows the RADIUS is rejecting it.  Was there an error in the eventviewer for the server?
I'm not a 3COM expert (I'm an HP expert though) but it would be helpful if you posted your config on the switch.

Author

Commented:
Thanks very much for replying.

It's a function of the switch - they can be configured to send the MAC address of the connecting device as a username and password to your RADIUS server.  This part is working as I can see the successful logon events in the event viewer - so I see something like 0025649f1bd8@domain.local successful logon, followed immediately by a logoff event for the same account.

I have looked at all the ways of doing this and ended up with MAC auth for several reasons.  We are a University and so have a mixture of managed (i.e. on our domain) and unmanaged machines.  What I want to do is put those on separate networks.

The issue with using PEAP and passwords as I saw it was that a) Certificates are required - easy to push those out to machines on a domain (we already have a PKI in place) but more complicated for machines off the domain, i.e. I don't want to have to ask users to install certificates, it will just generate too much support; b) If we are talking about them using an AD user account to log in, that's not enough as we need to know whether the machine they are connecting should go on the trusted or untrusted network - plenty of users have one managed and one unmanaged machine.

The way I plan to have this working is:

User connects device

If authentication fails (i.e. MAC not found in AD) they are dropped into a 'Registration' VLAN.  I am using DNAT on our firewall to forward all port 80 traffic to our registration server, so when they connect and open their browser they get a Registration page.

On the registration page, they enter their MAC address; this then generates an AD account with that address and drops it into the 'Untrusted' group.  They are then told to disconnect and re-connect to the network; this time the account is found in AD and they are placed into the Untrusted VLAN (this is all done by an IAS policy returning the VLAN to the switch based on group membership).

Only the IT department can move a machine into the 'trusted' AD group; as the name suggests, this will drop them into the 'trusted' VLAN when they connect.

I'll post the config shortly.  There are no errors logged on the RADIUS server side.

I resolved this myself - there was a problem with one of the Remote Access policies.
