freeradius + mysql 实现802.1x认证 客户端认证失败

Question

各位大侠：

俺遇到一个问题，

CentOS搭建Freeradius + mysql 实现802.1x认证，通过windows自带的802.1x认证工具（即修改网卡，启用802.1x身份认证），使用MD5+质询  点击确定后，提示输入用户名密码，在输入凭据窗口中输入用户名和密码，点击确定，网络显示“网络已连接”，并正常获取到了IP地址，大概1秒钟左右，网络连接状态从“已连接上”立即变成“尝试身份验证“，接着网卡图标变成获取地址状态（一个光色的小球在转动）,接着就一直处于身份验证失败。

在freeradius调试窗口显示认证成功，信息如下：

rad_recv: Access-Request packet from host 10.150.10.41 port 2740, id=0, length=192

        User-Name = "bob"

        CHAP-Password = 0x02ea1f176f0d518a40827e6144ef92eb67

        CHAP-Challenge = 0x5daf295da20c9f8f72f25656e49dbfb4

        NAS-IP-Address = 10.150.10.41

        NAS-Identifier = "JieRu"

        NAS-Port = 16781413

        NAS-Port-Id = "slot=1;subslot=0;port=1;vlanid=101"

        NAS-Port-Type = Ethernet

        Service-Type = Framed-User

        Framed-Protocol = PPP

        Calling-Station-Id = "D4-3D-7E-3D-35-63"

        Huawei-Connect-ID = 6225921

        Huawei-Product-ID = "H3C S5120-24P-EI-D"

        Huawei-Startup-Stamp = 956750404

......

Sending Access-Accept of id 0 to 10.150.10.41 port 2740

        Framed-Protocol = PPP

        Framed-Compression = Van-Jacobson-TCP-IP

        Reply-Message = "Hello Bob!"

        Tunnel-Medium-Type:0 = IEEE-802

        Tunnel-Type:0 = VLAN

        Tunnel-Private-Group-Id:0 = "1101"

Finished request 43.

Going to the next request

尝试采用802.1x客户端进行认证，但是新的问题出现

使用了 H3C的iNode 和xClient 均出现，radius收到的认证请求中，用户名字段的签名有一段”0607“开头的一串字符，而且每次的前缀都不一样，导致认证失败

rad_recv: Access-Request packet from host 10.150.10.41 port 2740, id=0, length=224

        User-Name = "0607SQsoN1Mmdzo7SU93bUYNM9SlPDY=  bob"

        CHAP-Password = 0x02bcf304be0529837426408b166107c3e5

        CHAP-Challenge = 0x443efcde846a18e2bbeec76bf8799cde

        NAS-IP-Address = 10.150.10.41

        NAS-Identifier = "JieRu"

        NAS-Port = 16781413

        NAS-Port-Id = "slot=1;subslot=0;port=1;vlanid=101"

        NAS-Port-Type = Ethernet

        Service-Type = Framed-User

        Framed-Protocol = PPP

        Calling-Station-Id = "D4-3D-7E-3D-35-63"

        Huawei-Connect-ID = 5963777

        Huawei-Product-ID = "H3C S5120-24P-EI-D"

        Huawei-Startup-Stamp = 956750404

求高手指点，谢谢。

Answer 1

交换机（H3C S5120-EI-D ver5.20 R1513P15）配置如下：

radius scheme radius1

server-type extended

primary authentication 10.150.0.206

primary accounting 10.150.0.206

key authentication cipher $c$3$jcYVhNgnH5LLgZJjBwxFyUdLvkyFDQ==

key accounting cipher $c$3$4DYuIIq1hwwi4W5sTfEYS80nvR8tww==

user-name-format without-domain

dot1x

domain test

authentication lan-access radius-scheme radius1 local

authorization lan-access radius-scheme radius1 local

accounting lan-access radius-scheme radius1 local

access-limit disable

state active

idle-cut disable

self-service-url disable

interface GigabitEthernet1/0/1

port link-type hybrid

undo port hybrid vlan 1

port hybrid vlan 101 to 110 1001 to 1023 1101 to 1123 untagged

port hybrid pvid vlan 101

mac-vlan enable

dot1x

radius认证服务器改为 H3C IMC 是则正常