Contributor I
Posts: 29
Registered: ‎05-09-2013

802.1X enable - IP conflict detected in the windows machine

Hi Aruba,

 

Our customer says that before NAC they hadn't experienced any IP conflict issues, but after NAC a few Windows machines started experiencing an IP conflict message pop-up in the icon tray. Is the "ip device tracking" in the switch configuration causing this IP conflict?

 

 

Many thanks

 

 

Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: 802.1X enable - IP conflict detected in the windows machine

Which NAC and how is it configured?



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 29
Registered: ‎05-09-2013

Re: 802.1X enable - IP conflict detected in the windows machine


Hi cJoseph, thanks for the prompt reply,

 

Our client is using ClearPass Policy Manager Appliance 5K and 25K models.

 

See below switch configuration

 

!Global configuration
radius server Server1
 address ipv4 x.x.x.x auth-port 1645 acct-port 1646
 automate-tester username test
 key ***********
!
aaa server radius dynamic-author
 client x.x.x.x server-key *******
 port 3799
 auth-type any
!
radius-server deadtime 8
radius-server dead-criteria time 10 tries 3
!
radius-server vsa send authentication
ip device tracking
ip dhcp snooping
!
ip access-list extended default
 permit ip any any
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
dot1x critical eapol
!
!port config
interface range fa0/X-X
 ip access-group default in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication host multi-auth
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 3
 dot1x max-req 1
!

 

The Windows machine is configured with 802.1X: authentication method PEAP, and access is allowed if the policy matches <Machine Authentication and User Authentication>.

 

Some blogs I read say it is due to "ip device tracking".

 

Duplicate IP Address Cause

"If the switch sends out an ARP Probe for the client while the Windows PC is in its duplicate-address detection phase, Windows detects the probe as a duplicate IP address and presents the user with a message that a duplicate IP address was found on the network for 0.0.0.0. The PC does not obtain an address, and the user must either manually release/renew the address, disconnect and reconnect to the network, or reboot the PC in order to gain network access."
 

Many thanks
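
The overlap described in the quoted passage above can be checked in a packet capture. The following is an added example, not part of the original post and not Cisco or Aruba tooling: a Python check that flags an address probed (ARP request with sender IP 0.0.0.0) by two different MACs within a short window. The MAC and IP values, the 3-second window and the function names are assumptions made for the illustration.

```python
import struct
from ipaddress import IPv4Address

# Ethernet II header + IPv4-over-Ethernet ARP body, 42 bytes in total.
ARP_FMT = "!6s6sH" "HHBBH6s4s6s4s"

def build_arp_request(sha, spa, tpa):
    """Build a broadcast ARP request frame (used only to construct the sample capture)."""
    mac = bytes.fromhex(sha.replace(":", ""))
    return struct.pack(ARP_FMT, b"\xff" * 6, mac, 0x0806, 1, 0x0800, 6, 4, 1,
                       mac, IPv4Address(spa).packed, b"\x00" * 6, IPv4Address(tpa).packed)

def parse_probe(frame):
    """Return (sender_mac, target_ip) for an ARP probe (request with sender IP 0.0.0.0), else None."""
    if len(frame) < 42:
        return None
    _, _, etype, htype, ptype, hlen, plen, oper, sha, spa, _, tpa = struct.unpack(ARP_FMT, frame[:42])
    if (etype, htype, ptype, hlen, plen, oper) != (0x0806, 1, 0x0800, 6, 4, 1):
        return None
    if spa != b"\x00" * 4:
        return None  # ordinary ARP request, sender already owns an address
    return sha.hex(":"), str(IPv4Address(tpa))

def find_probe_collisions(capture, window=3.0):
    """Flag target IPs probed by two different MACs within `window` seconds (assumed value)."""
    last_seen = {}  # target_ip -> {sender_mac: last timestamp}
    hits = []
    for ts, frame in sorted(capture, key=lambda item: item[0]):
        probe = parse_probe(frame)
        if probe is None:
            continue
        mac, ip = probe
        seen = last_seen.setdefault(ip, {})
        for other, other_ts in seen.items():
            if other != mac and ts - other_ts <= window:
                hits.append((ip, other, mac, round(ts - other_ts, 3)))
        seen[mac] = ts
    return hits

# Constructed sample capture: (timestamp in seconds, raw frame). MACs and IPs are made up.
SAMPLE = [
    (10.00, build_arp_request("00:11:22:33:44:55", "0.0.0.0", "192.0.2.10")),    # PC's own probe
    (10.40, build_arp_request("aa:bb:cc:00:00:01", "0.0.0.0", "192.0.2.10")),    # second device probing same IP
    (11.00, build_arp_request("00:11:22:33:44:55", "192.0.2.10", "192.0.2.1")),  # normal request, not a probe
    (45.00, build_arp_request("aa:bb:cc:00:00:01", "0.0.0.0", "192.0.2.20")),    # lone probe, no overlap
]

if __name__ == "__main__":
    for ip, mac_a, mac_b, gap in find_probe_collisions(SAMPLE):
        print(f"{ip}: probed by {mac_a} and {mac_b} within {gap}s")
```

Each hit names the address and both probing MACs, which lets you match the second prober against the access switch before changing the tracking configuration.
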

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: 802.1X enable - IP conflict detected in the windows machine

I think you need the command ip device tracking probe use-svi. It should reduce your error message because the switch will use the SVI MAC address rather than the MAC address of the client to do a reverse ARP request to get the IP address.

Occasional Contributor II
Posts: 12
Registered: ‎06-09-2016

Re: 802.1X enable - IP conflict detected in the windows machine

We are encountering this occasionally too. To address this we are moving the Arubas onto a VLAN with network-based DHCP, and disabling built-in DHCP/NAT.
