12-11-2014 04:54 AM
Got a problem with a combination of an AP225 and an HP 5130 switch stack. The actual problem is to do with the 5130 but I'm wondering if there's anything I can do on the 225 to get round the problem
Our switch ports are configured to support both 802.1x and mac auth. A successful authentication results in ClearPass passing back a vlan name to the switch and the client device is placed in the appropriate vlan. For a failed authentication, the switch drops the client into an "unauth" vlan with limited network access.
This is something we do all over campus on our HP ProCurve switches. The 5130 is a rebadged H3C switch running ComWare Vsn 7.
I'm getting a race condition where the sequence of events seems to be as follows:-
power up AP via PoE+ from switch
switch puts AP in catch all vlan
switch sees (dhcp) traffic from AP and starts processing a mac-auth
ap requests an IP address and gets one associated with the "unauth" vlan
switch finishes processing the mac-auth and places AP into the correct vlan
AP has IP associated with one vlan but is in another one
Eventually AP reboots because it can't "phone home" to the mobility controller and sequence starts again.
Now the problem is that the switch shouldn't process the dhcp request until after either a mac-auth or 802.1x auth request has been processed/timed out. If it did that then things would be just fine and the AP would get an IP address on the right vlan.
While I could put a silly lease time in for the DHCP pool associated with the "unauth" vlan, that would affect everything connected to it which would be a bit silly. Is there any way of configuring the AP to delay the dhcp request for a couple of seconds to give the switch enough time to process the mac-auth?
12-11-2014 05:36 AM
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP