Wireless Access

Reply
Frequent Contributor I
Posts: 83
Registered: ‎05-11-2011

Drops on RAP155-P for wired 802.1x connections

Hello

I'm facing ramdomize drops for 802.1x clients connected on the wired ports of my RAP 155P.

I have a AAA profile for MAC and 802.1x authenitcations and for all the hosts connected via mac autheitcation they work without any problem. Connectivity is recovered automatically after 2 seconds but all connections from the 802.1x clients during the hit are dropped which is causing alot issues with any flows from the host.

Endpoints are Win7 with latest LAN driver, ArubaOS is 6.4.3.5 and ClearPass is on 6.5.3. 

I've also verify my Radius Cert which have been issued from my internal PKI, I also tried to deactivate validate Cert on the 802.1x configuration for the Windows NIC and I don't see events on the Radius server for the hits in most ofthe cases and on the controller, debugging the endpoints I don't see anything which can indicate a problem.

I've been trying to get a resolution from the TAC for more than a week but I don't receive any direction and I don't think this looks like they will solve the issue so I plan to scalate the case next week anyway if someone coulld help me to stablize this will be great.

 

Thanks in advance

Guru Elite
Posts: 21,480
Registered: ‎03-29-2007

Re: Drops on RAP155-P for wired 802.1x connections

Why are you doing mac authentication on top of 802.1x? You should eliminate that to get to the bottom of your problem. You should execute "show auth-tracebuf" to find out why it is happening.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 83
Registered: ‎05-11-2011

Re: Drops on RAP155-P for wired 802.1x connections

Thanks for answering. I need both authentication methods to support devices which are not performing 8021.x.  I will look into the output for the command auth-tracebuf right after a hit happens to see if I can narrow down the root of the problem.

Regards,

 

Frequent Contributor I
Posts: 83
Registered: ‎05-11-2011

Re: Drops on RAP155-P for wired 802.1x connections

I haven't triggered yet the vent but so far I see something.

Although my client is set to 802.1x seems to send mac authentication requests

 

Dec  6 11:01:22  m-auth req             *  34:e6:d7:2f:87:be  01:80:c2:00:00:03        -    -    
Dec  6 11:01:22  m-auth resp            *  34:e6:d7:2f:87:be  01:80:c2:00:00:03        -    -     failed
Dec  6 11:01:59  rad-acct-int-update   ->  34:e6:d7:2f:87:be  01:80:c2:00:00:03/cppm1  -    -    
Dec  6 11:12:12  rad-acct-int-update   ->  34:e6:d7:2f:87:be  01:80:c2:00:00:03/cppm1  -    -    

Guru Elite
Posts: 21,480
Registered: ‎03-29-2007

Re: Drops on RAP155-P for wired 802.1x connections

If you enable mac authentication AND  802.1x in the AAA profile, both are required.  You should enable "L2 Authentication Fail Through" in the AAA profile so that only one is required.

 

In your output above, mac authentication is failing and then interim radius accounting is being triggered...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 83
Registered: ‎05-11-2011

Re: Drops on RAP155-P for wired 802.1x connections

I have L2 Authentication Fail Trough enabled and under AAA profile for MAC Authentication I have a the following options enabled: Reauthentication, Reauthentication interval to 60sec and use Server provided provided reauthentication interval which I sent from the CPPM to 3600

Guru Elite
Posts: 21,480
Registered: ‎03-29-2007

Re: Drops on RAP155-P for wired 802.1x connections

Why do you have reauthentication enabled?

 

Just to be clear, you are having "drops" on 802.1x.  Does that mean your 802.1x device is losing connectivity?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 83
Registered: ‎05-11-2011

Re: Drops on RAP155-P for wired 802.1x connections

Reauthentication is enabled to allow the endpoints which are using MAC authenticatio to try again automatically after the set interval to avoid end users to disconnect from the RAP the cable to force an authentication.

802.1x clients are losing connectoivity for 2/3 seconds, MAC endpoints work fine

Guru Elite
Posts: 21,480
Registered: ‎03-29-2007

Re: Drops on RAP155-P for wired 802.1x connections

Ok.

 

How often does the disconnect happen?  Find a single wired 802.1x client and do this:

 

config t
logging level debugging user-debug <mac address of client>

Observe the client until it disconnects and then do this:

show log user-debug 100
show auth-tracebuf mac <mac address of client>

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 83
Registered: ‎05-11-2011

Re: Drops on RAP155-P for wired 802.1x connections

It is very variable, there are days where this is become more than annoying and of course you get disconnted from your session so very distrusctive. I will have a checks logs for my mac address after gets disconnected

Search Airheads
Showing results for 
Search instead for 
Did you mean: