Hi,
for me it has helped to use the parameter "client-inactivity timeout none"
Be aware:
Konica Minolta devices: okay.
Ricoh devices: not completely okay. They don't support re-auth, or there is an issue. On Re-Auth and Session-Timeout the port is blocked for about 1 minute. The problem has something to do with the TLS encryption. So we disable reauth for Ricoh printers and set session timeout to 24h.
Up to now we have not got a solution from Ricoh.
It can be done with local port-access-roles, like:
port-access role PRINTER
    auth-mode client-mode
    client-inactivity timeout none
    session-timeout 86400
    trust-mode none
    stp-admin-edge-port
    vlan access 2480

! locally assigned port-access role
interface 1/1/37
    no shutdown
    description Printer
    no routing
    vlan access 999
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree tcn-guard
    spanning-tree port-type admin-edge
    aaa authentication port-access client-limit 2
    aaa authentication port-access auth-role PRINTER
    aaa authentication port-access reject-role QUARANTAENE
    ! aaa authentication port-access radius-override enable
    port-access allow-flood-traffic enable
    aaa authentication port-access dot1x authenticator
        eapol-timeout 10
        max-retries 5
        quiet-period 30
        discovery-period 10
        enable
    client track ip update-interval 300
    loop-protect

! parameters by radius or radius assigned port-access role
interface 1/1/37
    no shutdown
    description Printer
    no routing
    vlan access 999
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree tcn-guard
    spanning-tree port-type admin-edge
    aaa authentication port-access client-limit 2
    aaa authentication port-access reject-role QUARANTAENE
    aaa authentication port-access radius-override enable
    port-access allow-flood-traffic enable
    aaa authentication port-access dot1x authenticator
        eapol-timeout 10
        max-retries 5
        quiet-period 30
        discovery-period 10
        enable
    client track ip update-interval 300
    loop-protect
The CPPM (ClearPass Policy Manager) equivalent is idle-timeout = 0 (Type Radius:IETF).
To assign a locally configured port-access role by RADIUS, use Aruba-User-Role = e.g. PRINTER (Type Radius:Aruba).
Using Aruba Downloadable Roles, it is Client Inactivity Timeout = None.
Original Message:
Sent: Oct 26, 2021 02:46 AM
From: Unknown User
Subject: Aruba CX port-access dot1x repeating block/unblock round about every 10 minutes
Hi,
I also had a similar issue with printers and timestamp machines on a 6300CX which are suspected to enter sleep mode after a while. I tweaked some parameters but due to operational pressure had to remove dot1x from the port.
So, please do share the findings and fix from TAC :)
Original Message:
Sent: Oct 25, 2021 05:09 AM
From: Herman Robers
Subject: Aruba CX port-access dot1x repeating block/unblock round about every 10 minutes
It may be best to work with TAC and let them run debug or troubleshooting commands to find out why the switch is de-authorizing the client and run a new authentication as I agree it doesn't look as expected.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Oct 25, 2021 02:23 AM
From: Robert Großmann
Subject: Aruba CX port-access dot1x repeating block/unblock round about every 10 minutes
Hi Herman,
I don't know why, but printers are the only devices where the switchports are protected by dot1x.
Maybe because the RJ45 ports are "public" (floor and not office).
I don't think that it has something to do with sleep mode because it does not happen on the old switch.
Also I had copied something and then scanned something, so that the multi-function-printer (Konica Minolta) was powered on.
Kind Regards
Robert
------------------------------
Robert Großmann
Original Message:
Sent: Oct 22, 2021 11:03 AM
From: Herman Robers
Subject: Aruba CX port-access dot1x repeating block/unblock round about every 10 minutes
I see these are printers? Could it be that after 10 minutes your printer goes in 'sleep mode', or 'energy efficient' mode which may put the interface from gigabit to 100Mbps or so?
Do you see this just with printers? Or also with other devices?
------------------------------
Herman Robers
Original Message:
Sent: Oct 22, 2021 05:24 AM
From: Robert Großmann
Subject: Aruba CX port-access dot1x repeating block/unblock round about every 10 minutes
Looking at the clearpass site, it does look weird, too. Recurring timeout and accept...:

------------------------------
Robert Großmann
Original Message:
Sent: Oct 21, 2021 08:39 AM
From: Robert Großmann
Subject: Aruba CX port-access dot1x repeating block/unblock round about every 10 minutes
Hi Guys,
after replacing some old Aruba-OS Client Access Switches (2810, 2530 etc.) with the new Aruba-CX Client Access Switches (6200F) we do have some trouble with our printers.
The printers do have a self-signed certificate and port-access is granted by dot1x with Aruba ClearPass.
In principle it does work. But...:
The log shows repeating port block and unblock in 10-minutes interval:
2021-10-21T12:16:30.145560+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/38 is unblocked by port-access
2021-10-21T12:16:30.135554+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/40 is unblocked by port-access
2021-10-21T12:16:30.129388+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/37 is unblocked by port-access
2021-10-21T12:16:29.945933+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/38 is blocked by port-access
2021-10-21T12:16:29.933452+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/40 is blocked by port-access
2021-10-21T12:16:29.907307+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/37 is blocked by port-access
2021-10-21T12:06:30.310630+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/38 is unblocked by port-access
2021-10-21T12:06:30.113784+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/38 is blocked by port-access
2021-10-21T12:05:30.191547+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/40 is unblocked by port-access
2021-10-21T12:05:30.090960+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/40 is blocked by port-access
2021-10-21T11:54:30.042322+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/37 is unblocked by port-access
2021-10-21T11:54:29.916321+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/40 is unblocked by port-access
2021-10-21T11:54:29.904589+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/38 is unblocked by port-access
2021-10-21T11:54:29.776992+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/37 is blocked by port-access
2021-10-21T11:54:29.720679+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/40 is blocked by port-access
2021-10-21T11:54:29.716880+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/38 is blocked by port-access
2021-10-21T11:45:00.024908+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/38 is unblocked by port-access
2021-10-21T11:44:59.937057+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/38 is blocked by port-access
2021-10-21T11:44:30.174179+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/40 is unblocked by port-access
2021-10-21T11:44:30.132218+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/37 is unblocked by port-access
2021-10-21T11:44:30.128373+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/37 is unblocked by port-access
2021-10-21T11:44:29.962611+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/40 is blocked by port-access
2021-10-21T11:44:29.952958+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/37 is blocked by port-access
2021-10-21T11:44:29.912622+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/37 is blocked by port-access
2021-10-21T11:35:29.734719+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/37 is unblocked by port-access
2021-10-21T11:35:29.647509+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/37 is blocked by port-access
2021-10-21T11:34:59.723785+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/38 is unblocked by port-access
2021-10-21T11:34:59.621648+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/38 is blocked by port-access
2021-10-21T11:34:30.247033+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/37 is unblocked by port-access
2021-10-21T11:34:30.235149+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 2/1/40 is unblocked by port-access
2021-10-21T11:34:30.110471+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/37 is blocked by port-access
2021-10-21T11:34:30.107721+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 2/1/40 is blocked by port-access
Some employees have reported problems with printing and scanning (scan to e-mail).
Today I had the same problem. I tried to scan-to-mail something but without success. Some minutes later I tried again, and then it worked.
Watching the switch logs, there was an entry for the time I tried to scan at first (11:54).
The time between blocking and unblocking is less than a second, but the printer log says that three attempts to reach the mail server were not successful.
My question is... why is there a repeating blocking and unblocking by port-access round about every 10 minutes? And how can I stop it?
Not sure if the scanning problem really comes from the port-access, but because of the time relation I would guess so.
Configuration Output:
New AOS-CX:
!
aaa group server radius EWR
aaa authentication port-access dot1x authenticator
!
interface 1/1/37
    no shutdown
    description Printer
    vlan access 2480
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree tcn-guard
    spanning-tree port-type admin-edge
    aaa authentication port-access dot1x authenticator
        cached-reauth
        eapol-timeout 20
        max-retries 5
        quiet-period 30
        enable
    loop-protect
    exit
!

Old AOS-S:
!
aaa authentication port-access eap-radius
!
aaa port-access authenticator 23
!
aaa port-access authenticator 23 quiet-period 30
aaa port-access authenticator 23 tx-period 10
aaa port-access authenticator 23 supplicant-timeout 8
aaa port-access authenticator 23 server-timeout 20
aaa port-access authenticator 23 max-requests 5
aaa port-access authenticator 23 client-limit 1
!
aaa port-access 23 controlled-direction in
!
The port-access statistics show session duration much longer than the 10-minutes-interval:
Session Time : 6148s = 102 minutes
Reauthentication Period : 10800 secs = 180 minutes = 3 hours
vsf-vw-2og-01# sh port-access clients detail

Port Access Client Status Details:

Client 00:20:6b:b4:7f:60, dot1x-drucker
============================
  Session Details
  ---------------
    Port         : 1/1/37
    Session Time : 6148s
    IPv4 Address :
    IPv6 Address :

  VLAN Details
  ------------
    VLAN Group Name :
    VLANs Assigned  : 2480
    Access          : 2480
    Native Untagged :
    Allowed Trunk   :

  Authentication Details
  ----------------------
    Status          : dot1x Authenticated
    Auth Precedence : dot1x - Authenticated, mac-auth - Not attempted
    Auth History    : dot1x - Authenticated, 6148s ago

  Authorization Details
  ----------------------
    Role   : RADIUS_3820372328
    Status : Applied

Role Information:

Name : RADIUS_3820372328
Type : radius
----------------------------------------------
    Reauthentication Period        : 10800 secs
    Cached Reauthentication Period :
    Authentication Mode            :
    Session Timeout                :
    Client Inactivity Timeout      :
    Description                    :
    Gateway Zone                   :
    UBT Gateway Role               :
    UBT Gateway Clearpass Role     :
    Access VLAN                    : 2480
    Native VLAN                    :
    Allowed Trunk VLANs            :
    Access VLAN Name               :
    Native VLAN Name               :
    Allowed Trunk VLAN Names       :
    VLAN Group Name                :
    MTU                            :
    QOS Trust Mode                 :
    STP Administrative Edge Port   :
    PoE Priority                   :
    Captive Portal Profile         :
    Policy                         :
Thanks and Kind Regards
Robert
------------------------------
Robert Großmann
------------------------------
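
Added example, not part of the original thread: a small Python parser for the port-accessd block/unblock events (10502/10503) in the log format posted above, reporting per port how often the port is blocked and how long each block lasts. The function names, the `min_cycles` threshold and the two lines for port 1/1/1 are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Port 1/1/37 lines are copied from the log in the post; the 1/1/1 pair is constructed.
SAMPLE_LOG = """\
2021-10-21T12:16:30.129388+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/37 is unblocked by port-access
2021-10-21T12:16:29.907307+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/37 is blocked by port-access
2021-10-21T11:54:30.042322+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/37 is unblocked by port-access
2021-10-21T11:54:29.776992+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/37 is blocked by port-access
2021-10-21T11:44:30.128373+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/37 is unblocked by port-access
2021-10-21T11:44:29.912622+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/37 is blocked by port-access
2021-10-21T11:40:00.100000+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/1 is unblocked by port-access
2021-10-21T11:40:00.000000+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/1 is blocked by port-access
2021-10-21T11:35:29.734719+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/37 is unblocked by port-access
2021-10-21T11:35:29.647509+02:00 vsf-vw-2og-01 port-accessd[3619]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/37 is blocked by port-access
"""

EVENT = re.compile(
    r"^(?P<ts>\S+) \S+ port-accessd\[\d+\]: Event\|(?P<id>10502|10503)\|"
    r".*\|Port (?P<port>\S+) is (?:un)?blocked by port-access$"
)

def parse(log):
    """Return {port: [(timestamp, is_block), ...]}, oldest event first."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = EVENT.match(line.strip())
        if m:  # event 10502 = blocked, 10503 = unblocked
            events[m["port"]].append((datetime.fromisoformat(m["ts"]), m["id"] == "10502"))
    return {port: sorted(evs) for port, evs in events.items()}

def flap_report(log, min_cycles=3):
    """Per port with >= min_cycles blocks: block count, median gap, longest block."""
    report = {}
    for port, evs in parse(log).items():
        blocks = [t for t, is_block in evs if is_block]
        if len(blocks) < min_cycles:
            continue  # a single re-auth is not a recurring flap
        gaps = [(b - a).total_seconds() for a, b in zip(blocks, blocks[1:])]
        outages = [(t2 - t1).total_seconds()
                   for (t1, b1), (t2, b2) in zip(evs, evs[1:]) if b1 and not b2]
        report[port] = {"cycles": len(blocks), "median_interval_s": round(median(gaps)),
                        "max_outage_s": round(max(outages), 3)}
    return report

if __name__ == "__main__":
    print(flap_report(SAMPLE_LOG))
```

A median interval that matches a configured timer (for example a client inactivity or session timeout) points at that timer rather than at the client; the outage value shows how long traffic was actually interrupted on each cycle.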