Wired Intelligent Edge

 View Only
last person joined: yesterday 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.

J9772A intermittent 802.1x NPS port block issues

This thread has been viewed 4 times
  • 1.  J9772A intermittent 802.1x NPS port block issues

    Posted Sep 23, 2022 10:07 AM

    We are having intermittent issues where ports get blocked by 802.1x . This appears on different sites and sites report back to centralised NPS .

    Focussed troubleshooting on one J9772A running YA.16.10.21 and saw the following:

    1) A device experiencing the issue (blocked by AAA), can move to a new port and be ok
    2) If a different device is used on the "bad-blocked" port it is also ok
    3) If the same (original blocked) device is moved back to the port that it was originally blocked on, it is still blocked
    4) Removing 802.1x on a port fixes the issue
    5) aaa port-access authenticator XX initialize (XX is just the port number) fixes the issue
    6) All Radius attempts go through the first off site radius server listed in the running config. The second radius server is not called
    7) Show port-access clients detailed XX shows the device as authenticated (and gives an ip address) even though show log -r will see the device blocked by AAA.

    eg.

    sh log -r | include port 30
    I 08/09/22 10:12:45 00435 ports: port 30 is Blocked by AAA
    I 08/09/22 10:12:33 00077 ports: port 30 is now off-line
    I 08/09/22 09:52:58 00435 ports: port 30 is Blocked by AAA
    I 08/09/22 09:52:45 00077 ports: port 30 is now off-line
    I 08/09/22 09:31:29 00435 ports: port 30 is Blocked by AAA

    NPS server logs were checked and we could see that the blocked device authenticated successfully

    Tried downgrading to YA.16.10.15 issue remains. Totally random across sites but the only resolution we have seen is "aaa port-access authenticator XX initialize"