Security Camera Drop Out When AOS-Switch Dynamic VLAN Segmentation

  • 1.  Security Camera Drop Out When AOS-Switch Dynamic VLAN Segmentation

    Posted Jan 13, 2022 03:59 PM
    ClearPass version 6.9.7, Switch: AOS-CX 6300 version 10.06.0011 with dynamic VLAN segmentation.
    We have no problem at the home campus, but we do at the remote site where traffic is tunneled. There are four types of MAC-Auth devices at the remote site: IP phone, printer, Aruba AP and security camera. CPPM profiled these devices and assigned roles and VLANs to them correctly.
    There is no problem with the phone, AP, and printer, but all security cameras drop out 5 minutes after getting the correct role and VLAN. These cameras do not come back until the switchport bounces. The Endpoint shows the cache expires in 5 minutes, and that time seems to match the drop.
    "show port-access client" does not show these cameras when they drop.
    "show mac-address port xxx" does not register the MAC address of the camera.
    CPPM Access Tracker shows no reject or any event of the camera trying to re-authenticate.

    Event log when camera connects gets a VLAN and role:
    2022-01-11T15:48:34.985937-06:00 MY-SW port-accessd[3511]: Event|10503|LOG_INFO|MSTR|1|Port 1/1/40 is unblocked by port-access
    2022-01-11T15:48:34.972945-06:00 MY-SW ops-switchd[732]: Event|2108|LOG_INFO|MSTR|1|Created Mac based VLAN entry. VLAN 500 is mapped to client e4:30:22:xx:xx:xx on port 1/1/40
    2022-01-11T15:48:34.241574-06:00 MY-SW port-accessd[3511]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/40 is blocked by port-access

    Event log after 5 minutes:
    2022-01-11T15:53:39.347613-06:00 MY-SW ops-switchd[732]: Event|2110|LOG_INFO|MSTR|1|Deleted Mac based VLAN entry for e4:30:22:xx:xx:xx with VLAN 500 on port 1/1/40
    2022-01-11T15:53:39.334512-06:00 MY-SW port-accessd[3511]: Event|10502|LOG_INFO|MSTR|1|Port 1/1/40 is blocked by port-access

    [Screenshots: Endpoint Policy Cache; Policy]
    Ideas? Suggestions?
    Thanks,

    ------------------------------
    Trinh Nguyen
    ------------------------------
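Added example, not from the original post: a small Python correlator that pairs the ops-switchd "Created"/"Deleted Mac based VLAN entry" events (2108/2110) quoted above per MAC and port, computes how long each entry lived, and flags lifetimes close to the 300-second inactivity/logoff window discussed later in the thread. The log lines are constructed to mirror the post (MAC anonymised as there); the 300 s and 15 s values are assumptions, not switch defaults read from the page.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the post's events; pasted newest-first, as in the thread.
SAMPLE_LOG = """\
2022-01-11T15:53:39.347613-06:00 MY-SW ops-switchd[732]: Event|2110|LOG_INFO|MSTR|1|Deleted Mac based VLAN entry for e4:30:22:xx:xx:xx with VLAN 500 on port 1/1/40
2022-01-11T15:48:34.972945-06:00 MY-SW ops-switchd[732]: Event|2108|LOG_INFO|MSTR|1|Created Mac based VLAN entry. VLAN 500 is mapped to client e4:30:22:xx:xx:xx on port 1/1/40
2022-01-11T15:48:30.100000-06:00 MY-SW ops-switchd[732]: Event|2108|LOG_INFO|MSTR|1|Created Mac based VLAN entry. VLAN 200 is mapped to client 00:11:22:33:44:55 on port 1/1/41
"""

# Event 2108: MAC-based VLAN entry created; event 2110: entry deleted (both from ops-switchd).
CREATED = re.compile(
    r"^(?P<ts>\S+) \S+ ops-switchd\[\d+\]: Event\|2108\|.*"
    r"VLAN (?P<vlan>\d+) is mapped to client (?P<mac>\S+) on port (?P<port>\S+)$")
DELETED = re.compile(
    r"^(?P<ts>\S+) \S+ ops-switchd\[\d+\]: Event\|2110\|.*"
    r"entry for (?P<mac>\S+) with VLAN (?P<vlan>\d+) on port (?P<port>\S+)$")


def entry_lifetimes(log_text):
    """Return ({(mac, port): seconds the VLAN entry lived}, {(mac, port) still present}).

    Lines may arrive in any order (the syslog paste above is newest-first), so the
    events are sorted by timestamp before creation/deletion pairs are matched.
    """
    events = []
    for line in log_text.splitlines():
        for kind, rx in (("created", CREATED), ("deleted", DELETED)):
            m = rx.match(line.strip())
            if m:
                events.append((datetime.fromisoformat(m["ts"]), kind, m["mac"], m["port"]))
    events.sort(key=lambda e: e[0])
    open_since, lifetimes = {}, {}
    for ts, kind, mac, port in events:
        key = (mac, port)
        if kind == "created":
            open_since[key] = ts
        elif key in open_since:  # deletion without a seen creation is ignored
            lifetimes[key] = (ts - open_since.pop(key)).total_seconds()
    return lifetimes, set(open_since)


def suspect_inactivity_logoffs(log_text, expected=300.0, tolerance=15.0):
    """Entries whose lifetime sits within `tolerance` seconds of the assumed 300 s
    inactivity/logoff timer; candidates for the client-inactivity timeout fix."""
    lifetimes, _ = entry_lifetimes(log_text)
    return {k: v for k, v in lifetimes.items() if abs(v - expected) <= tolerance}
```

Feed it `show logging` output (or the syslog export) from the affected switch; clients that appear here but never show up in CPPM Access Tracker are the ones being dropped by the switch rather than rejected by ClearPass.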


  • 2.  RE: Security Camera Drop Out When AOS-Switch Dynamic VLAN Segmentation

    EMPLOYEE
    Posted Jan 14, 2022 02:22 AM
    Hello, 

    This document describes a very similar symptom with MAC authentication and end devices which normally don't talk actively on the network and only respond when someone sends a packet to them. If you think that your cameras may behave the same way maybe you can try the suggested options here - MAC pinning and controlled-direction in.

    https://community.arubanetworks.com/blogs/esupport1/2019/06/04/mac-authentication-for-printers-and-other-headless-devices

    ------------------------------
    Emil Gogushev
    ------------------------------



  • 3.  RE: Security Camera Drop Out When AOS-Switch Dynamic VLAN Segmentation

    Posted Jan 18, 2022 08:55 AM
    Thanks for your response. I got confirmation from the Security team that the cameras are streaming video constantly, so they are always online. I do see the behavior of the printer as described in the document; the printer re-auths with no issues.
    Regards,

    ------------------------------
    Trinh Nguyen
    ------------------------------



  • 4.  RE: Security Camera Drop Out When AOS-Switch Dynamic VLAN Segmentation

    EMPLOYEE
    Posted Jan 19, 2022 03:51 AM
    Hello, 

    It is strange if the cameras are indeed streaming constantly. I am not familiar with the basic working principle of the cameras, but I see on the internet that some battery-powered cameras can use the network only when motion is detected (motion-triggered cameras) and be idle when there is no motion. Of course your security team should know them better.

    Anyway, the symptom you describe looks pretty much like the switch is enforcing the logoff period of 300 seconds. The mac-pin command will effectively disable the logoff period.
    I would at least test on one port whether both commands, or either of them separately, make any difference or not. I cannot think of any negative impact they could have. This would be a very fast and easy test, and if it works it could save you a lot of troubleshooting time.

    Of course, if anyone has other suspects or ideas, feel free to share them!

    ------------------------------
    Emil Gogushev
    ------------------------------



  • 5.  RE: Security Camera Drop Out When AOS-Switch Dynamic VLAN Segmentation
    Best Answer

    Posted Jan 19, 2022 04:13 AM

    Setting the below under the Role worked for us on a similar issue.

    client-inactivity timeout none 



    ------------------------------
    Paul Reddy
    ------------------------------



  • 6.  RE: Security Camera Drop Out When AOS-Switch Dynamic VLAN Segmentation

    Posted Jan 19, 2022 11:57 AM

    There is no mac-pinning in AOS-CX, but adding "client-inactivity timeout none" to the camera role works for me. I also have a different security device that keeps re-authenticating every minute. It works but floods ClearPass with authentications. Adding this command also helped.
    Thanks,


    ------------------------------
    Trinh Nguyen
    ------------------------------



  • 7.  RE: Security Camera Drop Out When AOS-Switch Dynamic VLAN Segmentation

    Posted Jan 28, 2022 02:40 PM
    Does anyone know the equivalent of the AOS-CX "client-inactivity timeout none" command for an Aruba 2930F switch?
    Thanks,

    ------------------------------
    Trinh Nguyen
    ------------------------------