Wired Intelligent Edge


"clear" or "reset" a port-access role from ClearPass

  • 1.  "clear" or "reset" a port-access role from ClearPass

    Posted May 07, 2022 03:55 PM
    Anyone know how to clear/reset one of these other than rebooting the entire switch?

    We had a large power outage, and various switches had various roles in this state:

    show port-access roles
    Name  : cx_print-1234-2
    Type  : clearpass
    Status: Failed, Server Timed Out

    Once the switch was rebooted it returned to a working state.

    Don Rhodes

  • 2.  RE: "clear" or "reset" a port-access role from ClearPass

    Posted May 09, 2022 04:44 AM

    Is this an ArubaOS-CX switch?

    I would try 2 things.
    There is a command which can trigger a manual reauthentication of a single interface or a range of interfaces.

    switch(config)# port-access reauthenticate interface ?
    IFRANGE Interface identifier range.

    If you trigger a reauthentication of all interfaces after the connection to CPPM was restored, the switch will try to reach the CPPM again and will finish the authentication and download the role.

    Another option: 802.1X and MAC authentication can be enabled and disabled globally.

    switch(config)# aaa authentication port-access mac-auth disable
    switch(config)# aaa authentication port-access mac-auth enable

    Disabling and re-enabling the authentication method should also trigger new authentication on all interfaces.

    Without knowing any details I suspect that the issue is happening because the connection between switch and ClearPass is established with some delay after the switch boots up. The switches start and try to authenticate the end devices before the connection to CPPM can be established and for this reason it fails (server timeout).
    For MAC authentication, for example, the switch will not do periodic reauthentication attempts after a RADIUS timeout if reauthentication is not configured in the role or interface.

    In order to prevent this from happening you could configure a critical role with reauthentication and a very short reauthentication interval. The critical role will be applied only if the switch cannot reach the RADIUS server. With this short reauthentication interval the switch will attempt new authentication and try to reach RADIUS very frequently until authentication is successful and the final role can be applied.

    Emil Gogushev

  • 3.  RE: "clear" or "reset" a port-access role from ClearPass

    Posted May 13, 2022 03:13 PM
    Neither of those resolved the issue. TAC said the only way to clear it is to reboot the switch.

    I have noticed that a few switches have cleared the issue on their own, so I am wondering whether, if it does not get tried, it will time out at some point and then try again when a client comes on that would match. Trying to test it out, but no idea how long of a timer it might have.

    Don Rhodes
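An added example, not from the thread or from Aruba: a small parser for the `show port-access roles` output quoted in the first post, so the "Failed, Server Timed Out" roles can be picked out of collected switch output before triggering the reauthentication described in the second reply. The sample output is constructed; the second role and its "Completed" status wording are assumptions, not verified AOS-CX text.

```python
import re
from typing import Dict, List

# Constructed sample in the format shown in the thread. The first block is the
# one from the post; the second is a made-up healthy role whose "Completed"
# status text is an assumption rather than verified AOS-CX wording.
SAMPLE_OUTPUT = """\
Name  : cx_print-1234-2
Type  : clearpass
Status: Failed, Server Timed Out

Name  : cx_voice-5678-1
Type  : clearpass
Status: Completed
"""

# One "Key : value" line of a role block; whitespace around ':' varies.
FIELD_RE = re.compile(r"^\s*(Name|Type|Status)\s*:\s*(.*?)\s*$")


def parse_port_access_roles(text: str) -> List[Dict[str, str]]:
    """Split 'show port-access roles' output into one dict per role block."""
    roles: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank lines and anything that is not a known field
        key, value = m.group(1).lower(), m.group(2)
        if key == "name" and current:
            roles.append(current)  # a new Name line starts the next block
            current = {}
        current[key] = value
    if current:
        roles.append(current)
    return roles


def failed_roles(text: str) -> List[Dict[str, str]]:
    """Return the roles whose download from ClearPass did not complete."""
    return [r for r in parse_port_access_roles(text)
            if r.get("status", "").lower().startswith("failed")]


if __name__ == "__main__":
    for role in failed_roles(SAMPLE_OUTPUT):
        print(f"{role['name']}: {role['status']}")
```

Feed it the saved output of each switch (for example collected over SSH) and reauthenticate only the switches that report a failed role.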