Security

Hello,

I have a doubt about clients authenticated through 802.1x or MAB connected to an ArubaOS switch. If I don't have any secondary method of authentication configured. I don't have any reauthentication timer enabled or cached-reauth enabled, if I check one of my clients authentication details, I have "0" vault inside reauth period and cached reauth period; I understand that by default, if no reauth-timer is enabled, the reauthentication will be made after 86400 seconds, am I right? 

In this scenario, what would happen if  radius servers became unreachable, all clients will be dropped/unauthorized immediately? I was thinking about enable cached-reauth as second authentication option, but I have some doubts about differences between "authorized" and "cached-reauth" modes (I have another post opened about this).

Thanks in advance

------------------------------
tech_sec
------------------------------

As far as I know, having the reauthentication timer, or Session-Timeout (RADIUS Attribute) set to 0, there is no reauthentication. Clients are authorized till they are disconnected. For better security, I typically do set a re-authentication timer.

First of all, I think when network authentication is deployed, you must make sure that the service is always available. If your firewall fails, I don't think you fallback to an open router to the internet, you make sure it works with redundancy and other availability measures.

Then, when ClearPass service is lost (read the previous phrase why it shouldn't) connected clients will remain connected. During a re-authentication, which on Wireless may even be a roaming event, the authentication will fail/timeout and what happens then depends on the authentication method (MAB or 802.1X) and medium (Wired Ethernet or WLAN). For WLAN, and if the client is configured to require a successful 802.1X session (Do not fallback to unauthorized access, on Windows), the client will not be able to connect. The settings are a security consideration, and form a balance between high and no security versus what happens in case of service interruption.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jun 09, 2021 04:23 AM
From: Abraham Lopez
Subject: Clients behavior once Radius server is unreachable

Hello,

I have a doubt about clients authenticated through 802.1x or MAB connected to an ArubaOS switch. If I don't have any secondary method of authentication configured. I don't have any reauthentication timer enabled or cached-reauth enabled, if I check one of my clients authentication details, I have "0" vault inside reauth period and cached reauth period; I understand that by default, if no reauth-timer is enabled, the reauthentication will be made after 86400 seconds, am I right? 

In this scenario, what would happen if  radius servers became unreachable, all clients will be dropped/unauthorized immediately? I was thinking about enable cached-reauth as second authentication option, but I have some doubts about differences between "authorized" and "cached-reauth" modes (I have another post opened about this).

Thanks in advance

------------------------------
tech_sec
------------------------------