Security

 View Only
last person joined: 3 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Client Reconnects / disconnects every 60sec after Update

This thread has been viewed 42 times
  • 1.  Client Reconnects / disconnects every 60sec after Update

    Posted Jan 04, 2022 07:54 AM
    Hi,

    last week i updated Clearpass from 6.9.4 to 6.9.8.

    - single server no cluster
    - windows 10 clients
    - MAC and AAA authentication on ports 
    - Aruba 2920 and 2930F switches

    Now i see some clients getting disconnected and reconneting every 60 seconds.

    01/04/22 13:22:37 00898 ports: RADIUS(37) has disabled port 7 for 12 seconds
    0070:07:03:38.84 1X m8021xCtrl:Port 7: connection terminated.
    0070:07:03:38.84 1X m8021xCtrl:Port 7: stopping Acct session for client
    10e7c6-b39995, user host/b20185058.xxxxxxx.local termination code is 7.
    0070:07:03:38.84 1X m8021xCtrl:Port 7: removed client 10e7c6-b39995 from all
    VLANs.
    0070:07:03:38.84 1X m8021xCtrl:Port 7: Deleted Client 10e7c6-b39995User
    host/b20185058.xxxxxxxx.local from Client-List
    I 01/04/22 13:22:37 00077 ports: port 7 is now off-line
    I 01/04/22 13:22:37 05746 DFP: device_fingerPrinting: policy fingerprint removed
    from port 7
    0070:07:03:41.87 1X m8021xCtrl:Port 3: sent ReqId #173 to 0180c2-000003.


    I didn't change config - any suggestions?

    ------------------------------
    Tobias Schnurr
    ------------------------------


  • 2.  RE: Client Reconnects / disconnects every 60sec after Update

    Posted Jan 04, 2022 07:56 AM
    Clearpass is logging:

    2022-01-04 13:30:56,504 [Th 36 Req 83209 SessId R00000c1c-01-61d43e00] INFO RadiusServer.Radius - rlm_service: The request has Service-State attribute but it is not in the tree
    2022-01-04 13:30:56,505 [Th 36 Req 83209 SessId R00000c1c-01-61d43e00] INFO RadiusServer.Radius - Request processing time = 61 ms
    2022-01-04 13:31:37,480 [RequestHandler-1-0x7f4db9df1700 r=R00000c1c-01-61d43e00 h=69307] ERROR Core.MacAuthSessionQueryEventHandler - Failed to get MacAuth session info for 10e7c6b39995


    ------------------------------
    Tobias Schnurr
    ------------------------------



  • 3.  RE: Client Reconnects / disconnects every 60sec after Update

    EMPLOYEE
    Posted Jan 04, 2022 08:25 AM
    Did you try removing the mac authentication temporarily?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 4.  RE: Client Reconnects / disconnects every 60sec after Update

    Posted Jan 04, 2022 08:36 AM
    Yes - it didn't make a change.

    ------------------------------
    Tobias Schnurr
    ------------------------------



  • 5.  RE: Client Reconnects / disconnects every 60sec after Update

    EMPLOYEE
    Posted Jan 04, 2022 11:51 AM
    This does not make sense to me. Do you have profiling enabled with CoA? Do you see CoA in your Access Tracker entries?
    It would make sense to have an interactive look into ClearPass and your switch, and Aruba TAC may be the best option for that.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Client Reconnects / disconnects every 60sec after Update

    Posted Jan 05, 2022 04:53 AM
    Yes I do have profiling enabled with CoA an i can see in access tracker logs that a port bounces has been triggert every 60 sec.

    Radius [ArubaOS Switching - Bounce Switch Port] successful for client xxxxxxxx2413

    But why since the update from 6.9.4 to 6.9.8?
    Sometimes a client is "bouncing" 10-20 times every 60sec.

    In the authentication services profiling is set to "Any Category / OS Family / Name"
    Profiling is enabled in MAC Authentication an 802.1x Wired Authenticaction Service



    ------------------------------
    Tobias Schnurr
    ------------------------------



  • 7.  RE: Client Reconnects / disconnects every 60sec after Update

    EMPLOYEE
    Posted Jan 05, 2022 08:34 AM
    Do you have any indication that the client is changing profiling? Or maybe is using periodically changing randomized MAC addresses?

    With that setting (Any Category), ClearPass will do a CoA (Port bounce apparently), whenever the device classification changes. I think that you should see more detailed information in the PolicyManagerLogs/ivconnector/netevents/deviceprofiler/netevents.log file that you can get from a 'Collect Logs' under the Server Manager.

    With this knowledge, if you can't find what's happening yourself, it would be good to have a look together with Aruba Support.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: Client Reconnects / disconnects every 60sec after Update

    Posted Jan 05, 2022 10:00 AM
    Ideally, with profiling enabled on the service, Clearpass is supposed to trigger a CoA only if the profiled status of the endpoint changes from No to Yes - meaning - only newly profiled devices will have to go through a re-authentication. 

    If you are sure that nothing has changed in terms of the configuration, raise a TAC ticket please.

    Regards,
    Thiyagi

    ------------------------------
    Thiyagarajan Palanisamy
    ------------------------------