last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass - MAC re-authentication interval

This thread has been viewed 31 times
  • 1.  ClearPass - MAC re-authentication interval

    Posted Oct 18, 2021 07:32 AM
    Hi all,

    I'm experiencing a strange issue where as connected 'guest' clients to our wired network via a NAC-enabled port, a unnecessary re-authentication happens every 25 seconds. I've setup ClearPass to authenticate all wired clients and allow guests by pushing unknown clients to a 'internet-only' vlan. 

    The unknown client gets pushed to the 'internet-only' vlan succesfully, and ClearPass sends the Radius:IETF:Session-Timeout : 10800 (3 hours). Despite the session timeout, the client re-authenticates every +/- 25 seconds: 

    The +/- 25 seconds is corresponding with the port-configuration of the access switches. But when a printer (for instance) is authentication using the same service and port, no re-authentication is happening. 

    My question is: What is triggering the re-authentication every 25 seconds and how do I prevent this from happening?


  • 2.  RE: ClearPass - MAC re-authentication interval

    Posted Oct 18, 2021 11:16 PM
    Hi Lex,

    This sounds like it would either be a client specific or switch related event. Is the client this is occurring for multiples of the same kind of client (or just one), and what kind of device is it? What is the switch make and model?


  • 3.  RE: ClearPass - MAC re-authentication interval

    Posted Oct 19, 2021 02:14 AM
    Hi ProbeRequest,

    It is unknown to me what kind of client is trying to connect (my guess is a laptop of a guest), but it seems to be happening with one system only. 
    The switch-model i'm using is a Dell N2048 (N-Series). I've configured the following interface configuration: 

    Dell N2048#show running-config interface gigabitethernet 1/0/10
    description "NAC ENABLED"
    spanning-tree portfast
    switchport mode general
    authentication host-mode multi-auth
    authentication event fail action authorize vlan <FALLBACK VLAN>
    authentication event no-response action authorize vlan <FALLBACK VLAN>
    authentication event server dead action authorize vlan <FALLBACK VLAN>
    authentication event server alive action reinitialize
    authentication periodic
    dot1x timeout tx-period 5
    dot1x max-reauth-req 3
    dot1x max-req 3
    authentication order dot1x mab
    authentication priority dot1x mab

    The Dot1x configuration explains the +/- 25 seconds re-authentication interval, but I can't place why the re-authentication is happening in the first place.
    Like described, the RADIUS Response 'Radius:IETF:Session-Timeout : 10800' should only force a re-authentication after 3 hours. This works well for other MAC authenticated devices, like printers and VoIP phones. Any guesses on whats going wrong? 


  • 4.  RE: ClearPass - MAC re-authentication interval

    Posted Oct 20, 2021 07:58 AM
    I would 'hunt down' that client. What may be happening is that the client is failing 802.1X authentication (or not getting the required access) and bouncing the port after that to start over. Or it is booting, failing authentication, rebooting. As others, I would expect the port to go down from the client side.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

  • 5.  RE: ClearPass - MAC re-authentication interval

    Posted Oct 19, 2021 04:08 AM
    If its in wired connection, Maybe a bad infrastructure cause this.

    Shmulik Mazor

  • 6.  RE: ClearPass - MAC re-authentication interval

    Posted Oct 19, 2021 07:14 AM
    It would definitely be worth just checking the logs of the switch to see if the link is going down on that port. 

    Some client devices 'sleep' for short periods and then come back online. This may essentially look like the client is going away and returning or even as much as dropping bouncing the link on the switch port which would give some suggestion as to why the new authentication comes through.

    You mention a printer works ok on that same port and service. Just to clarify the printer is also using MAC Auth and not 802.1X in this case?

    The reauthentication period defined in your radius response is a suggestion and may not necessarily be utilised by the switch. Double check the switch documentation to be sure that Session-Timeout value is accepted. I took a quick look at the N2000 user guide and can see that session-timeout is a supported radius attribute for 802.1X - it didn't specifically say it was for MAC auth bypass but hopefully that is the case.

    From my brief read I could not find any indication of 25 second timers (there is a default 30 second authentication restart interval - but a successful auth would likely override the need for this).