I would 'hunt down' that client. What may be happening is that the client is failing 802.1X authentication (or not getting the required access) and bouncing the port after that to start over. Or it is booting, failing authentication, rebooting. Like the others, I would expect the port to go down from the client side.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Oct 19, 2021 02:14 AM
From: Lex Krijnen
Subject: ClearPass - MAC re-authentication interval
Hi ProbeRequest,
It is unknown to me what kind of client is trying to connect (my guess is a laptop of a guest), but it seems to be happening with one system only.
The switch model I'm using is a Dell N2048 (N-Series). I've configured the following interface configuration:
Dell N2048#show running-config interface gigabitethernet 1/0/10
description "NAC ENABLED"
spanning-tree portfast
switchport mode general
authentication host-mode multi-auth
authentication event fail action authorize vlan <FALLBACK VLAN>
authentication event no-response action authorize vlan <FALLBACK VLAN>
authentication event server dead action authorize vlan <FALLBACK VLAN>
authentication event server alive action reinitialize
authentication periodic
dot1x timeout tx-period 5
dot1x max-reauth-req 3
dot1x max-req 3
mab
authentication order dot1x mab
authentication priority dot1x mab
The Dot1x configuration explains the +/- 25 seconds re-authentication interval, but I can't place why the re-authentication is happening in the first place.
As described, the RADIUS Response 'Radius:IETF:Session-Timeout : 10800' should only force a re-authentication after 3 hours. This works well for other MAC authenticated devices, like printers and VoIP phones. Any guesses on what's going wrong?
------------------------------
Lex
Original Message:
Sent: Oct 18, 2021 11:15 PM
From: Matthew Sutherland
Subject: ClearPass - MAC re-authentication interval
Hi Lex,
This sounds like it would either be a client specific or switch related event. Is this occurring for multiple clients of the same kind (or just one), and what kind of device is it? What is the switch make and model?
Thanks
Original Message:
Sent: Oct 18, 2021 07:32 AM
From: Lex Krijnen
Subject: ClearPass - MAC re-authentication interval
Hi all,
I'm experiencing a strange issue where, for 'guest' clients connected to our wired network via a NAC-enabled port, an unnecessary re-authentication happens every 25 seconds. I've set up ClearPass to authenticate all wired clients and allow guests by pushing unknown clients to an 'internet-only' vlan.
The unknown client gets pushed to the 'internet-only' vlan successfully, and ClearPass sends the Radius:IETF:Session-Timeout : 10800 (3 hours). Despite the session timeout, the client re-authenticates every +/- 25 seconds:
The +/- 25 seconds corresponds with the port configuration of the access switches. But when a printer (for instance) is authenticating using the same service and port, no re-authentication is happening.
My question is: What is triggering the re-authentication every 25 seconds and how do I prevent this from happening?
------------------------------
Lex
------------------------------
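One way to hunt down such a client from authentication records, as an added example that is not part of the original thread: the script flags any MAC that re-authenticates far sooner than the Session-Timeout it was given. The CSV layout, MAC addresses, port names and the `find_early_reauth` helper are assumptions made for illustration, not a ClearPass export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: time, client MAC, switch port, Session-Timeout returned (s).
SAMPLE_LOG = """\
2021-10-18 07:00:00,aa-bb-cc-00-00-01,Gi1/0/10,10800
2021-10-18 07:00:25,aa-bb-cc-00-00-01,Gi1/0/10,10800
2021-10-18 07:00:51,aa-bb-cc-00-00-01,Gi1/0/10,10800
2021-10-18 07:01:15,aa-bb-cc-00-00-01,Gi1/0/10,10800
2021-10-18 07:00:05,aa-bb-cc-00-00-02,Gi1/0/11,10800
2021-10-18 10:00:05,aa-bb-cc-00-00-02,Gi1/0/11,10800
"""

def find_early_reauth(log_text, min_events=3, ratio=0.5):
    """Return {mac: summary} for clients whose typical gap between
    authentications is below ratio * Session-Timeout."""
    events = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, mac, port, timeout = row
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        events[mac.lower()].append((when, port, int(timeout)))

    flagged = {}
    for mac, rows in events.items():
        if len(rows) < min_events:
            continue  # too few samples to call it a loop
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        timeout = rows[-1][2]
        typical = median(gaps)
        if typical < ratio * timeout:
            flagged[mac] = {"port": rows[-1][1], "auths": len(rows),
                            "median_gap_s": typical,
                            "session_timeout_s": timeout}
    return flagged

if __name__ == "__main__":
    for mac, info in find_early_reauth(SAMPLE_LOG).items():
        print(mac, info)
```

A median gap that matches the switch's dot1x timers rather than the RADIUS Session-Timeout points at the port or client restarting authentication, not at the policy server.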