Hi
I saw your other question as well where you are mentioning ClearPass, so I'm assuming this is the same environment. How many ClearPass servers do you have?
For 802.1x to work smoothly, the configuration on the ClearPass server must be correct, and also the configuration of the 802.1x profiles on the clients.
Your ClearPass server certificate, is it a self-signed certificate, issued by an internal CA or an external CA? Are there unique certificates on each ClearPass server or one for all servers?
What clients do you try to connect, and are those clients managed? If so, how? I.e. manually, AD, Intune or another system?
Do you push the same 802.1x profiles to all clients?
Under normal situations with a correct configuration on the clients, they should perform 802.1x and not be forced to do MAC authentication.
Client Timeout can often be a result of missed configuration on the clients.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Sep 30, 2024 04:27 AM
From: KemPetFi
Subject: Clearpass and Aruba OSCX port configuration
Hi!
Aruba docs are basic port configurations.
Windows computers have network cards from many different vendors. Some clients have timeout problems, and when a client starts it does mac-auth first. If a Windows client does mac-auth first, it gets a VLAN that only has access to domain controllers. We are using Aruba OSCX switches.
This might be a network card issue, a driver or a power save problem, but can I do something from the switch side? What kind of port configuration should I have so that this behavior can be solved? Are there some parameters that help?
We have this line in port config
port-access onboarding-method concurrent enable
Is this gonna help, or is the behavior the same? This is no longer in our basic config because we think that this method causes more timeout problems?
Here is our port configuration
interface 1/1/1-1/1/48
    no shutdown
    vlan access 1
    client track ip
    loop-protect
    aaa authentication port-access dot1x authenticator
        cached-reauth
        cached-reauth-period 60
        max-eapol-requests 1
        max-retries 1
        quiet-period 5
        discovery-period 10
        enable
    aaa authentication port-access mac-auth
        reauth
        enable
I hope that you understand what I am trying to find. Now we have taken 802.1x authentication off because clients have problems getting network access smoothly when they start the computer. This is not a problem with all Windows clients.