  • 1.  Clearpass and Aruba OSCX port configuration

    Posted Sep 30, 2024 04:27 AM

    Hi!

    The Aruba docs have basic port configurations.

    Windows computers have network cards from many different vendors. Some clients have timeout problems, and when a client starts it does mac-auth first. If a Windows client does mac-auth first, it gets a VLAN that only has access to the domain controllers. We are using Aruba OSCX switches.

    This might be a network card issue, a driver or a power save problem, but can I do something from the switch side? What kind of port configuration should I have so that this behavior can be solved? Are there some parameters that help?

    We have this line in the port config:

    port-access onboarding-method concurrent enable

    Is this going to help, or is the behavior the same? This is not in our basic config anymore because we think that this method causes more timeout problems?

    Here is our port configuration

    interface 1/1/1-1/1/48
        no shutdown
        vlan access 1
        client track ip
        loop-protect
        aaa authentication port-access dot1x authenticator
            cached-reauth
            cached-reauth-period 60
            max-eapol-requests 1
            max-retries 1
            quiet-period 5
            discovery-period 10
            enable
        aaa authentication port-access mac-auth
            reauth
            enable

    I hope that you understand what I am trying to find. Now we have taken 802.1X authentication off because clients have problems getting network access smoothly when they start the computer. This is not a problem with all Windows clients.



  • 2.  RE: Clearpass and Aruba OSCX port configuration

    Posted Sep 30, 2024 08:24 AM

    Hi

    I saw your other question as well where you are mentioning ClearPass, so I'm assuming this is the same environment. How many ClearPass servers do you have?

    For 802.1x to work smoothly the configuration on the ClearPass server must be correct and also the configuration of the 802.1x profiles on the clients.

    Your ClearPass server certificate, is it a self-signed certificate, issued by an internal CA or an external CA? Is it a unique certificate on each ClearPass server or one for all servers?

    What clients do you try to connect, and are those clients managed? If so, how, i.e. manually, AD, Intune or another system?

    Do you push the same 802.1x profiles to all clients?

    Under normal situations, with a correct configuration on the clients, they should perform 802.1x and not be forced to do MAC authentication.

    Client Timeout can often be a result of missed configuration on the clients.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass and Aruba OSCX port configuration

    Posted Sep 30, 2024 11:01 AM

    Sounds like a driver/GPO/endpoint issue to me.  IIRC the concurrent enable configuration starts a MAB and 802.1X at the same time.  Personally I would caution against using this.  802.1X should take priority and be attempted first.