Security


Clearpass authorisation flipping off and on

  • 1.  Clearpass authorisation flipping off and on

    Posted 22 days ago

    Hi there.  We have a large industrial site with Clearpass handling authentication and automatic VLAN selection for each area.  We have the system check for 802.1x details and it checks those against our domain controller machine list.  A GPO pushes out the certificates and makes sure the 802.1x service is on by default on our machines.  If the check is passed the machine is assigned the local data VLAN for that area.  The fail-through rule for this is a MAC address check.  The system checks against a host list which has our printers, access control devices, etc and if on the list they are also assigned the local data VLAN.  Ultimate fail-through puts anything that fails these tests into a separate visitors VLAN which can't access any corporate stuff and is basically straight to internet.

    I was called out on a Friday evening because one of our areas could not access systems and servers.  A quick check showed that everyone regardless of machine type was failing through to the visitor VLAN.  I was forced to remove aaa authentication from the switches in that area to restore service.  I'm now looking at troubleshooting and I can't find anything obviously wrong.  We made no changes that day and checking through all the rules, roles & policies I can find nothing obviously wrong.  The PC's in that area will work anywhere else as they are running the service and have the certs.  Any machine I take down there fails the same way.  I've gone through all the switch configs and they appear the same as the 5 other areas on site.  The only clue I have is that when I check the logs during testing I can see the PC fail through to the visitor network, then it passes and gets the corporate VLAN, then fails through again.  This cycle seems to repeat continuously (see pic attached).

    The server was updated a few days ago to 6.12.5.306119, well after the issue surfaced.  None of the other areas set up in the system are affected so I assume it's something in that specific rule set since I can't see anything different in the switch configs or the PC's.  Anyone run into something similar with a constant flipping between authorised and failing?  I'm stumped.



  • 2.  RE: Clearpass authorisation flipping off and on

    Posted 22 days ago

    Everything looks fine in the access tracker, an Accept and VLAN enforcement are displayed there.

    Have you checked whether the VLANs (e.g. 95, 501) actually exist on the switches? With VLAN name-based enforcement, the name must be written case-sensitively. If the VLAN ID or VLAN name is missing in the switch, you will see an Accept in the ClearPass, but the switch will reject the authentication - without informing the Radius server about this reject. And then the port is moved to the unauth VLAN.

    Activate NAC on the switch on one port only and check the client state. You can also enable debugging for port-access on the switch to get more information.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    ------------------------------



  • 3.  RE: Clearpass authorisation flipping off and on

    Posted 21 days ago

    Hi. 

    Check the logs on the switch and maybe enable 802.1x debugging. Looks like something sent by the enforcement profile is not what the switch is expecting.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------



  • 4.  RE: Clearpass authorisation flipping off and on

    Posted 19 days ago
    Edited by Kenny_10_Bellys 19 days ago

    Thanks for the replies, gents.  The VLANs exist and are correct.  I've tried to get debugging working but there's no guide to actually debugging for the AOS used on the 2930M's that our network uses.  Every search for 802.1x or NAC debugging takes me straight to the HPE page for debugging 802.1x on OS-CX switches instead.

    What I have discovered today is that it appears to be the MAC side of things that's causing the issue.  The actual 802.1x is working fine.  The port-access authenticator assigns the corporate VLAN correctly and the PC works.  If I turn on the MAC-based check that comes after it in the config the port fails through to the visitor VLAN immediately.  The check can't match the corporate PC's to a phone or printer MAC so it fails.  Why it's doing the check even though the first test has passed is what I don't know.  This config works elsewhere on the network but something must be different for the rule set here.  It is not stopping the checks and moves on to the MAC check which will always fail the corporate PC's.

    For reference, here's an example of the aaa config on our switch ports.  

    aaa accounting commands stop-only tacacs
    aaa accounting exec start-stop tacacs
    aaa accounting system stop-only tacacs
    aaa authentication login privilege-mode
    aaa authentication ssh login tacacs
    aaa authentication ssh enable tacacs
    aaa authentication port-access eap-radius
    aaa port-access authenticator 1
    aaa port-access authenticator 1 client-limit 2
    aaa port-access authenticator active
    aaa port-access mac-based 1
    aaa port-access mac-based 2 mac-pin
    aaa port-access mac-based addr-format multi-colon




  • 5.  RE: Clearpass authorisation flipping off and on

    Posted 19 days ago

    Based on the info it looks like the switch is ignoring the response. AOS-S does MAC and 802.1x auth at the same time. In the access tracker you see requests every minute.

    Is it possible that you're hitting the configured client limit? Enabling debugging is possible with the following command:

    debug security port-access

    debug destination session

    Did you check the events logs on the switch?



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 6.  RE: Clearpass authorisation flipping off and on

    Posted 19 days ago

    Hi Kenny,
    here is an example to enable debugging on an AOS-S switch. You can enable it globally for all ports or for a specific port.

    deb security port-access authenticator include port 2
    deb security port-access mac-based include port 2

    You can also use debug security radius-server. However, this command is used for all sessions; depending on what is currently going on on the switch, it can become unmanageable.

    It is easier if you send debug output to a separate CLI session. Just open an additional session and enter debug destination session there.

    The port configuration looks OK. I would also set auth-order and auth-priority explicitly and specify the unauth-vid.
    I always use the following config:

    aaa port-access authenticator 2
    aaa port-access mac-based 2
    aaa port-access mac-based 2 mac-pin
    aaa port-access mac-based 2 unauth-vid 500
    aaa port-access 2 auth-order authenticator mac-based
    aaa port-access 2 auth-priority authenticator mac-based
    aaa port-access 2 controlled-direction in



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    ------------------------------



  • 7.  RE: Clearpass authorisation flipping off and on

    Posted 19 days ago

    Hi again.  Thanks for the correct debug commands gents, they worked fine.  I've attached a sample text showing the loop I'm seeing.

    Waldemar - thanks for the config, I'll look into adding the additional commands you recommend.

    Willem - we are not hitting our client limits.  I've got around 800 spare access licenses and 1100 spare OnGuard licenses so it's not that.  It looks like the switch is doing exactly what it is being told to do.  It seems to be authenticating using 802.1x and then being de-authenticated by the MAC check immediately after it.  I can see the VLAN flicking constantly between the corporate (501) and the visitor (95).

    I have attached a copy of the debug log when I activated MAC authentication again as well as 802.1x on the port.  It seems to confirm that the user is authenticating properly and then the MAC address fail through check runs immediately after and kicks it into the visitor VLAN.  I don't know why the MAC check is running after a successful authentication but that seems to be the problem.

    My network covers a large industrial site of 6 square miles so is split into 6 network areas.  Each area has its own distribution switches (8320x's) feeding the access switches (2930M's) and each area has its own group of data, voice and visitor VLANs.  Clearpass has profiles and rules for each VLAN in each area and the problem only affects this one area.  The other areas have near identical configuration on the switches and rules with only the VLAN numbers changing.


    Attachment: Authentication debug.txt


  • 8.  RE: Clearpass authorisation flipping off and on

    Posted 19 days ago

    In the logs I see the message "Deauthentication request received".

    Can you check in the access tracker if ClearPass is sending a CoA? In the access tracker details there should be an additional tab when a CoA is sent.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 9.  RE: Clearpass authorisation flipping off and on

    Posted 19 days ago

    Hi Willem.  I do not see any change of authentication notification or additional tab in the access tracker.  The 802.1 and MAC notifications look like every other notification with no additions.  It authenticates correctly using 802.1x, then it authenticates twice using the MAC rule which fails it through to the visitor VLAN.  For some reason it is authenticating against the MAC twice every time but I'm not sure why.  They look identical.





  • 10.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    The log doesn't show CoA.

    Can you enable more debug logs on the switch? Just enable all the security logs for now:

    debug security
    debug destination session


    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 11.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    Hi again.  I've attached the debug output from the moment I applied the config to the port again to turn on authentication.

    One thing that might be of interest is that I just applied auth-order and auth-priority as suggested above by Lord.  I set it to authenticator and then MAC and turned on the port.  The result was that the port stuck on the default 'fake' VLAN 666 which all our ports are set to when nothing is plugged in.  The access tracker shows that 802.1x authentication worked but the VLAN does not get applied.


    Attachment: Authentication debug 2.txt


  • 12.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    In the majority of cases this means that the VLAN in the RADIUS response is not found on the switch.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------



  • 13.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    The VLAN's are definitely on the switches.  There's data, voice, visitor and quarantine VLANs on all switches.  There are 10 switches in this area and all are configured the same and were working previously.  All switches in this area stopped working late on a Friday afternoon at the same time and I had to deactivate the authentication to get everyone back online.  The problem only affects this one area.  I am the only one who normally works on the Clearpass system and I made no changes to the switches or servers that day.  However, others do have access to the system who know even less than I do and one of them may have made a change. :-(  I think it more likely something on the server has been messed with rather than config on 10 switches. 




  • 14.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    Can you share a show tech all of the switch?  (maybe better via a DM)



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 15.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    I'll grab a show tech from some of the switches and send them




  • 16.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    Hi Kenny.

    Can you please post Output tab result from access tracker and show vlan <802.1x vlan> on switch? Behaviour is consistent with wrong vlan value on radius response.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------



  • 17.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    Hi Gorazd.  Here's the output and I've attached 2 screenshots.  One is when the 802.1x works and the PC is authorised as normal, and the second is when the MAC check then immediately fails it through to the visitor VLAN (95).  Let me know if you need anything else.

    VLAN output




  • 18.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago
    Edited by willembargeman 18 days ago

    Hi Kenny,

    Thank you for sharing the show tech. Please can you share a "show tech all" and not "show tech"?

    The configuration itself does look correct.

    In the logs I see mac-moves. Can there be a loop in the network? Please share the "show tech all" so I have more information available.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 19.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    Hi Willem,

    I've sent links to the sh tech all for the largest switch in that area and the one I've been using for testing with a single user on it.

    I'm not aware of any links and had no notifications from IMC or the switch logs.  We have loop protect running on the ports and all the links back to the distribution switches run LACP when there's more than one fibre link.  Beyond that it's routed links to the core using VRRP.  I'll go through the area and see if there's anything unusual.

    Kenny Mitchell
    Network Engineer | Global Network Team
    IT Dept
    Ineos HQ





  • 20.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    Hi Ken,

    I see a lot of MAC-moves for MAC d89ef3-04837d. The MAC address flaps between port 18 and Trk1.

    addrmgrmovelist
    mac address     vid    old port   new port   timestamp
    -------------   ----   --------   --------   -----------------
    d89ef3-04837d    501      18         Trk1    06/25/25 09:00:42
    d89ef3-04837d    501      Trk1       18      06/25/25 09:02:43
    d89ef3-04837d    501      18         Trk1    06/25/25 09:02:43
    d89ef3-04837d    501      Trk1       18      06/25/25 09:02:43
    d89ef3-04837d    501      18         Trk1    06/25/25 09:02:44
    d89ef3-04837d    501      Trk1       18      06/25/25 09:04:45
    d89ef3-04837d    501      18         Trk1    06/25/25 09:04:46
    d89ef3-04837d    501      Trk1       18      06/25/25 09:04:46
    d89ef3-04837d    501      18         Trk1    06/25/25 09:04:46
    d89ef3-04837d    501      Trk1       18      06/25/25 09:06:48
    d89ef3-04837d    501      18         Trk1    06/25/25 09:06:48
    d89ef3-04837d    501      Trk1       18      06/25/25 09:06:48
    d89ef3-04837d    501      18         Trk1    06/25/25 09:06:48
    d89ef3-04837d    501      Trk1       18      06/25/25 09:08:50
    d89ef3-04837d    501      18         Trk1    06/25/25 09:08:50
    d89ef3-04837d    501      Trk1       18      06/25/25 09:08:50
    d89ef3-04837d    501      18         Trk1    06/25/25 09:08:53
    d89ef3-04837d    501      Trk1       18      06/25/25 09:10:52
    d89ef3-04837d    501      18         Trk1    06/25/25 09:10:53
    d89ef3-04837d    501      Trk1       18      06/25/25 09:10:53
    d89ef3-04837d    501      18         Trk1    06/25/25 09:10:53
    d89ef3-04837d    501      Trk1       18      06/25/25 09:12:55
    d89ef3-04837d    501      18         Trk1    06/25/25 09:12:55
    d89ef3-04837d    501      Trk1       18      06/25/25 09:12:55
    d89ef3-04837d    501      18         Trk1    06/25/25 09:12:55

    Can you trace down this MAC? I'm curious why this MAC is also seen on the uplink. 



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------
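    An added example, not from the thread or from Aruba: a small Python checker that parses the AOS-S addrmgrmovelist output quoted above and reports MACs that bounce between an access port and a trunk/LAG uplink, the mac-move pattern that produces the "Switch Mac move indication" and the repeated deauthentication seen in the debug log. The sample rows are constructed from the table in this post; the uplink naming rule (Trk/lag prefix) and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the AOS-S "addrmgrmovelist" output quoted in the
# thread: port 18 is the client's access port, Trk1 the uplink trunk. The last
# row is a made-up non-uplink move to show it being ignored.
SAMPLE_MOVELIST = """\
addrmgrmovelist
mac address     vid    old port   new port   timestamp
-------------   ----   --------   --------   -----------------
d89ef3-04837d    501      18         Trk1    06/25/25 09:00:42
d89ef3-04837d    501      Trk1       18      06/25/25 09:02:43
d89ef3-04837d    501      18         Trk1    06/25/25 09:02:43
d89ef3-04837d    501      Trk1       18      06/25/25 09:02:43
d89ef3-04837d    501      18         Trk1    06/25/25 09:02:44
d89ef3-04837d    501      Trk1       18      06/25/25 09:04:45
001122-334455    501      7          9       06/25/25 09:05:00
"""

# One data row: AOS-S MAC (xxxxxx-xxxxxx), VLAN id, old port, new port, timestamp.
MOVE_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{6}-[0-9a-f]{6})\s+(?P<vid>\d+)\s+"
    r"(?P<old>\S+)\s+(?P<new>\S+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*$",
    re.IGNORECASE,
)


def parse_movelist(text):
    """Parse addrmgrmovelist rows; the header and separator lines are skipped."""
    moves = []
    for line in text.splitlines():
        m = MOVE_RE.match(line.strip())
        if not m:
            continue
        moves.append({
            "mac": m["mac"].lower(),
            "vid": int(m["vid"]),
            "old": m["old"],
            "new": m["new"],
            "ts": datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),
        })
    return moves


def is_uplink(port):
    # Assumption: uplinks are trunks/LAGs, named "TrkN" on AOS-S and "lagN" on AOS-CX.
    return port.lower().startswith(("trk", "lag"))


def find_flapping(moves, min_moves=4, window_s=600):
    """Return MACs seen moving between an access port and an uplink at least
    min_moves times inside some window_s-second window, keyed by MAC."""
    groups = defaultdict(list)
    for mv in moves:
        groups[(mv["mac"], mv["vid"])].append(mv)
    flapping = {}
    for (mac, vid), mvs in groups.items():
        mvs.sort(key=lambda mv: mv["ts"])
        ports = {mv["old"] for mv in mvs} | {mv["new"] for mv in mvs}
        uplinks = {p for p in ports if is_uplink(p)}
        access = ports - uplinks
        # A MAC bouncing between two edge ports is a different problem; only the
        # access<->uplink pattern behind the deauthentications is reported here.
        if not uplinks or not access:
            continue
        # Sliding window: largest number of moves within window_s seconds.
        peak, j = 0, 0
        for i in range(len(mvs)):
            while j < len(mvs) and (mvs[j]["ts"] - mvs[i]["ts"]).total_seconds() <= window_s:
                j += 1
            peak = max(peak, j - i)
        if peak >= min_moves:
            flapping[mac] = {
                "vid": vid,
                "access_ports": sorted(access),
                "uplinks": sorted(uplinks),
                "moves": len(mvs),
                "peak_in_window": peak,
            }
    return flapping
```

    Replace SAMPLE_MOVELIST with the pasted output of addrmgrmovelist from the affected switch; any MAC reported with both an access port and a Trk/lag port is the one to trace towards the uplink.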



  • 21.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    Hi Willem,

    The MAC address is a Dell desktop PC in a control room in our harbour area.  That's network area 5, the one area where Clearpass is giving us this problem.

    It's the PC I've been using as a test case because it's in an old control room that is rarely visited.  The PC is sitting idle so it doesn't bother anyone when I knock it off the network by turning the aaa off and on.  I copy in config to turn on the authentication after turning on debugging.  When I finish I remove the config and set the PC statically to VLAN 501 again.





  • 22.  RE: Clearpass authorisation flipping off and on
    Best Answer

    Posted 18 days ago

    You didn't physically move the network connection of the device, right? I don't understand why the MAC is flapping between the uplink and downlink (for the same VLAN). Normally that indicates a loop in the network. Can you check the core/distribution layer if you see MAC flaps for the MAC? And also try to remove the mac-pin configuration.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 23.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    The connection was never physically touched.  It takes 20 minutes for me to drive to that location from here and the building is locked.  I checked the MAC on the distribution switches and it just shows it being on VLAN 501 on lag10.  No error messages or anything obvious.

    In fact the logs on both distribution switches only show our IMC server logging in each night to check and copy the configuration.  There is almost nothing else other than the occasional message saying a module is using 21% memory.

    Area 5 is our smallest on the network and very few changes happen there.  It has 12 access switches but only about 50 users spread across them.  If you like I can find a PC in a more populated building to run the debug tests on?  All PC's in the area were affected by the issue at the same time so it should not make a difference.





  • 24.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    I took another look at the debug output (Authentication debug.txt) that Kenny shared.
    In line 87 it says "Switch Mac move indication received"; the client is then deauthenticated.


    This matches the MAC flapping between the uplink and access port.
    Is there really a loop in this LAN segment?



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    ------------------------------



  • 25.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago

    Kenny,

    What type of switch is the distribution layer (EUGRAC501)? If it is AOS-S you can use the following commands to check the MAC moves.

    show mac-address d89ef3-04837d detail
    edomtset
    edomtset
    addrmgrmovelist



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 26.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago
    Edited by Kenny_10_Bellys 17 days ago

    Hi again,

    The distribution switches are 8320X 48 port fibre switches running OS-CX 10.14.1000.  The only similar command I found showed detailed output of MAC's on the vsx-peer.

    I've just gone through the logs on every switch looking for a loop and there's nothing in any logs.  Just normal ports going off and on through the week.  Loop protect is on and there's nothing logged in the IMC server either.  The only times I've had a loop it's been by people plugging 2 leads into a phone with pass thru and that basically brought down the entire switch making it easy to see there was a problem.  I'm not getting any symptoms like that or any logs of fibre ports going off and on or changing priorities.






  • 27.  RE: Clearpass authorisation flipping off and on

    Posted 17 days ago

    Can you try to use the following commands on the CX switch to see the mac moves?

    show mac-address-table mac-move
    show mac-address-table mac-move address <mac-address>


    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 28.  RE: Clearpass authorisation flipping off and on

    Posted 17 days ago
    Edited by Kenny_10_Bellys 17 days ago

    Hi Willem,

    EUGRAC501# show mac-address-table mac-move address d8:9e:f3:04:83:7d vlan 501
    Number of MAC Move addresses : 1

    MAC Address        VLAN   Current Port    Previous Port   Move Count   Last Move
    ----------------------------------------------------------------------------------------------
    d8:9e:f3:04:83:7d  501    lag10           lag128          35238        Wed Jun 25 12:59:22 2025

    It looks like it's jumping across the normal connection (lag10) between access & distribution and lag128 which is the interlink between the two distribution switches (EUGRAC501 and 502).

    The network layout on our site was designed for resilience and uses dual cores to dual distribution with dual fibre links to each access switch.  Due to the remote location of this area only a few of the switches have dual link between distribution and access currently.  There are meant to be 4 fibres in the interlink between distribution switches.






  • 29.  RE: Clearpass authorisation flipping off and on

    Posted 17 days ago

    How is the configuration of the lag interface to the access switches?

    Has something changed on that layer? On the other distribution switch, how does the MAC move look? Which two links do you see there?



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 30.  RE: Clearpass authorisation flipping off and on

    Posted 17 days ago
    Edited by Kenny_10_Bellys 17 days ago

    Hi again,

    You are on to something.  We see the MAC on the second distribution switch is flicking between the vsx link to EUGRAC501 and then to port 1/1/10.  The fibre in 1/1/10 leads to switch EUGRAC515 which is on the other side of the docks.

    The only recent work in that area was to install a Wi-Fi bridge to a muster station and emergency telephone.  Our first thought is that perhaps a Wifi loop is somehow being created between this bridge and another on the other side of the docks.  We will run some tests by cutting off connectivity to the new bridge to see what happens.






  • 31.  RE: Clearpass authorisation flipping off and on

    Posted 18 days ago
    Edited by Kenny_10_Bellys 17 days ago

    Hi there,

    I've just finished going through the logs of all the switches in this area and I can find no evidence of a loop.  There is nothing on our IMC server and nothing in the local logs on the access or distribution switches.  All the switches have loop protect running on the copper ports.  If there is a loop it's not showing in any logs and not causing traffic problems that anyone has reported.  There are a couple of switches in this area which connect through another access switch to reach the distribution (via wireless links) but the rest all link to the distribution via fibre.  Nothing in any logs to suggest an issue.






  • 32.  RE: Clearpass authorisation flipping off and on

    Posted 17 days ago

    So it appears that there is some kind of loop in this network area.  At the far end of the docks is a safety 'muster point' where people have to go during an emergency.  A couple of months ago a Ligowave wireless bridge and an 8-port switch was installed in a cabinet at the point to run a phone and an access control card scanner.  After many assists and pointers from Willem and yourselves I discovered that the wireless bridge is injecting lots of MAC addresses into the network from PC's and devices elsewhere in the area.  This is causing Clearpass to see PC's randomly move buildings for a split second hundreds of times a day.  I believe it's also the cause of other issues we've been investigating such as Teams calls dropping randomly just in this area.

    At this time I have no clue what the actual mechanism of the loop is.  Initial thoughts were that it was picking up a link from another bridge about a kilometre away on top of the control building.  However, the wireless bridges are secured by individual SSID's & passwords and tied by MAC address to each peer unit.  I've also now put a MAC filter ACL on the wireless station to allow only the phone, switch and card scanner but still it's pumping in random MACs from around the area.  More investigation needed!

    Thank you all for your input and assistance.  It has been an education.  :-)




  • 33.  RE: Clearpass authorisation flipping off and on

    Posted 17 days ago

    You're welcome Kenny! Thank you for sharing the source of the issue.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------