Security

 View Only
last person joined: 2 days ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass client limit on port not working. Weird port fault?

Jump to Best Answer
This thread has been viewed 18 times
  • 1.  Clearpass client limit on port not working. Weird port fault?

    Posted Aug 03, 2022 07:21 AM
    Hi there.  I am rolling out Clearpass across my Aruba based campus and have reached the boardroom network switch.  Before I apply Clearpass I go through the ports looking for anything odd or something I need to add to static hosts, etc.  Imagine my surprise when I find that the port marked as the boardroom AV computer has 10 MAC addresses showing on it.  This is a basic Dell PC used to run MS Teams for meetings, with a conference camera & speaker plugged into via USB.

    I suspected a hub or something so visited the building and can find nothing.  The cabling runs from the cabinet to the port next to the PC and the only thing plugged in is the PC.  I confirmed it was all ok with with my Fluke tester and plugged it back in.  I checked the port and there was only the PC's MAC address.  A few minutes later there were now 6 MAC addresses showing.  All had Dell vendor codes, none had picked up DHCP addresses and did not show up anywhere else on the network.

    I put my Clearpass config on the port and set the client-limit to 1 and the addr-limit to 1.  Usually it's set to 2 for a PC and Voip phone but I wanted to try and kill these spurious MAC addresses.  After a couple of minutes I have 2 MAC addresses on the port, the boardroom PC and a spurious Dell one that does not authenticate and gets kicked to our guest VLAN.  On a port set to a single client?

    Do I have this wrong?  Is the single client or address limit a 'per VLAN' or 'per port' limit, because it doesn't seem to work.  I also have no clue where all these spurious MAC addresses are coming from, I've never seen anything like it.  Any ideas?


  • 2.  RE: Clearpass client limit on port not working. Weird port fault?

    Posted Aug 03, 2022 07:36 AM
    Personally, I would investigate the PC itself first.  Does it have any VM software on it, etc?


  • 3.  RE: Clearpass client limit on port not working. Weird port fault?

    Posted Aug 03, 2022 10:34 AM
    We've checked the PC and can find nothing.  It's a bog standard desktop that has the video conference camera and speaker plugged into it.  In addition it's running Carbon Black, MacAfee and Redcloak and nothing is triggering to show a possible exploit.  My plan is to update the 2930M switch tonight to the latest firmware and put Clearpass on all suitable ports, not just the one this PC is on.  I'll check again tomorrow to see if this persists.

    Also, any idea why restricting the port to a single user isn't working?


  • 4.  RE: Clearpass client limit on port not working. Weird port fault?

    EMPLOYEE
    Posted Aug 04, 2022 09:24 AM
    I'm confused. You mention about the client, that is has around 10 MAC addresses, and you mention the addr-limit set to 1 and not working.

    You also mention that the other MACs don't get an IP... doesn't that mean that the addr-limit is working?? It may be that a rejected/denied MAC still shows up on the mac-address table; but it should not have further access.

    I would first check why a client uses multiple MAC addresses, and running a port mirror with packet capture for some time may give an indication of what is going on with that PC.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Clearpass client limit on port not working. Weird port fault?

    Posted Aug 05, 2022 03:09 AM
    I checked the physical wiring and it's basically going straight from my network switch to a desktop PC being used to run video conferences.  It has a VC  camera and speaker system plugged in the USB.  That's it.  When I look at the port I see anywhere from 6 to 10 MAC addresses.  We use Dell desktop PC's on site and all the MAC's show Dell vendor codes of varying types.  I looked for the MAC's anywhere else on the network thinking it might be PC's elsewhere.  Nope.  Nor do they pick up IP addresses when I check that.

    I turned on Clearpass and checked again.  I see the actual PC authenticate and get assigned the correct data VLAN and the spurious MAC's are assigned to our visitor network which is our fail through.  I adjusted Clearpass to allow only a single client and single address.  What I get now are the actual PC AND a spurious MAC address which changes every few minutes.  So it's not limiting to a single anything.  We're going to replace the PC with a fresh built one and see if the problem persists or goes with the PC.


  • 6.  RE: Clearpass client limit on port not working. Weird port fault?
    Best Answer

    Posted Aug 25, 2022 10:53 AM
    OK, just to close this off.  Replacing the PC sorted the issue.  We believe it was related to the video conference kit and drivers on the machine.  The replacement machine works as expected and no issue.