ClearPass Profiler disconnect MAC authenticated clients every 10 minutes

  • 1.  ClearPass Profiler disconnect MAC authenticated clients every 10 minutes

    Posted May 14, 2021 01:55 AM
    I see similar posts in the past but no analysis or resolution yet. I have implemented profiling of wired clients via a separate VLAN with DHCP and DHCP relay to ClearPass, and it is working great. Unclassified clients are put in this separate VLAN, receive a message that profiling is taking place, and after about 1,5 minutes are redirected to their work VLAN, as described in the Wired Deployment Guide by TimC.

    This all works great except that MAC authenticated clients get a CoA Disconnect message every 10 minutes. I have enabled Profiling on the Wired MAC authentication service. All these clients are already successfully profiled.

    I'm working with TAC on this issue. We narrowed down that the problem is that the Profiler sends those CoA disconnects. Switches are ArubaOS 16.10.0012. Ports are configured with MAC and 802.1x authentication. auth-order is authenticator mac-based and auth-priority is mac-based authenticator.

    Does anybody already have suggestions on how to resolve this problem?

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------


  • 2.  RE: ClearPass Profiler disconnect MAC authenticated clients every 10 minutes

    Posted May 17, 2021 10:12 AM
    Profiler only sends out a CoA if there is a device classification change that matches the device types in the Service's Profiler tab.

    Do you see the device changing classification? The 'every 10 minutes' does not ring a bell for me and does not make sense. TAC can see in the logs for profiler or post-auth what is triggering the CoA. If you do a 'Collect Logs' in the Server Manager, you can download the logs as well and have a look yourself.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: ClearPass Profiler disconnect MAC authenticated clients every 10 minutes

    Posted May 17, 2021 10:19 AM
    Hi Herman.

    I'm waiting for TAC to complete the analysis of debug logs and packet traces. It is also a mystery to me why the profiler triggers a CoA every 10 minutes. I have never seen this before. There is no change in classifications. All those endpoints are already profiled. For now I can confirm this behavior on wired MAC authenticated clients. For 802.1x I haven't found such a pattern yet.

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------