Wired Intelligent Edge

Hi,

I have network running on fw 10.13.1030 with fully functional FreeRadius setup and mac authentication enabled in switch ports with following configuration:

interface 1/1/4
    no shutdown 
    flow-control rxtx
    vlan access 1
    aaa authentication port-access client-limit 8
    aaa authentication port-access mac-auth
        enable
 

At this moment in this port there is 100mbps video controller with static ip connected at the moment and last log entry for the port says:
2024-08-25T14:01:29.896816+03:00 ..... hpe-mstpd[2642]: Event|2012|LOG_INFO|AMM|1/1|CIST - Topology Change generated on port 1/1/4 going in to forwarding...

But mac-address table for the port is empty?!? How is that possible? Does port-access drop mac off in some situations? Another thing is that I cannot see mac-address in log entries either.

I have about 1500 devices in this network and from that count about 99% works just fine with port-access configuration above but there seems to be few device models wich refuses to pass mac-address to switch if device has static ip address (I'm not absolutely sure if dhcp/static ip addressing has nothing to do with this problem) Rest of the devices does not have any problems what so ever.

Is there something missing from my configuration?

If the device does not send any traffic, you won't see a mac address (nor for authentication, nor in the mac-address table).

Some devices, when configured with a static IP, behave like that. And they may need some incoming traffic first before they respond and start sending traffic. Please verify that the device is sending traffic.... Some devices can be configured with NTP, which in many cases is a good way to force sending traffic; or use DHCP (with a fixed lease allocation to make sure it always gets the IP address that you want).

If you configure a port-mirror on the device's port, you may be able to see if there is something coming in on the port.

Hi,

I have network running on fw 10.13.1030 with fully functional FreeRadius setup and mac authentication enabled in switch ports with following configuration:

interface 1/1/4
    no shutdown 
    flow-control rxtx
    vlan access 1
    aaa authentication port-access client-limit 8
    aaa authentication port-access mac-auth
        enable
 

At this moment in this port there is 100mbps video controller with static ip connected at the moment and last log entry for the port says:
2024-08-25T14:01:29.896816+03:00 ..... hpe-mstpd[2642]: Event|2012|LOG_INFO|AMM|1/1|CIST - Topology Change generated on port 1/1/4 going in to forwarding...

But mac-address table for the port is empty?!? How is that possible? Does port-access drop mac off in some situations? Another thing is that I cannot see mac-address in log entries either.

I have about 1500 devices in this network and from that count about 99% works just fine with port-access configuration above but there seems to be few device models wich refuses to pass mac-address to switch if device has static ip address (I'm not absolutely sure if dhcp/static ip addressing has nothing to do with this problem) Rest of the devices does not have any problems what so ever.

Is there something missing from my configuration?

This was good one, thanks! I checked out traffic situation with port mirror and device did not communicate with network at all. I tested also with static vlan (no auth stuff what so ever) and there still were no mac address available in port so I wonder how can there be incoming traffic at all to trigger device to send something if there is no mac address available in first place?

If the device does not send any traffic, you won't see a mac address (nor for authentication, nor in the mac-address table).

Some devices, when configured with a static IP, behave like that. And they may need some incoming traffic first before they respond and start sending traffic. Please verify that the device is sending traffic.... Some devices can be configured with NTP, which in many cases is a good way to force sending traffic; or use DHCP (with a fixed lease allocation to make sure it always gets the IP address that you want).

If you configure a port-mirror on the device's port, you may be able to see if there is something coming in on the port.

Hi,

I have network running on fw 10.13.1030 with fully functional FreeRadius setup and mac authentication enabled in switch ports with following configuration:

interface 1/1/4
    no shutdown 
    flow-control rxtx
    vlan access 1
    aaa authentication port-access client-limit 8
    aaa authentication port-access mac-auth
        enable
 

At this moment in this port there is 100mbps video controller with static ip connected at the moment and last log entry for the port says:
2024-08-25T14:01:29.896816+03:00 ..... hpe-mstpd[2642]: Event|2012|LOG_INFO|AMM|1/1|CIST - Topology Change generated on port 1/1/4 going in to forwarding...

But mac-address table for the port is empty?!? How is that possible? Does port-access drop mac off in some situations? Another thing is that I cannot see mac-address in log entries either.

I have about 1500 devices in this network and from that count about 99% works just fine with port-access configuration above but there seems to be few device models wich refuses to pass mac-address to switch if device has static ip address (I'm not absolutely sure if dhcp/static ip addressing has nothing to do with this problem) Rest of the devices does not have any problems what so ever.

Is there something missing from my configuration?

This was good one, thanks! I checked out traffic situation with port mirror and device did not communicate with network at all. I tested also with static vlan (no auth stuff what so ever) and there still were no mac address available in port so I wonder how can there be incoming traffic at all to trigger device to send something if there is no mac address available in first place?

If the device does not send any traffic, you won't see a mac address (nor for authentication, nor in the mac-address table).

Some devices, when configured with a static IP, behave like that. And they may need some incoming traffic first before they respond and start sending traffic. Please verify that the device is sending traffic.... Some devices can be configured with NTP, which in many cases is a good way to force sending traffic; or use DHCP (with a fixed lease allocation to make sure it always gets the IP address that you want).

If you configure a port-mirror on the device's port, you may be able to see if there is something coming in on the port.

Hi,

I have network running on fw 10.13.1030 with fully functional FreeRadius setup and mac authentication enabled in switch ports with following configuration:

interface 1/1/4
    no shutdown 
    flow-control rxtx
    vlan access 1
    aaa authentication port-access client-limit 8
    aaa authentication port-access mac-auth
        enable
 

At this moment in this port there is 100mbps video controller with static ip connected at the moment and last log entry for the port says:
2024-08-25T14:01:29.896816+03:00 ..... hpe-mstpd[2642]: Event|2012|LOG_INFO|AMM|1/1|CIST - Topology Change generated on port 1/1/4 going in to forwarding...

But mac-address table for the port is empty?!? How is that possible? Does port-access drop mac off in some situations? Another thing is that I cannot see mac-address in log entries either.

I have about 1500 devices in this network and from that count about 99% works just fine with port-access configuration above but there seems to be few device models wich refuses to pass mac-address to switch if device has static ip address (I'm not absolutely sure if dhcp/static ip addressing has nothing to do with this problem) Rest of the devices does not have any problems what so ever.

Is there something missing from my configuration?

Such silent devices are terrible for MAC-Auth. The authentication type is dependent on data traffic, no incoming packets at the switch port means no authentication. 

• The AOS-CX knows a few commands that will make your life easier. The solution is described in this post: https://community.arubanetworks.com/discussion/hpe-anw-cx-switches-silent-client-support 
• Configure "client-inactivity timeout", allow "allow-flood-traffic" and activate "Client IP Tracker".

This was good one, thanks! I checked out traffic situation with port mirror and device did not communicate with network at all. I tested also with static vlan (no auth stuff what so ever) and there still were no mac address available in port so I wonder how can there be incoming traffic at all to trigger device to send something if there is no mac address available in first place?

If the device does not send any traffic, you won't see a mac address (nor for authentication, nor in the mac-address table).

Some devices, when configured with a static IP, behave like that. And they may need some incoming traffic first before they respond and start sending traffic. Please verify that the device is sending traffic.... Some devices can be configured with NTP, which in many cases is a good way to force sending traffic; or use DHCP (with a fixed lease allocation to make sure it always gets the IP address that you want).

If you configure a port-mirror on the device's port, you may be able to see if there is something coming in on the port.

Hi,

I have network running on fw 10.13.1030 with fully functional FreeRadius setup and mac authentication enabled in switch ports with following configuration:

interface 1/1/4
    no shutdown 
    flow-control rxtx
    vlan access 1
    aaa authentication port-access client-limit 8
    aaa authentication port-access mac-auth
        enable
 

At this moment in this port there is 100mbps video controller with static ip connected at the moment and last log entry for the port says:
2024-08-25T14:01:29.896816+03:00 ..... hpe-mstpd[2642]: Event|2012|LOG_INFO|AMM|1/1|CIST - Topology Change generated on port 1/1/4 going in to forwarding...

But mac-address table for the port is empty?!? How is that possible? Does port-access drop mac off in some situations? Another thing is that I cannot see mac-address in log entries either.

I have about 1500 devices in this network and from that count about 99% works just fine with port-access configuration above but there seems to be few device models wich refuses to pass mac-address to switch if device has static ip address (I'm not absolutely sure if dhcp/static ip addressing has nothing to do with this problem) Rest of the devices does not have any problems what so ever.

Is there something missing from my configuration?