  • 1.  mac auth and printers not working

    Posted Jul 25, 2024 05:45 AM

    Hello,

    I have to manage some printers with MAC authentication and ClearPass.
    They are working fine with Aruba CX series switches.

    My problem is with 25XX series switches (ex ProCurve).
    I have read docs and discussions, but I'm unable to resolve an issue with some printers.

    The switch is configured with a fake VLAN; after MAC auth passes, the port is placed in a printers VLAN and works fine for some time (about 5 min).

    After this time the printers aren't reachable anymore, and I need to unplug or reboot the device.

    I tried some configurations and advice found in posts, but nothing seems to work for me.

    aaa port-access mac-based 3 logoff-period 999999 doesn't work.

    The last configuration I tried is:

    interface 6
     
       untagged vlan 50
       aaa port-access mac-based
       aaa port-access mac-based mac-pin
       aaa port-access mac-based reauth-period 120
       spanning-tree admin-edge-port
       spanning-tree point-to-point-mac false
       exit



    This is also not working.

    Please, does someone know what works?

    Do you have any working conf?

    Thanks



    ------------------------------
    carabina5
    ------------------------------


  • 2.  RE: mac auth and printers not working

    Posted Jul 25, 2024 07:23 AM

    Have you checked the port-access status detail after the client is authenticated and when the device becomes unreachable?

    And does the switch log show something about ports going down or de-authenticated?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: mac auth and printers not working

    Posted Jul 26, 2024 08:25 AM
    Edited by HB Jul 26, 2024 08:26 AM

    Hi Herman,

    I rebuilt the port configuration: I deleted all aaa commands for the port, then restarted with new commands:

     
    aaa port-access authenticator 3
    aaa port-access authenticator 3 client-limit 1
    aaa port-access mac-based 3
    aaa port-access mac-based 3 mac-pin
    int 3 
    unt vlan 999
     

    The interface is 3, and VLAN 999 is the fake VLAN. Once connected, the printers should have VLAN 12.

    I disabled the port and enabled it after 10 seconds.

    The printer was then working and answered ping.

    ====================================================================================

    show vlans 12
     
     Status and Counters - VLAN Information - VLAN 12
     
      VLAN ID : 12
      Name : Clients
      Status : Port-based
      Voice : No
      Jumbo : No
     
      Port Information Mode     Unknown VLAN Status
      ---------------- -------- ------------ ----------
      3                Untagged Learn        Up
      5                802.1x   Learn        Up
      6                802.1x   Learn        Up
      12               802.1x   Learn        Up
      13               MACAUTH  Learn        Up
      18               MACAUTH  Learn        Up
      23               802.1x   Learn        Up
      26               802.1x   Learn        Up
      37               Tagged   Learn        Up
      38               Tagged   Learn        Up
      39               Tagged   Learn        Up
      40               Tagged   Learn        Up
      41               802.1x   Learn        Up
      47               Tagged   Learn        Down
      49               Tagged   Learn        Down
      50               Tagged   Learn        Down
      51               Tagged   Learn        Up
      52               Tagged   Learn        Up
     
      Overridden Port VLAN configuration
     
      Port  Mode
      ----- ------------
      5     No
      6     No
      12    No
      13    No
      18    No
      23    No
      26    No
      41    No
      
    ==================================================================================================
    show interfaces 3
     
     Status and Counters - Port Counters for port 3
     
      Name  :  3071 - 
      MAC Address      : 08f1
      Link Status      : Up
      Port Enabled     : Yes
      Totals (Since boot or last clear) :
       Bytes Rx        : 227,470,949          Bytes Tx        : 1,679,040,614
       Unicast Rx      : 1,010,544            Unicast Tx      : 1,829,231
       Bcast/Mcast Rx  : 4,513                Bcast/Mcast Tx  : 7,406,170
      Errors (Since boot or last clear) :
       FCS Rx          : 0                    Drops Tx        : 1,861,328
       Alignment Rx    : 0                    Collisions Tx   : 0
       Runts Rx        : 0                    Late Colln Tx   : 0
       Giants Rx       : 0                    Excessive Colln : 0
       Total Rx Errors : 0                    Deferred Tx     : 0
      Others (Since boot or last clear) :
       Discard Rx      : 0                    Out Queue Len   : 0
       Unknown Protos  : 0
      Rates (5 minute weighted average) :
       Total Rx (bps) : 3,768                 Total Tx (bps) : 19,992
       Unicast Rx (Pkts/sec) : 4              Unicast Tx (Pkts/sec) : 5
       B/Mcast Rx (Pkts/sec) : 0              B/Mcast Tx (Pkts/sec) : 5
       Utilization Rx  :     0 %              Utilization Tx  : 00.01 %
       
       ===========================================================================================
    show port-access clients
     
     Port Access Client Status
     
      Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN
      ----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
      3                   mac 3     n/a                               8021X 12
      3     mac3     n/a                               MAC   12
      5     host     n/a                               8021X 12
      6     host/     n/a                               8021X 12
      7     001a     n/a                               MAC   10
      12    host     n/a                               8021X 12
      13    00d0    n/a                               MAC   12
      18    80e82     n/a                               MAC   12
      19    001a     n/a                               MAC   10
      23    host/3     n/a                               8021X 12
      25    001a     n/a                               MAC   10
      26    host/     n/a                               8021X 12
      27    001ae     n/a                               MAC   10
      28    001a     n/a                               MAC   10
      30    001a     n/a                               MAC   10
      33    001     n/a                               MAC   10
      34    000b8c     n/a                               MAC   10
      41    host/     n/a                               8021X 12
      42    001a0     n/a                               MAC   10
      43    001ae     n/a                               MAC   10
      44    e45f01c     n/a                               MAC   18
      
    After a short time, 802.1X disappears from port 3.
      ========================================================================================
    show port-access mac-based clients
     
     Port Access MAC-Based Client Status
     
      Port  MAC Address       IP Address                       Mode Client Status
      ----- ----------------- -------------------------------- ---- --------------------
      3     mac3     n/a                              User authenticated
      7     001a    n/a                              User authenticated
      13    00df     n/a                              User authenticated
      18    80e     n/a                              User authenticated
      19    001     n/a                              User authenticated
      25    001     n/a                              User authenticated
      27    001a     n/a                              User authenticated
      28    001     n/a                              User authenticated
      30    001     n/a                              User authenticated
      33    001a     n/a                              User authenticated
      34    000    n/a                              User authenticated
      42    001a     n/a                              User authenticated
      43    001     n/a                              User authenticated
      44    e45     n/a                              User authenticated
    =============================================================================================================================
    ===============================================================================================================================
    The customer was checking the printer from time to time. After some hours they said the printer was unreachable again.
    show time
    Fri Jul 26 13:34:08 2024
    ntp is in sync
    show interfaces brief
     
     Status and Counters - Port Status
     
                              | Intrusion                           MDI  Flow Bcast
      Port         Type       | Alert     Enabled Status Mode       Mode Ctrl Limit
      ------------ ---------- + --------- ------- ------ ---------- ---- ---- -----
      1            100/1000T  | No        Yes     Down   1000FDx    Auto off  0
      2            100/1000T  | No        Yes     Down   1000FDx    Auto off  0
      3            100/1000T  | No        Yes     Up     100FDx     MDIX off  0
      4            100/1000T  | No        Yes     Down   1000FDx    NA   off  0
      5            100/1000T  | No        Yes     Up     1000FDx    MDIX off  0
      6            100/1000T  | No        Yes     Up     10FDx      MDI  off  0
      7            100/1000T  | No        Yes     Up     100FDx     MDIX off  0
      8            100/1000T  | No        Yes     Down   1000FDx    Auto off  0
    ===========================================================================
    show vlans 12
     
     Status and Counters - VLAN Information - VLAN 12
     
      VLAN ID : 12
      Name : Clients
      Status : Port-based
      Voice : No
      Jumbo : No
     
      Port Information Mode     Unknown VLAN Status
      ---------------- -------- ------------ ----------
      5                802.1x   Learn        Up
      12               802.1x   Learn        Up
      13               MACAUTH  Learn        Up
      18               MACAUTH  Learn        Up
      Overridden Port VLAN configuration
     
      Port  Mode
      ----- ------------
      5     No
      12    No
      13    No
    not assigned to port 3
    ==============================================
    show interfaces 3
     
     Status and Counters - Port Counters for port 3
     
      Name  :  3071 -
      MAC Address      : 08f
      Link Status      : Up
      Port Enabled     : Yes
      Totals (Since boot or last clear) :
       Bytes Rx        : 230,544,170          Bytes Tx        : 1,694,811,906
       Unicast Rx      : 1,027,525            Unicast Tx      : 1,845,838
       Bcast/Mcast Rx  : 4,674                Bcast/Mcast Tx  : 7,475,156
      Errors (Since boot or last clear) :
       FCS Rx          : 0                    Drops Tx        : 1,861,328
       Alignment Rx    : 0                    Collisions Tx   : 0
       Runts Rx        : 0                    Late Colln Tx   : 0
       Giants Rx       : 0                    Excessive Colln : 0
       Total Rx Errors : 0                    Deferred Tx     : 0
      Others (Since boot or last clear) :
       Discard Rx      : 0                    Out Queue Len   : 0
       Unknown Protos  : 0
      Rates (5 minute weighted average) :
       Total Rx (bps) : 0                     Total Tx (bps) : 0
       Unicast Rx (Pkts/sec) : 0              Unicast Tx (Pkts/sec) : 0
       B/Mcast Rx (Pkts/sec) : 0              B/Mcast Tx (Pkts/sec) : 0
       Utilization Rx  :     0 %              Utilization Tx  :     0 %

    =============================================================================

    show port-access clients
     
     Port Access Client Status
     
      Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN
      ----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
      5     host/     n/a                               8021X 12
      7     001a     n/a                               MAC   10
      12    host     n/a                               8021X 12
      13    00d     n/a                               MAC   12
      18    80e     n/a                               MAC   12
      19    001a     n/a                               MAC   10
      23    host/     n/a                               8021X 12

    port 3 is missing

    =============================================================================

    show port-access mac-based clients
     
     Port Access MAC-Based Client Status
     
      Port  MAC Address       IP Address                       Mode Client Status
      ----- ----------------- -------------------------------- ---- --------------------
      7     001a     n/a                              User authenticated
      13    00d     n/a                              User authenticated
      18    80e     n/a                              User authenticated
      19    0018     n/a                              User authenticated
      25    001     n/a                              User authenticated

    ==========================================================================================

    show port-access 3 clients
     
     Port Access Client Status
     
      Port  Client Name   MAC Address       IP Address      User Role         Type  VLAN
      ----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
     
    # show running-config interface 3
     
    Running configuration:
     
    interface 3
        untagged vlan 999
       aaa port-access authenticator
       aaa port-access authenticator client-limit 1
       aaa port-access mac-based
       aaa port-access mac-based mac-pin
       spanning-tree admin-edge-port
       spanning-tree point-to-point-mac false
       exit

    =================================================================================================================

     
    Aruba-2540-48G-PoEP-4SFPP-BZ31# show logging -r | incl "port 3"
    I 07/26/24 13:28:08 00076 ports: port 36 is now on-line
    I 07/26/24 13:28:08 00435 ports: port 36 is Blocked by STP
    I 07/26/24 13:28:08 00435 ports: port 36 is Blocked by AAA
    I 07/26/24 13:27:47 00077 ports: port 36 is now off-line
    I 07/26/24 13:27:47 00435 ports: port 36 is Blocked by AAA
    I 07/26/24 13:27:25 00077 ports: port 36 is now off-line
    I 07/26/24 13:09:23 00435 ports: port 3 is Blocked by AAA
    I 07/26/24 13:09:22 00077 ports: port 3 is now off-line
    I 07/26/24 13:09:21 00435 ports: port 3 is Blocked by AAA
    I 07/26/24 13:09:19 00077 ports: port 3 is now off-line
    I 07/26/24 11:49:20 00076 ports: port 3 is now on-line
    I 07/26/24 11:49:20 00435 ports: port 3 is Blocked by STP
    I 07/26/24 11:49:00 00435 ports: port 3 is Blocked by AAA
    I 07/26/24 11:48:59 00077 ports: port 3 is now off-line
    I 07/26/24 11:47:00 00076 ports: port 3 is now on-line
    I 07/26/24 11:47:00 00435 ports: port 3 is Blocked by STP
    I 07/26/24 11:46:50 00435 ports: port 3 is Blocked by AAA
    I 07/26/24 11:46:35 00077 ports: port 3 is now off-line
    I 07/26/24 11:44:38 00076 ports: port 3 is now on-line
    I 07/26/24 11:44:38 00435 ports: port 3 is Blocked by STP
    I 07/26/24 11:44:02 00435 ports: port 3 is Blocked by AAA
    I 07/26/24 11:43:57 00077 ports: port 3 is now off-line
    I 07/26/24 11:42:17 00076 ports: port 3 is now on-line
    I 07/26/24 11:42:17 00435 ports: port 3 is Blocked by STP
    I 07/26/24 11:42:08 00435 ports: port 3 is Blocked by AAA
    I 07/26/24 11:42:06 00077 ports: port 3 is now off-line
    I 07/26/24 11:42:06 00435 ports: port 3 is Blocked by AAA
    I 07/26/24 11:42:04 00077 ports: port 3 is now off-line
    I 07/26/24 11:42:04 00435 ports: port 3 is Blocked by AAA
    I 07/26/24 11:42:03 00077 ports: port 3 is now off-line
    I 07/26/24 11:38:54 00076 ports: port 3 is now on-line
    I 07/26/24 11:38:54 00435 ports: port 3 is Blocked by STP
    I 07/26/24 11:38:53 00435 ports: port 3 is Blocked by AAA
    I 07/26/24 11:38:42 00077 ports: port 3 is now off-line
    I 07/26/24 11:37:32 05385 auth: mac-pinning is enabled on port 3 for mac-based
    I 07/26/24 11:36:38 00435 ports: port 3 is Blocked by AAA
    I 07/26/24 11:30:51 05385 auth: mac-pinning is disabled on port 3 for mac-based

    These are the logs for port 3 since I disabled and enabled aaa auth.

    ============================================================================

    Another printer model is working fine, but we have more like this one.

    Thanks



    ------------------------------
    carabina5
    ------------------------------



  • 4.  RE: mac auth and printers not working
    Best Answer

    Posted Jul 30, 2024 05:09 AM

    From the logging (low log) it seems like the printer is dropping its connection. My suspicion is that the printer goes into power-save mode and drops from 1 Gbps to 100 Mbps to save power. In the show interface brief, you can see that when the printer is unreachable, it's connected at 100FDx; but I don't see the same when the printer is reachable. Please check when the printer is fully connected. If the printer drops from 1000FDx to 100FDx, the link is lost, and it's expected that the authorization on the port is removed.

    If you can check the power-saving settings in your printer, and (temporarily) disable them, you can verify if this is the reason. Fixing the port to 100FDx may help as well, if the printer switches between 1000FDx and 100FDx, but that is not guaranteed.



    ------------------------------
    Herman Robers
    ------------------------------
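
The reading of the switch log given in this answer (the link drops, then the port's authorization is removed) can be checked mechanically. The following Python is an added example, not part of the original posts: it parses log lines in the format shown in post 3, matches the port number exactly (the `incl "port 3"` filter also returned port 36), and reports how long each link-up period lasted. The function names are hypothetical and the input is assumed to be newest-first, as `show logging -r` prints it.

```python
import re
from datetime import datetime

# Log lines copied from the "show logging -r" excerpt in post 3 (newest first).
SAMPLE_LOG = """\
I 07/26/24 13:28:08 00076 ports: port 36 is now on-line
I 07/26/24 13:27:47 00077 ports: port 36 is now off-line
I 07/26/24 13:09:23 00435 ports: port 3 is Blocked by AAA
I 07/26/24 13:09:22 00077 ports: port 3 is now off-line
I 07/26/24 11:49:20 00076 ports: port 3 is now on-line
I 07/26/24 11:49:20 00435 ports: port 3 is Blocked by STP
I 07/26/24 11:49:00 00435 ports: port 3 is Blocked by AAA
I 07/26/24 11:48:59 00077 ports: port 3 is now off-line
I 07/26/24 11:47:00 00076 ports: port 3 is now on-line
I 07/26/24 11:46:50 00435 ports: port 3 is Blocked by AAA
I 07/26/24 11:46:35 00077 ports: port 3 is now off-line
I 07/26/24 11:44:38 00076 ports: port 3 is now on-line
"""

LINE_RE = re.compile(
    r"^\s*[A-Z] (?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"\d{5} ports: port (?P<port>\S+) is (?P<state>.+?)\s*$"
)

def parse_events(text):
    """Return (timestamp, port, state) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
            events.append((ts, m["port"], m["state"]))
    events.reverse()  # input is newest-first; keeps same-second order stable
    return sorted(events, key=lambda e: e[0])

def link_sessions(events, port):
    """Pair each on-line event with the next off-line event for one exact port."""
    sessions, up_since = [], None
    for ts, p, state in events:
        if p != port:  # exact match, so "3" never picks up "36"
            continue
        if state == "now on-line":
            up_since = ts
        elif state == "now off-line" and up_since is not None:
            sessions.append((up_since, ts, int((ts - up_since).total_seconds())))
            up_since = None
    return sessions

def blocked_after_link_loss(events, port, window=30):
    """Off-line timestamps followed by 'Blocked by AAA' within `window` seconds."""
    drops = [ts for ts, p, s in events if p == port and s == "now off-line"]
    blocks = [ts for ts, p, s in events if p == port and s == "Blocked by AAA"]
    return [d for d in drops
            if any(0 <= (b - d).total_seconds() <= window for b in blocks)]

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for up, down, secs in link_sessions(ev, "3"):
        print(f"port 3 up {up:%H:%M:%S} -> down {down:%H:%M:%S} ({secs} s)")
    print("drops followed by AAA block:", len(blocked_after_link_loss(ev, "3")))
```
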



  • 5.  RE: mac auth and printers not working

    Posted Jul 30, 2024 09:37 AM

    Thank you Herman.



    ------------------------------
    carabina5
    ------------------------------



  • 6.  RE: mac auth and printers not working

    Posted Sep 07, 2024 02:56 AM

    Hi All,

    After a long time of testing with different models and devices (not just printers), these are my conclusions:

     
    Printers and devices respond differently, so there are 3 commands on ProCurve devices that work (depending on the device):
    aaa port-access mac-based mac-pin
    aaa port-access 3 controlled-direction in
    aaa port-access mac-based 3 logoff-period 99999
    If anyone else encounters the problem, try these commands.


    ------------------------------
    carabina5
    ------------------------------



  • 7.  RE: mac auth and printers not working

    Posted Sep 07, 2024 02:57 AM

    Hi,

    Does anyone know the corresponding controls on the CX series?

    Thanks



    ------------------------------
    carabina5
    ------------------------------