Please check the firmware version that you are running, and if that is recent. The Boot ROM version is different from the firmware version. Latest version at the moment is 16.10.0022.
For AOS Switch, it is expected that you see both MAC and 802.1X, and if you have a successful 802.1X that should override what you see from the MAC Authentication. Authentication indeed happens whenever a port is plugged (and it is released when you unplug the cable), although when you have an IP Phone in between, the link to the switch will not go down, so the switch will not re-auth when you plug in again. After a switch port bounce you will have a re-authentication, and if you logout/restart Windows it will probably do an 'EAP-Logoff' which unauthenticates the 802.1X session, and may do a MAC authentication afterwards. Some phones do, or can be configured to do, the EAP-Logoff 'on behalf of' the PC if you unplug the secondary port of the phone. If phone and PC are on separate ports, that is not an issue of course.
I would recommend checking the Wired Policy Enforcement (Solution Guide), which is available from the documentation portal, for the right configuration of your switch and ClearPass.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Sep 03, 2022 11:10 AM
From: Mohanad Abdelrazik
Subject: mac auth happens after successful 802.1x auth
Yes, all PCs are behind phones.
2920-24G-PoE+ Switch
Boot ROM Version: WB.16.01
This behavior is not for all users, only some of them.
GPO is the same for all 350 users.
The switch port config is for MAC and 802.1X, but I can also see different configs like the following (applied only on 50 ports):
aaa port-access authenticator 4/2 tx-period 10
aaa port-access authenticator 4/2 supplicant-timeout 10
I have another question about when auth happens. E.g., I come to the office in the morning, plug in the cable and successfully authenticate; after 2 hours I attend a meeting in a meeting room for 1 hour, then come back to my desk and plug in the cable, so I will re-auth, right?
So auth and re-auth happen after plug/unplug, switch port bounce, Windows restart/logoff?
------------------------------
BR,
Mohanad
Original Message:
Sent: Sep 02, 2022 10:36 AM
From: Herman Robers
Subject: mac auth happens after successful 802.1x auth
Are you using a PC behind a phone?
What type of switch is this? Looks like ArubaOS-Switch (2930/3810/5400). In most switches (either default, or by configuration) an 802.1X authentication should take precedence over MAC authentication. It could be that when a client 'drops' 802.1X (like logging out, switching off, going to sleep), MAC authentication takes over. If 802.1X authentication succeeds for a client, the MAC authentication should be ignored (in AOS-Switch).
What switch firmware are you running?
What does 'show port-access clients' show for that client? Or 'show port-access clients <port number> detail'?
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Sep 01, 2022 09:54 AM
From: Mohanad Abdelrazik
Subject: mac auth happens after successful 802.1x auth
We noticed that some users disconnect from the network. We checked the logs and found that MAC auth happens after a successful 802.1X auth; they get stuck and OnGuard is not known.
Users VLAN is 25
Voice VLAN is 13
Switch port configuration (for Avaya IP phones and laptops):
interface 1/4
   name "User_25"
   tagged vlan 13
   untagged vlan 25
   aaa port-access authenticator
   aaa port-access authenticator client-limit 2
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 2
   exit
Is there a way to not do MAC auth for the laptops? I know, because the switch port contains auth configs for both MAC & Dot1x.
------------------------------
BR,
Mohanad
------------------------------
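An added example, not part of any post in this thread and not Aruba or ClearPass code: one way to confirm from authentication logs which clients show the reported pattern, a MAC authentication following a successful 802.1X authentication on the same port. The CSV columns, the function name and the sample events are constructed assumptions; map them to whatever your RADIUS server exports.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample events (not a real ClearPass or switch export).
# Assumed columns: time, switch port, client MAC, auth method, result.
SAMPLE = """time,port,mac,method,result
2022-09-01T08:01:10,1/4,aa:bb:cc:00:00:01,dot1x,accept
2022-09-01T08:01:12,1/4,aa:bb:cc:00:00:99,mac,accept
2022-09-01T10:15:40,1/4,aa:bb:cc:00:00:01,mac,accept
2022-09-01T08:05:00,1/7,aa:bb:cc:00:00:02,dot1x,accept
2022-09-01T08:05:03,1/7,aa:bb:cc:00:00:02,dot1x,reject
2022-09-01T09:00:00,1/9,aa:bb:cc:00:00:03,mac,accept
2022-09-01T09:00:05,1/9,aa:bb:cc:00:00:03,dot1x,accept
"""

def find_mac_after_dot1x(csv_text, window=timedelta(hours=12)):
    """Return (port, mac, dot1x_time, mac_time) for each MAC-auth request that
    follows a successful 802.1X auth of the same client on the same port."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    last_dot1x_ok = {}  # (port, mac) -> time of the last successful 802.1X
    findings = []
    for r in rows:
        key = (r["port"], r["mac"].lower())
        ts = datetime.fromisoformat(r["time"])
        method = r["method"].lower()
        if method == "dot1x":
            if r["result"] == "accept":
                last_dot1x_ok[key] = ts
            else:
                # A failed 802.1X followed by MAC auth is ordinary fallback.
                last_dot1x_ok.pop(key, None)
        elif method == "mac" and key in last_dot1x_ok:
            if ts - last_dot1x_ok[key] <= window:
                findings.append((key[0], key[1], last_dot1x_ok[key], ts))
            del last_dot1x_ok[key]  # report each transition once
    return findings

if __name__ == "__main__":
    for port, mac, t1, t2 in find_mac_after_dot1x(SAMPLE):
        print(f"port {port} client {mac}: 802.1X accepted {t1}, MAC auth seen {t2}")
```

The phone on port 1/4 and the client on 1/9 (MAC auth first, 802.1X afterwards) are not reported; only the laptop whose MAC auth follows its own successful 802.1X is.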