Comware

 View Only
last person joined: 2 days ago 

Expand all | Collapse all

MAC auth on AP port blocking clients

This thread has been viewed 14 times
  • 1.  MAC auth on AP port blocking clients

    Posted Aug 31, 2022 05:56 AM
    Hi All,

    Switch 5130 (R3208P12)

    I've got MAC auth and 802.1X configured on my Comware switch with ClearPass being the Auth server. We have Aruba IAP with authentication configured on the switchports they're patched into.

    The issue is I'm seeing Wi-Fi clients connected to the APs failing MAC auth. We have no client limit set in the MAC auth config.

    Is this the expected behavior? Do I need to explicitly set a client limit?

    Cheers


  • 2.  RE: MAC auth on AP port blocking clients

    Posted Oct 28, 2023 04:56 AM

    any update for this issue ???????




  • 3.  RE: MAC auth on AP port blocking clients

    Posted Oct 29, 2023 06:12 AM

    Hi, from the description there could be a lot of reasons why you are seeing failing MAC Auth. You can narrow down the reason if you work out if some wifi users are auth'd and not others. On our 5130 we set a max, which protects against problems we've seen during user-induced-loops. However with nothing set the max should be very high. Setting a max of 2000 for a test would rule that out but I can't imagine it being an issue. On old procurve the default was a low number but not 5130.

    Using dis mac-authentication int g1/0/1 gives good clues. In particular the authentication attempts. A high failed figure suggests an auth server problem but also suggests an attempt to auth has happened. An example output below from a happy edge port with no max set.

    Double check traffic is sent to the port untagged. 

     GigabitEthernet1/0/1  is link-up
       MAC authentication               : Enabled
       Carry User-IP                    : Disabled
       Authentication domain            : mac_domain
       Auth-delay timer                 : Disabled
       Periodic reauth                  : Disabled
       Re-auth server-unreachable       : Logoff
       Guest VLAN                       : 3721
       Guest VLAN reauthentication      : Enabled
         Guest VLAN auth-period         : 30 s
       Critical VLAN                    : 3721
       Critical voice VLAN              : Disabled
       Host mode                        : Single VLAN
       Offline detection                : Disabled
       Authentication order             : Default
       User aging                       : Enabled
       Server-recovery online-user-sync : Disabled

       Auto-tag feature                 : Disabled
       VLAN tag configuration ignoring  : Disabled
       Max online users                 : 4294967295
       Authentication attempts          : successful 3754, failed 0
       Current online users             : 1
              MAC address       Auth state
              c442-680a-cf3a    Authenticated