MAC auth on AP port blocking clients

  • 1.  MAC auth on AP port blocking clients

    Posted Aug 31, 2022 05:56 AM
    Hi All,

    Switch 5130 (R3208P12)

    I've got MAC auth and 802.1X configured on my Comware switch with ClearPass being the auth server. We have Aruba IAPs with authentication configured on the switchports they're patched into.

    The issue is I'm seeing Wi-Fi clients connected to the APs failing MAC auth. We have no client limit set in the MAC auth config.

    Is this the expected behavior? Do I need to explicitly set a client limit?

    Cheers


  • 2.  RE: MAC auth on AP port blocking clients

    Posted Oct 28, 2023 04:56 AM

    Any update on this issue?




  • 3.  RE: MAC auth on AP port blocking clients

    Posted Oct 29, 2023 06:12 AM

    Hi, from the description there could be a lot of reasons why you are seeing failing MAC Auth. You can narrow down the reason if you work out if some Wi-Fi users are auth'd and not others. On our 5130 we set a max, which protects against problems we've seen during user-induced loops. However, with nothing set the max should be very high. Setting a max of 2000 for a test would rule that out but I can't imagine it being an issue. On old ProCurve the default was a low number but not 5130.

    Using dis mac-authentication int g1/0/1 gives good clues. In particular the authentication attempts. A high failed figure suggests an auth server problem but also suggests an attempt to auth has happened. An example output below from a happy edge port with no max set.

    Double check traffic is sent to the port untagged. 

     GigabitEthernet1/0/1  is link-up
       MAC authentication               : Enabled
       Carry User-IP                    : Disabled
       Authentication domain            : mac_domain
       Auth-delay timer                 : Disabled
       Periodic reauth                  : Disabled
       Re-auth server-unreachable       : Logoff
       Guest VLAN                       : 3721
       Guest VLAN reauthentication      : Enabled
         Guest VLAN auth-period         : 30 s
       Critical VLAN                    : 3721
       Critical voice VLAN              : Disabled
       Host mode                        : Single VLAN
       Offline detection                : Disabled
       Authentication order             : Default
       User aging                       : Enabled
       Server-recovery online-user-sync : Disabled

       Auto-tag feature                 : Disabled
       VLAN tag configuration ignoring  : Disabled
       Max online users                 : 4294967295
       Authentication attempts          : successful 3754, failed 0
       Current online users             : 1
              MAC address       Auth state
              c442-680a-cf3a    Authenticated
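
The checks described in the reply above can be scripted against saved `display mac-authentication interface` output. This is an added example, not part of the original thread or any HPE tooling; the function names, the constructed sample, the "failed outnumber successes" threshold and the reading of zero attempts as a tagging problem are assumptions.

```python
import re

# Constructed sample: same field layout as the output above, values invented
# to show a port that is at its user limit and has many failed attempts.
SAMPLE = """\
 GigabitEthernet1/0/5  is link-up
   MAC authentication               : Enabled
   Max online users                 : 2
   Authentication attempts          : successful 10, failed 37
   Current online users             : 2
          MAC address       Auth state
          0011-2233-4455    Authenticated
          0011-2233-4466    Authenticated
"""

def parse_mac_auth(text):
    """Pull the fields the reply points at out of the display output."""
    info = {"users": []}
    for line in text.splitlines():
        if m := re.match(r"\s*(\S+)\s+is link-(up|down)", line):
            info["port"], info["link"] = m.group(1), m.group(2)
        elif m := re.match(r"\s*MAC authentication\s*:\s*(\S+)", line):
            info["enabled"] = m.group(1) == "Enabled"
        elif m := re.match(r"\s*Max online users\s*:\s*(\d+)", line):
            info["max_users"] = int(m.group(1))
        elif m := re.match(r"\s*Authentication attempts\s*:\s*successful (\d+), failed (\d+)", line):
            info["ok"], info["failed"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"\s*((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(.+?)\s*$", line, re.I):
            info["users"].append((m.group(1), m.group(2)))
    return info

def triage(info):
    """Apply the checks from the reply; returns a list of findings."""
    notes = []
    if not info.get("enabled"):
        notes.append("MAC authentication is not enabled on this port")
    ok, failed = info.get("ok", 0), info.get("failed", 0)
    if ok + failed == 0:
        # Assumption: no attempts at all means frames never reached MAC auth.
        notes.append("no authentication attempts: check frames arrive untagged")
    elif failed > ok:  # assumed threshold for a "high failed figure"
        notes.append("failed attempts outnumber successes: check the auth server")
    if "max_users" in info and len(info["users"]) >= info["max_users"]:
        notes.append("online users at configured maximum")
    return notes

if __name__ == "__main__":
    for note in triage(parse_mac_auth(SAMPLE)):
        print(note)
```

An empty list from `triage` corresponds to the "happy edge port" case shown in the reply.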