If the problem is caused by a silent printer, you will see log messages like the following every time the client is deauthenticated due to inactivity, which by default is 300 sec = 5 min of inactivity:
2024-08-23T09:53:13.245770+02:00 Switch port-accessd[4483]: Event|10533|LOG_INFO|CDTR|1|Interface 1/1/10 is blocked by port-access.
When the printer sends a new frame it is authenticated again:
2024-08-23T09:59:03.329640+02:00 Switch port-accessd[4483]: Event|10534|LOG_INFO|CDTR|1|Interface 1/1/10 is unblocked by port-access.
If you configure "port-access event-log client", you see a bit more:
Deauthentication:
2024-08-23T10:07:43.748530+02:00 Switch port-accessd[4483]: Event|10513|LOG_INFO|CDTR|1|Client with MAC address 38:10:f0:36:06:80 deleted on port 1/1/10.
2024-08-23T10:07:43.750990+02:00 Switch port-accessd[4483]: Event|10533|LOG_INFO|CDTR|1|Interface 1/1/10 is blocked by port-access.
Authentication:
2024-08-23T10:16:58.014473+0200 port-accessd[4483] <INFO> Event|10512|LOG_INFO|CDTR|1|Client with MAC address 38:10:f0:36:06:80 learnt on port 1/1/10.
2024-08-23T10:16:58.015359+0200 port-accessd[4483] <INFO> Event|10527|LOG_INFO|CDTR|1|MAC Authentication triggered for client 38:10:f0:36:06:80 on port 1/1/10 with ID 98 to server (cppm.example.info:1812, udp, vrf default).
2024-08-23T10:16:58.032421+0200 port-accessd[4483] <INFO> Event|10528|LOG_INFO|CDTR|1|MAC Authentication succeeded for client 38:10:f0:36:06:80 on port 1/1/10 with ID 98 from server (cppm.example.info:1812, udp, vrf default).
2024-08-23T10:16:58.033000+0200 ops-switchd[1146] <INFO> Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 30 is mapped to client 38:10:f0:36:06:80 on port 1/1/10
2024-08-23T10:16:58.033029+0200 port-accessd[4483] <INFO> Event|10514|LOG_INFO|CDTR|1|Client with MAC address 38:10:f0:36:06:80 authorized on port 1/1/10 with role PRINTER.
2024-08-23T10:16:58.033346+0200 port-accessd[4483] <INFO> Event|10534|LOG_INFO|CDTR|1|Interface 1/1/10 is unblocked by port-access.
The deauthentication can be prohibited by using what was called on AOS-S switches "MAC-pinning / logoff-period in user roles". On AOS-CX switches this is configured using the "client-inactivity timeout" in the user role, which you may set to "0" for printers.
You may also have a look here: https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=76fa9f72-e114-453a-9930-018d634f945f&CommunityKey=22dc38ea-a1e1-4059-b55e-a622fedecf32&tab=librarydocuments
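As an added example (not code from this thread, from HPE Aruba, or from any switch tool), the following Python parses port-accessd event lines like the ones quoted above (a constructed sample is embedded) and pairs each "blocked" event with the next "unblocked" event on the same interface, so you can read off how long the port stayed blocked and estimate when the printer's last frame arrived, assuming the default 300 s client-inactivity timeout mentioned above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the port-accessd lines quoted above; both prefix
# variants seen there ("+02:00 Switch ...:" and "+0200 ... <INFO>") are included.
SAMPLE_LOG = """\
2024-08-23T09:53:13.245770+02:00 Switch port-accessd[4483]: Event|10533|LOG_INFO|CDTR|1|Interface 1/1/10 is blocked by port-access.
2024-08-23T09:59:03.329640+02:00 Switch port-accessd[4483]: Event|10534|LOG_INFO|CDTR|1|Interface 1/1/10 is unblocked by port-access.
2024-08-23T10:07:43.750990+02:00 Switch port-accessd[4483]: Event|10533|LOG_INFO|CDTR|1|Interface 1/1/10 is blocked by port-access.
2024-08-23T10:16:58.033346+0200 port-accessd[4483] <INFO> Event|10534|LOG_INFO|CDTR|1|Interface 1/1/10 is unblocked by port-access.
"""

EVENT_RE = re.compile(r"^(\S+)\s.*?Event\|(\d+)\|\w+\|CDTR\|\d+\|(.*)$")
BLOCK_RE = re.compile(r"Interface (\S+) is (blocked|unblocked) by port-access")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # %z accepts both "+02:00" and "+0200"


def parse_events(text):
    """Return [(timestamp, event_id, message)] for each port-accessd event line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), TS_FMT), int(m.group(2)), m.group(3)))
    return events


def blocked_intervals(events, inactivity_timeout=300):
    """Pair each 'blocked' (10533) with the next 'unblocked' (10534) per interface.
    authorized_seconds = time the port stayed unblocked before that block; last_frame_estimate
    assumes the block came from the client-inactivity timeout (300 s default)."""
    open_blocks, last_unblock, result = {}, {}, []
    for ts, _eid, msg in events:
        m = BLOCK_RE.search(msg)
        if not m:
            continue
        iface, state = m.groups()
        if state == "blocked":
            open_blocks[iface] = ts
        elif iface in open_blocks:
            start = open_blocks.pop(iface)
            prev = last_unblock.get(iface)
            result.append({
                "interface": iface, "blocked_at": start, "unblocked_at": ts,
                "blocked_seconds": round((ts - start).total_seconds(), 2),
                "authorized_seconds": None if prev is None else round((start - prev).total_seconds(), 2),
                "last_frame_estimate": start - timedelta(seconds=inactivity_timeout),
            })
            last_unblock[iface] = ts
    return result
```

On the sample, the port is blocked for 350 s and then 554 s, and the second authorized window lasts about 520 s, which matches a printer that sleeps shortly after each reauthentication rather than a 43200 s reauth period.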
Original Message:
Sent: Aug 23, 2024 03:15 AM
From: Herman Robers
Subject: MAC Authentication reauth period is different from configured value
Please be aware that printers tend to go into a sleep/power-saving mode when they are not in use, effectively stopping sending any traffic while asleep. Authentications only happen when the connected device sends traffic (on a regular basis).
If this just happens to printers, it may be expected behavior. If the printer appears to be 'dropped' or unreachable from the network, have a look at mac-pinning to overcome that.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Aug 22, 2024 07:37 PM
From: simon168
Subject: MAC Authentication reauth period is different from configured value
Hi Holger,
Thanks for the reply and the steps. Appreciate it.
Both troubleshooting steps show that the reauth interval is 43200.
"pae-list": {
    "1c:7d:22:5c:bc:15": {
        ...
        "reAuthCount": 0,
        "reAuthEnabled": "true",
        "reAuthMax": 1,
        "reAuthPeriod": 43200,
        "reAuthWhen": 39046,
        "reAuthenticate": "false",
Notice that the device (printer) reauthenticates at every 10 min interval except for the latest entry, which is about a 1.5 hr gap. That's when I was doing this troubleshooting grab. Interesting.
Original Message:
Sent: Aug 22, 2024 07:49 AM
From: Holger Hasenaug
Subject: MAC Authentication reauth period is different from configured value
You may use the following commands for troubleshooting:
- Check the "Reauthentication Period" with this command:
switch# show port-access clients interface <id> detail
- Check the assigned and remaining value with these commands:
switch# diag
switch# diag-dump port-access
Search for your client MAC address and the following values in the output. Here is an example:
"pae-list": {
    "38:10:f0:36:06:98": {
        ...
        "reAuthCount": 0,
        "reAuthEnabled": "true",
        "reAuthMax": 1,
        "reAuthPeriod": 43200,
        "reAuthWhen": 43178,
        "reAuthenticate": "false",
        "reauth_timer_state": 0,
Take into account that reauthentication can also be initiated from the client side.
Original Message:
Sent: Aug 22, 2024 03:21 AM
From: simon168
Subject: MAC Authentication reauth period is different from configured value
Hi all,
I am configuring wired NAC on the CX-6200 switch on firmware 10.13.1010. ClearPass authenticates the device through a device profile and returns a LUR back to the switch. There's a corresponding role on the switch with reauth-period set to 43200 sec (12 hr). The configuration for the role is shown below:
port-access role SH-Device
    description Role for SH devices (e.g. Printer)
    associate policy Allow-all
    auth-mode client-mode
    trust-mode none
    reauth-period 43200
    vlan access 13
#
The port is configured as shown below:
interface 1/1/25
    no shutdown
    no routing
    vlan access 3999
    port-access onboarding-method precedence device-profile aaa
    aaa authentication port-access allow-cdp-bpdu
    aaa authentication port-access allow-lldp-bpdu
    aaa authentication port-access client-limit multi-domain 2
    aaa authentication port-access client-limit 2
    aaa authentication port-access critical-role No-NAC
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 1
        max-retries 1
        reauth
        enable
    aaa authentication port-access mac-auth
        reauth
        enable
    client track ip enable
exit
The authentication is working and the device is placed into the correct VLAN. The issue is that the device reauthenticates at 10 min intervals. I even added reauth-period 43200 under mac-auth on the port itself, but the result is still the same.
Appreciate any advice.
Thanks.