Wired Intelligent Edge

  • 1.  MAC Authentication reauth period is different from configured value

    Posted Aug 22, 2024 03:21 AM

    Hi all,

    I am configuring wired NAC on the CX-6200 switch on firmware 10.13.1010. ClearPass authenticates the device through a device profile and returns a LUR back to the switch. There's a corresponding role on the switch with reauth-period set to 43200 sec (12 hr). The configuration for the role is shown below:

    port-access role SH-Device
        description Role for SH devices (e.g. Printer)
        associate policy Allow-all
        auth-mode client-mode
        trust-mode none
        reauth-period 43200
        vlan access 13

    The port is configured as shown below:

    interface 1/1/25
        no shutdown
        no routing
        vlan access 3999
        port-access onboarding-method precedence device-profile aaa
        aaa authentication port-access allow-cdp-bpdu
        aaa authentication port-access allow-lldp-bpdu
        aaa authentication port-access client-limit multi-domain 2
        aaa authentication port-access client-limit 2
        aaa authentication port-access critical-role No-NAC
        aaa authentication port-access dot1x authenticator
            max-eapol-requests 1
            max-retries 1
            reauth
            enable
        aaa authentication port-access mac-auth
            reauth
            enable
        client track ip enable
        exit

    The authentication is working and the device is placed into the correct VLAN. The issue is that the device reauthenticates every 10 minutes. I even added reauth-period 43200 under mac-auth on the port itself, but the result is still the same.

    Appreciate any advice.

    Thanks. 



  • 2.  RE: MAC Authentication reauth period is different from configured value

    Posted Aug 22, 2024 07:50 AM
    Edited by Holger Hasenaug Aug 22, 2024 07:52 AM

    You may use the following commands for troubleshooting:

    • Check the "Reauthentication Period" with this command:
    switch# show port-access clients interface <id> detail

    • Check the assigned and remaining value with these commands:
    switch# diag
    switch# diag-dump port-access

    Search for your client MAC address and the following values in the output. Here is an example:
     
            "pae-list": {
              "38:10:f0:36:06:98": {
    ...
                  "reAuthCount": 0,
                  "reAuthEnabled": "true",
                  "reAuthMax": 1,
                  "reAuthPeriod": 43200,
                  "reAuthWhen": 43178,
                  "reAuthenticate": "false",
                  "reauth_timer_state": 0,
     
     
    Take into account that reauthentication can also be initiated from the client side.




  • 3.  RE: MAC Authentication reauth period is different from configured value

    Posted Aug 22, 2024 07:37 PM

    Hi Holger

    Thanks for the reply and the steps. Appreciate it. 

    Both troubleshooting steps show that the reauth interval is 43200.

            "pae-list": {
              "1c:7d:22:5c:bc:15": {
    ...
                  "reAuthCount": 0,
                  "reAuthEnabled": "true",
                  "reAuthMax": 1,
                  "reAuthPeriod": 43200,
                  "reAuthWhen": 39046,
                  "reAuthenticate": "false",

    Notice that the device (printer) reauthenticates at a 10-minute interval, except for the latest entry, which has a gap of about 1.5 hours. That's when I was doing this troubleshooting grab. Interesting.




  • 4.  RE: MAC Authentication reauth period is different from configured value

    Posted Aug 23, 2024 03:15 AM

    Please be aware that printers tend to go into a sleep/power-saving mode when they are not in use, effectively stopping sending any traffic while asleep. Authentications only happen when the connected device sends traffic (on a regular basis).

    If this just happens to printers, it may be expected behavior. If the printer appears to be 'dropped' or unreachable from the network, have a look at mac-pinning to overcome that.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: MAC Authentication reauth period is different from configured value
    Best Answer

    Posted Aug 23, 2024 04:50 AM

    If the problem is caused by a silent printer, you will see log messages like the following every time the client is deauthenticated due to inactivity, which by default is 300 sec = 5 min of inactivity:

    2024-08-23T09:53:13.245770+02:00 Switch port-accessd[4483]: Event|10533|LOG_INFO|CDTR|1|Interface 1/1/10 is blocked by port-access.

    When the printer sends a new frame it is authenticated again:

    2024-08-23T09:59:03.329640+02:00 Switch port-accessd[4483]: Event|10534|LOG_INFO|CDTR|1|Interface 1/1/10 is unblocked by port-access.

    If you configure "port-access event-log client" you see a bit more:

    Deauthentication:

    2024-08-23T10:07:43.748530+02:00 Switch port-accessd[4483]: Event|10513|LOG_INFO|CDTR|1|Client with MAC address 38:10:f0:36:06:80 deleted on port 1/1/10.

    2024-08-23T10:07:43.750990+02:00 Switch port-accessd[4483]: Event|10533|LOG_INFO|CDTR|1|Interface 1/1/10 is blocked by port-access.

    Authentication:

    2024-08-23T10:16:58.014473+0200 port-accessd[4483] <INFO> Event|10512|LOG_INFO|CDTR|1|Client with MAC address 38:10:f0:36:06:80 learnt on port 1/1/10.

    2024-08-23T10:16:58.015359+0200 port-accessd[4483] <INFO> Event|10527|LOG_INFO|CDTR|1|MAC Authentication triggered for client 38:10:f0:36:06:80 on port 1/1/10 with ID 98 to server (cppm.example.info:1812, udp, vrf default).

    2024-08-23T10:16:58.032421+0200 port-accessd[4483] <INFO> Event|10528|LOG_INFO|CDTR|1|MAC Authentication succeeded for client 38:10:f0:36:06:80 on port 1/1/10 with ID 98 from server (cppm.example.info:1812, udp, vrf default).

    2024-08-23T10:16:58.033000+0200 ops-switchd[1146] <INFO> Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 30 is mapped to client 38:10:f0:36:06:80 on port 1/1/10

    2024-08-23T10:16:58.033029+0200 port-accessd[4483] <INFO> Event|10514|LOG_INFO|CDTR|1|Client with MAC address 38:10:f0:36:06:80 authorized on port 1/1/10 with role PRINTER.

    2024-08-23T10:16:58.033346+0200 port-accessd[4483] <INFO> Event|10534|LOG_INFO|CDTR|1|Interface 1/1/10 is unblocked by port-access.

    The deauthentication can be prevented by using what was called on AOS-S switches "MAC-pinning / logoff-period in user roles". On AOS-CX switches this is configured using the "client-inactivity timeout" in the user role, which you may set to "0" for printers.

    You may also have a look here: https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=76fa9f72-e114-453a-9930-018d634f945f&CommunityKey=22dc38ea-a1e1-4059-b55e-a622fedecf32&tab=librarydocuments
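    To turn the log pattern described in this answer into a repeatable check, here is an added example (not from the thread and not Aruba code) that parses port-accessd event lines in the format quoted above and measures the downtime between a client being deleted for inactivity (event 10513) and being authorized again (event 10514). The sample lines are constructed for this example; a downtime of a few minutes repeating for the same MAC points at a silent client hitting the client-inactivity timeout, not at the reauth-period.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the port-accessd event lines quoted in the
# thread; it deliberately mixes the "+02:00" and "+0200" timestamp variants.
SAMPLE_LOG = """\
2024-08-23T10:07:43.748530+02:00 Switch port-accessd[4483]: Event|10513|LOG_INFO|CDTR|1|Client with MAC address 38:10:f0:36:06:80 deleted on port 1/1/10.
2024-08-23T10:07:43.750990+02:00 Switch port-accessd[4483]: Event|10533|LOG_INFO|CDTR|1|Interface 1/1/10 is blocked by port-access.
2024-08-23T10:16:58.014473+0200 port-accessd[4483] <INFO> Event|10512|LOG_INFO|CDTR|1|Client with MAC address 38:10:f0:36:06:80 learnt on port 1/1/10.
2024-08-23T10:16:58.033029+0200 port-accessd[4483] <INFO> Event|10514|LOG_INFO|CDTR|1|Client with MAC address 38:10:f0:36:06:80 authorized on port 1/1/10 with role PRINTER.
2024-08-23T10:16:58.033346+0200 port-accessd[4483] <INFO> Event|10534|LOG_INFO|CDTR|1|Interface 1/1/10 is unblocked by port-access.
"""

# timestamp ... Event|<id>|<level>|<tag>|<n>|<message>
EVENT_RE = re.compile(r"^(\S+)\s.*?Event\|(\d+)\|[^|]*\|[^|]*\|[^|]*\|(.*)$")
CLIENT_RE = re.compile(r"Client with MAC address (\S+) (deleted|authorized) on port ([\d/]+)")


def parse_event(line):
    """Return (timestamp, event id, message) or None for non-event lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, event_id, msg = m.groups()
    ts = re.sub(r"([+-]\d{2})(\d{2})$", r"\1:\2", ts)  # "+0200" -> "+02:00"
    return datetime.fromisoformat(ts), int(event_id), msg


def inactivity_cycles(log_text):
    """Pair each 'deleted' event (10513) with the next 'authorized' event
    (10514) for the same MAC and port; return the downtime per cycle."""
    pending, cycles = {}, []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ts, event_id, msg = ev
        c = CLIENT_RE.search(msg)
        if not c:
            continue
        mac, action, port = c.groups()
        if event_id == 10513 and action == "deleted":
            pending[(mac, port)] = ts
        elif event_id == 10514 and (mac, port) in pending:
            gap = (ts - pending.pop((mac, port))).total_seconds()
            cycles.append({"mac": mac, "port": port, "downtime_s": round(gap)})
    return cycles
```

Feed it the output of "show logging" filtered for port-accessd; each entry in the result is one sleep/wake cycle of a client, so a printer that "reauthenticates every 10 minutes" shows up as a series of short downtimes rather than one event every reauth-period.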