Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

many 802.1x auth requests in short periods of time

  • 1.  many 802.1x auth requests in short periods of time

    Posted Sep 15, 2022 07:15 PM
    Hello everyone,

    A few users complain about repeatedly getting disconnected/reconnected from the network. I checked the Access Tracker and found many 802.1x auth requests in short periods of time.

    Here is the Flow and Configs

    Windows 10 PC behind Avaya IP phones

    1. User default token is unknown = VLAN 4 and session termination

    2. User will be healthy = VLAN 3 and bounce (health check interval is 10 hours) to not cause re-auth every 4-5 minutes

    3. Quarantine = VLAN 4 and session termination

    dot1x service

    Health Check only service

    Switch Port: VLAN 11 for voice and 3 for data

    MAC auth for IP phones and 802.1x for PCs

    interface 1/6
    name "U_9"
    tagged vlan 11
    untagged vlan 3
    aaa port-access authenticator
    aaa port-access authenticator tx-period 15
    aaa port-access authenticator supplicant-timeout 15
    aaa port-access authenticator client-limit 2
    aaa port-access authenticator cached-reauth-period 86400
    aaa port-access mac-based
    aaa port-access mac-based reauth-period 86400
    exit


    Any thoughts?


    ------------------------------
    BR,
    Mohanad
    ------------------------------
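An added example, not code from the post above or from ClearPass: a small Python script that reads an export of authentication events and flags clients that re-authenticated repeatedly inside a short window, which is the symptom reported here. The CSV layout (timestamp, username, mac, service, status) is a constructed simplification, not the real Access Tracker export schema, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in a simplified export layout (assumption: the real
# Access Tracker export has different column names; adapt parse_export to it).
SAMPLE_EXPORT = """\
timestamp,username,mac,service,status
2022-09-15 14:00:02,alice,00:11:22:33:44:01,dot1x,ACCEPT
2022-09-15 14:00:40,alice,00:11:22:33:44:01,dot1x,ACCEPT
2022-09-15 14:01:15,alice,00:11:22:33:44:01,dot1x,ACCEPT
2022-09-15 14:02:03,alice,00:11:22:33:44:01,dot1x,ACCEPT
2022-09-15 14:03:30,alice,00:11:22:33:44:01,dot1x,ACCEPT
2022-09-15 14:00:05,bob,00:11:22:33:44:02,dot1x,ACCEPT
2022-09-15 18:10:05,bob,00:11:22:33:44:02,dot1x,ACCEPT
2022-09-15 14:00:09,phone-1,00:11:22:33:44:03,mac-auth,ACCEPT
"""


def parse_export(csv_text):
    """Group event timestamps per (username, mac), sorted ascending."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        events[(row["username"], row["mac"])].append(ts)
    for ts_list in events.values():
        ts_list.sort()
    return events


def max_in_window(timestamps, window_minutes):
    """Largest number of events falling inside any window of the given length.

    Sliding two-pointer scan over the sorted timestamps, O(n)."""
    window = timedelta(minutes=window_minutes)
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_auth_storms(csv_text, window_minutes=5, threshold=3):
    """Return {client: {"max_in_window": n, "min_gap_s": s}} for clients that
    authenticated at least `threshold` times within `window_minutes`.

    A healthy client re-authenticating on its configured reauth-period should
    never get anywhere near this; a burst points at a port flap, a VLAN change
    the supplicant did not expect, or a bounce loop."""
    flagged = {}
    for client, ts_list in parse_export(csv_text).items():
        count = max_in_window(ts_list, window_minutes)
        if count >= threshold:
            gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
            flagged[client] = {"max_in_window": count, "min_gap_s": min(gaps)}
    return flagged


if __name__ == "__main__":
    for (user, mac), info in find_auth_storms(SAMPLE_EXPORT).items():
        print(f"{user} ({mac}): {info['max_in_window']} auths in 5 min, "
              f"shortest gap {info['min_gap_s']:.0f}s")
```

Run it against a real export after renaming the columns in parse_export; the shortest gap between auths is usually the most telling number, because it often lines up with a timer on the switch or in the enforcement profile.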


  • 2.  RE: many 802.1x auth requests in short periods of time

    Posted Sep 16, 2022 01:48 AM
    Why are you changing VLANs at all?  Why not use a local user role or downloadable user for each of the Posture states?  VLAN switching causes problems when the client does not know it needs to request a new IP address.


  • 3.  RE: many 802.1x auth requests in short periods of time

    Posted Sep 16, 2022 01:40 PM
    Thank you @ahollifield for your reply. Actually, I didn't implement this solution; I am completing a colleague's project. I'm trying to get management approval to change the solution to user roles.

    I had many issues related to DHCP after switching between VLANs, but after adding session termination and agent bounce profiles it is working fine for most of the users.

    Now I'm having 2 big issues.

    1- Users work fine for 3/4 hours, then get temporarily disconnected/reconnected from the network and send many 802.1x auth requests.

    2- Users not sending any auth requests. At restart they send an auth request and get access to the network, and I can see logs in Access Tracker. But I don't think it's a Windows 10 issue, because at the network adapter it's saying "attempting to authenticate" then "auth failed"; at the switch the log was "blocking by aaa the port xxx on-line". I have identical configs on the switches and GPO for Windows clients. I'm suspecting it's a switch issue because it's happening only on some switches; I will upgrade to 16.10.0022.


    ------------------------------
    BR,
    Mohanad
    ------------------------------



  • 4.  RE: many 802.1x auth requests in short periods of time

    EMPLOYEE
    Posted Sep 16, 2022 09:14 AM
    +1 on roles preferred over VLAN switching.

    Can you check on the switch, probably 'show logging -r' will give that data, if there are reasons there for the re-authentication?
    Do these 802.1X (re)authentications relate to WebAuths for the same client (and may a port bounce be triggered on every WebAuth)?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: many 802.1x auth requests in short periods of time

    Posted Sep 16, 2022 01:56 PM
    Hello @Herman Robers, I'm trying to get management approval to change the solution to user roles. VLAN switching was suggested by an Aruba partner in Egypt; I called them to discuss user roles over VLAN switching, and they told me VLAN switching worked fine for them and a lot of companies.

    On the switch I didn't see any flaps on the port, and in show port-access x/x clients I can see both the IP phones and the PCs are authenticated.

    Regarding 802.1X (re)authentications related to WebAuths: if the user is healthy it will not send any request before 10 hours. I changed the default 5 minute interval because it was causing many re-auths in the past, and I can confirm there are no WebAuth requests from the client during the 802.1x re-auth.




    ------------------------------
    BR,
    Mohanad
    ------------------------------



  • 6.  RE: many 802.1x auth requests in short periods of time

    Posted Sep 17, 2022 08:08 PM
    Hello

    Please correct me if I'm wrong

    I will create 2 user roles for healthy and quarantine users


    ------------ for healthy users------------
    Healthy users will get permit-all, with filtering done on the firewall as usual

    class ipv4 permit-all
    10 match ip any any

    policy user healthy_policy
    10 class ipv4 permit-all action permit

    aaa authorization user-role name healthy_user_role
    policy healthy_policy
    reauth-period 86400
    vlan-name users
    vlan-name-tagged voice


    ------------ for unhealthy users------------
    They will get limited access to DNS, DHCP, Symantec, domain, and WSUS

    class ipv4 internal_services
    10 match udp any 192.168.104.5/32
    20 match tcp any 192.168.104.5/32
    30 match udp any 192.168.104.6/32
    40 match tcp any 192.168.104.6/32
    50 match udp any 192.168.100.6/32
    60 match tcp any 192.168.100.6/32
    70 match tcp any 192.168.104.15/32 eq 8014
    80 match tcp any 192.168.104.15/32 eq 1688
    90 match tcp any 192.168.167.10/32 eq 443
    100 match tcp any 192.168.167.11/32 eq 443
    110 match tcp any 192.168.167.12/32 eq 443

    class ipv4 liveupdate
    10 match tcp any 152.195.132.156/32 eq 443
    20 match tcp any 152.195.132.120/32 eq 443

    policy user quarantine_policy
    10 class ipv4 internal_services action permit
    20 class ipv4 liveupdate action permit

    aaa authorization user-role name quarantine_user_role
    policy quarantine_policy
    reauth-period 86400
    vlan-name users
    vlan-name-tagged voice

    ------------ enforcement profile and policy------------


    ------------------------------
    BR,
    Mohanad
    ------------------------------



  • 7.  RE: many 802.1x auth requests in short periods of time

    EMPLOYEE
    Posted Sep 21, 2022 07:40 AM
    I think you missed the DHCP to 255.255.255.255 and to the client's subnet broadcast address. But further, if the listed IP addresses include all required services for a client to recover from quarantine, that looks good. Also make sure that ClearPass is reachable, OnGuard is port 6658, full port overview here, otherwise the client cannot post the new Posture status to ClearPass.

    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: many 802.1x auth requests in short periods of time

    Posted Sep 21, 2022 09:23 AM
    I have adjusted the class configs, because we have a FortiGate firewall for filtering

    class ipv4 "dns-dhcp"
    10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
    20 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67


    class ipv4 "cppm"
    10 match ip 0.0.0.0 255.255.255.255 192.168.167.10 0.0.0.0
    20 match ip 0.0.0.0 255.255.255.255 192.168.167.11 0.0.0.0
    30 match ip 0.0.0.0 255.255.255.255 192.168.167.12 0.0.0.0


    class ipv4 "liveupdate"
    10 match ip 0.0.0.0 255.255.255.255 152.195.132.156 0.0.0.0
    20 match ip 0.0.0.0 255.255.255.255 152.195.132.120 0.0.0.0


    class ipv4 "internal_services"
    10 match ip 0.0.0.0 255.255.255.255 192.168.104.5 0.0.0.0
    20 match ip 0.0.0.0 255.255.255.255 192.168.104.6 0.0.0.0
    30 match ip 0.0.0.0 255.255.255.255 192.168.100.6 0.0.0.0
    40 match ip 0.0.0.0 255.255.255.255 192.168.104.15 0.0.0.0


    If my DHCP servers are 192.168.104.5 and 192.168.104.6,
    will this class not work because the dest IP is 255.255.255.255?? Or must it be match udp any any eq 67?

    class ipv4 internal_services
    10 match udp any 192.168.104.5/32
    30 match udp any 192.168.104.6/32

    class ipv4 internal_services_ip     (only looking up to layer 3)
    10 match ip any 192.168.104.5/32
    30 match ip any 192.168.104.6/32


    ------------------------------
    BR,
    Mohanad
    ------------------------------



  • 9.  RE: many 802.1x auth requests in short periods of time

    EMPLOYEE
    Posted Sep 21, 2022 10:23 AM
    When clients first come on the network, they will send a DHCP request to 255.255.255.255, because they do not know the DHCP server's address. Either the DHCP server will respond (if it is in the same subnet/VLAN) or it will be forwarded and handled by an ip helper or dhcp relay (if the DHCP server is in a different subnet). The renewal of the IP will go directly to the DHCP server, so make sure the client can send DHCP to the global broadcast (255.255.255.255), the subnet's broadcast, and to the DHCP servers directly.

    ------------------------------
    Herman Robers
    ------------------------------
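An added example, not code from the thread or from ArubaOS-Switch, covering the quarantine classes in posts 6 and 8 and the DHCP flows listed in post 9: a small Python evaluator that parses the class ipv4 lines quoted above and checks whether each class would permit the DHCP discover to 255.255.255.255, the request to the subnet broadcast, and the unicast renewal to the server. Assumptions: the second word after an address is a wildcard mask as used on the page (0.0.0.0 = exact host, 255.255.255.255 = any), an eq after the destination is the destination port, and the client address 192.168.3.20 and subnet broadcast 192.168.3.255 are constructed.

```python
import ipaddress

# Class definitions quoted from the thread. The post 6 version matches only
# unicast UDP to the two DHCP servers; the post 8 version matches any UDP to
# port 53 or 67.
CLASS_POST6 = """\
class ipv4 internal_services
10 match udp any 192.168.104.5/32
30 match udp any 192.168.104.6/32
"""

CLASS_POST8 = """\
class ipv4 "dns-dhcp"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
20 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
"""

CLASS_POST8_CPPM = """\
class ipv4 "cppm"
10 match ip 0.0.0.0 255.255.255.255 192.168.167.10 0.0.0.0
20 match ip 0.0.0.0 255.255.255.255 192.168.167.11 0.0.0.0
30 match ip 0.0.0.0 255.255.255.255 192.168.167.12 0.0.0.0
"""

# Constructed DHCP flows (client address and subnet broadcast are assumptions),
# one per case named in post 9: proto, source, destination, destination port.
DHCP_FLOWS = {
    "discover_to_global_broadcast": ("udp", "0.0.0.0", "255.255.255.255", 67),
    "request_to_subnet_broadcast": ("udp", "192.168.3.20", "192.168.3.255", 67),
    "renew_unicast_to_server": ("udp", "192.168.3.20", "192.168.104.5", 67),
}


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return (predicate, next_index).

    Accepts 'any', CIDR ('a.b.c.d/32'), or 'a.b.c.d w.w.w.w' where the second
    word is a wildcard mask (assumption: same semantics as on the page)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if "/" in tok:
        net = ipaddress.ip_network(tok, strict=False)
        return (lambda ip, net=net: ip in net), i + 1
    base = int(ipaddress.ip_address(tok))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    keep = ~wild & 0xFFFFFFFF  # bits that must match exactly
    return (lambda ip, base=base, keep=keep: (int(ip) & keep) == (base & keep)), i + 2


def parse_class(text):
    """Return (class_name, [(seq, proto, src_pred, dst_pred, dst_port)])."""
    name, rules = None, []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "class":
            name = tokens[2].strip('"')
            continue
        seq, proto = int(tokens[0]), tokens[2]  # tokens[1] is "match"
        src, i = _parse_addr(tokens, 3)
        dst, i = _parse_addr(tokens, i)
        # Assumption: an "eq" after the destination is the destination port.
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        rules.append((seq, proto, src, dst, port))
    return name, rules


def first_match(rules, proto, src_ip, dst_ip, dst_port=None):
    """Sequence number of the first rule matching the packet, or None."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, rproto, src, dst, port in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (src(src_ip) and dst(dst_ip)):
            continue
        if port is not None and port != dst_port:
            continue
        return seq
    return None


def dhcp_coverage(class_text):
    """Map each DHCP flow to whether the class would permit it."""
    _, rules = parse_class(class_text)
    return {flow: first_match(rules, *pkt) is not None for flow, pkt in DHCP_FLOWS.items()}


if __name__ == "__main__":
    for text in (CLASS_POST6, CLASS_POST8):
        name, _ = parse_class(text)
        print(name, dhcp_coverage(text))
```

The post 6 class permits only the unicast renewal, so a quarantined client that has to obtain a fresh lease (for example after a bounce) never gets its discover through; the post 8 class permits all three flows, at the cost of allowing UDP/67 to any destination, which is the usual trade-off for a quarantine role. The same evaluator can be pointed at the cppm class to confirm OnGuard traffic to each ClearPass node is covered.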