Hello

Has anyone seen this behaviour and found the source of it? Not sure if it is switch or ClearPass related, but it uses up Access Licenses and pushes the total license count of our customer above the maximum licenses they bought...

They have a ClearPass setup with Aruba A-OS and OS-CX switches and see the following behaviour on both switches:

When a Windows 10/11 domain client with a USB-C docking station is connected, sometimes the switchport sees multiple (random?) mac-addresses and triggers authentication. The client is directly connected to the switch and authenticates correctly with dot1x. We don't see the mac-addresses that the switch sees on the Windows clients.

With "sometimes", I mean this behaviour is not always present for all clients and is sometimes gone after a client reboot (port shut/no shut).

I have tried replicating this and was first thinking the USB-C dockings are the root cause, but the issue is seen on multiple vendors/types of dockings.

This is an example of the mac-addresses seen alongside the dot1x authentication:
# show port-access clients 16
Port Access Client Status
 Port Client Name    MAC Address   IP Address      User Role         Type  VLAN
 ---- -------------- ------------- --------------- ----------------- ----- ----
 16                  000000-17df02 n/a                               8021X
 16                  000000-180de9 n/a                               8021X
 16                  000000-1828e5 n/a                               8021X
 16                  203230-30204f n/a                               8021X
 16                  400001-000000 n/a                               8021X
 16                  4297ef-7ed70f n/a                               8021X
 16   Kristel.Ae...  84a93e-235389 n/a                               8021X 3
 16                  9c004c-002f0c n/a                               8021X
 16   00000017df02   000000-17df02 n/a                               MAC
 16   000000180de9   000000-180de9 n/a                               MAC
 16   0000001828e5   000000-1828e5 n/a                               MAC
 16   02313007696e   023130-07696e n/a                               MAC   22
 16   0a030a2f0088   0a030a-2f0088 n/a                               MAC   22
 16   400001000000   400001-000000 n/a                               MAC
 16   4297ef7ed70f   4297ef-7ed70f n/a                               MAC
 16   447754754562   447754-754562 n/a                               MAC   22
 16   9c004c002f0c   9c004c-002f0c n/a                               MAC
 16   d66b73c6ae57   d66b73-c6ae57 n/a                               MAC   22
 16   fc0303c62575   fc0303-c62575 n/a                               MAC   22
This is the port config on the A-OS switch:

interface 16
   name "1.9.08 - BH -"
   tagged vlan 40
   untagged vlan 254
   lldp enable-notification
   aaa port-access authenticator
   aaa port-access authenticator max-requests 1
   aaa port-access authenticator client-limit 2
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 5
   aaa port-access mac-based logoff-period 28800
   aaa port-access mac-based unauth-vid 22
   spanning-tree bpdu-protection
   exit

and this is the config on the OS-CX switch:

interface 2/1/18
    description LAN_Clients
    no shutdown
    no routing
    vlan access 254
    rate-limit broadcast 300 pps
    spanning-tree bpdu-guard
    aaa authentication port-access client-limit 2
    aaa authentication port-access critical-role GUEST-VLAN
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 3
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        reauth-period 28800
        enable
    loop-protect
    exit

Kind regards
Wouter
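An added helper for triaging this kind of output (my own example, not code from the thread or from Aruba/HPE): it parses "show port-access clients" text in the layout shown above, counts how many client entries each port holds (every entry consumes a ClearPass license), and flags MACs that cannot be a vendor-assigned NIC address, i.e. an all-zero OUI or the locally administered bit set, which is what most of the unexplained entries on port 16 have in common. The sample below is a constructed subset of the post's output plus one invented row (port 17, "jdoe", 3c970e-1a2b3c).

```python
import re
from collections import defaultdict

# Constructed sample in the "show port-access clients" layout (subset of the
# post's port 16 output plus one made-up healthy row on port 17).
SAMPLE = """\
 Port Client Name    MAC Address   IP Address      User Role         Type  VLAN
 ---- -------------- ------------- --------------- ----------------- ----- ----
 16                  000000-17df02 n/a                               8021X
 16   Kristel.Ae...  84a93e-235389 n/a                               8021X 3
 16   000000180de9   000000-180de9 n/a                               MAC
 16   02313007696e   023130-07696e n/a                               MAC   22
 16   447754754562   447754-754562 n/a                               MAC   22
 17   jdoe           3c970e-1a2b3c n/a                               8021X 10
"""

# ArubaOS prints MACs as xxxxxx-xxxxxx; the client-name column has no dash.
MAC_RE = re.compile(r"\b([0-9a-f]{6})-([0-9a-f]{6})\b")


def parse_clients(text):
    """Return a list of (port, mac, auth_type) for each client row."""
    rows = []
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m or not line.strip()[:1].isdigit():
            continue  # header, separator or blank line
        port = line.split()[0]
        mac = m.group(1) + m.group(2)
        auth = "MAC" if re.search(r"\bMAC\b", line[m.end():]) else "8021X"
        rows.append((port, mac, auth))
    return rows


def is_suspect(mac):
    """True for an all-zero OUI or a locally administered address (bit 1 of octet 0)."""
    return mac[:6] == "000000" or bool(int(mac[:2], 16) & 0x02)


def report(rows, max_expected=2):
    """Per port: entry count (licenses used), suspect MACs, and whether it exceeds max_expected."""
    per_port = defaultdict(list)
    for port, mac, auth in rows:
        per_port[port].append((mac, auth))
    result = {}
    for port, entries in per_port.items():
        suspects = sorted({mac for mac, _ in entries if is_suspect(mac)})
        result[port] = {"entries": len(entries), "suspect": suspects,
                        "over_limit": len(entries) > max_expected}
    return result


if __name__ == "__main__":
    for port, info in sorted(report(parse_clients(SAMPLE)).items()):
        print(port, info)
```

Run it against the full output of "show port-access clients" to get a per-port list of entries that are eating licenses without being a real NIC.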
No unmanaged layer2 switch here right? Any VMs on this endpoint? I have also seen some video conference applications doing this. Updated drivers on the USB dongle?
No unmanaged switch for sure and no VMs on the endpoints.

Did not check USB docking drivers yet, but since multiple make/models are infected, I doubt this will be the issue. Although, we will check this to be sure.

The conference applications will be checked, thanks for the tip!
As it looks, incoming and outgoing packets are authenticated on the A-OS switch. By default direction-mode both is enabled.
You need to change this, use the command "aaa port-access 16 controlled-direction in". This will only authenticate packets that the client sends into the switch.
Check the config with "sh port-access config".

In my example, ports 1, 2, 3 and 8 are set to direction "in". Ports 4-7 and 9-10 are set to direction "both".
SW01# sh port-access config
Port Access Status Summary
  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Use LLDP data to authenticate [No] : No
  Dot1X EAP Identifier Compliance [Disabled] : Disabled
  Allow incremental EAP identifier only [Disabled] : Disabled

        802.1X  802.1X   Web      Mac      LMA   Cntrl Mixed    Speed
  Port  Supp    Auth     Auth     Auth     Auth  Dir   Mode     VSA   MBV
  ----- ------- -------- -------- -------- ----- ----- -------- ----- ---
  1     No      No       No       No       No    in    No       No    Yes
  2     No      Yes      No       Yes      No    in    No       No    Yes
  3     No      No       No       No       No    in    No       No    Yes
  4     No      No       No       No       No    both  No       No    Yes
  5     No      No       No       No       No    both  No       No    Yes
  6     No      No       No       No       No    both  No       No    Yes
  7     No      No       No       No       No    both  No       No    Yes
  8     No      No       No       No       No    in    No       No    Yes
  9     No      No       No       No       No    both  No       No    Yes
  10    No      No       No       No       No    both  No       No    Yes
Hi Lord,

I don't think you understand the functionality of the command "aaa port-access <int> controlled-direction in"; this only allows egress traffic to the client without the client being authenticated.

The authentication of the MAC-address is done because the switch sees these mac-addresses as connected to this port. Unless this would be a bug, but since we see this on both A-OS and OS-CX switches, I don't think that is the case.
Hi Wouter,

You are right, I did not use the command for a while. I looked in the guide and tried it in the lab, and the command behaves as you describe.
The question is what is causing the problem. If there were a bug, the problem would occur on AOS switches or CX switches, but not on both models at the same time.
Do you see the mac addresses on the switch on other ports as well? Or on the Windows PC in the ARP cache or with Wireshark?
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.