I'm glad that the problem has been solved.
You have correctly recognized that "port-access allow-flood-traffic" only works if the VLAN is not changed dynamically during authentication. Then the response packet from the device is used for authentication. This is useful if there are silent devices in the network that do not generate any network traffic themselves, but only answer requests. In our case, these were temperature sensors that did not even send ARP broadcasts. However, they were regularly queried by a server. So we configured the ports on the switch statically in the access VLAN and were able to authenticate the sensors using this feature.
Original Message:
Sent: Aug 02, 2024 02:01 PM
From: procopius1980
Subject: New Copiers Losing Network Access Due to Supplicant-Timeout
I apologize for the delay in writing back. I believe I have the issue resolved. On Friday, July 26, I went into Clearpass and made the following change to the printer's DUR. I happened to find the very document you referenced in your post. That is what led me to make the change. If I understand the caveats of "port-access allow-flood-traffic", that only works when the client device IP Address is part of the port's default vlan. If the client device is not part of that subnet, then this feature will not help. In this particular case, disabling client inactivity timeout within the DUR was all that was needed. Thank you!
Original Message:
Sent: Jul 29, 2024 06:59 AM
From: lord
Subject: New Copiers Losing Network Access Due to Supplicant-Timeout
The switch deletes the RADIUS session as soon as the client-inactivity timeout is reached. The solution is described in this post. You have to configure "client-inactivity timeout", allow "allow-flood-traffic" and activate "Client IP Tracker".
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jul 25, 2024 09:58 AM
From: procopius1980
Subject: New Copiers Losing Network Access Due to Supplicant-Timeout
That is a good thought as well, but unfortunately I can confirm the interface is not transitioning to a lower network speed. From a presently working copier, I can confirm the copiers negotiate at 1000 Mbps when working, and I can confirm that a non-working copier is still connected at the same speed. Here is the relevant output. At present, I am being told the copiers are not configured for any power saving settings. I'll see if I am able to get a copy of the credentials of the copier to verify that for myself.
Original Message:
Sent: Jul 25, 2024 03:45 AM
From: Herman Robers
Subject: New Copiers Losing Network Access Due to Supplicant-Timeout
Because the port seems to go down, what may be the reason is power-saving. I've seen some devices that drop from 1Gbps to 100 or 10 Mbps on their network interface to save power. Changing speed may drop the connection, and de-authenticate the client. You may have a look at the interface speed when the device is operational, and when it has dropped the connection.
You may check, disable or relax the power saving setting in your copier. Once you know the root-cause, you can think of the best solution.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jul 24, 2024 12:05 PM
From: procopius1980
Subject: New Copiers Losing Network Access Due to Supplicant-Timeout
Hello everyone, first time posting. I searched the archives for a similar thread before posting this. I have a customer with Aruba 6300M switches that is authenticating at the wired edge using both dot1x and mac-auth. We are using Clearpass (6.12.x) for RADIUS. Since we are still in the early phases of this transition, we transition the edge device into the generic "data" vlan provided the supplicant provides a MAC-Address if they do not meet more specific criteria, such as being a camera, phone, or access point. This worked really well until last week. The change is that the customer is having Xerox printers installed throughout their site. Immediately I received complaints that the copiers were randomly going offline (not reachable over the network). The workaround to the issue has been to either wait until the copier comes back online, or re-seat the network connection.
I initially confirmed the issue was dot1x/mac-auth related by taking a "control group" of printers and configuring their ports to statically assign the data vlan (so just basic vlan access 10, or whatever the VLAN is at that campus).
Here is a sample of what I am seeing in the switch logs. Thank you in advance for any help that can be provided.
Clearpass shows the re-auth each time the client drops, but nothing about why the client is dropping.
This is what I think is the most significant detail. The interface indicates the failure took place because the supplicant timed out. Is there a setting or a parameter that I can tweak to keep this from happening?
Here is the interface-configuration.