
New Copiers Losing Network Access Due to Supplicant-Timeout

  • 1.  New Copiers Losing Network Access Due to Supplicant-Timeout

    Posted Jul 24, 2024 12:06 PM

    Hello everyone, first time posting.  I searched the archives for a similar thread before posting this.  I have a customer with Aruba 6300M switches that is authenticating at the wired edge using both dot1x and mac-auth.  We are using Clearpass (6.12.x) for RADIUS.  Since we are still in the early phases of this transition, we transition the edge device into the generic "data" vlan provided the supplicant provides a MAC-Address if they do not meet a more specific criteria, such as being a camera, phone, or access point.  This has worked really well until last week.  The change is that the customer is having Xerox printers installed throughout their site.  Immediately I received complaints that the copiers were randomly going offline (not reachable over the network).  The workaround to the issue has been to either wait until the copier comes back online, or re-seat the network connection.  

    I initially confirmed the issue was dot1x/mac-auth related by taking a "control group" of printers and configuring their ports to statically assign the data vlan (so just basic vlan access 10, or whatever the VLAN is at that campus).

    Here is a sample of what I am seeing in the switch logs.  Thank you in advance for any help that can be provided.

    Clearpass shows the re-auth each time the client drops, but nothing about why the client is dropping.  

    This is what I think is the most significant detail.  The interface indicates the failure took place because the supplicant timed out.  Is there a setting or a parameter that I can tweak to keep this from happening?

    Here is the interface-configuration.



  • 2.  RE: New Copiers Losing Network Access Due to Supplicant-Timeout

    EMPLOYEE
    Posted Jul 24, 2024 07:37 PM

    The supplicant timeout is referring to dot1x that your Xerox printers are not using. So that is not relevant. 

    Perhaps the cause is that the printer is not being used and it goes to standby state. You can use mac-pinning commands for longer session timeout.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: New Copiers Losing Network Access Due to Supplicant-Timeout

    Posted Jul 25, 2024 09:53 AM

    Thank you for pointing that out.  A colleague and I went over this issue a few hours after I posted this, and that is the conclusion we came to as well.  The copier vendor claims there are no power settings presently configured.  We are still in the process of switching out the entire customer to Aruba switches.  I can confirm that the copiers stay online if they are connected to the previous vendor switches, and they stay online if I configure the Aruba switchport to a static vlan assignment.  I'll look into the mac-pinning commands to see if that helps.  I also have a TAC case opened.  Again, thank you for your time and information.




  • 4.  RE: New Copiers Losing Network Access Due to Supplicant-Timeout

    Posted Jul 25, 2024 03:46 AM

    Because the port seems to go down, what may be the reason is power-saving. I've seen some devices that drop from 1Gbps to 100 or 10 Mbps on their network interface to save power. Changing speed may drop the connection, and de-authenticate the client. You may have a look at the interface speed when the device is operational, and when it has dropped the connection.

    You may check, disable or relax the power saving setting in your copier. Once you know the root-cause, you can think of the best solution.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: New Copiers Losing Network Access Due to Supplicant-Timeout

    Posted Jul 25, 2024 09:59 AM

    That is a good thought as well, but unfortunately I can confirm the interface is not transitioning to a lower network speed.  From a presently working copier, I can confirm the copiers negotiate at 1000mbps when working, and I can confirm that a non-working copier is still connected at the same speed.  Here is the relevant output.  At present, I am being told the copiers are not configured for any power saving settings.  I'll see if I am able to get a copy of the credentials of the copier to verify that for myself.




  • 6.  RE: New Copiers Losing Network Access Due to Supplicant-Timeout
    Best Answer

    Posted Jul 29, 2024 06:59 AM

    The switch deletes the RADIUS session as soon as the client-inactivity timeout is reached. The solution is described in this post. You have to configure "client-inactivity timeout", allow "allow-flood-traffic" and activate "Client IP Tracker".



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: New Copiers Losing Network Access Due to Supplicant-Timeout

    Posted Aug 02, 2024 02:01 PM

    I apologize for the delay in writing back.  I believe I have the issue resolved.  On Friday, July 26, I went into Clearpass and made the following change to the printer's DUR.  I happened to find the very document you referenced in your post.  That is what led me to make the change.  If I understand the caveats of "port-access allow-flood-traffic", that only works when the client device IP Address is part of the port's default vlan.  If the client device is not part of that subnet, then this feature will not help.  In this particular case, disabling client inactivity timeout within the DUR was all that was needed.  Thank you!




  • 8.  RE: New Copiers Losing Network Access Due to Supplicant-Timeout

    Posted Aug 03, 2024 04:47 AM

    I'm glad that the problem has been solved.
    You have correctly recognized that "port-access allow-flood-traffic" only works if the VLAN is not changed dynamically during authentication. Then the response packet from the device is used for authentication. This is useful if there are silent devices in the network that do not generate any network traffic themselves, but only answer requests. In our case, these were temperature sensors that did not even send arp broadcasts. However, they were regularly queried by a server. So we configured the ports on the switch statically in the access vlan and were able to authenticate the sensors using this feature.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
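
The two approaches discussed in posts 6 to 8, sketched as an added AOS-CX configuration fragment (not taken from any participant's post or from the switch in question). The role name, interface number and VLAN 10 are placeholders, and Client IP Tracker is not shown; check each command against the CLI guide for the AOS-CX release in use.

```text
! Constructed example. PRINTER-EXAMPLE, 1/1/10 and VLAN 10 are placeholders.

! Approach A (post 7): role for MAC-authenticated copiers, defined locally
! or delivered from ClearPass as a DUR. With the inactivity timeout disabled,
! an idle copier keeps its authenticated session instead of being aged out.
port-access role PRINTER-EXAMPLE
    client-inactivity timeout none
    vlan access 10

! Approach B (posts 6 and 8): for silent devices that only answer requests.
! Useful only when the port already sits statically in the client's VLAN,
! i.e. authentication does not move the client to a different VLAN.
interface 1/1/10
    vlan access 10
    port-access allow-flood-traffic enable
    aaa authentication port-access mac-auth
        enable
```

With the inactivity timeout disabled, the session on that port persists while the device is idle, so scope the role to the copiers' profile only and rely on periodic re-authentication to re-check the device.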