Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Reauth on AP wired port not working

  • 1.  Reauth on AP wired port not working

    MVP EXPERT
    Posted Sep 20, 2022 11:07 AM
    Hi,
    I have an AP 503H that has a requirement to perform MAC-based auth on devices connected to Ethernet port E1 (controller running 8.10.0.3).

    In ClearPass I'm returning

    Aruba-User-Role: authenticated - i.e. using the default mobility controller "authenticated" role
    Session-Timeout = 3600
    Termination-Action = 1

    Tunnel-Medium-Type = 6
    Tunnel-Private-Group-Id = 333
    Tunnel-Type = 13

    So everything works in that the client is placed in VLAN 333 and gets an IP address via DHCP ... except ... I don't get a reauth time of 1 hour .. reauths seem to be fairly random.

    Normally use DUPs now so it's been a while doing it this way, but fairly convinced that it should work. The mobility controller is set to accept reauths from CPPM and recognise Termination-Action.

    The client in question is a baby NEOPI02 Ubuntu box.

    Am I missing anything?

    BTW, notice that 8.10.0.3 seems to have been pulled from asp.arubanetworks.com, certainly can't see it being available for download ... was there an issue with it?

    Rgds
    Alex





  • 2.  RE: Reauth on AP wired port not working

    Posted Sep 20, 2022 11:18 AM
    Does "show user mac <mac-address>" give you any detail about the session timeout received from ClearPass?

    ------------------------------
    ACNSA | ACEA | ACCP | ACMP
    ------------------------------



  • 3.  RE: Reauth on AP wired port not working

    MVP EXPERT
    Posted Sep 20, 2022 11:51 AM
    Yup

    Name: 02-01-7C-B3-A0-25, IP: 192.168.230.6, MAC: 02:01:7c:b3:a0:25, Age: 00:00:03
    Role: authenticated (how: ROLE_DERIVATION_MBA_VSA), ACL: 86/0
    Authentication: Yes, status: successful, method: 802.1x, protocol: PAP, server: cppmndvip
    Authentication Servers: dot1x authserver: , mac authserver: cppmndvip
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: ROLE_DERIVATION_MBA_VSA
    VLAN Derivation: MBA MSFT Attributes
    Idle timeout (global): 300 seconds, Age: 00:00:00
    Mobility state: Wired, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=1, vpnflags=0, u_stm_ageout=0
    Flags: innerip=0, outerip=0, vpn_outer_ind:0, download=1, wispr=0
    IP User termcause: 10
    phy_type: Wired, l3 reauth: 0, BW Contract: up:0 down:0, user-how: 1
    Vlan default: 333, Assigned: 333, Current: 333 vlan-how: 12 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, Flags=0x0
    SlotPort=0x1f, Port=0x1001f (tunnel 31)
    Essid: 192.168.4.6:0/1, Bssid: 00:00:00:00:00:00 AP name/group: ND-503H-1/NorthDalton OIAB Phy-type: Wired Forward Mode: tunnel
    AP IP: 192.168.4.6
    RadAcct sessionID:02-01-7C02017CB3A025-6329DF7B-68065
    RadAcct Traffic In 0/0 Out 0/0 (0:0/0:0:0:0,0:0/0:0:0:0)
    Timers: L3 reauth 0, mac reauth 3600 (Reason: Radius Server Session Timeout), dot1x reauth 0 (Reason: )
    Profiles AAA:ND-OIAB-AAA-Wired, dot1x:cotwmm_dot1_aut, mac:ND-OIAB-MAC-Auth CP:n/a def-role:'logon' via-auth-profile:''
    ncfg flags udr 0, mac 1, dot1x 1, RADIUS interim accounting 1
    IP Born: 1663688570 (Tue Sep 20 16:42:50 2022)
    Core User Born: 1663688570 (Tue Sep 20 16:42:50 2022)
    Upstream AP ID: 0, Downstream AP ID: 0
    User Agent String:
    L3-Auth Session Timeout from RADIUS: 0
    Mac-Auth Session Timeout Value from RADIUS: 3600




  • 4.  RE: Reauth on AP wired port not working

    EMPLOYEE
    Posted Sep 21, 2022 08:59 AM
    Please note that the reauth will only happen if the client sends any traffic. If the client is 'silent', it may take till the next packet that the client sends before the MAC reauth will happen.

    And have you enabled the reauthentication checkbox on the MAC Authentication profile? I can imagine that without it set, there is no reauth.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
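
The following is an added example, not code from any poster or from Aruba: it reads the MAC reauth timer out of the `show user mac` lines quoted in post 3, then models the behaviour described in post 4 to show why the observed reauth intervals look irregular for a quiet client. The packet timestamps are constructed, and the rule that the timer restarts from the moment the reauth actually fires is an assumption.

```python
import re

# Constructed excerpt: three lines copied from the "show user mac" output in post 3.
SHOW_USER = """\
Timers: L3 reauth 0, mac reauth 3600 (Reason: Radius Server Session Timeout), dot1x reauth 0 (Reason: )
L3-Auth Session Timeout from RADIUS: 0
Mac-Auth Session Timeout Value from RADIUS: 3600
"""

def mac_reauth_timer(text):
    """Return (timer_seconds, reason, radius_value) parsed from show-user output."""
    timers = re.search(r"mac reauth (\d+) \(Reason: ([^)]*)\)", text)
    radius = re.search(r"Mac-Auth Session Timeout Value from RADIUS: (\d+)", text)
    if not timers or not radius:
        raise ValueError("MAC reauth fields not found in output")
    return int(timers.group(1)), timers.group(2).strip(), int(radius.group(1))

def reauth_times(auth_time, timeout, packet_times):
    """Model of post 4: the timer expires `timeout` seconds after the last
    auth, but the reauth only fires on the first client packet at or after
    expiry. Assumption: the timer restarts when the reauth actually fires."""
    fired, last_auth = [], auth_time
    for t in sorted(packet_times):
        if t >= last_auth + timeout:
            fired.append(t)
            last_auth = t
    return fired

def observed_intervals(auth_time, timeout, packet_times):
    """Seconds between consecutive (re)authentications as seen in the RADIUS log."""
    events = [auth_time] + reauth_times(auth_time, timeout, packet_times)
    return [later - earlier for earlier, later in zip(events, events[1:])]

if __name__ == "__main__":
    timer, reason, radius_value = mac_reauth_timer(SHOW_USER)
    print(f"controller timer={timer}s reason={reason!r} radius={radius_value}s")

    chatty = range(60, 4 * 3600, 60)          # constructed: a packet every minute
    quiet = [500, 4100, 9000, 9100, 15000]    # constructed: mostly idle client
    print("chatty client intervals:", observed_intervals(0, timer, chatty))
    print("quiet client intervals: ", observed_intervals(0, timer, quiet))
```

If the parsed timer already matches the Session-Timeout from ClearPass, as it does in post 3, irregular intervals in the access tracker point at client traffic patterns rather than at the RADIUS attributes.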



  • 5.  RE: Reauth on AP wired port not working

    MVP EXPERT
    Posted Sep 21, 2022 09:29 AM
    Did wonder if the client snoozing would affect things. Yes, reauth enabled. As also to recognise the Termination-Action ... but will triple check.
