I am part way through rolling out ClearPass across my Aruba campus network and a strange issue is starting to show up. I am getting reports from users around the site that they are being randomly dropped from the network for a few seconds, maybe 3 or 4 times a day. More and more people are reporting this and when I check the network switches I'm seeing something odd.
When I look at the ports of the affected users there are additional MAC addresses showing up. I have the client and address limit settings on the port to limit it to 2 devices, basically a VoIP phone and a PC. When I look at the switch I see 3 MAC addresses: the expected addresses getting the correct VLANs and then a third PC's MAC address getting put onto the visitor/fail through VLAN. If I increase the ClearPass client limit on the port I will get more spurious MAC addresses showing up on the port, all being assigned to the fail through VLAN. The MACs are not related to the client directly connected to the port, and there are no other devices connected to that port.
The MAC addresses appear to be real, in that the MAC vendor codes are real, but I cannot see them anywhere on our network. The users start picking up 2 gateways, one for the correct VLAN and one from the fail through VLAN or a 192.168.0.1. This effectively knocks them off the network. I have also seen them get a DNS server in the 192 range as well. I have no clue where it's coming from. I have DHCP snooping on my switches so I don't believe it's a local port with a home router plugged in or something.
Anyone any idea why ports with a single PC or a PC & phone plugged in will start randomly looking like I've plugged additional devices in? It seems to flip through them and the actual user gets disconnected for a few seconds. I've no clue why this is happening. I've rebooted the switches to get them up to the latest firmware levels just in case. Switches are Aruba 2930Ms and 5400s and ClearPass was updated a couple of months ago. Very odd.