Security

Long story short, dot1x is working. However, I would like to try and reduce the load on my CPPM server by figuring out why the ports are authenticating so often.

I had a very similar problem with my HP 1910/3com switches and the fix was to disable the multicast-trigger setting on all of the dot1x ports.

We just got this new switch to replace those switches and we're running into the same problem we were, but now I don't seem to be able to find a way to turn off multicast-triggers.

This is what the config on an example port looks like:

HP-2530-48G-PoEP(config)# display dot1x interface 2
 Equipment 802.1X protocol is enabled

 CHAP authentication is n/a
 Proxy trap checker is n/a
 Proxy logoff checker is n/a
 EAD quick deploy is n/a

 Configuration: Transmit Period     30 s,  Handshake Period      n/a
                Quiet Period        60 s,  Quiet Period Timer is n/a
                Supp Timeout        15 s,  Server Timeout        300 s
                Reauth Period     7200 s
                The maximal retransmitting times    2
 EAD quick deploy configuration:
                EAD timeout:   n/a

 The maximum 802.1X user resource number is n/a per slot
 Total current used 802.1X resource number is n/a

 2     is link-up
   802.1X protocol is enabled
   Proxy trap checker is   n/a
   Proxy logoff checker is n/a
   Handshake is n/a
   Handshake secure is n/a
   802.1X unicast-trigger is n/a
   Periodic reauthentication is enabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is n/a
   802.1X Multicast-trigger is n/a
   Mandatory authentication domain: n/a
   Guest VLAN: 0
   Auth-Fail VLAN: n/a
   Max number of on-line users is 8

   EAPOL Packet: Tx n/a, Rx n/a
   Sent EAP Request/Identity Packets : 317
        EAP Request/Challenge Packets: 914
        EAP Request/Challenge Packets: 914
   Received EAPOL Start Packets : 18
            EAPOL LogOff Packets: 0
            EAP Response/Identity Packets : 284
            EAP Response/Challenge Packets: 906
            Error Packets: 0

   Controlled User(s) amount to n/a

Can anyone help me out?

Did you follow the Solution Guide for Wired Policy Enforcement that contains validated configurations?

I was unaware it existed. 

Would this be the most recent version?

http://community.arubanetworks.com/t5/Security/ClearPass-Solution-Guide-Wired-Policy-Enforcement/td-p/298161

I'll give it a look.

OK- I gave that a read through, and we have a valid, but greatly simplified, Wired 802.1x config.

This config has been working for months exceptionally, and we've only run into authentication frequency issues with the introduction of this new switch. Our new switch is an Aruba 2530, which doesn't appear anywhere in the documentation I linked.

I guess I'm not sure what I'm missing if the answer is supposed to be in the Wired Policy Enforecement guide. Our configuration works, but the new switch just reauthenticates every 3 minutes to the second.

Best to work with Aruba TAC so they can debug in realtime.

Will do. Thanks for your time.