Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba 2930m mac authentication problems

  • 1.  Aruba 2930m mac authentication problems

    Posted Nov 13, 2018 08:49 AM

    Hi community,

    We configured AAA 802.1X and MAC auth on the switch. As RADIUS server we use ClearPass 6.7. All devices work great, both with 802.1X EAP-PEAP and MAC auth.
    But we have an alarm system that we want to authenticate via MAC. Once 802.1X and MAC auth are enabled on the ports of the alarm, the switch doesn't see a MAC on the port: the port status is up, but the switch doesn't see a MAC.


    It does not show up in either of these commands:
    show mac-address
    show port-access clients

    What could be the reason?

    If you switch off the authentication on these ports, the alarm system works again.

    It is an Aruba 2930m switch with the firmware version: WC.16.07.0002

     

    Thanks



  • 2.  RE: Aruba 2930m mac authentication problems

    MVP GURU
    Posted Nov 21, 2018 07:27 AM

    What alarm do you have?



  • 3.  RE: Aruba 2930m mac authentication problems

    Posted Apr 08, 2019 08:32 AM

    We are facing the same issues with printers and some security ACUs (controllers that connect to door card readers). Since these devices are not very chatty, our assumption is that they reach the logoff period timer, get unauthenticated, but then are not allowed to reauth. Documentation seems to state that broadcast ARP should be allowed on unauthenticated ports (even with MAC/802.1X turned on), but as mentioned, the only way to regain proper network connectivity is to remove NAC, let the device connect back in, and then re-NAC the port. Obviously, we cannot do this across all our sites at all times. We have a case open with TAC, but so far their recommendation is a workaround that is not adequate for our network.

     

     



  • 4.  RE: Aruba 2930m mac authentication problems

    Posted Apr 08, 2019 08:46 AM

    To force the non-chatty clients to talk to the network you can enable IP client tracker; this will poll the client on a regular basis.

    Please set the probe delay to a value so that it probes before the client reaches the logoff period (for example a 30 minute logoff period and a 10 minute probe delay).



  • 5.  RE: Aruba 2930m mac authentication problems

    Posted Apr 08, 2019 09:00 AM

    I was looking into that possibility Fabian, but when we first deployed our Aruba 2930m's (on firmware 16.05.011), IP tracker had issues with losing pings on uplinks with switches having multiple VLANs. We are currently running 16.07.02, which still has the issue, but I noticed the new release notes for the latest code 16.08.02 seem to have it fixed:

     

    IP Client Tracker
    CR_0000246816
    Symptom: In certain conditions, the switch may experience some packet loss on uplink ports.
    Scenario: When IP client-tracker is enabled on an L2 switch where clients are connected on different VLANs that have dhcp-relay configured, if the VLANs communicate with each other using a router on the uplink port, some packet loss occurs.
    Workaround: Enable IP client-tracker with the trusted option, using the CLI command ip client-tracker trusted.

     

    I can definitely lab this and test out the value as you mentioned, but it will be a while before we apply this across the network.

     

    Thanks for the info



  • 6.  RE: Aruba 2930m mac authentication problems

    Posted Apr 08, 2019 09:12 AM

    I've applied this on my test switch, but just as an FYI, probe delay is maxed out at 300 seconds. It cannot be longer. I will try it at that to start and play around with the settings.

     

    Thanks again for the info!
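A timer model of what posts 4 to 6 describe, added here as an illustration and not code from the thread or from HPE Aruba: it shows why a quiet device drops off when the logoff period expires unless a client-tracker probe it answers arrives first, and it enforces the 300 second probe-delay cap from post 6. Endpoint, probe_delay_for and session_survives are hypothetical helpers, and the timer values are constructed, not switch defaults.

```python
"""Logoff-period vs. client-tracker probe model (added example, not from the thread).
Assumptions: the logoff timer restarts whenever the switch sees a frame from the
client, and a tracker probe that the client answers counts as such a frame."""
from dataclasses import dataclass

PROBE_DELAY_MAX = 300  # seconds; the cap reported in post 6


@dataclass
class Endpoint:
    name: str
    talk_interval: int           # seconds between frames the device sends on its own
    answers_probes: bool = True  # False models a device that never answers probes


def probe_delay_for(logoff_period):
    """Pick a probe delay well below the logoff period (one third, as in the
    30 min / 10 min example of post 4), clamped to the switch maximum."""
    return min(PROBE_DELAY_MAX, max(1, logoff_period // 3))


def session_survives(ep, logoff_period, probe_delay=None, horizon=86400):
    """Return (True, None) if the MAC-auth session is still up after `horizon`
    seconds, or (False, t) where t is the second the logoff timer expired.
    probe_delay=None means the client tracker is disabled."""
    if probe_delay is not None and not 0 < probe_delay <= PROBE_DELAY_MAX:
        raise ValueError("probe-delay must be 1..%d seconds" % PROBE_DELAY_MAX)
    last_seen = 0                 # when the switch last saw traffic from ep
    next_talk = ep.talk_interval  # next frame the device sends by itself
    next_probe = probe_delay      # next tracker probe (None: no tracker)
    while True:
        expiry = last_seen + logoff_period
        t_traffic = min(next_talk, next_probe if next_probe is not None else float("inf"))
        if min(expiry, t_traffic) > horizon:
            return True, None
        if expiry < t_traffic:    # nothing arrived in time: client gets unauthenticated
            return False, expiry
        if t_traffic == next_probe:
            if ep.answers_probes:
                last_seen = t_traffic
            next_probe += probe_delay
        if t_traffic == next_talk:
            last_seen = t_traffic
            next_talk += ep.talk_interval


if __name__ == "__main__":
    alarm = Endpoint("alarm panel", talk_interval=3600)  # constructed: talks once an hour
    for delay in (None, probe_delay_for(1800)):
        print("probe-delay", delay, "->", session_survives(alarm, 1800, delay))
```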



  • 7.  RE: Aruba 2930m mac authentication problems

    MVP GURU
    Posted Apr 08, 2019 09:17 AM

    There is a new option for this with the last firmware (but I don't remember the name...)

    It is for keeping MAC address info



  • 8.  RE: Aruba 2930m mac authentication problems

    Posted Apr 08, 2019 10:32 AM

    I think you mean mac-pinning, it basically sets the logoff period and re-auth timer to 0 so it will stick the MAC to the port until it goes physically down

     



  • 9.  RE: Aruba 2930m mac authentication problems

    MVP GURU
    Posted Apr 08, 2019 10:40 AM

    @Fabian Klaring wrote:

    I think you mean mac-pinning, it basically sets the logoff period and re-auth timer to 0 so it will stick the MAC to the port until it goes physically down

     


    Yes !



  • 10.  RE: Aruba 2930m mac authentication problems

    Posted Apr 08, 2019 11:24 AM

    MAC pinning was the suggestion made by TAC, but we cannot take the chance of implementing it. Since it sticks even after reboot, it could be disastrous for our remote sites, as we use some Pharos devices that allow for badge logins on printers. These devices somehow take over other MACs, and sometimes have taken over our router MAC and would take a site down. A simple reboot would fix the issue until the next time. We have tickets open with the company but they have yet to find a resolution. This happens on both Cisco and Aruba switching. But because of that behavior, we cannot use mac-pin on those ports, as in the event it takes over the router MAC, we will no longer have remote access to our site and even a local reboot of the hardware would not release it. We would have to modify the addr-limit value on individual ports, but in some rare cases we have unmanaged switches uplinked to the switch that may have those printers connected to it, which again is just bad news for us.

     

    I will be testing client tracker on the new version and see if that fixes the issue. 

     

    Thanks all for the comments



  • 11.  RE: Aruba 2930m mac authentication problems

    Posted Nov 28, 2020 02:29 PM
    I'm facing the same issue.
    I enabled ip client-tracker probe-delay 150 and ip client-tracker (tried this, but also trusted and untrusted), but I can't see any periodic probes being sent by the switch.
    It sends one the first time I connect, and then stays silent.
    Am I missing something here?

    ------------------------------
    Ricardo Duarte
    ------------------------------