Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

CPPM 6.8: Certain computers are skipping 802.1x service and going straight to MAC-Auth service

This thread has been viewed 25 times

  • 1.  CPPM 6.8: Certain computers are skipping 802.1x service and going straight to MAC-Auth service

    Posted Feb 24, 2020 09:54 AM

    Hello,

     

    I'm running into a strange issue with a handful of computers (all Windows 10).

     

    The computers will pass over my 802.1x service. The computers will then be placed in the untrusted VLAN per my MAC-Auth service.

     

    The 802.1x service is only checking computer certificates (machine auth). If I do a Bounce Switch Port, then the devices will hit the correct 802.1x service and get placed in the correct VLAN.

     

    The strange thing is, its only a handful of computers that are doing this. I've tried changing ports, removing the machines from AD and rebinding, forcing new certificates etc. I can't figure out why they are passing over the 802.1x service.

     

    This only seems to happen in the morning when the user logs in to their machine. I'm seeing an error message in the MAC-Auth log too:

    ERROR Core.MacAuthSessionQueryEventHandler - Failed to get MacAuth session info for [mac address]

     

    I'm happy to provide full logs or information on the services in question. I'm just curious what would cause this to happen in general. Other machines on the same switches (Aruba 2530) are authentication with no problems. The certificates are requested by all of the machines via GPO and there does not seem to be any similarities between the machines other than we only buy Dell endpoints.

     

    Thank you in advance

     



  • 2.  RE: CPPM 6.8: Certain computers are skipping 802.1x service and going straight to MAC-Auth service

    Posted Feb 24, 2020 11:27 AM

    Hi,

     

    The computers go through the 802.1x service first and then receive unauth vlan from the mac auth service ok?

     

    Do computers receive a reject on 802.1x service? If yes, they received [machine authentication] role?

     

    Could you print the two access tracker inputs? (802.1x and MAC-AUTH)

     

     



  • 3.  RE: CPPM 6.8: Certain computers are skipping 802.1x service and going straight to MAC-Auth service

    Posted Feb 24, 2020 11:36 AM

    Hello,

     

    The computers don't even hit the 802.1x service. There is no reject.

     

    Again, if I run a change status on the MAC-Auth request that they DO hit, then they'll see the 802.1x service perfectly fine and authenticate to the network. This is a certificate based EAP-TLS authentication using certificates generated from an ADCS server.

     

    Here is the MAC-Auth access tracker input:

    Spoiler
    Username: 	
1866da1691ea
End-Host Identifier: 	
18-66-da-16-91-ea
(Computer / Windows / Windows 10)
Access Device IP/Port: 	
10.101.5.29:33
(phx-accsw-clock1 / Hewlett-Packard-Enterprise)
 
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement 	A
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement 	0x011a0000000b19 [.......]
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement 	0x011a0000000b2e [.......]
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement 	8
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement 	0x011a0000000b30 [......0]
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement 	Q
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement 	@
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement 	0x011a0000000b3d [......=]
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement 	0x011a0000000b18 [.......]
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement 	:
Radius:Hewlett-Packard-Enterprise:HPE-Capability-Advertisement 	0x011a0000000b28 [......(]
Radius:IETF:Called-Station-Id 	50-65-f3-94-19-df
Radius:IETF:Calling-Station-Id 	18-66-da-16-91-ea
Radius:IETF:Connect-Info 	CONNECT Ethernet 1000Mbps Full duplex
Radius:IETF:Framed-MTU 	1492
Radius:IETF:Framed-Protocol 	1
Radius:IETF:NAS-Identifier 	[removed]
Radius:IETF:NAS-IP-Address 	10.101.5.29
Radius:IETF:NAS-Port 	33
Radius:IETF:NAS-Port-Id 	33
Radius:IETF:NAS-Port-Type 	15
Radius:IETF:Service-Type 	10
Radius:IETF:User-Name 	1866da1691ea
Radius:Microsoft:MS-RAS-Vendor 	11
 
Authorization:[Endpoints Repository]:Category 	Computer
Authorization:[Endpoints Repository]:Conflict 	false
Authorization:[Endpoints Repository]:Device Name 	Windows 10
Authorization:[Endpoints Repository]:Hostname 	[removed]
Authorization:[Endpoints Repository]:OS Family 	Windows
Authorization:[Endpoints Repository]:Other Category 	
Authorization:[Endpoints Repository]:Other Device Name 	
Authorization:[Endpoints Repository]:Other OS Family 	
Authorization:[Endpoints Repository]:StaticIp 	false
 
Authentication:ErrorCode 	0
Authentication:Full-Username 	1866da1691ea
Authentication:Full-Username-Normalized 	1866da1691ea
Authentication:MacAuth 	KnownClient
Authentication:OuterMethod 	MAC-AUTH
Authentication:Posture 	Unknown
Authentication:Source 	[Endpoints Repository]
Authentication:Status 	MAB
Authentication:Username 	1866da1691ea
Authorization:Sources 	[Endpoints Repository]
Connection:Client-Mac-Address 	18-66-da-16-91-ea
Connection:Client-Mac-Address-Colon 	18:66:da:16:91:ea
Connection:Client-Mac-Address-Dot 	1866.da16.91ea
Connection:Client-Mac-Address-Hyphen 	18-66-da-16-91-ea
Connection:Client-Mac-Address-NoDelim 	1866da1691ea
Connection:Client-Mac-Address-Upper-Hyphen 	18-66-DA-16-91-EA
Connection:Client-Mac-Vendor 	Dell Inc.
Connection:Dest-IP-Address 	10.101.12.11
Connection:Dest-Port 	1812
Connection:NAD-IP-Address 	10.101.5.29
Connection:Protocol 	RADIUS
Connection:Src-IP-Address 	10.101.5.29
Connection:Src-Port 	1812
Date:Date-Time 	2020-02-24 07:40:36
 
MAC Vendor 	Dell Inc.
Added by 	Policy Manager
Status 	Known
Device Category 	Computer
Device OS Family 	Windows
Device Name 	Windows 10
MAC Address 	1866da1691ea
IP Address 	10.101.184.71
Static IP 	false
Hostname 	[removed]
Profiler Conflict 	false
Added Date 	Feb 19, 2020 10:48:03 MST
Updated Date 	Feb 24, 2020 09:11:33 MST
Fingerprint Details -
DHCP Option55 	["1,3,6,15,31,33,43,44,46,47,119,121,249,252"]
DHCP Option60 	["MSFT 5.0"]
DHCP Options 	["53,61,50,54,12,81,60,55"]
MAC Vendor 	["Dell Inc."]

     

    MAC-Auth logs:

    Spoiler
    Request log details for session: R000015f2-01-5e53e064
Time 	Message
2020-02-24 07:40:36,699 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 248:356:18-66-da-16-91-ea
2020-02-24 07:40:36,707 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12348 h=223 r=R000015f2-01-5e53e064] INFO Core.ServiceReqHandler - Service classification result = fh_ArubaOS-Switch-MAC
2020-02-24 07:40:36,708 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - Service Categorization time = 9 ms
2020-02-24 07:40:36,708 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "fh_ArubaOS-Switch-MAC"
2020-02-24 07:40:36,708 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - rlm_sql: searching for user 1866da1691ea in Local:localhost
2020-02-24 07:40:36,710 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - rlm_sql: found user 1866da1691ea in Local:localhost
2020-02-24 07:40:36,710 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - SQL User lookup time = 2 ms
2020-02-24 07:40:36,710 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO Common.EndpointTable - Returning EndpointSPtr for macAddr 1866da1691ea
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3027 entity id = 29
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3027
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3027|entityId=29
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3027|entity=Device
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 4509 entity id = 72
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for Endpoint instance=4509
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for instanceId=4509|entityId=72|entityName=Endpoint
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=4509|entity=Endpoint
2020-02-24 07:40:36,715 	[RequestHandler-1-0x7f57a33f9700 r=psauto-1581650706-12349 h=239 r=R000015f2-01-5e53e064] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
2020-02-24 07:40:36,716 	[RequestHandler-1-0x7f57a33f9700 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
2020-02-24 07:40:36,716 	[RequestHandler-1-0x7f57a33f9700 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskAuthSourceRestriction **
2020-02-24 07:40:36,716 	[RequestHandler-1-0x7f57a33f9700 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskRoleMapping **
2020-02-24 07:40:36,716 	[RequestHandler-1-0x7f57a33f9700 h=118961 c=R000015f2-01-5e53e064] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
2020-02-24 07:40:36,716 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
2020-02-24 07:40:36,718 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118962 c=R000015f2-01-5e53e064] INFO Core.PETaskRoleMapping - Roles: User Authenticated]
2020-02-24 07:40:36,718 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskRoleMapping **
2020-02-24 07:40:36,718 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskPolicyResult **
2020-02-24 07:40:36,718 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskPolicyResult **
2020-02-24 07:40:36,718 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskEnforcement **
2020-02-24 07:40:36,723 	[RequestHandler-1-0x7f57a33f9700 h=118965 c=R000015f2-01-5e53e064] INFO Core.PETaskEnforcement - EnfProfiles: fh_vlan113_untrusted
2020-02-24 07:40:36,723 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskEnforcement **
2020-02-24 07:40:36,723 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskRadiusEnfProfileBuilder **
2020-02-24 07:40:36,723 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskRadiusCoAEnfProfileBuilder **
2020-02-24 07:40:36,723 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskAppEnfProfileBuilder **
2020-02-24 07:40:36,723 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskAgentEnfProfileBuilder **
2020-02-24 07:40:36,723 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskPostAuthEnfProfileBuilder **
2020-02-24 07:40:36,723 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskGenericEnfProfileBuilder **
2020-02-24 07:40:36,723 	[RequestHandler-1-0x7f57a33f9700 h=118972 c=R000015f2-01-5e53e064] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
2020-02-24 07:40:36,724 	[RequestHandler-1-0x7f57a33f9700 h=118967 c=R000015f2-01-5e53e064] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
2020-02-24 07:40:36,724 	[RequestHandler-1-0x7f57a33f9700 h=118967 c=R000015f2-01-5e53e064] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: fh_vlan113_untrusted
2020-02-24 07:40:36,724 	[RequestHandler-1-0x7f57a33f9700 h=118967 c=R000015f2-01-5e53e064] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 10800
2020-02-24 07:40:36,725 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskGenericEnfProfileBuilder **
2020-02-24 07:40:36,725 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskAgentEnfProfileBuilder **
2020-02-24 07:40:36,725 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskAppEnfProfileBuilder **
2020-02-24 07:40:36,725 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskCliEnforcement **
2020-02-24 07:40:36,725 	[RequestHandler-1-0x7f57a33f9700 h=118973 c=R000015f2-01-5e53e064] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
2020-02-24 07:40:36,725 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskRadiusEnfProfileBuilder **
2020-02-24 07:40:36,725 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskCliEnforcement **
2020-02-24 07:40:36,726 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118968 c=R000015f2-01-5e53e064] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
2020-02-24 07:40:36,727 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118971 c=R000015f2-01-5e53e064] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
2020-02-24 07:40:36,727 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskRadiusCoAEnfProfileBuilder **
2020-02-24 07:40:36,727 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskPostAuthEnfProfileBuilder **
2020-02-24 07:40:36,727 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskAuthStatusInfo **
2020-02-24 07:40:36,728 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskMacAuthResetHandler **
2020-02-24 07:40:36,728 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskOutputPolicyRes **
2020-02-24 07:40:36,728 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Starting PETaskSessionLog **
2020-02-24 07:40:36,737 	[RequestHandler-1-0x7f57a33f9700 h=118976 c=R000015f2-01-5e53e064] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
2020-02-24 07:40:36,737 	[RequestHandler-1-0x7f57a33f9700 h=118976 c=R000015f2-01-5e53e064] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2020-02-24 07:40:36,737 	[RequestHandler-1-0x7f57a33f9700 h=118974 c=R000015f2-01-5e53e064] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2020-02-24 07:40:36,737 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskSessionLog **
2020-02-24 07:40:36,738 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - Policy Evaluation time = 28 ms
2020-02-24 07:40:36,738 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
2020-02-24 07:40:36,738 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - rlm_policy: Added Class attribute with value Class = 0xf7002019f7fb433487225787181757a1c10b0000000000005230303030313566322d30312d35653533653036340000000000000000000000
2020-02-24 07:40:36,738 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
2020-02-24 07:40:36,738 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskOutputPolicyRes **
2020-02-24 07:40:36,738 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskAuthStatusInfo **
2020-02-24 07:40:36,739 	[Th 45 Req 171359 SessId R000015f2-01-5e53e064] INFO RadiusServer.Radius - Request processing time = 40 ms
2020-02-24 07:40:36,739 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118978] ERROR Core.MacAuthSessionQueryEventHandler - Failed to get MacAuth session info for 1866da1691ea
2020-02-24 07:40:36,739 	[RequestHandler-1-0x7f57a33f9700 h=118975 c=R000015f2-01-5e53e064] WARN Core.PETaskMacAuthResetHandler - handleMacAuthSessionResponseEv: Error reading MacAuth session info. Error=Failed to get MacAuth session info for 1866da1691ea
2020-02-24 07:40:36,739 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - ** Completed PETaskMacAuthResetHandler **
2020-02-24 07:40:36,739 	[RequestHandler-1-0x7f57a33f9700 r=R000015f2-01-5e53e064 h=118960 c=R000015f2-01-5e53e064] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
2020-02-24 07:40:51,459 	[RequestHandler-1-0x7f57a33f9700 r=R000015f1-01-5e53e064 h=118990 c=R000015f1-01-5e53e064] INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthHTTPRequest: Sending PostAuthEnfRequest {"content":{"auth_source_id":3001,"mac_address":"1866da1691ea","nas_ip":"10.101.5.29","post_auth_actions":{"enf_profile_name":"Update Endpoint Known]","enf_profile_type":"EntityUpdate","params":null}],"user_id":"[removed]"},"id":"R000015f2-01-5e53e064","name":"pactrl_enf_request"}
2020-02-24 07:40:51,497 	[RequestHandler-1-0x7f57a33f9700 h=118997] INFO Core.SessionStopReqHandler - handleMacAuthSessionResponseEv: Found valid MAC auth session to remove: MacAuthSessionInfo::<SessionId=R000015f2-01-5e53e064 LocationId=10.101.5.29:33 VLAN=113 Timestamp=1582555236>]

     



  • 4.  RE: CPPM 6.8: Certain computers are skipping 802.1x service and going straight to MAC-Auth service

    Posted Feb 24, 2020 10:29 PM

    I already implemented a very similar environment, with 2530 switches as well.

    Have you tried to analyze the MAC-AUTH and DOT1X logs on the switch port at the time the error happens? Use the following commands,

    <SW> # debug destination session
    <SW> # debug event
    <SW> # debug security
    <SW> # debug security port-access mac-based include port <port_number> [Debug MAC-AUTH]
    <SW> # debug security port-access authenticator include port <port_number> [Debug DOT1X]

     

     



  • 5.  RE: CPPM 6.8: Certain computers are skipping 802.1x service and going straight to MAC-Auth service

    Posted Feb 25, 2020 12:43 PM

    That's a great idea. I had done some brief debugging with no luck, but I'm going to load it up and ship it off to our syslog so I can try to pin point the exact attempts that are failing.

     

    Thank you for your help so far!

     



  • 6.  RE: CPPM 6.8: Certain computers are skipping 802.1x service and going straight to MAC-Auth service

    Posted Mar 27, 2023 11:28 AM

    Did you find a resolution to this issue?


    Original Message


  • 7.  RE: CPPM 6.8: Certain computers are skipping 802.1x service and going straight to MAC-Auth service

    EMPLOYEE
    Posted Mar 29, 2023 06:09 AM

    You responded to an old discussion. Please open your own discussion and share logs/configuration/device types/versions to describe what you see in your case.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message