Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Access Tracker Flood - Multiple auth requests in short periods of time

  • 1.  CPPM Access Tracker Flood - Multiple auth requests in short periods of time

    Posted Jan 14, 2019 02:53 AM

    Hello

    I have CPPM acting as the RADIUS auth server and an HPE ProCurve 2930F switch with port-access MAC-based authentication enabled. I have a very strange issue. Namely, I see multiple auth requests in a very short period of time when the clients on a switch port exceed the addr-limit value. For example, if addr-limit is configured to 1 and I connect a second client to this port using an unmanaged switch, I receive a flood of requests in the CPPM Access Tracker. I must increase the addr-limit value to avoid the problem. But this is not a solution for me because I need to restrict access to only 1 client/MAC per port.

    (attached screenshot: flood.png)

    As I mentioned above, I have configured MAC-based authentication on the switch port and enabled user-role for dynamically assigning the VLAN:

       untagged vlan 1
       aaa port-access mac-based
       aaa port-access mac-based addr-limit 1
       aaa port-access mac-based addr-moves
       spanning-tree admin-edge-port
       spanning-tree bpdu-protection
       loop-protect
       exit

    Radius:

    radius-server host 10.90.0.3 key secret
    radius-server host 10.90.0.3 dyn-authorization
    radius-server host 10.90.0.3 time-window plus-or-minus-time-window
    radius-server host 10.90.0.3 time-window 30
    radius-server dead-time 5

    AAA:

    aaa server-group radius CPPM host 10.90.0.3
    aaa accounting update periodic 5
    aaa accounting network start-stop radius server-group CPPM

    aaa authorization user-role enable
    aaa authentication port-access eap-radius server-group CPPM
    aaa authentication mac-based chap-radius server-group CPPM

    I even tried changing the port-security learn mode on the switch from continuous to port-access, but without any result. Can anyone help me resolve this issue and explain why CPPM receives so many requests from the NAS switch?
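    A small detector, added here as an example and not code from the thread, that flags a NAS port generating an abnormal number of Access-Requests in a short window and reports how many distinct MACs were seen on it, which is the symptom described above. The log format, the NAS address 10.90.0.10 and the MAC addresses are constructed assumptions, not ClearPass's real Access Tracker layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per Access-Request, in a simplified format
# assumed for this example (not ClearPass's real export format).
# Port 1/12 has two MACs behind it and is re-authenticating constantly.
SAMPLE_LOG = """\
2019-01-14T02:50:01 nas=10.90.0.10 port=1/12 mac=aa-bb-cc-00-00-01 result=ACCEPT
2019-01-14T02:50:02 nas=10.90.0.10 port=1/12 mac=aa-bb-cc-00-00-02 result=ACCEPT
2019-01-14T02:50:03 nas=10.90.0.10 port=1/12 mac=aa-bb-cc-00-00-02 result=ACCEPT
2019-01-14T02:50:04 nas=10.90.0.10 port=1/12 mac=aa-bb-cc-00-00-02 result=ACCEPT
2019-01-14T02:50:05 nas=10.90.0.10 port=1/12 mac=aa-bb-cc-00-00-02 result=ACCEPT
2019-01-14T02:50:06 nas=10.90.0.10 port=1/12 mac=aa-bb-cc-00-00-02 result=ACCEPT
2019-01-14T02:50:07 nas=10.90.0.10 port=1/12 mac=aa-bb-cc-00-00-02 result=ACCEPT
2019-01-14T02:50:05 nas=10.90.0.10 port=1/3 mac=aa-bb-cc-00-00-09 result=ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) nas=(?P<nas>\S+) port=(?P<port>\S+) mac=(?P<mac>\S+) result=\S+$")


def parse(log):
    """Parse the constructed log into (timestamp, nas, port, mac) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["nas"], m["port"], m["mac"]))
    return events


def find_floods(events, window_s=60, threshold=5, addr_limit=1):
    """Return {(nas, port): info} for ports whose peak request count in any
    sliding window of window_s seconds exceeds threshold. info also records
    how many distinct MACs were seen and whether that exceeds addr_limit."""
    by_port = defaultdict(list)
    for ts, nas, port, mac in events:
        by_port[(nas, port)].append((ts, mac))
    findings = {}
    for key, reqs in by_port.items():
        reqs.sort()
        macs = {mac for _, mac in reqs}
        peak = start = 0
        for end in range(len(reqs)):
            # Advance the window start until all requests fit in window_s.
            while reqs[end][0] - reqs[start][0] > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            findings[key] = {"peak": peak, "macs": len(macs),
                             "over_addr_limit": len(macs) > addr_limit}
    return findings
```

Run over a real export, a hit with `over_addr_limit` true points at a port where a second MAC appeared behind an addr-limit 1 port, rather than at a ClearPass-side problem.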




  • 2.  RE: CPPM Access Tracker Flood - Multiple auth requests in short periods of time

    Posted Jan 14, 2019 03:22 AM

    What is the status of the authenticated user?

    show port-access mac-based clients <port number> detailed

    Do you send a role back to the switch? What is the content of that role? And is that role applied correctly?

    I've seen such behaviour earlier when the RADIUS auth was successful in ClearPass but the role was not applied correctly, so the switch initiates a new request again.



  • 3.  RE: CPPM Access Tracker Flood - Multiple auth requests in short periods of time

    Posted Jan 14, 2019 04:16 AM

    The first client is authenticated and working correctly, i.e. the role is assigned and the client is visible properly in the show port-access mac-based clients <port number> detailed command. The second client is also visible in the show port-access command, but no role is assigned to it. I think the cause of this is that addr-limit was exhausted. When I increase addr-limit, secondary clients authenticate seamlessly.



  • 4.  RE: CPPM Access Tracker Flood - Multiple auth requests in short periods of time

    EMPLOYEE
    Posted Jan 14, 2019 10:56 AM

    If you don't get an answer in the short term, please open a TAC case. From what you read, it could be that you hit an unforeseen (or unsupported) scenario. TAC can give you a more definitive answer.



  • 5.  RE: CPPM Access Tracker Flood - Multiple auth requests in short periods of time

    Posted Jan 14, 2019 02:21 PM

    Thank you very much. I appreciate your hints. Must I have active support to open a TAC case? I purchased Aruba ClearPass NL AC 5K CE E-LTU last year.



  • 6.  RE: CPPM Access Tracker Flood - Multiple auth requests in short periods of time

    EMPLOYEE
    Posted Jan 15, 2019 03:56 AM

    Yes, you should have active support. In this case, I think you should open the case on the switches, as ClearPass appears to be doing what it should do (answering authentication requests).

    Please work with your Aruba partner to find out what support is active on your equipment if you don't know.



  • 7.  RE: CPPM Access Tracker Flood - Multiple auth requests in short periods of time

    Posted Jan 15, 2019 09:57 PM

    Can you share the port RADIUS configuration?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 8.  RE: CPPM Access Tracker Flood - Multiple auth requests in short periods of time

    Posted Jan 16, 2019 06:33 AM

    Can you share the port RADIUS configuration?

    Which command did you mean?

    Below I pasted the output from the following commands:

    show port-access summary
    show port-access config
    show port-access mac-based config