Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM - Procurve port goes offline several times before client finish auth

  • 1.  CPPM - Procurve port goes offline several times before client finish auth

    Posted Jan 20, 2019 06:47 PM

    Hi,

    Got ClearPass working but started receiving random people complaining that they could not log in.

    The switchport gets turned off/on several times while the user logs in, causing all sorts of issues:


    I 01/21/19 10:14:19 00076 ports: ST1-CMDR: port 1/21 is now on-line
    I 01/21/19 10:14:19 00435 ports: ST1-CMDR: port 1/21 is Blocked by STP
    I 01/21/19 10:14:19 00435 ports: ST1-CMDR: port 1/21 is Blocked by AAA
    I 01/21/19 10:14:16 00077 ports: ST1-CMDR: port 1/21 is now off-line
    I 01/21/19 10:14:10 00076 ports: ST1-CMDR: port 1/21 is now on-line
    I 01/21/19 10:14:10 00435 ports: ST1-CMDR: port 1/21 is Blocked by STP
    I 01/21/19 10:14:10 00435 ports: ST1-CMDR: port 1/21 is Blocked by AAA
    I 01/21/19 10:14:07 00077 ports: ST1-CMDR: port 1/21 is now off-line
    I 01/21/19 10:14:06 00076 ports: ST1-CMDR: port 1/21 is now on-line
    I 01/21/19 10:14:06 00435 ports: ST1-CMDR: port 1/21 is Blocked by STP
    I 01/21/19 10:14:06 00435 ports: ST1-CMDR: port 1/21 is Blocked by AAA
    I 01/21/19 10:14:04 00077 ports: ST1-CMDR: port 1/21 is now off-line


    Port configuration:


    untagged vlan 11
    no port-security eavesdrop-prevention
    aaa port-access authenticator
    aaa port-access authenticator auth-vid 11
    aaa port-access authenticator client-limit 2
    aaa port-access authenticator cached-reauth-period 86400
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 4
    aaa port-access mac-based logoff-period 9999999
    aaa port-access mac-based reauth-period 86400
    aaa port-access mac-based cached-reauth-period 86400
    aaa port-access controlled-direction in
    spanning-tree admin-edge-port


    ClearPass does not report any issues. Also logs in ClearPass are 30 seconds behind vs switch logs, but switch and ClearPass are on the same exact time to the second.


    I have opened a case but wondering if you have any clues.


    Thanks
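    The off-line/on-line cycling in the log above is the kind of pattern worth catching automatically before users start complaining. As an added example (not from the original post, HPE or Aruba), the following Python parses ProCurve event-log lines in the format quoted above and flags any port that drops off-line several times inside a short window, counting the AAA blocks seen meanwhile; the thresholds (3 drops within 60 s) are assumptions and the sample lines are copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ProCurve event-log format quoted in the first post, e.g.
#   I 01/21/19 10:14:19 00076 ports: ST1-CMDR: port 1/21 is now on-line
LOG_RE = re.compile(r"^[IWME] (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \d{5} "
                    r"ports: \S+: port (?P<port>\S+) is (?P<event>.+)$")

def parse_events(lines):
    """Return (timestamp, port, event) tuples oldest-first; the switch prints newest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # skip anything that is not a port event
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
            events.append((ts, m["port"], m["event"]))
    return sorted(events)

def find_flapping_ports(lines, min_offline=3, window=timedelta(seconds=60)):
    """Report ports that went off-line >= min_offline times inside `window` (assumed thresholds)."""
    offline, aaa_blocks = defaultdict(list), defaultdict(int)
    for ts, port, event in parse_events(lines):
        if event == "now off-line":
            offline[port].append(ts)
        elif event == "Blocked by AAA":
            aaa_blocks[port] += 1
    report = {}
    for port, times in offline.items():
        # sliding window over the sorted off-line timestamps of this port
        if any(times[i + min_offline - 1] - times[i] <= window
               for i in range(len(times) - min_offline + 1)):
            report[port] = {"offline_events": len(times),
                            "aaa_blocks": aaa_blocks[port]}
    return report

# Sample lines copied from the first post (newest first, as the switch prints them)
SAMPLE_LOG = """\
I 01/21/19 10:14:19 00076 ports: ST1-CMDR: port 1/21 is now on-line
I 01/21/19 10:14:19 00435 ports: ST1-CMDR: port 1/21 is Blocked by AAA
I 01/21/19 10:14:16 00077 ports: ST1-CMDR: port 1/21 is now off-line
I 01/21/19 10:14:10 00076 ports: ST1-CMDR: port 1/21 is now on-line
I 01/21/19 10:14:10 00435 ports: ST1-CMDR: port 1/21 is Blocked by AAA
I 01/21/19 10:14:07 00077 ports: ST1-CMDR: port 1/21 is now off-line
I 01/21/19 10:14:06 00076 ports: ST1-CMDR: port 1/21 is now on-line
I 01/21/19 10:14:06 00435 ports: ST1-CMDR: port 1/21 is Blocked by AAA
I 01/21/19 10:14:04 00077 ports: ST1-CMDR: port 1/21 is now off-line
""".splitlines()
```

    Running `find_flapping_ports(SAMPLE_LOG)` on the quoted lines reports port 1/21 with three off-line events and three AAA blocks within 15 seconds, i.e. the symptom described in the post.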




  • 2.  RE: CPPM - Procurve port goes offline several times before client finish auth

    EMPLOYEE
    Posted Jan 20, 2019 07:30 PM
    Did you follow the ClearPass Solution Guide for Wired Policy Enforcement?


  • 3.  RE: CPPM - Procurve port goes offline several times before client finish auth

    Posted Jan 20, 2019 08:00 PM

    Thanks. I went through that document a million times and that configuration never worked for a number of reasons, mostly related to headless devices and MAC auth. In fact we went on for about a month with HPE support (and a thread that went unanswered here) because printers would never pass MAC address auth (with the configuration in the document you are referring to), and support could not find the cause, blamed us, and closed the case.

    We have found the answer on a reddit post purely by chance which solved the problem (control direction in and disabling eavesdrop prevention).

    I find ClearPass/ProCurve auth extremely inconsistent at best and I wonder how on earth people got it to work.

    Sorry for the rant.



  • 4.  RE: CPPM - Procurve port goes offline several times before client finish auth

    Posted Jan 24, 2019 07:15 AM

    We have ProCurve switches and it works well. Assuming you have the latest firmware on them, our config is as follows for a single port, number 1:


    aaa port-access authenticator 1
    aaa port-access authenticator 1 auth-vid 104
    aaa port-access authenticator 1 Client-limit 1
    aaa port-access authenticator 1 quiet-period 30
    aaa port-access authenticator 1 logoff-period 862400
    aaa port-access authenticator active
    aaa port-access mac-based 1
    aaa port-access mac-based 1 logoff-period 862400
    aaa port-access mac-based 1 quiet-period 30
    aaa port-access mac-based 1 auth-vid 104


    You don't need controlled-direction in (unless you are using Wake-on-LAN), and I haven't seen eavesdrop prevention in the documentation HP sent us.



  • 5.  RE: CPPM - Procurve port goes offline several times before client finish auth

    Posted Jan 24, 2019 09:10 PM

    Hi,


    Thanks for your answer. Yes, the issue was resolved (problem on ClearPass, not the switch).