Windows PC Mac Auth

  • 1.  Windows PC Mac Auth

    Posted Jan 24, 2019 07:06 AM

    Hello!

     

    Odd situation here.  A lot of our computers are using 802.1x (which are not affected).

     

    But we have some computers on a static mac auth list (insecure, will change it to 802.1x soon) on many different switches across the site.

     

    A few times (sometimes separated by a few weeks), the whole lot of the computers on mac auth drop off the network at the same time (other devices, cameras, wifi etc. do not).

     

    You have to restart the computers or unplug and plug back in again for them to re-auth and then they are OK.

     

    Even though it is probably not a problem with CPPM itself, I wonder if anyone knew what could cause this?  Some sort of networking issue?

     

    They are HP 5412zl switches

     

    Thanks for your time.



  • 2.  RE: Windows PC Mac Auth

    Posted Jan 28, 2019 07:58 AM

    Hi mnicholls,

     

    If I understand correctly, you have a ClearPass service configured for wired MAC auth and using Static Host List as an authentication source, right?

     

    Do the devices that are not affected by the issue use same CPPM service?

    What is the port config at your HP 5412zl?

    Do you see any activity in the CPPM Access Tracker at the time when the connection of the PC's is lost?

    Does your HP 5412zl display any log events for the affected ports at the time of the issue?

    Is it possible that your HP 5412zl loses connection to the CPPM at the time of the issue?



  • 3.  RE: Windows PC Mac Auth

    Posted Jan 28, 2019 08:18 AM

    Hello, thanks for the reply, here are the answers to those questions

     

    If I understand correctly, you have a ClearPass service configured for wired MAC auth and using Static Host List as an authentication source, right?

     

    CORRECT

     

    Do the devices that are not affected by the issue use same CPPM service?

     

    THEY DO

     

    What is the port config at your HP 5412zl?

     

    aaa port-access authenticator B1-B24
    aaa port-access authenticator B1-B24 auth-vid 104
    aaa port-access authenticator B1-B24 Client-limit 1
    aaa port-access authenticator B1-B24 quiet-period 30
    aaa port-access authenticator B1-B24 logoff-period 862400
    aaa port-access authenticator active
    aaa port-access mac-based B1-B24
    aaa port-access mac-based B1-B24 logoff-period 862400
    aaa port-access mac-based B1-B24 quiet-period 30
    aaa port-access mac-based B1-B24 auth-vid 104

     

    Do you see any activity in the CPPM Access Tracker at the time when the connection of the PC's is lost?

     

    No and when plugged in again/rebooted they reconnect normally

     

    Does your HP 5412zl display any log events for the affected ports at the time of the issue? 

     

    Actually I double checked this and I found some port messages on the log around the same time:

    Port xxx is now off-line

    Port xxx is blocked by STP

    Port xxx is blocked by AAA

    Port xxx is now online

     

    seems to repeat several times - but might be normal behaviour

     

    Is it possible that your HP 5412zl loses connection to the CPPM at the time of the issue?

     

    It is possible, would that cause them to disconnect?
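Added example, not part of the thread: one way to check whether the port messages quoted above line up across switches is to group the "off-line" events by time and keep only the groups that span more than one switch. The line layout, timestamps and switch names (`sw-a` etc.) are constructed for illustration; only the message texts come from the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <switch> Port <id> <message>".
# Message texts are the ones quoted in the post; timestamps, switch
# names and the line layout are assumptions for illustration.
SAMPLE = """\
2019-01-24T06:40:02 sw-a Port B3 is now off-line
2019-01-24T06:40:03 sw-a Port B3 is blocked by STP
2019-01-24T06:40:05 sw-a Port B3 is blocked by AAA
2019-01-24T06:40:06 sw-a Port B3 is now online
2019-01-24T06:40:04 sw-b Port B7 is now off-line
2019-01-24T06:40:09 sw-b Port B7 is blocked by AAA
2019-01-24T06:40:11 sw-c Port B12 is now off-line
2019-01-24T09:15:30 sw-a Port B9 is now off-line
2019-01-24T09:15:33 sw-a Port B9 is now online
"""

LINE = re.compile(r"^(\S+) (\S+) Port (\S+) is (now off-line|blocked by STP|"
                  r"blocked by AAA|now online)$")

def parse(text):
    """Yield (time, switch, port, event) for recognised port messages."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, sw, port, ev = m.groups()
            yield datetime.fromisoformat(ts), sw, port, ev

def offline_bursts(events, window=timedelta(seconds=30), min_switches=2):
    """Group off-line events closer than `window`; keep multi-switch groups."""
    offs = sorted(e for e in events if e[3] == "now off-line")
    bursts, current = [], []
    for ev in offs:
        if current and ev[0] - current[-1][0] > window:
            bursts.append(current)
            current = []
        current.append(ev)
    if current:
        bursts.append(current)
    return [b for b in bursts if len({sw for _, sw, _, _ in b}) >= min_switches]

if __name__ == "__main__":
    for burst in offline_bursts(parse(SAMPLE)):
        switches = sorted({sw for _, sw, _, _ in burst})
        print(burst[0][0], "->", burst[-1][0], len(burst), "ports on", switches)
```

A burst that spans several switches within seconds points at something shared between them rather than at a per-client timer on one port.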



  • 4.  RE: Windows PC Mac Auth

    Posted Jan 28, 2019 09:04 AM

    Is the issue happening around every 10 days, which is in line with the logoff period value you have used? From the HP docs:

     

    [no] aaa port-access mac-based [e] <port-list> [logoff-period] <60-9999999>]

    Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre-authentication state.

    Default: 300 seconds

     

    What does the switch say the state of the users is when the issue occurs? You can run the command 'show port-access mac-based clients' to find out.



  • 5.  RE: Windows PC Mac Auth

    Posted Jan 31, 2019 08:02 AM

    Hi, had a busy few days.

     

    The computers are turned off every night and turned back on and are not affected by the logoff period.

     

    It happened twice so far and the first time, it happened several times in one day.

     

    I cannot verify that right now, it hasn't happened again, so far - but they appear to be not authenticated anymore and need reauthenticating.



  • 6.  RE: Windows PC Mac Auth

    Posted Apr 18, 2019 06:37 AM

    I have resurrected this because I am having a confusing Easter week.  I came from two days off and we are having some sort of mac auth issue.

     

    Clearpass seems to be the same as it has been for the last year.  But PCs that are mac authenticated seem to have dropped off the network all at once everywhere across the network.

     

    According to clearpass nothing has changed.   The switch seems to show they are on the correct vlan and are OK, but they will only come back to network connectivity by unplugging and replugging in or restarting.   Trying to obtain an IP address from the computer results in no IP address.

     

    The PCs haven't been online long enough for mac auth timers to expire.

     

    802.1x PCs are not affected and other types of devices seem to be working OK.

     

    Haven't been able to work this out so far.



  • 7.  RE: Windows PC Mac Auth

    Posted Apr 18, 2019 07:13 AM
    I suppose this has nothing to do with ClearPass. Because this happens with all machines at the same time you should look at the switch.
    Which version are you running at the switch?


  • 8.  RE: Windows PC Mac Auth

    Posted Apr 18, 2019 07:19 AM

    I agree, probably not clearpass.

     

    They are HP Switch 5412zl (J8698A) K.16.02.0026, ROM K.15.30

     

    It has happened for the last two days on all the switches simultaneously, which is a bit baffling.

     

     



  • 9.  RE: Windows PC Mac Auth

    Posted Apr 18, 2019 07:24 AM
    Can you try to upgrade to version 16.08.0002? Don't know if this is a known issue but the release is a little bit old now.


  • 10.  RE: Windows PC Mac Auth

    Posted Apr 18, 2019 08:13 AM

    Thanks for the reply.

     

    Unfortunately most of our switches are quite old and they are stuck on that level of firmware - no new features... :(