Wired Intelligent Edge


2930F PoE+ Switches - Mac-Auth Fails with Wrong Time During Cold Boot

  • 1.  2930F PoE+ Switches - Mac-Auth Fails with Wrong Time During Cold Boot

    Posted May 07, 2018 09:49 AM

    We have a number of Aruba 2930F PoE+ edge switches (stacked) that we have enabled mac-address authentication on via radius using peap-mschapv2. 

     

    I've found that on a cold boot, authentication will fail for many ports because port-authentication is attempted before the sntp sync service can set the correct time on the switch and the default date (with a year of 1990 I think) is well outside the active date range for the certificate provided by the radius server. Once sntp sets the time on the switch, authentication succeeds.

    Is there a way to prevent this issue from happening? I was hoping there might be a way to code a date that's inside the certificate date range right onto the startup config or some other simple solution. It would have been really nice if these switches had a battery to maintain time.

     

    Thank you for any assistance or suggestions you can make.



  • 2.  RE: 2930F PoE+ Switches - Mac-Auth Fails with Wrong Time During Cold Boot

    EMPLOYEE
    Posted May 07, 2018 02:59 PM

    Greetings!

     

    Regarding the authentication failures you're observing — are the successful authentications happening automatically after the time sync occurs, or are you having to take action to manually re-authenticate the clients once the switch is at the correct time?  



  • 3.  RE: 2930F PoE+ Switches - Mac-Auth Fails with Wrong Time During Cold Boot

    Posted May 07, 2018 03:22 PM

    They always work if the time is correct. No issues. They only fail if the time is incorrect.

     

    If they failed the initial authentication and we don't realize right away, we have to go through each one and reauthenticate. Usually I just disable and reenable the interface that the device is plugged into.



  • 4.  RE: 2930F PoE+ Switches - Mac-Auth Fails with Wrong Time During Cold Boot

    Posted May 24, 2018 12:19 PM

    So I called Aruba support earlier this week to see if they had any suggestions and had a pretty poor experience. I got a low-level tech who basically told me I had to redesign our entire network to "have an external power supply." We already have UPS battery backups for all our edge switches. But this issue will still crop up during other times we have a cold boot of the device (such as switch location move) or if for some reason power is out for an extended period of time and runs through the UPS's battery.

     

    What I was hoping for was a way to have the switch ignore the date validity period on the RADIUS peap MSCHAPv2 certificate or have a date hard-coded into the startup config that sets the date to a period within the certificate valid period or maybe detect ports with a status of "rejected,unauth vlan" then disable and enable those individual ports or a way to delay bringing up certain interfaces upon a cold boot so that SNTP can sync first before authenticating devices. Something...

     

    But, she kept repeating we needed to redesign our network and that she couldn't offer any suggestions because I was not actually experiencing a device malfunction. All the other companies I've worked with have offered to assist in our configuration needs so this was really a letdown.

     

    I asked to escalate the case and she said she would instead check with a senior engineer and let me know. She called back and said they said the same thing she told me earlier. I asked again to see if they could provide some sort of workaround for this issue and she said she would check again with a senior tech. Later that day my case was closed without further contact from her.

     

    So... I'm resorting back to this post in hopes I can get some suggestions as a workaround.



  • 5.  RE: 2930F PoE+ Switches - Mac-Auth Fails with Wrong Time During Cold Boot

    EMPLOYEE
    Posted May 24, 2018 12:37 PM

    Michael,

    I will raise to engineering to investigate this behavior and we should have an answer soon on a workaround or an estimated fix date.



  • 6.  RE: 2930F PoE+ Switches - Mac-Auth Fails with Wrong Time During Cold Boot

    Posted May 24, 2018 01:14 PM

    Thank you.



  • 7.  RE: 2930F PoE+ Switches - Mac-Auth Fails with Wrong Time During Cold Boot

    Posted May 24, 2018 11:03 PM

    To set an approximate time after reboot, please configure job-scheduler to set the time after reboot as in the example below:-

     

    Aruba-2930F-24G-4SFP(config)# job "set_time" at reboot "time 05/25/2018"
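
A check for the workaround in the last post, as an added example that is not part of the original thread or of any Aruba tooling: it confirms that the date hard-coded in the reboot job falls inside the RADIUS server certificate's validity window, as printed by `openssl x509 -noout -dates`. The certificate dates and the function names are constructed for illustration; the job line is the one from the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample: `openssl x509 -noout -dates` output for the RADIUS
# server certificate (dates invented for illustration).
SAMPLE_CERT_DATES = """notBefore=Jan 15 00:00:00 2018 GMT
notAfter=Jan 15 23:59:59 2020 GMT
"""

# The job line from the post, as it would appear in a saved config.
SAMPLE_CONFIG = 'job "set_time" at reboot "time 05/25/2018"\n'

JOB_RE = re.compile(r'job\s+"[^"]+"\s+at\s+reboot\s+"time\s+(\d{2}/\d{2}/\d{4})"')


def parse_cert_window(text):
    """Return (not_before, not_after) as UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dt = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
            found[key] = dt.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("need both notBefore and notAfter lines")
    return found["notBefore"], found["notAfter"]


def parse_boot_date(config):
    """Extract the MM/DD/YYYY date from the reboot job; None if no such job."""
    m = JOB_RE.search(config)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%m/%d/%Y").replace(tzinfo=timezone.utc)


def check_boot_date(config, cert_dates):
    """Classify the fallback boot date against the certificate window."""
    boot = parse_boot_date(config)
    if boot is None:
        return ("missing", None)
    not_before, not_after = parse_cert_window(cert_dates)
    if boot < not_before:
        return ("before-window", (not_before - boot).days)
    if boot > not_after:
        return ("after-window", (boot - not_after).days)
    # Days of certificate validity remaining when the switch boots at this date.
    return ("ok", (not_after - boot).days)
```

Re-run the check whenever the RADIUS certificate is renewed, since a fixed boot date that predates the new certificate's notBefore brings the cold-boot failure back.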