Wired Intelligent Edge


Strange behaviour when addr-limit is reached with mac-authentication on radius

  • 1.  Strange behaviour when addr-limit is reached with mac-authentication on radius

    Posted Nov 14, 2018 08:55 AM

    Hi,

     

    I have noticed that if addr-limit is set to 1 on a port where mac-auth with CPPM is enabled with the command:

     

    aaa port-access mac-based 7 addr-limit 1

     

    The first client is authenticated normally. If a second client is present on the port, the switch denies it access to the network but floods the RADIUS server with access requests for this client. It can be over 50 requests per second.

     

    I would like to know if this behavior is normal or is it a software bug?



  • 2.  RE: Strange behaviour when addr-limit is reached with mac-authentication on radius

    Posted Apr 16, 2019 08:18 AM

    Any progress on this or some other thread I have overlooked? We recently ran into the same issue.



  • 3.  RE: Strange behaviour when addr-limit is reached with mac-authentication on radius

    EMPLOYEE
    Posted Apr 16, 2019 02:43 PM

    Greetings!

     

    Do you have any switch event log entries, or the access log from ClearPass, from when this issue was observed? What was the model of switch and software version it was running?



  • 4.  RE: Strange behaviour when addr-limit is reached with mac-authentication on radius

    Posted Apr 17, 2019 01:52 AM

    Hi Matthew,

     

    Thanks for your reply. Since the issue is reproducible at any time I can provide the information you requested.

     

    In my case Access Tracker looks like this:

    [Screenshots: 2019-04-17_07-37.png, 2019-04-17_07-47.png]

    At this time the switch log only gives:

    I 04/17/19 07:34:09 05385 auth: mac-pinning is disabled on port 26 for mac-based
                authentication.
    I 04/17/19 07:33:38 05385 auth: mac-pinning is disabled on port 26 for mac-based
                authentication.

    The switch is an Aruba 2530 48G (J9775A) with software YA.16.08.0001.
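
Added example, not part of any post in this thread and not HPE Aruba or ClearPass code: a sliding-window check that flags a (port, client MAC) pair sending more than 50 Access-Requests within one second, the symptom described in the first post. The record layout, the MAC addresses and the function names are assumptions constructed for the illustration; only port 26 and the date come from the thread.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample():
    """Constructed records (not a ClearPass export format):
    (timestamp, NAS port, Calling-Station-Id)."""
    base = datetime(2019, 4, 17, 7, 34, 9)
    # First client on the port: a single, normal authentication request.
    rows = [(base, "26", "aa-bb-cc-00-00-01")]
    # Second client, over the addr-limit: 60 requests inside one second.
    rows += [
        (base + timedelta(milliseconds=1000 + 16 * i), "26", "aa-bb-cc-00-00-02")
        for i in range(60)
    ]
    return rows


def find_floods(records, threshold=50, window=timedelta(seconds=1)):
    """Return {(port, mac): peak_count} for every pair whose request count
    inside any sliding window of length `window` exceeds `threshold`."""
    recent = defaultdict(deque)  # (port, mac) -> timestamps still in the window
    peaks = {}
    for ts, port, mac in sorted(records):
        key = (port, mac)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


if __name__ == "__main__":
    for (port, mac), peak in find_floods(build_sample()).items():
        print(f"port {port} mac {mac}: {peak} Access-Requests within 1s")
```

Feeding it request records exported from the RADIUS server shows which port and MAC are responsible for the flood, which is the information asked for in the third post.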