Hello
Please correct me if I'm wrong.
I will create 2 user roles for healthy and quarantine users
------------ for healthy users------------
Healthy users will get permit-all, with filtering done on the firewall as usual.
class ipv4 permit-all
   10 match ip any any
   exit
policy user healthy_policy
   10 class ipv4 permit-all action permit
   exit
aaa authorization user-role name healthy_user_role
   policy healthy_policy
   reauth-period 86400
   vlan-name users
   vlan-name-tagged voice
   exit
------------ for unhealthy users------------
They will get limited access to DNS, DHCP, Symantec, domain, and WSUS.
class ipv4 internal_services
   10 match udp any 192.168.104.5/32
   20 match tcp any 192.168.104.5/32
   30 match udp any 192.168.104.6/32
   40 match tcp any 192.168.104.6/32
   50 match udp any 192.168.100.6/32
   60 match tcp any 192.168.100.6/32
   70 match tcp any 192.168.104.15/32 eq 8014
   80 match tcp any 192.168.104.15/32 eq 1688
   90 match tcp any 192.168.167.10/32 eq 443
   100 match tcp any 192.168.167.11/32 eq 443
   110 match tcp any 192.168.167.12/32 eq 443
   exit
class ipv4 liveupdate
   10 match tcp any 152.195.132.156/32 eq 443
   20 match tcp any 152.195.132.120/32 eq 443
   exit
policy user quarantine_policy
   10 class ipv4 internal_services action permit
   20 class ipv4 liveupdate action permit
   exit
aaa authorization user-role name quarantine_user_role
   policy quarantine_policy
   reauth-period 86400
   vlan-name users
   vlan-name-tagged voice
   exit
------------ enforcement profile and policy------------
------------------------------
BR,
Mohanad
------------------------------
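Before pushing the two roles above to the switch, it is worth checking on paper which flows the quarantine policy actually lets through. The script below is an added example for this thread (it is not Mohanad's configuration, nor Aruba or ClearPass code): it parses the posted `class ipv4` and `policy user` lines in the switch's own syntax and evaluates constructed sample flows with first-match semantics. The quarantined client address 192.168.3.20, the flow list, and the implicit deny for traffic that matches no class are assumptions made for the example; confirm the implicit-deny behaviour for your switch release. One thing the model makes visible: a DHCP DISCOVER sent to 255.255.255.255 matches none of the /32 host entries in `internal_services`, so it is worth testing on the real switch whether a quarantined PC can still obtain a lease.

```python
"""Offline evaluator for the user-role policies posted above (added example).

Implicit deny for unmatched traffic is an ASSUMPTION about the switch.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the posted policies, in the same syntax as the post.
HEALTHY_CONFIG = """
class ipv4 permit-all
   10 match ip any any
   exit
policy user healthy_policy
   10 class ipv4 permit-all action permit
   exit
"""

QUARANTINE_CONFIG = """
class ipv4 internal_services
   10 match udp any 192.168.104.5/32
   20 match tcp any 192.168.104.5/32
   30 match udp any 192.168.104.6/32
   40 match tcp any 192.168.104.6/32
   50 match udp any 192.168.100.6/32
   60 match tcp any 192.168.100.6/32
   70 match tcp any 192.168.104.15/32 eq 8014
   80 match tcp any 192.168.104.15/32 eq 1688
   90 match tcp any 192.168.167.10/32 eq 443
   100 match tcp any 192.168.167.11/32 eq 443
   110 match tcp any 192.168.167.12/32 eq 443
   exit
class ipv4 liveupdate
   10 match tcp any 152.195.132.156/32 eq 443
   20 match tcp any 152.195.132.120/32 eq 443
   exit
policy user quarantine_policy
   10 class ipv4 internal_services action permit
   20 class ipv4 liveupdate action permit
   exit
"""


@dataclass
class Match:
    proto: str                              # ip | tcp | udp
    src: Optional[ipaddress.IPv4Network]    # None means 'any'
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]                    # None means any destination port


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_config(text: str):
    """Return ({class: [Match, ...]}, {policy: [(class, action), ...]})."""
    classes, policies, current = {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "exit":
            continue
        if tok[:2] == ["class", "ipv4"]:
            current = classes.setdefault(tok[2], [])
        elif tok[:2] == ["policy", "user"]:
            current = policies.setdefault(tok[2], [])
        elif tok[0].isdigit() and tok[1] == "match":
            # <seq> match <proto> <src> <dst> [eq <port>]
            dport = int(tok[6]) if len(tok) > 6 and tok[5] == "eq" else None
            current.append(Match(tok[2], _net(tok[3]), _net(tok[4]), dport))
        elif tok[0].isdigit() and tok[1] == "class":
            # <seq> class ipv4 <name> action <permit|deny>
            current.append((tok[3], tok[5]))
    return classes, policies


def _class_hits(entries, proto, src, dst, dport) -> bool:
    """True if any match line in the class covers this flow (first hit wins)."""
    for m in entries:
        if m.proto != "ip" and m.proto != proto:
            continue
        if m.src is not None and src not in m.src:
            continue
        if m.dst is not None and dst not in m.dst:
            continue
        if m.dport is not None and m.dport != dport:
            continue
        return True
    return False


def evaluate(classes, policies, policy, proto, src, dst, dport=None) -> str:
    """First matching class decides; nothing matched -> 'deny' (assumed implicit deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for class_name, action in policies[policy]:
        if _class_hits(classes[class_name], proto, src, dst, dport):
            return action
    return "deny"


CLASSES, POLICIES = {}, {}
for cfg in (HEALTHY_CONFIG, QUARANTINE_CONFIG):
    c, p = parse_config(cfg)
    CLASSES.update(c)
    POLICIES.update(p)

# Constructed flows from a quarantined PC (assumed address 192.168.3.20 in VLAN 3).
FLOWS = [
    ("DNS query",          "udp", "192.168.3.20", "192.168.104.5",   53),
    ("DHCP discover",      "udp", "0.0.0.0",      "255.255.255.255", 67),
    ("Symantec 8014",      "tcp", "192.168.3.20", "192.168.104.15",  8014),
    ("LiveUpdate",         "tcp", "192.168.3.20", "152.195.132.156", 443),
    ("WSUS",               "tcp", "192.168.3.20", "192.168.167.10",  443),
    ("Other web server",   "tcp", "192.168.3.20", "203.0.113.10",    443),
]

if __name__ == "__main__":
    for name, *flow in FLOWS:
        q = evaluate(CLASSES, POLICIES, "quarantine_policy", *flow)
        h = evaluate(CLASSES, POLICIES, "healthy_policy", *flow)
        print(f"{name:18} quarantine={q:6} healthy={h}")
```

Run it as-is to see the verdict per flow; to test a different role, paste its `class` and `policy user` lines into a new config string and call `evaluate()` with the policy name.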
Original Message:
Sent: Sep 16, 2022 09:13 AM
From: Herman Robers
Subject: many 802.1x auth requests in short periods of time
+1 on roles preferred over VLAN switching.
Can you check on the switch, probably 'show logging -r' will give that data, if there are reasons there for the re-authentication?
Do these 802.1X (re)authentications relate to WebAuths for the same client (and may a port bounce be triggered on every WebAuth)?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
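To act on the two checks Herman suggests (how often each client really re-authenticates, and whether an 802.1X re-auth follows a WebAuth for the same client), the script below is an added example for this thread, not code from the thread's participants, Aruba or ClearPass. The five-column CSV is a constructed stand-in for an Access Tracker export or a parsed `show logging -r` dump; the column names, the 30-minute window, the threshold of 3 auths and the 60-second WebAuth-to-802.1X grace are assumptions chosen for the example.

```python
"""Flag clients that re-authenticate far more often than reauth-period implies,
and count 802.1X auths that land shortly after a WebAuth for the same MAC
(added example; CSV layout and thresholds are assumptions)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. 00:11:22:33:44:55 shows the complaint from the
# thread (auths a few minutes apart, each WebAuth followed by a new 802.1X auth);
# aa:bb:cc:dd:ee:01 re-auths once per 10-hour health check, which is expected.
SAMPLE_LOG = """timestamp,mac,user,service,result
2022-09-15 09:00:05,00:11:22:33:44:55,jdoe,dot1x,ACCEPT
2022-09-15 09:00:06,00:11:22:33:44:55,jdoe,webauth,ACCEPT
2022-09-15 09:00:25,00:11:22:33:44:55,jdoe,dot1x,ACCEPT
2022-09-15 09:04:40,00:11:22:33:44:55,jdoe,dot1x,ACCEPT
2022-09-15 09:04:41,00:11:22:33:44:55,jdoe,webauth,ACCEPT
2022-09-15 09:05:01,00:11:22:33:44:55,jdoe,dot1x,ACCEPT
2022-09-15 09:09:12,00:11:22:33:44:55,jdoe,dot1x,ACCEPT
2022-09-15 09:01:00,aa:bb:cc:dd:ee:01,asmith,dot1x,ACCEPT
2022-09-15 19:01:00,aa:bb:cc:dd:ee:01,asmith,dot1x,ACCEPT
2022-09-15 09:02:00,aa:bb:cc:dd:ee:02,,mac-auth,ACCEPT
"""


def load_events(text):
    """Parse the CSV into dicts with a real datetime, sorted by MAC then time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return sorted(events, key=lambda e: (e["mac"], e["timestamp"]))


def dot1x_after_webauth(events, mac, grace=timedelta(seconds=60)):
    """Count dot1x auths that occur within `grace` after a webauth for `mac`.

    A high count supports the 'port bounce on every WebAuth' theory."""
    web = [e["timestamp"] for e in events if e["mac"] == mac and e["service"] == "webauth"]
    d1x = [e["timestamp"] for e in events if e["mac"] == mac and e["service"] == "dot1x"]
    return sum(1 for t in d1x if any(timedelta(0) < t - w <= grace for w in web))


def find_reauth_storms(events, window=timedelta(minutes=30), threshold=3, service="dot1x"):
    """Return {mac: summary} for clients with >= `threshold` auths inside any `window`."""
    by_mac = defaultdict(list)
    for e in events:
        if e["service"] == service:
            by_mac[e["mac"]].append(e["timestamp"])

    storms = {}
    for mac, times in by_mac.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            storms[mac] = {
                "auths": len(times),
                "peak_in_window": peak,
                "min_gap_s": min(gaps),
                "dot1x_within_60s_of_webauth": dot1x_after_webauth(events, mac),
            }
    return storms


if __name__ == "__main__":
    for mac, summary in find_reauth_storms(load_events(SAMPLE_LOG)).items():
        print(mac, summary)
```

Feed it your own export with the same five columns; any MAC it reports with a non-zero `dot1x_within_60s_of_webauth` is the first one to check in the switch log for the re-authentication reason.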
Original Message:
Sent: Sep 15, 2022 07:14 PM
From: Mohanad Abdelrazik
Subject: many 802.1x auth requests in short periods of time
Hello everyone,
A few users complain that they keep getting disconnected/reconnected from the network. I checked the Access Tracker and found many 802.1X auth requests in short periods of time.
Here is the Flow and Configs
Windows 10 PC behind Avaya IP phones
1. User default token is unknown = VLAN 4 and session termination
2. User will be healthy = VLAN 3 and bonus (Healthy Check interval is 10 hours) to not cause re-auth every 4-5 minutes
3. Quarantine = VLAN 4 and session termination
dot1x service
Health Check only service
Switch Port: VLAN 11 for voice and 3 for data
MAC auth for IP phones and 802.1X for PCs
interface 1/6
   name "U_9"
   tagged vlan 11
   untagged vlan 3
   aaa port-access authenticator
   aaa port-access authenticator tx-period 15
   aaa port-access authenticator supplicant-timeout 15
   aaa port-access authenticator client-limit 2
   aaa port-access authenticator cached-reauth-period 86400
   aaa port-access mac-based
   aaa port-access mac-based reauth-period 86400
   exit
any thoughts?
------------------------------
BR,
Mohanad
------------------------------