The question is what is causing the problem. If there is a bug, the problem would occur on AOS switches or CX switches, but not on both models at the same time.
Do you see the MAC addresses on the switch on other ports as well? Or on the Windows PC, in the ARP cache or with Wireshark?
Original Message:
Sent: May 09, 2023 05:57 AM
From: WouterVanWesemael
Subject: multiple mac-addresses on mac-auth port not seen on client
Hi Lord,
I don't think you understand the functionality of the command "aaa port-access <int> controlled-direction in"; this only allows egress traffic to the client without the client being authenticated.
The authentication of the MAC address is done because the switch sees these MAC addresses as connected to this port. Unless this would be a bug, but since we see this on both A-OS and OS-CX switches, I don't think that is the case.
Original Message:
Sent: May 04, 2023 01:35 PM
From: lord
Subject: multiple mac-addresses on mac-auth port not seen on client
Hi Wouter,
As it looks, incoming and outgoing packets are authenticated on the A-OS switch. By default, direction-mode "both" is enabled.
You need to change this, use the command "aaa port-access 16 controlled-direction in". This will only authenticate packets that the client sends into the switch.
Check the config with "sh port-access config".
In my example, ports 1, 2, 3 and 8 are set to direction "in". Ports 4-7 and 9-10 are set to direction "both".
SW01# sh port-access config

Port Access Status Summary

  Port-access authenticator activated [No] : Yes
  Allow RADIUS-assigned dynamic (GVRP) VLANs [No] : No
  Use LLDP data to authenticate [No] : No
  Dot1X EAP Identifier Compliance [Disabled] : Disabled
  Allow incremental EAP identifier only [Disabled] : Disabled

        802.1X  802.1X   Web      Mac      LMA   Cntrl Mixed    Speed
  Port  Supp    Auth     Auth     Auth     Auth  Dir   Mode     VSA   MBV
  ----- ------- -------- -------- -------- ----- ----- -------- ----- ---
  1     No      No       No       No       No    in    No       No    Yes
  2     No      Yes      No       Yes      No    in    No       No    Yes
  3     No      No       No       No       No    in    No       No    Yes
  4     No      No       No       No       No    both  No       No    Yes
  5     No      No       No       No       No    both  No       No    Yes
  6     No      No       No       No       No    both  No       No    Yes
  7     No      No       No       No       No    both  No       No    Yes
  8     No      No       No       No       No    in    No       No    Yes
  9     No      No       No       No       No    both  No       No    Yes
  10    No      No       No       No       No    both  No       No    Yes
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: May 04, 2023 10:25 AM
From: WouterVanWesemael
Subject: multiple mac-addresses on mac-auth port not seen on client
No unmanaged switch for sure, and no VMs on the endpoints.
Did not check USB docking drivers yet, but since multiple makes/models are infected, I doubt this will be the issue. Although, we will check this to be sure.
The conference applications will be checked, thanks for the tip!
Original Message:
Sent: May 03, 2023 11:49 AM
From: ahollifield
Subject: multiple mac-addresses on mac-auth port not seen on client
No unmanaged Layer 2 switch here, right? Any VMs on this endpoint? I have also seen some video conference applications doing this. Updated drivers on the USB dongle?
Original Message:
Sent: May 03, 2023 08:58 AM
From: WouterVanWesemael
Subject: multiple mac-addresses on mac-auth port not seen on client
Hello
Has anyone seen this behaviour and found the source of it? Not sure if it is switch- or ClearPass-related, but it uses up Access Licenses and pushes the total license count of our customer above the maximum licenses they bought...
They have a ClearPass setup with Aruba A-OS and OS-CX switches and see the following behaviour on both switches:
When a Windows 10/11 domain client with a USB-C docking station is connected, sometimes the switchport sees multiple (random?) MAC addresses and triggers authentication. The client is directly connected to the switch and authenticates correctly with dot1x. We don't see the MAC addresses that the switch sees on the Windows clients.
With "sometimes", I mean this behaviour is not always present for all clients and is sometimes gone after a client reboot (port shut/no shut).
I have tried replicating this and was first thinking the USB-C dockings are the root cause, but the issue is seen on multiple vendors/types of dockings.
This is an example of the mac-addresses seen alongside the dot1x authentication:
# show port-access clients 16

Port Access Client Status

Port  Client Name   MAC Address   IP Address      User Role         Type  VLAN
----- ------------- ------------- --------------- ----------------- ----- -------------------------------------------------------
16                  000000-17df02 n/a                               8021X
16                  000000-180de9 n/a                               8021X
16                  000000-1828e5 n/a                               8021X
16                  203230-30204f n/a                               8021X
16                  400001-000000 n/a                               8021X
16                  4297ef-7ed70f n/a                               8021X
16    Kristel.Ae... 84a93e-235389 n/a                               8021X 3
16                  9c004c-002f0c n/a                               8021X
16    00000017df02  000000-17df02 n/a                               MAC
16    000000180de9  000000-180de9 n/a                               MAC
16    0000001828e5  000000-1828e5 n/a                               MAC
16    02313007696e  023130-07696e n/a                               MAC   22
16    0a030a2f0088  0a030a-2f0088 n/a                               MAC   22
16    400001000000  400001-000000 n/a                               MAC
16    4297ef7ed70f  4297ef-7ed70f n/a                               MAC
16    447754754562  447754-754562 n/a                               MAC   22
16    9c004c002f0c  9c004c-002f0c n/a                               MAC
16    d66b73c6ae57  d66b73-c6ae57 n/a                               MAC   22
16    fc0303c62575  fc0303-c62575 n/a                               MAC   22
This is the port config on the A-OS switch:
interface 16
   name "1.9.08 - BH -"
   tagged vlan 40
   untagged vlan 254
   lldp enable-notification
   aaa port-access authenticator
   aaa port-access authenticator max-requests 1
   aaa port-access authenticator client-limit 2
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 5
   aaa port-access mac-based logoff-period 28800
   aaa port-access mac-based unauth-vid 22
   spanning-tree bpdu-protection
   exit
and this is the config on the OS-CX switch:
interface 2/1/18
    description LAN_Clients
    no shutdown
    no routing
    vlan access 254
    rate-limit broadcast 300 pps
    spanning-tree bpdu-guard
    aaa authentication port-access client-limit 2
    aaa authentication port-access critical-role GUEST-VLAN
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 3
        max-retries 1
        enable
    aaa authentication port-access mac-auth
        reauth-period 28800
        enable
    loop-protect
exit
Kind regards
Wouter
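The port 16 listing in the original post is the kind of output you end up eyeballing when the licence count climbs. As an added example (not code from the thread, from Aruba or from ClearPass), the following Python script parses the flattened "show port-access clients" rows as posted, counts distinct MACs per port (every address the switch hands to ClearPass is a session and therefore a licence), and flags addresses that are unlikely to belong to a real NIC: an all-zero OUI, an all-zero device part, the group bit set in a source address, the locally-administered bit, or six printable ASCII bytes, which reads like data rather than an address. The flags are heuristics, the expected_max threshold is the operator's own choice, the WEB and LMA type tokens are assumed from the config summary's column names, and the sample rows are the ones quoted from the post above.

```python
"""Triage Aruba 'show port-access clients' output for licence-consuming MACs.

Added example, not code from the thread. Parses the flattened rows as posted,
counts distinct MACs per port and flags addresses unlikely to be real NICs,
so you know which ones to look for in the client's ARP cache or a Wireshark capture.
"""
import re
from collections import defaultdict

# Constructed input: the 19 rows of 'show port-access clients 16' from the
# original post, whitespace collapsed, with the header lines included so the
# parser is shown skipping them.
SAMPLE_CLIENTS = """\
Port Client Name MAC Address IP Address User Role Type VLAN
----- ------------- ------------- --------------- ----------------- ----- ----
16 000000-17df02 n/a 8021X
16 000000-180de9 n/a 8021X
16 000000-1828e5 n/a 8021X
16 203230-30204f n/a 8021X
16 400001-000000 n/a 8021X
16 4297ef-7ed70f n/a 8021X
16 Kristel.Ae... 84a93e-235389 n/a 8021X 3
16 9c004c-002f0c n/a 8021X
16 00000017df02 000000-17df02 n/a MAC
16 000000180de9 000000-180de9 n/a MAC
16 0000001828e5 000000-1828e5 n/a MAC
16 02313007696e 023130-07696e n/a MAC 22
16 0a030a2f0088 0a030a-2f0088 n/a MAC 22
16 400001000000 400001-000000 n/a MAC
16 4297ef7ed70f 4297ef-7ed70f n/a MAC
16 447754754562 447754-754562 n/a MAC 22
16 9c004c002f0c 9c004c-002f0c n/a MAC
16 d66b73c6ae57 d66b73-c6ae57 n/a MAC 22
16 fc0303c62575 fc0303-c62575 n/a MAC 22
"""

MAC_RE = re.compile(r"^[0-9a-f]{6}-[0-9a-f]{6}$")
# Assumption: the Type column holds one of these tokens. 8021X and MAC appear
# in the post; WEB and LMA are assumed from the config summary's column names.
AUTH_TYPES = {"8021X", "MAC", "WEB", "LMA"}


def parse_clients(text):
    """Return one dict per client row: port, name, mac, auth type, vlan."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        mac_idx = next((i for i, t in enumerate(tokens) if MAC_RE.match(t)), None)
        type_idx = next((i for i, t in enumerate(tokens) if t in AUTH_TYPES), None)
        if mac_idx is None or type_idx is None:
            continue  # header, separator or blank line
        vlan = None
        if len(tokens) > type_idx + 1 and tokens[type_idx + 1].isdigit():
            vlan = int(tokens[type_idx + 1])
        rows.append({
            "port": tokens[0],
            "name": " ".join(tokens[1:mac_idx]),  # empty when no client name was shown
            "mac": tokens[mac_idx],
            "type": tokens[type_idx],
            "vlan": vlan,
        })
    return rows


def suspicious(mac):
    """Heuristic flags for a source MAC; a flag is a hint, not proof of a bad frame."""
    b = bytes.fromhex(mac.replace("-", ""))
    flags = []
    if b[:3] == b"\x00\x00\x00":
        flags.append("zero-oui")              # no vendor prefix at all
    if b[3:] == b"\x00\x00\x00":
        flags.append("zero-nic")              # vendor prefix with an all-zero device part
    if b[0] & 0x01:
        flags.append("group-bit")             # multicast/broadcast is never a valid source
    if b[0] & 0x02:
        flags.append("locally-administered")  # random/VM/container style address
    if all(0x20 <= x <= 0x7E for x in b):
        flags.append("ascii-text")            # six printable bytes: looks like text, not an address
    return flags


def port_report(rows, expected_max):
    """Per port: distinct MACs, rows per auth type, flagged MACs, and whether the
    count exceeds expected_max (your own threshold, e.g. PC plus phone)."""
    per_port = defaultdict(lambda: {"macs": set(), "types": defaultdict(int), "flags": {}})
    for r in rows:
        p = per_port[r["port"]]
        p["macs"].add(r["mac"])
        p["types"][r["type"]] += 1
        f = suspicious(r["mac"])
        if f:
            p["flags"][r["mac"]] = f
    return {
        port: {
            "distinct_macs": len(p["macs"]),
            "by_type": dict(p["types"]),
            "flagged": p["flags"],
            "over_limit": len(p["macs"]) > expected_max,
        }
        for port, p in per_port.items()
    }


if __name__ == "__main__":
    report = port_report(parse_clients(SAMPLE_CLIENTS), expected_max=2)
    for port, info in report.items():
        over = " OVER LIMIT" if info["over_limit"] else ""
        print(f"port {port}: {info['distinct_macs']} distinct MACs {info['by_type']}{over}")
        for mac, flags in info["flagged"].items():
            print(f"  {mac}: {', '.join(flags)}")
```

On the posted rows this reports 13 distinct MACs on port 16 and flags 10 of them; the three it leaves alone include the dot1x-authenticated Intel address of the actual user. Paste in "show port-access clients" from several ports (the parser keys on the first token, so CX-style "2/1/18" port names work too), and take the flagged list to the client's ARP cache and to a capture on the docking station's NIC, which is the check the first reply in the thread asks for.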