Do you see the same issue on all three switch architectures? Or just on one?
If profiling finishes on MAC authentication, it should only send a bounce once when the profiling changes. On the next authentications, if the profiling does not change, there should not be another bounce. Also, your client should be much faster than 5 seconds before it would try 802.1X, so this needs investigation as well.
It will be hard to provide a further useful suggestion based on the available information.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: May 17, 2022 05:08 PM
From: Andreas Hofer
Subject: Onboarding Concurrent with Profiling
We have a CP with Profiling enabled for different switches (ACX, Cisco, AOS)
On AOS Switch it´s default to send both (MAB, 802.1x) to Clearpass
On ACX we have set the command "port-access onboarding-method concurrent enable" on every Port
Cisco´s order is 802.1x first and then MAB. After 5s of no EAP Response of the Client, it is sending the MAB to the Clearpass
So if some Computer restarts, the MAC Address is seen first on the Switchport and the Client isn´t ready for EAP. So the Switch is sending MAB Request to CP, CP is sending the Profiling Vlan back. In the meantime the Supplicant is ready for EAP Handshake, but unfortunatelly Clearpass is sending Port-Bounce to the Switch because Profiling is finish. And it reapeats and repeats all the time.
What is the solution for something like that? Unfortunatelly there is nothing in the Enforcement Guide of Clearpass