Hi,
Maybe you should contact RICOH as well.
We also have trouble with RICOH MFDs (using Aruba 6200F, but similar problems with Konica too; no problem on ProCurve switches).
Every 9 minutes the authentication is lost for a minute.
We can see in the packet capture that the printer sends an EAP-TLS packet without the current session ID, resulting in no successful TLS session.
Later the printer sends a completely new authentication request, which is then successful.
Aruba Support says --> problem on Ricoh side
2022-10-25T06:36:15.955872+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
2022-10-25T06:36:15.940967+02:00 vsf-vw-2og-01 ops-switchd[644]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 2480 is mapped to client 58:38:79:4b:6f:2c on port 1/1/38
2022-10-25T06:34:48.993913+02:00 vsf-vw-2og-01 ops-switchd[644]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for 58:38:79:4b:6f:2c with VLAN 2480 on port 1/1/38
2022-10-25T06:34:48.970868+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10502|LOG_INFO|CDTR|1|Port 1/1/38 is blocked by port-access
2022-10-25T06:21:54.698640+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
2022-10-25T06:21:54.679318+02:00 vsf-vw-2og-01 ops-switchd[644]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 2480 is mapped to client 58:38:79:4b:6f:2c on port 1/1/38
I really don't know why it is every 9 minutes, but we could solve this 9-minute issue with the mentioned command "client-inactivity timeout none".
But the problem with the reauth still exists, so now the issue occurs every x hours (as defined in the reauth interval)...
The answer from RICOH support was not very helpful either: if reauth does not work properly, please disable reauth...
Ricoh says the problem is on the switch or RADIUS side.
Well, I don't know why you have mac-auth enabled too, and why it has precedence over dot1x, but okay. Here is our switch config; perhaps it can help you:
radius-server host "CPPM-IP" timeout 10 key ciphertext *** retries 2 tracking enable
radius dyn-authorization enable
radius dyn-authorization client "CPPM-IP" secret-key ciphertext ***
aaa authentication allow-fail-through
aaa group server radius EWR
    server "CPPM-IP"
aaa radius-attribute group EWR
    tunnel-private-group-id value static
    tunnel-private-group-id request-type authentication
aaa authentication port-access dot1x authenticator
    radius server-group EWR
    eap-tls-fragment towards-server 1400
    enable
vsf-vw-2og-01# sh run int 1/1/38
interface 1/1/38
    no shutdown
    speed auto 100m
    description Drucker
    no routing
    vlan access 2480
    spanning-tree bpdu-guard
    spanning-tree root-guard
    spanning-tree tcn-guard
    spanning-tree port-type admin-edge
    aaa authentication port-access client-limit 2
    aaa authentication port-access auth-role DRUCKER
    aaa authentication port-access radius-override enable
    port-access allow-flood-traffic enable
    aaa authentication port-access dot1x authenticator
        cached-reauth
        canned-eap-success
        eapol-timeout 10
        initial-auth-response-timeout 10
        max-eapol-requests 1
        max-retries 3
        quiet-period 5
        discovery-period 10
        enable
    client track ip update-interval 300
    loop-protect
    exit
vsf-vw-2og-01# sh run port-access role
port-access role DRUCKER
    auth-mode client-mode
    client-inactivity timeout none
    session-timeout 86400
    mtu 1400
    trust-mode none
    stp-admin-edge-port
    reauth-period 28800
    cached-reauth-period 360
    vlan access 2480
    exit
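As an added example (not code from any post in this thread), a small Python script that works through syslog lines of the kind quoted above: it pairs each "Port ... is blocked by port-access" event with the following unblock on the same port, computes the outage length and the interval between successive blocks, and flags ports whose blocks recur at a near-constant period, which is the signature of a timer (reauth, cached-reauth or client inactivity) rather than a random link flap. The sample log is constructed: the first three lines for port 1/1/38 are the ones posted above, the rest (two further cycles roughly nine minutes apart, an out-of-order line, and a single block on a hypothetical port 1/1/12) are invented to give the periodicity check something to work on; event IDs 10502/10503 and the line layout are taken as they appear in the posted log.

```python
"""Spot periodic port-access block/unblock cycles in AOS-CX syslog output.

Parses port-accessd events of the form
  <ISO8601 ts> <host> port-accessd[pid]: Event|<id>|LOG_INFO|CDTR|1|Port <port> is (un)blocked by port-access
pairs each 'blocked' with the next 'unblocked' on the same port and reports
outage length plus the period between successive blocks per port.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+port-accessd\[\d+\]:\s+"
    r"Event\|(?P<event_id>\d+)\|\S+\|\S+\|\d+\|"
    r"Port (?P<port>\S+) is (?P<state>blocked|unblocked) by port-access$"
)

# Constructed sample: first three 1/1/38 lines are from the thread, the rest are
# invented (same format) to show two more ~9 min cycles, an unsorted line and a
# second port that only blocks once. The ops-switchd line must be ignored.
SAMPLE_LOG = """\
2022-10-25T06:21:54.698640+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
2022-10-25T06:34:48.970868+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10502|LOG_INFO|CDTR|1|Port 1/1/38 is blocked by port-access
2022-10-25T06:36:15.955872+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
2022-10-25T06:43:48.100000+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10502|LOG_INFO|CDTR|1|Port 1/1/38 is blocked by port-access
2022-10-25T06:45:01.200000+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
2022-10-25T06:52:48.300000+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10502|LOG_INFO|CDTR|1|Port 1/1/38 is blocked by port-access
2022-10-25T06:54:10.400000+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/38 is unblocked by port-access
2022-10-25T06:40:00.000000+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10502|LOG_INFO|CDTR|1|Port 1/1/12 is blocked by port-access
2022-10-25T06:40:20.000000+02:00 vsf-vw-2og-01 ops-switchd[644]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for aa:bb:cc:dd:ee:ff with VLAN 10 on port 1/1/12
2022-10-25T06:40:30.000000+02:00 vsf-vw-2og-01 port-accessd[4037]: Event|10503|LOG_INFO|CDTR|1|Port 1/1/12 is unblocked by port-access
"""


def parse_events(lines):
    """Return port-accessd block/unblock events sorted by timestamp; other daemons' lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),   # keeps the +02:00 offset
            "host": m["host"],
            "port": m["port"],
            "blocked": m["state"] == "blocked",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def outages(events):
    """Pair each block with the next unblock on the same port.

    Returns {port: [(block_ts, unblock_ts_or_None), ...]}. An unblock with no
    preceding block (the first login in a capture) is dropped; a block that is
    never cleared, or is followed by a second block, is recorded with None.
    """
    open_block, result = {}, defaultdict(list)
    for ev in events:
        port = ev["port"]
        if ev["blocked"]:
            if port in open_block:
                result[port].append((open_block.pop(port), None))
            open_block[port] = ev["ts"]
        elif port in open_block:
            result[port].append((open_block.pop(port), ev["ts"]))
    for port, ts in open_block.items():
        result[port].append((ts, None))
    return dict(result)


def summarize(events):
    """Per port: block count, mean and jitter (population std-dev) of the block-to-block period, mean outage."""
    summary = {}
    for port, pairs in outages(events).items():
        blocks = [b for b, _ in pairs]
        periods = [(b2 - b1).total_seconds() for b1, b2 in zip(blocks, blocks[1:])]
        downs = [(u - b).total_seconds() for b, u in pairs if u is not None]
        summary[port] = {
            "blocks": len(blocks),
            "period_mean_s": mean(periods) if periods else None,
            "period_jitter_s": pstdev(periods) if periods else None,
            "outage_mean_s": mean(downs) if downs else None,
            "still_blocked": any(u is None for _, u in pairs),
        }
    return summary


def find_periodic_ports(lines, min_blocks=3, max_jitter_s=30.0):
    """Ports whose blocks recur at a near-constant period (at least min_blocks blocks, i.e. two periods)."""
    summary = summarize(parse_events(lines))
    return sorted(port for port, s in summary.items()
                  if s["blocks"] >= min_blocks and s["period_jitter_s"] <= max_jitter_s)


if __name__ == "__main__":
    for port, s in summarize(parse_events(SAMPLE_LOG.splitlines())).items():
        print(port, s)
    print("periodic:", find_periodic_ports(SAMPLE_LOG.splitlines()))
```

Feed it the switch log export instead of SAMPLE_LOG and compare the reported period per port with the timers in the role (reauth-period, cached-reauth-period, client-inactivity timeout): a period that lines up with one of them tells you which timer is firing, while a jitter of many minutes points away from a timer altogether.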
Original Message:
Sent: Oct 26, 2022 07:58 AM
From: Herman Robers
Subject: Printers going offline
The switch in general blocks access if it receives invalid configuration, like a user-role name that is not configured on the switch.
You may see something in the logging or the 'show port-access clients interface 1/1/1 detail' may provide a reason why the port access is blocked.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Oct 25, 2022 06:56 AM
From: Inzamam Shahid
Subject: Printers going offline
When a device authenticates on an AAA port, the logs on the switch show the port is blocked by port-access.
CPPM is only returning a role, and the role on the switch does not have anything in it that would bring the port down. Is there any way to stop the port being downed after authenticating with CPPM?
Original Message:
Sent: Oct 22, 2022 02:10 AM
From: Ivan ivan.bondar@hpe.com
Subject: Printers going offline
Hi @danger,
Try to add 'client-inactivity timeout <seconds>' to the role WIRED_PRINTERS. You can even set it to 'none'.
------------------------------
Ivan Bondar
Original Message:
Sent: Oct 21, 2022 10:48 AM
From: Inzamam Shahid
Subject: Printers going offline
Hi All,
We are seeing a weird issue where printers are going offline and the only way to get them back online is to bounce the switch port or reboot the printer.
They are connected to 6300 switches, which are acting as edge and distribution. The ports have AAA enabled on them and authenticate against CPPM. The port config is:
    no shutdown
    no routing
    vlan access 1
    loop-protect
    aaa authentication port-access auth-precedence mac-auth dot1x
    aaa authentication port-access client-limit 2
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
When the printers authenticate against CPPM they get this role, with re-authentication configured on it:
port-access role WIRED_PRINTERS
    stp-admin-edge-port
    reauth-period 900
    vlan access 2082
I have checked, and MAC pinning is not available on these switches; we are running version 10.09.1000.
These are RICOH printers, I am wondering if anyone else has experienced the same issue and has any recommendations?