Wired Intelligent Edge

 View Only
last person joined: yesterday 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Back to discussions
Expand all | Collapse all

switch not forwarding 802.1x auth request to clearpass

This thread has been viewed 22 times

  • 1.  switch not forwarding 802.1x auth request to clearpass

    Posted Sep 20, 2022 09:17 AM
    many users complains about they can't access the network, i have check the logs on switch and clearpass

    mac-auth for avaya ip phone and 802.1x for windows 10 clients (pc behind ip phone)
    vlan 11 for voice
    vlan 3 for users

    windows client keep attempting to authenticate , then authentication failed (eap-tls)

    configs on the switch port:  WB.16.04.0013 

    interface 4/10
    name "U_27"
    tagged vlan 11
    untagged vlan 3
    aaa port-access authenticator
    aaa port-access authenticator tx-period 15
    aaa port-access authenticator supplicant-timeout 15
    aaa port-access authenticator client-limit 3
    aaa port-access authenticator cached-reauth-period 86400
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 2
    aaa port-access mac-based reauth-period 86400
    exit

    No logs on clearpass for 802.1x only mac-auth and it's rejected for the users.

    switch logs:
    I 09/11/22 10:48:23 00435 ports: ST1-CMDR: port 4/10 is Blocked by AAA
    I 09/11/22 10:49:30 00076 ports: ST1-CMDR: port 4/10 is now on-line

    # show port-access 4/10 clients

    Port Access Client Status

    Port Client Name MAC Address IP Address User Role Type VLAN
    ----- ------------- ------------- --------------- ----------------- ----- -------------------------------------------------------
    4/10                   98e743-66ddaf n/a                                8021X
    4/10                   98e743-66ddaf n/a                                MAC
    4/10 b4475eaa3f0a b4475e-aa3f0a 192.168.102.63 MAC 11

    # show port-access 4/10 clients detailed

    Port Access Client Status Detail

    Client Base Details :
    Port : 4/10 Authentication Type : 802.1x
    Client Status : connecting Session Time : 0 seconds
    Client name : Session Timeout : 0 seconds
    MAC Address : 98e743-66ddaf
    IP : n/a

    Access Policy Details :
    COS Map : Not Defined In Limit Kbps : Not Set
    Untagged VLAN : Not Set Out Limit Kbps : Not Set
    Tagged VLANs : No Tagged VLANs
    Port Mode : 1000FDx
    RADIUS ACL List : No Radius ACL List

    Client Base Details :
    Port : 4/10 Authentication Type : mac-based
    Client Status : rejected no vlan Session Time : 60 seconds
    Client Name : Session Timeout : 0 seconds
    MAC Address : 98e743-66ddaf
    IP : n/a

    Access Policy Details :
    COS Map : Not Defined In Limit Kbps : Not Set
    Untagged VLAN : Not Set Out Limit Kbps : Not Set
    Tagged VLANs : No Tagged VLANs
    Port Mode : 1000FDx
    RADIUS ACL List : No Radius ACL List

    Client Base Details :
    Port : 4/10 Authentication Type : mac-based
    Client Status : authenticated Session Time : 80116 seconds
    Client Name : b4475eaa3f0a Session Timeout : 0 seconds
    MAC Address : b4475e-aa3f0a
    IP : 192.168.102.63

    Access Policy Details :
    COS Map : Not Defined In Limit Kbps : Not Set
    Untagged VLAN : 11 Out Limit Kbps : Not Set
    Tagged VLANs : No Tagged VLANs
    Port Mode : 1000FDx
    RADIUS ACL List : No Radius ACL List


    any missing configuration here??
    ------------------------------
    BR,
    Mohanad
    ------------------------------


  • 2.  RE: switch not forwarding 802.1x auth request to clearpass

    EMPLOYEE
    Posted Sep 20, 2022 07:03 PM
    i think you need the following port-level command as well.
    "aaa port-access authenticator active"

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------

    Original Message


  • 3.  RE: switch not forwarding 802.1x auth request to clearpass

    Posted Sep 20, 2022 07:41 PM
    hello ariyap,

    it's enable globally on the switch.

    50 users connect to that switch, only 15 of them facing this issue

    there is 2 solutions, restart the windows pc then it will work!!!!, add the mac address in mac service to be allowed, but i need to understand why this happning


    could you please explain to me, what is the use case for the following command:
    aaa port-access authenticator <port-list> [auth-vid <vid>]

    Configures an existing, static VLAN to be the Authorized-Client VLAN

    ------------------------------
    BR,
    Mohanad
    ------------------------------

    Original Message


  • 4.  RE: switch not forwarding 802.1x auth request to clearpass

    EMPLOYEE
    Posted Sep 21, 2022 08:37 AM
    Best to work with Aruba Support as this is not expected. With your config, if 802.1X times out, it will fallback to MAC Authentication. So that is the reason why it works if you authorize the MAC address for MAC Auth.

    In general, the message "rejected, no vlan" means that there is an issue with the returned RADIUS attributes. Here is a video that explains the debugging steps; but it assumes that there is a successful authentication on ClearPass, where you mentioned that you don't see an authentication. But going through the logging may reveal the issue.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message