  • 1.  30sec reauth on client

    Posted Mar 13, 2026 11:35 AM

    Hi,

    I'm authenticating certificate clients with EAP/TLS in ClearPass and it's reauthing every 30sec, viewed in the auth history on the switch (sh aaa authentication port-access int 1/1/1 client-status) and in Access Tracker in ClearPass.

    Sending a 600s session-timeout value from ClearPass as a RADIUS attribute (session time is counting down in the "show" command above).

    What is creating the 30 sec reauths? I want 600sec reauth, can't find any settings that control that.

    Can add that in Cisco ISE it worked flawlessly (with same switch config & RADIUS attributes sent) but when I changed the NAC to ClearPass the 30sec reauth appeared (so I'm guessing the setting is from ClearPass?). Also the MAB devices work fine with 600 sec reauth.

    No errors or fails in logs, just the 30sec mass-spam logging :)

    Any ideas?



    -------------------------------------------


  • 2.  RE: 30sec reauth on client

    Posted Mar 13, 2026 11:38 AM

    Can you share the output of 'show port-access client int 1/1/1 detail', and the 'show running interface 1/1/1'; and the configuration for the applied role?

    The re-auth timeout normally would be taken from the 'IETF:Session-Timeout' RADIUS attribute, but it may be configured on the interface or role as well...



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: 30sec reauth on client

    Posted Mar 16, 2026 08:40 AM
    Edited by Niklas Mar 16, 2026 08:49 AM

    Hi Herman and thanks for replying.

    The port config is basic with no roles, and a simple port conf:

    interface 1/1/1
        description dot1x-port-TEST
        no shutdown 
        no routing
        vlan access 1
        aaa authentication port-access dot1x authenticator
            enable
        aaa authentication port-access mac-auth
            enable
        loop-protect
        exit

    and the attached picture ('show port-access client int 1/1/1 detail') shows the RADIUS attr. & the working session-timeout, but still the auth history shows the 30 sec reauths.

    Can add it's a 6300M 10.16.1006 & CPPM 6.12.7

    -------------------------------------------



  • 4.  RE: 30sec reauth on client

    Posted Mar 18, 2026 06:46 AM

    From the config, I don't see even the reauth statement; so I would not know why the switch would trigger a reauth. For 802.1X, the only reason I can think of is that the client triggers a reauthentication, maybe because it didn't feel it was fully completed. Or that the client after authentication doesn't get network access, and just resets the interface and retries?

    If you can, I would run a packet capture on the client and see who initiates the authentication, my guess is that it's the client.

    Have you tried with other (types of) clients as well?



    ------------------------------
    Herman Robers
    ------------------------------
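
The capture check suggested in the post above, as an added example that is not part of the thread or of any HPE Aruba tooling: it walks untagged EAPOL frames in time order and reports whether each authentication round began with an EAPOL-Start from the client or with an unsolicited EAP-Request/Identity from the switch. The frames, MAC addresses and function names are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1      # IEEE 802.1X packet types
EAP_REQUEST, EAP_TYPE_IDENTITY = 1, 1     # RFC 3748 code / type

def classify(frame: bytes):
    """Return 'start', ('req-identity', eap_id) or None for one Ethernet frame."""
    if len(frame) < 18 or frame[12:14] != b"\x88\x8e":   # not (untagged) EAPOL
        return None
    _ver, ptype, length = struct.unpack_from("!BBH", frame, 14)
    body = frame[18:18 + length]
    if ptype == EAPOL_START:
        return "start"
    if (ptype == EAPOL_EAP_PACKET and len(body) >= 5
            and body[0] == EAP_REQUEST and body[4] == EAP_TYPE_IDENTITY):
        return ("req-identity", body[1])
    return None

def reauth_initiators(capture):
    """capture: (timestamp, frame) pairs in time order -> [(timestamp, initiator)]."""
    rounds, awaiting_reply, last_id = [], False, None
    for ts, frame in capture:
        kind = classify(frame)
        if kind == "start":
            if not awaiting_reply:                 # count repeated Starts once
                rounds.append((ts, "supplicant"))
            awaiting_reply = True
        elif kind is not None:
            if awaiting_reply:
                awaiting_reply = False             # switch answering EAPOL-Start
            elif kind[1] != last_id:               # same EAP id = retransmission
                rounds.append((ts, "authenticator"))
            last_id = kind[1]
    return rounds

# Constructed sample frames (made-up MACs), not taken from the thread's capture.
SUPP, SWITCH, PAE = (bytes.fromhex(h) for h in
                     ("020000000001", "020000000002", "0180c2000003"))
def eapol(src, dst, ptype, body=b""):
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 2, ptype, len(body)) + body
def req_identity(eap_id):
    return struct.pack("!BBHB", EAP_REQUEST, eap_id, 5, EAP_TYPE_IDENTITY)

SAMPLE = [(0.0, eapol(SUPP, PAE, 1)), (0.01, eapol(SWITCH, SUPP, 0, req_identity(1))),
          (30.0, eapol(SUPP, PAE, 1)), (30.01, eapol(SWITCH, SUPP, 0, req_identity(2))),
          (630.0, eapol(SWITCH, SUPP, 0, req_identity(3))),
          (633.0, eapol(SWITCH, SUPP, 0, req_identity(3)))]   # last one: retransmission
```

Fed with (timestamp, raw frame) pairs from a client-side capture, rounds labelled `supplicant` are the ones the client started itself.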