Apart from the messages (which look normal without further context), how do you experience that the device is disconnected from the network? The 'show port-access clients' output shows that the device is still connected.
It may be best to work with your Aruba partner and/or Aruba TAC to have a live debugging session to find if there is a problem and what the solution would be.
Having two MAC addresses in different VLANs via port-authentication should work normally, and you could troubleshoot the two devices independently.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Dec 19, 2023 10:00 AM
From: JL24
Subject: aaa mac-auth deletes mac entry by itself... Timeout somewhere?
Whoops sorry!
Because I got the server installed and configured, I had to change :bf to VLAN 1010, so that is how it should be at this point.
:bd is the HP iLO port in shared mode, but in real life there can be either a device having two MACs on one port or a (dumb or not so dumb) switch behind the edge port to provide a control network to a few devices connected to the dumb switch.
------------------------------
Jori Luoto
AV-IT Specialist
Original Message:
Sent: Dec 19, 2023 09:31 AM
From: Herman Robers
Subject: aaa mac-auth deletes mac entry by itself... Timeout somewhere?
There seem to be 2 devices behind that port, one with MAC address ending :bf, the other :bd. What kind of device is this?
What is strange is that :bd seems to be in VLAN 110 and :bf in VLAN 1010, but in your earlier logs it was in VLAN 130.
What is clear is that the port is authorized, and it may be related to the device being silent for a while: the MAC entry is removed after some time, and after that, if the device sends traffic again it will get its MAC entry back; if traffic is sent to the device, it is flooded to all ports in the VLAN, and if the device then responds, the MAC is placed back in the MAC forwarding table. I don't see an issue. How do you experience that the device is disconnected? The switch logs don't support such an observation in my view. This may be something to better investigate/work on with your Aruba partner, as we don't have full access to all information.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Dec 19, 2023 08:38 AM
From: JL24
Subject: aaa mac-auth deletes mac entry by itself... Timeout somewhere?
On successful authentication, RADIUS sends only three attributes back to the switch:
(364281) Tue Dec 19 15:05:12 2023: Debug: Tunnel-Private-Group-Id = "110"
(364281) Tue Dec 19 15:05:12 2023: Debug: Tunnel-Type = VLAN
(364281) Tue Dec 19 15:05:12 2023: Debug: Tunnel-Medium-Type = IEEE-802
This device is a server which I am installing while testing the port-auth configuration at the same time. One disconnect happened in the middle of downloading installation packages from the network.
Now it seemed to drop again, and here you can see the working and non-working "show port-access..." output:
*******************************
WORKING:
*******************************
Port Access Client Status Details:
RADIUS overridden user roles are suffixed with '*'
Client e0:07:1b:8a:5b:bf
========================
Session Details
---------------
Port : 1/1/12
Session Time : 761s
IPv4 Address :
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 1010
Access : 1010
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : mac-auth - Authenticated, dot1x - Not attempted
Auth History : mac-auth - Authenticated, 761s ago
MACsec Details
--------------
MKA Session Status :
MACsec Status :
Authorization Details
----------------------
Status : Applied
RADIUS Attributes
------------------
Tunnel-Type : 13
Tunnel-Medium-Type : 6
Tunnel-Private-Group-ID : 1010
RADIUS Role Name : RADIUS_2286567924
Port Access Client Status Details:
RADIUS overridden user roles are suffixed with '*'
Client e0:07:1b:8a:5b:bd
========================
Session Details
---------------
Port : 1/1/12
Session Time : 758s
IPv4 Address :
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 110
Access : 110
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : mac-auth - Authenticated, dot1x - Not attempted
Auth History : mac-auth - Authenticated, 758s ago
MACsec Details
--------------
MKA Session Status :
MACsec Status :
Authorization Details
----------------------
Status : Applied
RADIUS Attributes
------------------
Tunnel-Type : 13
Tunnel-Medium-Type : 6
Tunnel-Private-Group-ID : 110
RADIUS Role Name : RADIUS_4168821497
*******************************
NOT WORKING:
*******************************
Port Access Client Status Details:
RADIUS overridden user roles are suffixed with '*'
Client e0:07:1b:8a:5b:bf
========================
Session Details
---------------
Port : 1/1/12
Session Time : 1308s
IPv4 Address :
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 1010
Access : 1010
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : mac-auth - Authenticated, dot1x - Not attempted
Auth History : mac-auth - Authenticated, 1308s ago
MACsec Details
--------------
MKA Session Status :
MACsec Status :
Authorization Details
----------------------
Status : Applied
RADIUS Attributes
------------------
Tunnel-Type : 13
Tunnel-Medium-Type : 6
Tunnel-Private-Group-ID : 1010
RADIUS Role Name : RADIUS_2286567924
Port Access Client Status Details:
RADIUS overridden user roles are suffixed with '*'
Client e0:07:1b:8a:5b:bd
========================
Session Details
---------------
Port : 1/1/12
Session Time : 1305s
IPv4 Address :
IPv6 Address :
Device Type :
VLAN Details
------------
VLAN Group Name :
VLANs Assigned : 110
Access : 110
Native Untagged :
Allowed Trunk :
Authentication Details
----------------------
Status : mac-auth Authenticated
Auth Precedence : mac-auth - Authenticated, dot1x - Not attempted
Auth History : mac-auth - Authenticated, 1305s ago
MACsec Details
--------------
MKA Session Status :
MACsec Status :
Authorization Details
----------------------
Status : Applied
RADIUS Attributes
------------------
Tunnel-Type : 13
Tunnel-Medium-Type : 6
Tunnel-Private-Group-ID : 110
RADIUS Role Name : RADIUS_4168821497
Here is the listing from the MAC address table when the disconnect has happened (I assume it's not about clearing the MAC address table...):
fin-032-kjk01-1-20# sh mac-address-table interface 1/1/12
MAC age-time : 300 seconds
Number of MAC addresses : 2
MAC Address VLAN Type Interface
-------------------------------------------------------------------
e0:07:1b:8a:5b:bd 110 port-access-security 1/1/12
e0:07:1b:8a:5b:bf 1010 port-access-security 1/1/12
------------------------------
Jori Luoto
AV-IT Specialist
Original Message:
Sent: Dec 19, 2023 07:49 AM
From: Herman Robers
Subject: aaa mac-auth deletes mac entry by itself... Timeout somewhere?
What attributes does your RADIUS server return to this switch after authentication? Does it include a session-timeout?
Is the device actively sending traffic?
If the behavior is predictable, you could regularly run the command 'show port-access clients interface 1/1/12 detail' to check the port authentication status before and after the disconnect.
Best is to have a look with your Aruba partner or Aruba Support, as there are many things to look at, including your RADIUS configuration.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Dec 19, 2023 06:25 AM
From: JL24
Subject: aaa mac-auth deletes mac entry by itself... Timeout somewhere?
Hello,
I have a project with PacketFence as the NAC server (with FreeRADIUS) and 8360/6200/6300 switches... MAC auth works fine, but from time to time I get a disconnect (or rather a disconnection) from the network, and I don't understand where to disable such a disconnection feature. I would like to have a disconnection when the switch port is reset.
Disconnection happens after about 20-40 minutes, and I cannot find anything in the RADIUS logs which can prove that RADIUS sends a disconnection to the switch...
Here are partial log entries:
2023-12-19T12:44:57.956241+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 110 is mapped to client e0:07:1b:8a:5b:bd on port 1/1/12
2023-12-19T12:44:55.164955+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 130 is mapped to client e0:07:1b:8a:5b:bf on port 1/1/12
2023-12-19T12:44:43.888744+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for e0:07:1b:8a:5b:bd with VLAN 110 on port 1/1/12
2023-12-19T12:34:19.511863+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for e0:07:1b:8a:5b:bf with VLAN 130 on port 1/1/12
2023-12-19T12:11:58.788321+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 130 is mapped to client e0:07:1b:8a:5b:bf on port 1/1/12
2023-12-19T11:52:49.426641+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for e0:07:1b:8a:5b:bf with VLAN 130 on port 1/1/12
And here is the partial configuration from the edge switch...
radius-server host 172.20.15.7 key ****
aaa authentication allow-fail-through
!
!
aaa group server radius FBA-RAD
server 172.20.15.7
!
*****
aaa authentication port-access mac-auth
addr-format multi-colon
radius server-group FBA-RAD
enable
!
*****
interface 1/1/12
no shutdown
no routing
vlan access 110
aaa authentication port-access auth-precedence mac-auth dot1x
aaa authentication port-access client-limit 50
aaa authentication port-access mac-auth
enable
!
Really appreciate suggestions to fix this.
------------------------------
Jori Luoto
AV-IT Specialist
------------------------------
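The ops-switchd log lines quoted in the original post are the only evidence of the "disconnects", so a useful first step is to parse them and measure, per client MAC, how long each MAC-based VLAN entry lived before it was deleted and how long the client was absent before it was re-learned. This is an added example, not code from the thread or from Aruba; it embeds the six posted log lines as a constructed sample and assumes only that other lines follow the same ops-switchd Event format.

```python
import re
from datetime import datetime

# Constructed sample: the six ops-switchd lines quoted in the original post (newest first, as posted).
SAMPLE_LOG = """\
2023-12-19T12:44:57.956241+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 110 is mapped to client e0:07:1b:8a:5b:bd on port 1/1/12
2023-12-19T12:44:55.164955+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 130 is mapped to client e0:07:1b:8a:5b:bf on port 1/1/12
2023-12-19T12:44:43.888744+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for e0:07:1b:8a:5b:bd with VLAN 110 on port 1/1/12
2023-12-19T12:34:19.511863+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for e0:07:1b:8a:5b:bf with VLAN 130 on port 1/1/12
2023-12-19T12:11:58.788321+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2108|LOG_INFO|CDTR|1|Created Mac based VLAN entry. VLAN 130 is mapped to client e0:07:1b:8a:5b:bf on port 1/1/12
2023-12-19T11:52:49.426641+02:00 fin-032-kjk01-1-20 ops-switchd[950]: Event|2110|LOG_INFO|CDTR|1|Deleted Mac based VLAN entry for e0:07:1b:8a:5b:bf with VLAN 130 on port 1/1/12
"""

# Matches both the "Created ... VLAN X is mapped to client MAC" and the
# "Deleted ... for MAC with VLAN X" message shapes seen in the post.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ ops-switchd\[\d+\]: Event\|\d+\|[^|]+\|[^|]+\|\d+\|"
    r"(?P<action>Created|Deleted) Mac based VLAN entry"
    r"(?:\. VLAN (?P<vlan_c>\d+) is mapped to client (?P<mac_c>[0-9a-f:]{17})"
    r"| for (?P<mac_d>[0-9a-f:]{17}) with VLAN (?P<vlan_d>\d+)) on port (?P<port>\S+)$"
)


def parse_events(text):
    """Return (timestamp, action, mac, vlan, port) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a MAC-based VLAN event, ignore
        mac = m.group("mac_c") or m.group("mac_d")
        vlan = int(m.group("vlan_c") or m.group("vlan_d"))
        events.append((datetime.fromisoformat(m.group("ts")), m.group("action"), mac, vlan, m.group("port")))
    return sorted(events)


def session_timeline(events):
    """Per MAC: 'lifetimes' = seconds from Created to the next Deleted,
    'absences' = seconds from Deleted to the next Created, 'vlans' = VLANs seen.
    A lifetime of ~20-40 min followed by a long absence is consistent with the
    client going silent and the entry ageing out, not with a RADIUS disconnect."""
    out, last = {}, {}
    for ts, action, mac, vlan, port in events:
        rec = out.setdefault(mac, {"lifetimes": [], "absences": [], "vlans": set()})
        rec["vlans"].add(vlan)
        prev = last.get(mac)
        if prev is not None and prev[1] != action:  # pair Created<->Deleted only
            key = "lifetimes" if action == "Deleted" else "absences"
            rec[key].append(round((ts - prev[0]).total_seconds(), 1))
        last[mac] = (ts, action)
    return out
```

Run `session_timeline(parse_events(SAMPLE_LOG))` over a full syslog export to see whether every deletion is preceded by a quiet period longer than the 300-second MAC age-time shown in the thread, which is the pattern Herman describes.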