ClearPass does its job and blocks the unknown device. 60k authentication requests for 20 hours is quite high.
Investigate if you have changed how often the switch tries to authenticate. In most cases MAC auth is sent every minute.
ClearPass servers don't have a limit on how many requests they can handle, except for the performance of the server.
Original Message:
Sent: May 28, 2025 09:11 AM
From: nw16
Subject: ClearPass Insight - Success vs Failed Authentication Trend
Thank you for your answer, @jonas.hammarback
Upon investigation, I observed one address with over 60K authentication attempts over the period of 20hrs [snap attached].

Tracing through it, that MAC address (belongs to a system) is blocked by policy & is listed under the blacklist group. As of now, I am struggling to find the answer as to why the endpoint is still within the network and attempting to authenticate despite being blocked.
Is there any limit to MAC authentication attempts per second?
"I have also seen environments where computers are using docking stations, and when the computer the docking station is still powered on and the MAC address can't MAC authenticate as it's the computer that has the 802.1x profile. This leads to high loads of rejects during times when the computers sleep or are disconnected, like outside office hours. Clients connected behind dumb switches may also be an issue if your Aruba switches try to initiate MAC authentications for MAC addresses that were previously connected to a dumb switch but are no longer connected."
This might be the case in our environment since all the computers (approx. 2L) are using docking stations.
Original Message:
Sent: May 27, 2025 05:05 AM
From: jonas.hammarback
Subject: ClearPass Insight - Success vs Failed Authentication Trend
Hi
I have seen this behavior in some customer environments and there could be several reasons. One customer had implemented that any unknown wired devices should be placed on the guest network, but implemented it as a reject from ClearPass and configured the switches with the guest network as the reject VLAN. This caused the switches to send a RADIUS request for MAC auth every minute with a lot of rejects as a result. Another customer had a lot of Cisco IP phones and had issues deploying correct 802.1x profiles and certificates, resulting in the phones trying 802.1x about every minute and falling back to MAC auth to get them to work.
In the first case I changed the behavior from a reject in ClearPass to an accept for unknown MAC addresses and sending a guest role to the switches. As a result almost all rejects were removed and I could see "real" rejects, such as users with wrong passwords or devices with wrong authentication methods etc.
In the second case I had to work with the IP telephony team and help them to get valid certificates and configure 802.1x settings on the phones.
I have also seen environments where computers are using docking stations, and when the computer the docking station is still powered on and the MAC address can't MAC authenticate as it's the computer that has the 802.1x profile. This leads to high loads of rejects during times when the computers sleep or are disconnected, like outside office hours. Clients connected behind dumb switches may also be an issue if your Aruba switches try to initiate MAC authentications for MAC addresses that were previously connected to a dumb switch but are no longer connected.
I would say that you should start to drill down into the different reasons for all rejects, as they bring quite a load on both your ClearPass servers and the network, and work with the different teams responsible for the device types that cause most of the rejects. Maybe just start by looking at the top 10 MAC address list in Insight.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
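
An added example, not part of the thread or any poster's reply: a Python sketch of the per-MAC reject drill-down suggested above, ranking MACs by reject count and flagging those that retry at a steady interval. The CSV column names and all sample rows are constructed assumptions, not a ClearPass or Insight export format.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def build_sample_csv():
    """Constructed sample data. Column names are assumptions for this example."""
    start = datetime(2025, 5, 27, 18, 0, 0)
    rows = [("timestamp", "mac", "nas_ip", "nas_port", "result")]
    # MAC rejected once a minute on one switch port (periodic switch retry)
    for i in range(30):
        ts = start + timedelta(seconds=60 * i)
        rows.append((ts.isoformat(), "aa:bb:cc:00:00:01", "10.0.0.2", "1/1/5", "REJECT"))
    # MAC with a few irregular rejects (for example a mistyped password)
    for off in (15, 400, 1300):
        ts = start + timedelta(seconds=off)
        rows.append((ts.isoformat(), "aa:bb:cc:00:00:02", "10.0.0.3", "1/1/9", "REJECT"))
    rows.append((start.isoformat(), "aa:bb:cc:00:00:03", "10.0.0.3", "1/1/7", "ACCEPT"))
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()

def top_rejects(csv_text, top_n=10):
    """Rank MACs by reject count and flag those retrying at a steady interval."""
    times, ports = defaultdict(list), defaultdict(set)
    for r in csv.DictReader(io.StringIO(csv_text)):
        if r["result"] != "REJECT":
            continue
        times[r["mac"]].append(datetime.fromisoformat(r["timestamp"]))
        ports[r["mac"]].add((r["nas_ip"], r["nas_port"]))
    report = []
    for mac, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        med = median(gaps) if gaps else None
        # Periodic: at least 80% of gaps lie within 10% of the median gap
        near = sum(abs(g - med) <= 0.1 * med for g in gaps) if gaps else 0
        report.append({"mac": mac, "rejects": len(ts), "median_gap_s": med,
                       "ports": len(ports[mac]),
                       "periodic": len(gaps) >= 5 and near >= 0.8 * len(gaps)})
    return sorted(report, key=lambda e: e["rejects"], reverse=True)[:top_n]

if __name__ == "__main__":
    for entry in top_rejects(build_sample_csv()):
        print(entry)
```

A MAC flagged periodic with a median gap near 60 seconds on a single port matches the once-a-minute switch retry pattern described in the thread.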