Security

Hello,

We faceting a problem with Authentication 

Environment:
Switches: HPE 5130EI in IRF stacking (3-7 members per stack), multiple locations
NAC: Two VM Aruba ClearPass Policy Manager (CPPM)  verion C2000V Version: 6.12.7.308288
Authentication: 802.1X EAP-TLS for Windows PCs (computer certificates), MAB for other devices <---- the Authentication is working No problem.
Client Number: currently is 1000 but will go up to 10000 
OS: Windows 10/11 with Wired AutoConfig via GPO

---------------
Problem Description:
ClearPass is receiving continuous Accounting-Stop records with Termination-Cause = NAS-Error from all HPE 5130EI switches 24/7. The issue is random across different ports and all switch stacks at all locations. The storm never stops and causes ClearPass to become overloaded, resulting in legitimate authentications failing with Authorization VLAN process failed errors.

we have Aruba switch 2930F and we don't have any problem with them. 
------------------
what i understand root Causes Identified is:
1. DOT1X Offline-Detect (300s)
The switch checks every 300 seconds if authenticated users are still alive by sending unicast EAP-Request/Identity frames. Windows native supplicant treats this as a new authentication request → full EAP-TLS re-authentication → session torn down → NAS-Error sent to ClearPass → loop repeats every 5 minutes per authenticated PC.
2. Unicast-Trigger with Quiet-Period = 0
dot1x unicast-trigger was enabled on all ports with no quiet period. After successful authentication, the switch immediately starts sending unicast triggers → Windows supplicant responds with EAPOL-Start → full re-authentication → ErrCode=10 (supplicant timeout) logoff → NAS-Error → loop.
3. Guest VLAN Reauth Period (30s)
mac-authentication guest-vlan auth-period 30 was configured. When a device disconnects or goes to sleep, its ghost entry remains in Guest VLAN 4090 for 1000 seconds. During this time MAB re-authentication is triggered every 30 seconds → ~32 phantom RADIUS requests per disconnected device → ClearPass overload.
4. Guest VLAN User Aging (1000s)
Ghost MAC entries from disconnected devices stayed in Guest VLAN for ~16 minutes, continuously generating phantom MAB requests.
5. Termination-Action = RADIUS-Request (1) (pending fix)
ClearPass sends Session-Timeout = 10800 with Termination-Action = 1. When 3-hour session expires, switch attempts mid-session RADIUS reauthentication → ClearPass overloaded → Authorization VLAN process failed → authentication failure loop.

-------------------------------------
Switch Port Configuration (Per Port):
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 1100 tagged
 port hybrid vlan 4090 untagged
 port hybrid pvid vlan 4090
 undo voice-vlan mode auto
 voice-vlan 1100 enable
 stp edged-port
 stp tc-restriction
 poe enable
 undo dot1x handshake
 undo dot1x multicast-trigger
 dot1x guest-vlan 4090
 dot1x auth-fail vlan 4090
 dot1x critical vlan 4090
 dot1x re-authenticate server-unreachable keep-online
 dot1x offline-detect enable
 dot1x server-recovery online-user-sync
 mac-authentication carry user-ip
 mac-authentication re-authenticate server-unreachable keep-online
 mac-authentication guest-vlan 4090
 mac-authentication guest-vlan auth-period 120
 mac-authentication critical vlan 4090
 mac-authentication host-mode multi-vlan
 port-security port-mode userlogin-secure-or-mac
-------------------

our environment and what type of ClearPass servers and how many?

I open TAC support but still no help the case open now for couple of month.

any help i will be very Grateful. 
Thank you

-------------------------------------------

What is the rationale behind the 30 second auth-period on the guest VLAN?

I would configure this to a much higher setting.

How many clients, switches and access points do you have in the environment and what type of ClearPass servers and how many?

From my experience a ClearPass server can handle significant loads without becoming overwhelmed. Had a C1000 hardware server, designed to handled up to 40000 daily authentications, but due to faulty clients trying 802.1x and MAC auth multiple times per minute, the server was loaded with up to 200000 authentication requests per day. In this case the server became really slow.  

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Hello jonas.hammarback,

Thank you for you replay i update the information up, i post wrong configure for the port before currently the mac-authentication guest-vlan auth-period 120.

for our environment more than 160 switch HPE 5130EI in IRF stacking and Aruba Switch 2930F and about 50 AP Aruba.

Thank you

-------------------------------------------

Original Message:
Sent: Apr 30, 2026 07:57 AM
From: jonas.hammarback
Subject: Termination-Cause = NAS-Error

What is the rationale behind the 30 second auth-period on the guest VLAN?

I would configure this to a much higher setting.

How many clients, switches and access points do you have in the environment and what type of ClearPass servers and how many?

From my experience a ClearPass server can handle significant loads without becoming overwhelmed. Had a C1000 hardware server, designed to handled up to 40000 daily authentications, but due to faulty clients trying 802.1x and MAC auth multiple times per minute, the server was loaded with up to 200000 authentication requests per day. In this case the server became really slow.  

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------