What is the rationale behind the 30 second auth-period on the guest VLAN?
I would configure this to a much higher setting.
How many clients, switches and access points do you have in the environment and what type of ClearPass servers and how many?
From my experience a ClearPass server can handle significant loads without becoming overwhelmed. I had a C1000 hardware server, designed to handle up to 40000 daily authentications, but due to faulty clients trying 802.1X and MAC auth multiple times per minute, the server was loaded with up to 200000 authentication requests per day. In this case the server became really slow.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Apr 29, 2026 06:11 PM
From: MohammadH
Subject: Termination-Cause = NAS-Error
Hello,
We are facing a problem with authentication.
Environment:
Switches: HPE 5130EI in IRF stacking (3-7 members per stack), multiple locations
NAC: Aruba ClearPass Policy Manager (CPPM)
Authentication: 802.1X EAP-TLS for Windows PCs (computer certificates), MAB for other devices <---- authentication itself is working, no problem.
OS: Windows 10/11 with Wired AutoConfig via GPO
---------------
Problem Description:
ClearPass is receiving continuous Accounting-Stop records with Termination-Cause = NAS-Error from all HPE 5130EI switches 24/7. The issue is random across different ports and all switch stacks at all locations. The storm never stops and causes ClearPass to become overloaded, resulting in legitimate authentications failing with Authorization VLAN process failed errors.
------------------
From what I understand, the root causes identified are:
1. DOT1X Offline-Detect (300s)
The switch checks every 300 seconds if authenticated users are still alive by sending unicast EAP-Request/Identity frames. Windows native supplicant treats this as a new authentication request → full EAP-TLS re-authentication → session torn down → NAS-Error sent to ClearPass → loop repeats every 5 minutes per authenticated PC.
2. Unicast-Trigger with Quiet-Period = 0
dot1x unicast-trigger was enabled on all ports with no quiet period. After successful authentication, the switch immediately starts sending unicast triggers → Windows supplicant responds with EAPOL-Start → full re-authentication → ErrCode=10 (supplicant timeout) logoff → NAS-Error → loop.
3. Guest VLAN Reauth Period (30s)
mac-authentication guest-vlan auth-period 30 was configured. When a device disconnects or goes to sleep, its ghost entry remains in Guest VLAN 4090 for 1000 seconds. During this time MAB re-authentication is triggered every 30 seconds → ~32 phantom RADIUS requests per disconnected device → ClearPass overload.
4. Guest VLAN User Aging (1000s)
Ghost MAC entries from disconnected devices stayed in Guest VLAN for ~16 minutes, continuously generating phantom MAB requests.
5. Termination-Action = RADIUS-Request (1) (pending fix)
ClearPass sends Session-Timeout = 10800 with Termination-Action = 1. When the 3-hour session expires, the switch attempts mid-session RADIUS reauthentication → ClearPass overloaded → Authorization VLAN process failed → authentication failure loop.
-------------------------------------
Switch Port Configuration (Per Port):
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 1100 tagged
port hybrid vlan 4090 untagged
port hybrid pvid vlan 4090
undo voice-vlan mode auto
voice-vlan 1100 enable
stp edged-port
stp tc-restriction
poe enable
undo dot1x handshake
undo dot1x multicast-trigger
dot1x guest-vlan 4090
dot1x auth-fail vlan 4090
dot1x critical vlan 4090
dot1x re-authenticate server-unreachable keep-online
dot1x offline-detect enable
dot1x server-recovery online-user-sync
mac-authentication carry user-ip
mac-authentication re-authenticate server-unreachable keep-online
mac-authentication guest-vlan 4090
mac-authentication guest-vlan auth-period 30 ← problem
mac-authentication critical vlan 4090
mac-authentication host-mode multi-vlan
port-security port-mode userlogin-secure-or-mac
-------------------
I opened a TAC support case but still no help; the case has been open now for a couple of months.
I will be very grateful for any help.
Thank you
-------------------------------------------
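As an added example (not from either post), a small Python detector that parses constructed RADIUS accounting records and measures the gap between consecutive Accounting-Stop/NAS-Error records per switch, port and MAC, flagging sessions torn down repeatedly within a short window. The record format, IP addresses, port names and MACs are constructed; a steady gap close to one of the switch timers discussed above (300 s offline-detect, 30 s guest-VLAN auth-period) is what distinguishes a timer-driven loop from genuine logoffs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample accounting records (not real ClearPass output). One record
# per line: ISO timestamp, then RADIUS attributes as key=value pairs separated by
# ';'. Session 1 is torn down every ~300 s; session 2 is a normal User-Request logoff.
SAMPLE_RECORDS = """\
2026-04-29T10:00:00 Acct-Status-Type=Start;NAS-IP-Address=10.1.1.10;NAS-Port-Id=GigabitEthernet1/0/5;Calling-Station-Id=aa-bb-cc-00-00-01
2026-04-29T10:05:00 Acct-Status-Type=Stop;Acct-Terminate-Cause=NAS-Error;NAS-IP-Address=10.1.1.10;NAS-Port-Id=GigabitEthernet1/0/5;Calling-Station-Id=aa-bb-cc-00-00-01
2026-04-29T10:05:02 Acct-Status-Type=Start;NAS-IP-Address=10.1.1.10;NAS-Port-Id=GigabitEthernet1/0/5;Calling-Station-Id=aa-bb-cc-00-00-01
2026-04-29T10:10:02 Acct-Status-Type=Stop;Acct-Terminate-Cause=NAS-Error;NAS-IP-Address=10.1.1.10;NAS-Port-Id=GigabitEthernet1/0/5;Calling-Station-Id=aa-bb-cc-00-00-01
2026-04-29T10:10:04 Acct-Status-Type=Start;NAS-IP-Address=10.1.1.10;NAS-Port-Id=GigabitEthernet1/0/5;Calling-Station-Id=aa-bb-cc-00-00-01
2026-04-29T10:15:04 Acct-Status-Type=Stop;Acct-Terminate-Cause=NAS-Error;NAS-IP-Address=10.1.1.10;NAS-Port-Id=GigabitEthernet1/0/5;Calling-Station-Id=aa-bb-cc-00-00-01
2026-04-29T10:07:00 Acct-Status-Type=Stop;Acct-Terminate-Cause=User-Request;NAS-IP-Address=10.1.1.11;NAS-Port-Id=GigabitEthernet2/0/7;Calling-Station-Id=aa-bb-cc-00-00-02
"""

def parse_records(text):
    """Parse the constructed format into dicts; the timestamp goes under 'ts'."""
    records = []
    for line in text.splitlines():
        ts, _, attrs = line.partition(" ")
        rec = dict(kv.split("=", 1) for kv in attrs.split(";"))
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records

def nas_error_stops(records):
    """Sorted timestamps of Accounting-Stop/NAS-Error per (NAS, port, MAC)."""
    stops = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r.get("Acct-Status-Type") == "Stop" and r.get("Acct-Terminate-Cause") == "NAS-Error":
            stops[(r["NAS-IP-Address"], r["NAS-Port-Id"], r["Calling-Station-Id"])].append(r["ts"])
    return stops

def stop_intervals(records):
    """Seconds between consecutive NAS-Error stops of the same session key.
    A steady gap near a switch timer (300 s offline-detect, 30 s guest-VLAN
    auth-period) points at a timer-driven loop rather than real logoffs."""
    return {k: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for k, t in nas_error_stops(records).items()}

def flag_loops(records, min_stops=3, window_s=900):
    """Session keys with at least min_stops NAS-Error stops inside window_s seconds."""
    flagged = []
    for key, times in nas_error_stops(records).items():
        for i in range(len(times) - min_stops + 1):
            if (times[i + min_stops - 1] - times[i]).total_seconds() <= window_s:
                flagged.append(key)
                break
    return flagged
```

Run against a real accounting export by adapting parse_records to the export's column layout; the remaining functions only need the five attributes named above.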