Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

HPE 5500 - MAC does not age with port-security

rverchere
Occasional Visitor

HPE 5500 - MAC does not age with port-security

Hello,

I have the following configuration for my switch, using 802.1x authentication plus some mac-auth for specific devices.

It works almost fine, but sometimes when a user changes from port A to port B, mac address learnt on port B does not age, so the user cannot authenticates on port B. This happens rarely.

interface GigabitEthernet3/0/33
 port link-mode bridge
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 99 untagged
 port hybrid pvid vlan 99
 voice vlan 6 enable
 mac-vlan enable
 poe enable
 stp edged-port enable
 port-security port-mode mac-else-userlogin-secure-ext
 dot1x re-authenticate
 dot1x guest-vlan 99
 dot1x auth-fail vlan 99
 undo dot1x handshake
 undo dot1x multicast-trigger
 dot1x eapol untag
#
 port-security enable
 port-security trap addresslearned
#
 dot1x timer supp-timeout 10
 dot1x authentication-method eap

I have the following logs when it happens:

Feb 13 15:26:03 2017 SW-DISTRIB-1 %%10RDS/6/RDS_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/33-VlanId=100-MACAddr=AA:BB:CC:DD:EE:FF-IPAddr=N/A-IPv6Addr=N/A-UserName=xxxx@domain; User got online successfully.
Feb 13 15:26:03 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=100-UserName=xxxx; The user passed 802.1X authentication and got online successfully.

Feb 13 16:27:40 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=100-UserName=xxxx; The user failed the 802.1X authentication.
Feb 13 16:27:41 2017 SW-DISTRIB-1 %%10PORTSEC/5/PORTSEC_VIOLATION(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=-100-IfStatus=Up; Intrusion detected.
Feb 13 16:29:53 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=NULL; The user failed the 802.1X authentication.
Feb 13 16:31:11 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=NULL; The user failed the 802.1X authentication.
Feb 13 16:31:11 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_MACAUTH_LOGOFF(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=aa-bb-cc-dd-ee-ff-UserNameFormat=MAC address; Session of the MAC-AUTH user was terminated.
Feb 13 16:32:42 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=99-UserName=NULL; The user failed the 802.1X authentication.
Feb 13 16:32:54 2017 SW-DISTRIB-1 %%10RDS/6/RDS_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/42-VlanId=100-MACAddr=AA:BB:CC:DD:EE:FF-IPAddr=N/A-IPv6Addr=N/A-UserName=xxxx@domain; User got online successfully.
Feb 13 16:32:54 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_SUCC(l): -Slot=3-IfName=GigabitEthernet3/0/42-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=100-UserName=xxxx; The user passed 802.1X authentication and got online successfully.

Any idea how to decrease autolearning mac for 802.1x ?

Thanks for your support.

3 REPLIES
16again
Respected Contributor

Re: HPE 5500 - MAC does not age with port-security

You mention a problem when user moves from A to B....but log already shows trouble on port A (line 3 and 4)


Feb 13 16:27:40 2017 SW-DISTRIB-1 %%10PORTSEC/6/PORTSEC_DOT1X_LOGIN_FAILURE(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=100-UserName=xxxx; The user failed the 802.1X authentication.
Feb 13 16:27:41 2017 SW-DISTRIB-1 %%10PORTSEC/5/PORTSEC_VIOLATION(l): -Slot=3-IfName=GigabitEthernet3/0/33-MACAddr=AA:BB:CC:DD:EE:FF-VlanId=-100-IfStatus=Up; Intrusion detected.

Seems like this MAC address is 1st being blocked on Gi3/0/33,  and after move to Gi3/0/42 the MAC address is still black-listed for 5 minutes

rverchere
Occasional Visitor

Re: HPE 5500 - MAC does not age with port-security

Hi,

I can reproduce the problem. It occurs when the user was plugged behind a VoIP phone or a desktop switch.

A - the user connect to the port 3/0/33, behind a desktop switch, 802.1x authentication is OK
B - he disconnect and reconnect to port 3/0/42:
 B.1 - the MAC Address is still associatied to port 3/0/33 as the interface did not go down (due to the desktop switch)
 B.2 - the user cannot authenticate as MAC Address is not associated to the correct interface
C - After the 802.1x reauth period, information about the user connection on the switch goes away, and he can connect again on the port 3/0/42

If I do not install a desktop switch on port 3/0/33, no issues. If I shutdown the port 3/0/33, same behaviour (user can connect again).

I've tried some configuration, without success:

mac-address mac-roaming enable

And

port-security timer autolearn aging 2 (global level)

port-security mac-address dynamic (interface level)

port-security mac-address aging-type inactivity (interface level)

Still no success..

FabianoCh
Advisor

Re: HPE 5500 - MAC does not age with port-security

Hi, I have the same problem you have.  When you disconnect your computer from your voip phone, the hp switch does not now
that the dot1x client was disconnected.  So, that 802.1x client is still authenticated in that switch port. If you connect that same computer in the same switch, the device will report intrusion detection. That is correct. How is it possible one mac-address that is authenticated in a port,  request authentication in another port ?   It is your voip phone that should tell the switch  the 802.1x client was disconnected.  This feature is sometimes called PROXY LOGOFF.  When the computer is disconnected from the phone the phone sends an EAPOL Logoff message to the switch.  Not every phones have this implementation but they should have.  If you found anything different that works for you, please let me know.