topic 802.1x, Catalyst 3560, in Network Access Control

802.1x, Catalyst 3560,

rhub — Mon, 11 Mar 2019 02:06:21 GMT

Hi all,

we have rolled out 802.1x enterprise-wide. As RADIUS-servers, we have deployed ACS 1121 (5.3.0.40). Currently we are rolling-out Win7-clients

The access layer is built on switches of type Catalyst 3560G-48-PoE, running IOS 2.2(53)SE2.

On certain switches we have the problem (only Win 7 clients; XPs do not cause this problem) that client MAC addresses are registered in VLAN 4 (Data-VLAN) as well as in VLAN 996 (Quarantine-VLAN).

switch#sh mac- int gi0/27

Mac Address Table

-----------------------------------------------------------------------------------

Vlan Mac Address Type Ports

------ ------------------- ------- --------

4 2c27.d71d.6279 STATIC Drop

996 2c27.d71d.6279 DYNAMIC Gi0/27

Total Mac Addresses for this criterion: 2

Unfortunately the MAC addresses never will age-out, which means that they keep this status until the switch is rebooted, which is basically not an ideal solution.

We are not abel to connect another client to port showing tha above mentiones status.

Has anyone faced something similar to this ? What is causing this problem ? How can we get rid of these MAC addresses without rebooting the switch ?

Any hints are very much appreciated.

Best regards

RHUB

802.1x, Catalyst 3560,

shoaibkhan — Wed, 06 Jun 2012 12:44:41 GMT

A quick fix is to enable "IP device tracking".

BTW, how are this Change of VLAN performed, CoA ?? and if CoA then reauth or port-bounce?

Port-bounce should also resolve this multiple mac entires

Thanks

802.1x, Catalyst 3560,

rhub — Wed, 06 Jun 2012 16:21:17 GMT

good evening,

many thanks for your reply. "ip device tracking" would be the solution - thats exactly what I thought too but we have enabled it since we rolled-out the 3560's many month ago.

This status will happen after a clients is not able to authenticate successfully against ACS and therefore should be moved to the quarantine-VLAN. The majority of clients, not authenticating successfully are moved without any problems but some of them show the problem.

Thanks and best regards

Roman