topic MAB authentication and ARP request in Network Access Control

MAB authentication and ARP request

SysAdminPilot — Mon, 18 Mar 2024 10:45:49 GMT

Hi everyone, in my network i have an issues with MAB authentication and some "quiet" endpoint, now explain the details.

The endpoint is poe and is configured with static IP, not support dot1x. When the device boot up not make any ethernet traffic except multiple ARP request. I have already read this discussion but my problem is little different. The endpoint fail dot1x and MAB authentication not starting because the client not make any traffic. Actually i use a workaround: configure the device with dhcp and add "authentication timer restart 5" on the port configuration, but this isn't a clean solution because i want to use static IP on this device.

This is typical port configuration:

interface GigabitEthernet1/0/1
switchport access vlan 998
switchport mode access
authentication port-control auto
authentication timer restart 5
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast

It's possible to trigger MAB authentication also with ARP request?

I think that the MAB authentication starting when mac-address table are populated. What are the rules that the switch use to populate the mac-address table, the arp request is insufficient?

Thanks to the community for replies!

Re: MAB authentication and ARP request

MHM Cisco World — Mon, 18 Mar 2024 10:53:41 GMT

Use DHCP with static IP-MAC or IP-ClientID
this make endpoint use DHCP and trigger MAB

MHM

Re: MAB authentication and ARP request

SysAdminPilot — Mon, 18 Mar 2024 10:57:28 GMT

I would like use static ip... I need to find alternative....

Re: MAB authentication and ARP request

MHM Cisco World — Mon, 18 Mar 2024 10:59:39 GMT

DHCP with static IP is same as you assing static IP to endpoint directly except with DHCP the endpoint send DHCP request and SW detect this request use MAC in this frame DHCP request for MAB

MHM

Re: MAB authentication and ARP request

SysAdminPilot — Mon, 18 Mar 2024 11:21:52 GMT

In production enviroment don't have dhcp server on this network

Re: MAB authentication and ARP request

Charlie Moreton — Mon, 18 Mar 2024 13:27:47 GMT

ISE cannot do anything without traffic and does not submit ARP requests.

Use your switch as a DHCP server: IP Addressing Services Configuration Guide, Cisco IOS XE 17.13.x (Catalyst 9300 Switches)

You can even reserve IP Addresses: how to reserve a specific MAC address in the existing Cisco DHCP server switch

Re: MAB authentication and ARP request

SysAdminPilot — Mon, 18 Mar 2024 13:35:40 GMT

Unfortunately DHCP server isn't solution for my network design. My device send continuous ARP request after power up on the network, because it isn't good for start MAB authentication?

Re: MAB authentication and ARP request

thomas — Mon, 18 Mar 2024 18:14:37 GMT

See the previous community thread Wired 802.1x: MAB for Silent Endpoint for possible solutions.