topic Re: MAB on Cisco 9300 Stack in Network Access Control

MAB on Cisco 9300 Stack

swelsch — Mon, 13 Apr 2026 08:41:33 GMT

Hi,

i have configured dot1x/mab on a cisco 9300 stack ( 5 member )

it works for the client, but i get not only authentication session from the mac of the client, also from physical interface and base mac of the first switch member.

Gi5/0/1 080f.e575.d500 mab DATA Auth 334263640000009476CE4404 Client MAC
Gi5/0/1 080f.e575.d501 N/A UNKNOWN Unauth 33426364000000B376F8E409 MAC of Gi5/0/1
Gi5/0/1 40f4.9f29.1e80 N/A UNKNOWN Unauth 334263640000009376CE3D9C base MAC of switch 1

so i get 3 authentication to my ISE, the client is OK, the other are unknown mac on ise, so they get a fail

thanks for any response

Re: MAB on Cisco 9300 Stack

swelsch — Mon, 13 Apr 2026 08:49:23 GMT

Cisco IOS XE Software, Version 17.15.05

Re: MAB on Cisco 9300 Stack

balaji.bandi — Mon, 13 Apr 2026 11:57:23 GMT

How does your configuration look on Port 5/0/1? along with show access-session interface Gi5/0/1 details

If your port is currently in multi-auth or multi-sessions mode, it will try to authenticate every MAC address it sees.

There are different ways to resolve this - let's get the config and output what was requested above.

Re: MAB on Cisco 9300 Stack

swelsch — Mon, 13 Apr 2026 12:09:00 GMT

RT-5OG-01#sh run int g5/0/1
Building configuration...

Current configuration : 868 bytes
!
interface GigabitEthernet5/0/1
switchport access vlan 2999
switchport mode access
switchport voice vlan 2010
device-tracking attach-policy IPDT_POLICY
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 2005
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 28800
authentication timer inactivity 28800
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
auto qos trust dscp
spanning-tree portfast
service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
end

RT-5OG-01#sh access-session int g5/0/1
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi5/0/1 080f.e575.d500 mab DATA Auth 334263640000009476CE4404
Gi5/0/1 080f.e575.d501 N/A UNKNOWN Unauth 33426364000000B376F8E409
Gi5/0/1 40f4.9f29.1e80 N/A UNKNOWN Unauth 334263640000009376CE3D9C

Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
11 5 dot1xSup
10 5 dot1x
14 10 webauth
12 15 mab

RT-5OG-01#

there is only one host connected to the port

Re: MAB on Cisco 9300 Stack

aleabrahao — Mon, 13 Apr 2026 13:16:02 GMT

IP Device Tracking (IPDT) actively generates and learns MAC addresses from the local infrastructure on access ports.
When MAB + multi-factor authentication is enabled, each learned MAC address equates to one authentication attempt.

Try disabling the interface tracking.

no device-tracking attach-policy IPDT_POLICY
no ip device tracking

Re: MAB on Cisco 9300 Stack

swelsch — Mon, 13 Apr 2026 14:57:32 GMT

thanks, but without device tracking i had an issue with cached authenticated session

access-session control-direction in will fix the problem with the physical mac, but not the base mac of the stack member

Re: MAB on Cisco 9300 Stack

aleabrahao — Mon, 13 Apr 2026 15:45:25 GMT

The MAC address on the stack isn't a bug; it can simply reach the authentication state machine.

I see two options:

1. Configure multi-domain host mode (best practice)

authentication host-mode multi-domain

2. Keep multi-auth, so you need a local reject, not an ISE one.

authentication mab infrastructure-mac ignore (I don't know if this command is available in your version)

I would leave your configuration like this:

interface Gi5/0/1
switchport mode access
switchport access vlan 2999
switchport voice vlan 2010

authentication control-direction in
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation restrict

mab
dot1x pae authenticator

no device-tracking attach-policy IPDT_POLICY

spanning-tree portfast

Re: MAB on Cisco 9300 Stack

swelsch — Mon, 13 Apr 2026 15:47:08 GMT

thanks,

but multi-domain is no option, because our IP phones ( alcatel ) will boot in the data domain and get then the voice vlan and join into the voice domain. So in the first moment, i will have 2 host in the data domain, which will not work in multi-domain.

and to get rid off the "first" auth session from the phone, i need device-tracking

Re: MAB on Cisco 9300 Stack

aleabrahao — Mon, 13 Apr 2026 15:58:22 GMT

I use it this way and have never had any problems.

Well, I tried to help you, but it seems you already know everything. Good luck.

Re: MAB on Cisco 9300 Stack

aleabrahao — Mon, 13 Apr 2026 16:04:10 GMT

Maybe this will help you.

https://community.cisco.com/t5/security-knowledge-base/verify-ip-device-tracking-post-mab-configuration-on-switch/ta-p/5148985

Re: MAB on Cisco 9300 Stack

balaji.bandi — Mon, 13 Apr 2026 16:12:43 GMT

By default, an 802.1X-enabled switch port accepts only one MAC address. Since the idea of open mode is to ensure that there is no disruption, enabling multi-auth host mode is recommended, which allows for one IP Phone an unlimited number of workstations/data_endpoints to authenticate on the interface.
```
c9300-Sw(config-if)#authentication host-mode multi-auth
```

Host modes–Four host modes can be configured on a port.

Host Mode	Number of Endpoints	Interface Command
Single Host (default in IBNS 1.0)	1 Voice/Data device	access-session host-mode single-host
Multi-Domain Authentication (MDA)	1 Voice and 1 Data device	access-session host-mode multi-domain
Multi-Host Mode	1 Voice and Unlimited Data (At least one MAC address must authenticate successfully)	access-session host-mode multi-host
Multi-Auth Mode	1 Voice and Unlimited Data (Each MAC address must authenticate)	access-session host-mode multi-auth

Multi-Auth (Current): Authenticates every MAC. This is why you see the client, the interface MAC, and the base MAC all trying to log in.

Multi-Domain (Recommended): Optimized for "IP Phone + PC." It allows one device per domain. Once your client (080f.e575.d500) hits the DATA domain, the switch stops trying to authenticate other "data" MACs on that port.

Let's try below :

conf t
interface GigabitEthernet5/0/1
 no authentication host-mode multi-auth
 authentication host-mode multi-domain

If single host, you can also try :

interface Gi5/0/1
 authentication host-mode single-host

Is this the only port with this issue, or is this configuration the same across all ports? Are any of them working as expected?

17.15.5 is the latest code; I have only tested 17.12.6 so far.

check wire and wireless deployment guide :

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Re: MAB on Cisco 9300 Stack

swelsch — Tue, 14 Apr 2026 06:25:57 GMT

thanks to all

hers is the official statement from TAC

This is not a bug, but rather a known behavioral side-effect of how MAB interacts with internal switch functions

so i think i have to live with this cosmetic display error in ISE