multiple MAB on a switch port connecting to an AP

harrzhan
Cisco Employee

We have seen a strange issue:

On a switch port (3850) we have put dot1x and MAB on, and the device is a Cisco AP. We have seen 10+ MAB authentications on this port for the wireless end devices MAB, all failing because of the policy.

Why is the port trying to authenticate the wireless endpoints?

The port is configured as multi-host, and it is an access port. The AP is in LOCAL mode. Someone suggested putting it on multi-domain to solve it, but this does not make sense in the first place.

1 Accepted Solution

APs usually drop a radio if there is not enough power. It almost sounds like the AP is acting like it's in FlexConnect where it does the routing and only tunnels command info back to the WLC. A normal AP should CAPWAP tunnel everything back to the WLC and the switch should not see any of the traffic.

May be a TAC call.

4 Replies

Surendra
Cisco Employee
I believe the packets are being centrally switched, in which case all the traffic from the wireless endpoints would be tunnelled to the WLC for them to be switched. Ideally all of those MAC addresses should not be seen on the switch port. I would suggest taking a SPAN capture on the port to see what those MAC addresses are.
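
One way to act on the SPAN-capture suggestion above, as an added example that is not part of the original thread: the Python below reads a classic pcap and counts frames whose outer source MAC is not the AP's, marking whether each used a CAPWAP UDP port or arrived natively on the port. It assumes an untagged, receive-direction capture of the AP-facing port; the MAC addresses, function names and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

CAPWAP_PORTS = {5246, 5247}  # CAPWAP control and data ports (RFC 5415)

def read_pcap(data):
    """Yield raw Ethernet frames from a classic little-endian pcap byte string."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def is_capwap(frame):
    """True for an untagged IPv4/UDP frame that uses a CAPWAP port."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return False
    udp = 14 + (frame[14] & 0x0F) * 4  # skip the IPv4 header, honouring IHL
    return len(frame) >= udp + 4 and bool(
        CAPWAP_PORTS & set(struct.unpack_from("!HH", frame, udp)))

def non_ap_sources(pcap_bytes, ap_mac):
    """Count frames per (outer source MAC, kind) where the source is not the AP."""
    seen = Counter()
    for frame in read_pcap(pcap_bytes):
        src = frame[6:12].hex(":")
        if len(frame) >= 14 and src != ap_mac.lower():
            seen[(src, "capwap" if is_capwap(frame) else "native")] += 1
    return seen

# Constructed sample: three frames as received from the AP (all values made up).
def make_frame(src, dport=None):
    eth = bytes.fromhex("02000000000a" + src.replace(":", ""))
    if dport is None:
        return eth + b"\x08\x06" + bytes(28)          # ARP, not tunnelled
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17]) + bytes(10)
    return eth + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, dport, 8, 0)

def sample_pcap():
    frames = [make_frame("02:00:00:00:00:01", 5247),  # AP's own CAPWAP data
              make_frame("02:00:00:00:00:c1"),        # client MAC seen natively
              make_frame("02:00:00:00:00:c1", 443)]   # client UDP, not CAPWAP
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

print(non_ap_sources(sample_pcap(), "02:00:00:00:00:01"))
```

Any "native" entry is a MAC the switch port itself would learn, which is what MAB then tries to authenticate.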

We can see the MAC addresses, and they are the wireless MACs from the wireless devices.

We are using 16.6.4 code on 3850. We do not see this behavior on 3750.

I did not find any known issues related to such an issue (data traffic leak) in my research, barring the fact that you are on code which has service-impacting defects like memory leaks, etc. The closest to the problem or defect in this case that I could see is insufficient power being granted to the APs over PoE. Not sure if that would affect the APs' capability to tunnel traffic.
