802.1x, Catalyst 3560,

rhub
Level 1

Hi all,

We have rolled out 802.1x enterprise-wide. As RADIUS servers, we have deployed ACS 1121 (5.3.0.40). Currently we are rolling out Win7 clients.

The access layer is built on switches of type Catalyst 3560G-48-PoE, running IOS 2.2(53)SE2.

On certain switches we have the problem (only Win 7 clients; XPs do not cause this problem) that client MAC addresses are registered in VLAN 4 (Data-VLAN) as well as in VLAN 996 (Quarantine-VLAN).

switch#sh mac- int gi0/27
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type       Ports
----    -----------       --------   -----
   4    2c27.d71d.6279    STATIC     Drop
 996    2c27.d71d.6279    DYNAMIC    Gi0/27
Total Mac Addresses for this criterion: 2

Unfortunately the MAC addresses never age out, which means that they keep this status until the switch is rebooted, which is basically not an ideal solution.

We are not able to connect another client to a port showing the above-mentioned status.

Has anyone faced something similar to this? What is causing this problem? How can we get rid of these MAC addresses without rebooting the switch?

Any hints are very much appreciated.

Best regards

RHUB
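The symptom in the post is recognisable from the table itself: one MAC with a STATIC entry in the data VLAN whose port column reads "Drop", and a DYNAMIC entry for the same MAC in the quarantine VLAN. The script below, an added example that is not part of the thread, parses a "show mac address-table" excerpt and flags every MAC in that state, so the check can be run across a whole switch rather than one interface at a time. The sample output is constructed to mirror the post (VLAN 4 as data VLAN, VLAN 996 as quarantine VLAN); the VLAN numbers are parameters, since they are site-specific.

```python
"""Flag MAC addresses stuck in two VLANs on a Catalyst switch.

Added example (not from the thread). Pattern looked for: a STATIC entry
with port 'Drop' in the data VLAN and a DYNAMIC entry for the same MAC in
the quarantine VLAN, which is what the original post's output shows."""

import re
from collections import defaultdict

# Constructed sample output of 'show mac address-table': the stuck client
# from the post on Gi0/27 plus a healthy client on Gi0/28.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   4    2c27.d71d.6279    STATIC      Drop
 996    2c27.d71d.6279    DYNAMIC     Gi0/27
   4    0011.2233.4455    DYNAMIC     Gi0/28
Total Mac Addresses for this criterion: 3
"""

# One table row: VLAN, dotted-quad MAC (Cisco xxxx.xxxx.xxxx form), type, port.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of dicts (vlan, mac, type, port), one per table row.

    Header, separator and 'Total ...' lines do not match the row pattern
    and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            row = m.groupdict()
            row["vlan"] = int(row["vlan"])
            row["mac"] = row["mac"].lower()
            row["type"] = row["type"].upper()
            rows.append(row)
    return rows


def find_stuck_entries(rows, data_vlan=4, quarantine_vlan=996):
    """Return {mac: [rows]} for MACs that have both a STATIC 'Drop' entry
    in data_vlan and a DYNAMIC entry in quarantine_vlan."""
    by_mac = defaultdict(list)
    for row in rows:
        by_mac[row["mac"]].append(row)

    stuck = {}
    for mac, entries in by_mac.items():
        has_drop = any(
            e["vlan"] == data_vlan and e["port"].lower() == "drop"
            for e in entries
        )
        has_quarantine = any(
            e["vlan"] == quarantine_vlan and e["type"] == "DYNAMIC"
            for e in entries
        )
        if has_drop and has_quarantine:
            stuck[mac] = entries
    return stuck


def affected_ports(stuck):
    """Physical ports (the non-'Drop' column values) tied to stuck MACs,
    sorted, so an operator knows which interfaces to look at."""
    ports = set()
    for entries in stuck.values():
        for e in entries:
            if e["port"].lower() != "drop":
                ports.add(e["port"])
    return sorted(ports)


if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_OUTPUT)
    stuck = find_stuck_entries(rows, data_vlan=4, quarantine_vlan=996)
    for mac, entries in stuck.items():
        detail = ", ".join(f"{e['vlan']}/{e['type']}/{e['port']}" for e in entries)
        print(f"{mac}: {detail}")
    print("ports to check:", affected_ports(stuck))
```

Feed it the full "show mac address-table" output (not just one interface) to get every affected port in one pass; the healthy entry on Gi0/28 is ignored because it has no Drop counterpart.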

2 Replies

shoaibkhan
Level 1

A quick fix is to enable "IP device tracking".

BTW, how is this change of VLAN performed, CoA? And if CoA, then reauth or port-bounce?

Port-bounce should also resolve these multiple MAC entries.

Thanks

Good evening,

many thanks for your reply. "ip device tracking" would be the solution - that's exactly what I thought too, but we have had it enabled since we rolled out the 3560's many months ago.

This status will happen after a client is not able to authenticate successfully against ACS and therefore should be moved to the quarantine VLAN. The majority of clients not authenticating successfully are moved without any problems, but some of them show the problem.

Thanks and best regards

Roman
