03-26-2016 06:28 AM - last edited on 03-25-2019 05:34 PM by ciscomoderator
Implementing NAC via Cisco 4507 switch as NAD.
Laptops are connected via 3rd-party IP phones (Avaya). Phones are in MAB authentication & laptops are in dot1x authentication.
After laptop logoff after business hours, the laptop is still connected to the IP phone; the NAC server is getting the same laptop MAC address via MAC auth, and when they log in the next day, the first request is MAB authentication.
Can you help to block those MAC auth requests from domain laptops when they are in standby state connected to IP phones?
Let me know for more information.
03-27-2016 08:37 PM
Hi Sathish,
I have a few questions:
1. What is your NAC solution? Is it ACS, ISE, Legacy NAC?
2. Can you post your RADIUS and port configurations?
3. What type of operating system is running on the affected laptops?
4. Can you post screenshots of the laptops' supplicant configurations?
Thank you for rating helpful posts!
05-27-2016 02:47 AM
1. What is your NAC solution? Is it ACS, ISE, Legacy NAC?
Aruba ClearPass
2. Can you post your RADIUS and port configurations?
switchport access vlan 102
switchport mode access
switchport voice vlan 121
ip access-group auth-default-acl in
authentication event server dead action reinitialize vlan 102
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity server
mab
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
dot1x max-req 3
dot1x max-reauth-req 3
storm-control broadcast level 1.00
storm-control action trap
spanning-tree portfast
end
!
aaa server radius dynamic-author
 client XXX server-key 7 XXXXX
 client XXX server-key 7 0XXX
 port 3799
 auth-type all
!
dot1x system-auth-control
!
radius-server attribute 8 include-in-access-req
radius-server host XXXXX auth-port 1812 acct-port 1813
radius-server timeout 5
radius-server key XXXXX
radius-server vsa send accounting
radius-server vsa send authentication
dot1x system-auth-control
ip device tracking
radius-server deadtime 5
radius-server attribute 44 extend-with-addr
radius-server dead-criteria time 5 tries 5
authentication mac-move permit
3. What type of operating system is running on the affected laptops?
Windows 8.1
4. Can you post screenshots of the laptops' supplicant configurations?
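To make visible how the authentication settings in the port config above interact for a laptop sitting behind the phone, here is an added Python example (mine, not the poster's and not Cisco's tooling): it parses the posted sub-commands and reports what each setting implies for the stale laptop sessions described in the thread. The config string is the poster's port config re-typed as a constructed sample (the `interface` line was never posted and is not assumed); the finding texts are my reading of IOS behaviour.

```python
import re

# Constructed sample: the authentication-related sub-commands of the access
# port exactly as posted in the thread (the 'interface' line was not posted).
PORT_CONFIG = """
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity server
mab
dot1x pae authenticator
"""

def parse_auth(config: str) -> dict:
    """Pick out the settings that decide how sessions start and end."""
    s = {"mab": False, "dot1x": False, "order": [], "priority": []}
    for line in config.strip().splitlines():
        line = line.strip()
        if line == "mab":
            s["mab"] = True
        elif line == "dot1x pae authenticator":
            s["dot1x"] = True
        elif m := re.match(r"authentication (order|priority|host-mode) (.+)", line):
            s[m.group(1)] = m.group(2).split()
        elif m := re.match(r"authentication timer inactivity (\S+)", line):
            s["inactivity"] = m.group(1)
    return s

def lint(s: dict) -> list:
    """Explain what the parsed settings mean for a laptop behind the phone."""
    notes = []
    if s["mab"] and s["order"][:1] == ["mab"]:
        notes.append("order: MAB is tried first, so the first RADIUS request for "
                     "every new MAC behind the phone is a MAB request")
    if s["dot1x"] and s["priority"][:1] == ["dot1x"] and s["order"][:1] == ["mab"]:
        notes.append("priority: dot1x outranks MAB, so a later EAPOL exchange "
                     "replaces the MAB session rather than the other way round")
    if s.get("host-mode") == ["multi-auth"]:
        notes.append("host-mode: each MAC behind the phone has its own session; "
                     "unplugging the laptop gives the switch no link-down event")
    if s.get("inactivity") == "server":
        notes.append("inactivity: an idle session is only aged out if the RADIUS "
                     "server returns an Idle-Timeout; otherwise it persists")
    return notes

if __name__ == "__main__":
    for note in lint(parse_auth(PORT_CONFIG)):
        print(note)
```

Running it against the posted config prints four findings; feeding it a port with `authentication order dot1x mab` and no inactivity line prints none, which is the quick way to compare ports across the switch.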
05-27-2016 10:18 PM
I have found another thing: though the laptop is not connected to the switch port, the switch port holds the MAC address in authentication sessions as UNKNOWN & Unauth and sends periodic MAC authentication.
09-25-2019 01:54 AM
Hi Sathish,
Though it's now 3 years late, did you actually find a solution to this? We are having the same problem with ISE, LWAP and wireless users.