
802.1x client sending MAB request after laptop standby mode, connected via 3rd party IP Phone

Sathish Kumar
Level 1

Implementing NAC via a Cisco 4507 switch as NAD.

Laptops are connected via 3rd party IP phones (Avaya). Phones are in MAB authentication and laptops are in dot1x authentication.

After the laptop logs off after business hours, the laptop is still connected to the IP phone, and the NAC server is getting the same laptop MAC address via MAC auth; when they log in the next day, the first request is MAB authentication.

Can you help to block those MAC auth requests from domain laptops when they are in standby state connected to IP phones?

Let me know for more information.

4 Replies

nspasov
Cisco Employee

Hi Sathish-

I have a few questions:

1. What is your NAC solution? Is it ACS, ISE, Legacy NAC?

2. Can you post your RADIUS and port configurations?

3. What type of operating system is running on the affected laptops?

4. Can you post screenshots of the laptops' supplicant configurations?

Thank you for rating helpful posts!

1. What is your NAC solution? Is it ACS, ISE, Legacy NAC?

Aruba ClearPass

2. Can you post your RADIUS and port configurations?

switchport access vlan 102
switchport mode access
switchport voice vlan 121
ip access-group auth-default-acl in
authentication event server dead action reinitialize vlan 102
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity server
mab
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout tx-period 5
dot1x max-req 3
dot1x max-reauth-req 3
storm-control broadcast level 1.00
storm-control action trap
spanning-tree portfast
end

!

aaa server radius dynamic-author
client XXX server-key 7 XXXXX
client XXX server-key 7 0XXX
port 3799
auth-type all

!

dot1x system-auth-control

!

radius-server attribute 8 include-in-access-req
radius-server host XXXXX  auth-port 1812 acct-port 1813
radius-server timeout 5
radius-server key XXXXX
radius-server vsa send accounting
radius-server vsa send authentication
dot1x system-auth-control
ip device tracking
radius-server deadtime 5
radius-server attribute 44 extend-with-addr
radius-server dead-criteria time 5 tries 5
authentication mac-move permit

3. What type of operating system is running on the affected laptops?

Windows 8.1

4. Can you post screenshots of the laptops' supplicant configurations?

I have found another thing: though the laptop is not connected to the switch port, the switch port holds the MAC address in authentication sessions as UNKNOWN & Unauth and is sending periodic MAC authentication.

Hi Sathish,

Though it's now 3 years late, did you actually find a solution to this? We are having the same problem with ISE, LWAP and Wireless Users.