robert.riggle
Contributor

ACS authentication question

I have a Cisco Secure ACS giving port access to approved MACs. I am wondering how the process works. We recently replaced all the PCs in our organization. After the new PCs were deployed, we removed all the MACs from the ACS. I noticed today that the old MACs are listed on the switch as a static entry (as are the new ones). I am wondering, if they are on that static list, will they be allowed on the network? Or will they try to authenticate each time they are plugged into the switch?

The switch is a 2960 running 12.2(53r)SE, port configuration is:

interface GigabitEthernet1/0/xx
 switchport access vlan 2
 switchport mode access
 ! only ingress traffic is blocked before authentication; egress is allowed
 authentication control-direction in
 ! every MAC seen on the port (e.g. behind a hub) is authenticated separately
 authentication host-mode multi-auth
 ! turns on port-based authentication for this interface
 authentication port-control auto
 ! MAC Authentication Bypass: the MAC address is sent to ACS as the credential
 mab
 spanning-tree portfast
end

4 REPLIES
Tarik Admani
Advocate

Robert,

The static MAC address entries are normal entries when a client passes dot1x authentication. If you bounce the port and the host entry is not present in ACS, then the attempt should fail and you will not see the MAC address at all.

If you remove "authentication port-control auto" from the port (which disables dot1x), then you will see the dynamic entries like you did before.

This is a known feature of dot1x and the way it interacts with the MAC address table. Some other switches like 4500s in my experience still show dynamic entries, which may be a little confusing.

Hope that helps!

Tarik Admani
*Please rate helpful posts*

Bouncing the port worked. I guess this is just what I will need to do as long as there are small hubs connected to the switch, due to not having enough drops at the users' desktops.

Hi,

You can also configure periodic reauthentication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1374080

Thanks,

Tarik Admani
*Please rate helpful posts*
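As an added illustration (not posted by anyone in this thread), the port configuration from the question beside the same port with periodic reauthentication enabled, so a MAC that has been deleted from ACS is rejected at the next reauth interval instead of living on as a STATIC entry until the port is bounced. The interface number and the 3600 s / 600 s timer values are assumed; with "server" instead of a number, the interval comes from the Session-Timeout attribute that ACS returns.

```cisco
! Added example, not from the thread. Interface number and timer values assumed.
!
! Before: the port config from the question. A MAB session lasts until the link
! goes down, so a MAC removed from ACS keeps its access (and stays STATIC in the
! MAC table) until someone bounces the port.
interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 authentication control-direction in
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 spanning-tree portfast
!
! After: same port with periodic reauthentication. Every 3600 s the switch
! re-sends the MAC to ACS; a MAC no longer in ACS fails and its session is torn
! down without touching the port. The inactivity timer clears a session whose
! host went quiet, which matters behind a hub where the switch never sees link down.
interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 authentication control-direction in
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3600
 authentication timer inactivity 600
 mab
 spanning-tree portfast
!
! Checks from exec mode: per-MAC session status, and the MAC table entry
! (authenticated MACs show as STATIC while the session is up).
! show authentication sessions interface GigabitEthernet1/0/1
! show mac address-table interface GigabitEthernet1/0/1
! Force one port to reauthenticate now instead of bouncing it:
! clear authentication sessions interface GigabitEthernet1/0/1
```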

That will work great.  Thanks...again.
