Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1007
Views
10
Helpful
4
Replies

ACS authentication question

robert.riggle
Level 5
Level 5

‎08-14-2012 08:21 AM - edited ‎03-10-2019 07:25 PM

I have a Cisco Secure ACS giving port access to approved MACs.  I am wondering how the process works.  We recently replaced all the PCs in our organinzation.  After the new PCs were deployed, we removed all the MACs from the ACS.  I noticed today that the old MACs are listed on the switch as a static entry (as are the new ones).  I am wondering if it being on that static list, will they be allowed on the network?  Or will they try to authenticate each time they are plugged into the switch? 

The switch is a 2960 running 12.2(53r)SE, port configuration is:

interface GigabitEthernet1/0/xx

     sw access vlan 2

     sw mode access

     authentication control-direction in

     authentication host-mode multi-auth

     authentication port-control auto

     mab

     spanning-tree portfast

end

Labels:
0 Helpful
4 Replies 4

Tarik Admani
VIP Alumni
VIP Alumni

‎08-14-2012 08:24 AM

Robert,

The static mac address entries is a normal entry when a client passes dot1x authentication. If you bounce the port and the host entry is not present in ACS then the attempt should fail and you will not see mac address at all.

If you remove "authentication port control auto" from the port (which disables dot1x) then you will see the dynamic entries like you did before.

This is a known feature of dot1x and the way it interfacts with the mac address table. Some other switches like 4500s in my experience still show dynamic entries which may be a little confusing.

hope that helps!

Tarik Admani
*Please rate helpful posts*

robert.riggle
Level 5
Level 5
In response to Tarik Admani

‎08-14-2012 09:37 AM

Bouncing the port worked.  I guess this is just what I will need to do as long as there are small hubs connected to the switch due to not having enough drops at the users desktop.

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to robert.riggle

‎08-14-2012 09:41 AM

Hi,

You can also configure periodic reauthentication:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1374080

Thanks,

Tarik Admani
*Please rate helpful posts*

robert.riggle
Level 5
Level 5
In response to Tarik Admani

‎08-14-2012 10:31 AM

That will work great.  Thanks...again.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents