08-14-2012 08:21 AM - edited 03-10-2019 07:25 PM
I have a Cisco Secure ACS giving port access to approved MACs. I am wondering how the process works. We recently replaced all the PCs in our organization. After the new PCs were deployed, we removed all the MACs from the ACS. I noticed today that the old MACs are listed on the switch as static entries (as are the new ones). I am wondering, since they are on that static list, whether they will be allowed on the network, or whether they will try to authenticate each time they are plugged into the switch?
The switch is a 2960 running 12.2(53r)SE, port configuration is:
interface GigabitEthernet1/0/xx
switchport access vlan 2
switchport mode access
authentication control-direction in
authentication host-mode multi-auth
authentication port-control auto
mab
spanning-tree portfast
end
08-14-2012 08:24 AM
Robert,
The static MAC address entry is a normal entry when a client passes dot1x authentication. If you bounce the port and the host entry is not present in ACS, then the attempt should fail and you will not see the MAC address at all.
If you remove "authentication port-control auto" from the port (which disables dot1x), then you will see the dynamic entries like you did before.
This is a known feature of dot1x and the way it interacts with the MAC address table. Some other switches, like 4500s in my experience, still show dynamic entries, which may be a little confusing.
Hope that helps!
Tarik Admani
*Please rate helpful posts*
08-14-2012 09:37 AM
Bouncing the port worked. I guess this is just what I will need to do as long as there are small hubs connected to the switch, due to not having enough drops at the users' desktops.
08-14-2012 09:41 AM
Hi,
You can also configure periodic reauthentication:
Thanks,
Tarik Admani
*Please rate helpful posts*
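Putting the two suggestions from the replies above together (bounce the port to force a fresh MAB attempt, or have the switch reauthenticate on a timer), here is an added example of what the poster's port configuration looks like with periodic reauthentication enabled, followed by the commands used to verify and to force reauthentication. This is not configuration from the original posts; the interface name, VLAN and timer values are assumptions chosen for illustration.

```cisco
! Added example (not from the thread): the 2960 access port shown in the
! question with periodic reauthentication added. Interface name, VLAN and
! timer values are assumptions for illustration.
interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport mode access
 authentication control-direction in
 authentication host-mode multi-auth
 authentication port-control auto
 ! Re-run MAB for every session on this port at a fixed interval, so a MAC
 ! that has been deleted from ACS is dropped without bouncing the port.
 authentication periodic
 authentication timer reauthenticate 3600
 ! Alternative: "authentication timer reauthenticate server" lets ACS set
 ! the interval per session through the RADIUS Session-Timeout attribute.
 ! Behind a hub the switch never sees link-down when one PC is unplugged,
 ! so also age out sessions that stop sending traffic (seconds).
 authentication timer inactivity 600
 mab
 spanning-tree portfast
end

! Verification: the per-MAC session state, and the MAC table entries the
! sessions create (STATIC for authenticated hosts, as the reply above notes).
show authentication sessions interface GigabitEthernet1/0/1
show mac address-table interface GigabitEthernet1/0/1

! Force immediate reauthentication of every host on the port without a
! shutdown / no shutdown; a MAC no longer in ACS fails MAB and is removed.
clear authentication sessions interface GigabitEthernet1/0/1
```

With multi-auth and a hub, the inactivity timer is the piece that actually handles the case in the question: the hub keeps the switch port up, so a stale session only goes away when it is reauthenticated, times out for inactivity, or is cleared by hand.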
08-14-2012 10:31 AM
That will work great. Thanks...again.