03-16-2020 05:40 AM
Hi,
I have problems with clients authenticated with ISE Dot1x MAB. The client MAC appears on two different switch and declared as static. There is no loop.
##### Client in port F0/32 309c.237b.97e6 ###
SW-1-P8-FRCN(config)#do show run interf fastEthernet 0/32
Building configuration...
Current configuration : 611 bytes
!
interface FastEthernet0/32
description LAN DE DATOS - TELEFONIA
switchport access vlan 227
switchport mode access
switchport voice vlan 21
authentication event fail action next-method
authentication event server dead action reinitialize vlan 227
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
SW-1-P8-FRCN#show mac address-table interface fastEthernet 0/32
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
227 0800.2774.d510 STATIC Fa0/32
227 0800.2774.d51d STATIC Fa0/32
227 309c.2374.d51d STATIC Fa0/32
227 309c.237b.97e6 STATIC Fa0/32
21 0080.9fed.635f STATIC Fa0/32
Total Mac Addresses for this criterion: 5
SW-1-P8-FRCN#
SW-1-P8-FRCN#
##### Switch without the client connected to the port ######
!
interface FastEthernet0/17
description LAN DE DATOS - TELEFONIA
switchport access vlan 227
switchport mode access
switchport voice vlan 21
authentication event fail action next-method
authentication event server dead action reinitialize vlan 227
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
SW-2-P8-FRCN#show mac address-table interface fastEthernet 0/17
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
227 0800.2777.4dd6 STATIC Fa0/17
227 309c.2377.4dd6 STATIC Fa0/17
227 309c.237b.97e6 STATIC Fa0/17
21 0080.9fe5.f023 STATIC Fa0/17
Total Mac Addresses for this criterion: 4
SW-2-P8-FRCN#
Solved! Go to Solution.
03-19-2020 05:29 AM
Thanks for your answers, these days all of them are teleworking, I will apply to change the served time for 300 seconds. Results may be delayed.
Regards.
03-16-2020 07:04 AM
Hi,
I see only this MAC address as showing up on both ports "227 309c.237b.97e6 STATIC", is it because you moved the endpoint to another port? Any MAC address which is "authenticated" via MAB/802.1x will show up as "static", or as it's called "secure", and for this reason is not allowed to "move" between ports of the same switch by default, to allow for even better security.
So what is the exact problem you're facing?
Regards,
Cristian Matei.
03-16-2020 02:00 PM
Hello Cristian,
Thanks for your answer. In this case, the client dont move to other port, the mac appear in other switch over the same uplink.
03-16-2020 05:08 PM
03-17-2020 08:14 AM
Hi,
Do you have any functional problems, in the end? Also, do you have a trunk between switches? When the client moves between switches, how does that MAC address show on both switches? You could use "authentication timer inactivity" set to 300 seconds, in order to age out a"static" MAC address, the same way you would age out a dynamic MAC address.
Regards,
Cristian Matei.
03-19-2020 05:29 AM
Thanks for your answers, these days all of them are teleworking, I will apply to change the served time for 300 seconds. Results may be delayed.
Regards.
09-27-2022 02:28 AM
Hello, any news on this topic? I have same problem with false mac-addresses sticking to ports and not clearing out. Did authentication timer inactivity 300 helped?
now I have "authentication timer inactivity server" command set on port, and going to change that setting to 300.
10-01-2022 03:03 PM
@mariya.telitsina , please submit your question in a new thread with your troubleshooting details so people can help your specific situation. See How to Ask The Community for Help for providing details that may help troubleshoot your problem. If this is a switch issue and not an ISE issue, consider posting to the Switching forum instead.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide