3930 Views | 25 Helpful | 7 Replies

Duplicate MAC address Dot1x and MAB

cdiaz (Level 1)

Hi,

I have problems with clients authenticated by ISE via Dot1x/MAB. The client MAC appears on two different switches and is declared as static. There is no loop.

##### Client in port F0/32 309c.237b.97e6 ###

SW-1-P8-FRCN(config)#do show run interf fastEthernet 0/32
Building configuration...

Current configuration : 611 bytes
!
interface FastEthernet0/32
description LAN DE DATOS - TELEFONIA
switchport access vlan 227
switchport mode access
switchport voice vlan 21
authentication event fail action next-method
authentication event server dead action reinitialize vlan 227
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end

SW-1-P8-FRCN#show mac address-table interface fastEthernet 0/32
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 227    0800.2774.d510    STATIC      Fa0/32
 227    0800.2774.d51d    STATIC      Fa0/32
 227    309c.2374.d51d    STATIC      Fa0/32
 227    309c.237b.97e6    STATIC      Fa0/32
  21    0080.9fed.635f    STATIC      Fa0/32
Total Mac Addresses for this criterion: 5
SW-1-P8-FRCN#

##### Switch without the client connected to the port ######

!
interface FastEthernet0/17
description LAN DE DATOS - TELEFONIA
switchport access vlan 227
switchport mode access
switchport voice vlan 21
authentication event fail action next-method
authentication event server dead action reinitialize vlan 227
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end

SW-2-P8-FRCN#show mac address-table interface fastEthernet 0/17
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 227    0800.2777.4dd6    STATIC      Fa0/17
 227    309c.2377.4dd6    STATIC      Fa0/17
 227    309c.237b.97e6    STATIC      Fa0/17
  21    0080.9fe5.f023    STATIC      Fa0/17
Total Mac Addresses for this criterion: 4
SW-2-P8-FRCN#

1 Accepted Solution: cdiaz's reply below (marked as accepted).

7 Replies

Cristian Matei (VIP Alumni)

Hi,

I see only this MAC address showing up on both ports: "227 309c.237b.97e6 STATIC". Is it because you moved the endpoint to another port? Any MAC address which is "authenticated" via MAB/802.1X will show up as "static", or as it's called "secure", and for this reason is not allowed to "move" between ports of the same switch by default, to allow for even better security.

So what is the exact problem you're facing?

Regards,

Cristian Matei.

Hello Cristian,

Thanks for your answer. In this case, the client doesn't move to another port; the MAC appears on the other switch over the same uplink.

What happens if you clear the authentication sessions on both ports? Do they return as shown?

Cristian Matei (VIP Alumni)

Hi,

Do you have any functional problems, in the end? Also, do you have a trunk between switches? When the client moves between switches, how does that MAC address show on both switches? You could use "authentication timer inactivity" set to 300 seconds, in order to age out a "static" MAC address, the same way you would age out a dynamic MAC address.

Regards,

Cristian Matei.
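The check a practitioner would want here, as an added example that is not part of the thread: take the two `show mac address-table` outputs from the original post together with the interface stanzas, report every secure (STATIC) MAC that appears on more than one switch, and say whether each affected port has a numeric inactivity timer (so the entry can age out locally) or uses `server` (so aging depends on an Idle-Timeout attribute from RADIUS). The hostnames, ports and MACs are the ones cdiaz posted; the stanzas are shortened, and SW-2's stanza is deliberately changed to carry the `authentication timer inactivity 300` Cristian suggests so that the two settings sit side by side. Function and variable names are my own.

```python
"""Flag secure (802.1X/MAB, shown as STATIC) MAC entries that appear on more than
one switch and report each port's inactivity timer. Added example, not code from
the thread; the sample data below is constructed from the original post."""
import re
from collections import defaultdict

# Constructed sample: the two mac-table outputs from the post, keyed by hostname.
MAC_TABLES = {
    "SW-1-P8-FRCN": """\
Vlan Mac Address Type Ports
---- ----------- -------- -----
227 0800.2774.d510 STATIC Fa0/32
227 0800.2774.d51d STATIC Fa0/32
227 309c.2374.d51d STATIC Fa0/32
227 309c.237b.97e6 STATIC Fa0/32
21 0080.9fed.635f STATIC Fa0/32
Total Mac Addresses for this criterion: 5
""",
    "SW-2-P8-FRCN": """\
Vlan Mac Address Type Ports
---- ----------- -------- -----
227 0800.2777.4dd6 STATIC Fa0/17
227 309c.2377.4dd6 STATIC Fa0/17
227 309c.237b.97e6 STATIC Fa0/17
21 0080.9fe5.f023 STATIC Fa0/17
""",
}

# Constructed sample: shortened interface stanzas. SW-1 keeps the poster's
# "server" setting; SW-2 is altered to the 300-second timer suggested in reply.
RUNNING_CONFIGS = {
    "SW-1-P8-FRCN": """\
interface FastEthernet0/32
 switchport access vlan 227
 authentication host-mode multi-auth
 authentication timer inactivity server
 mab
""",
    "SW-2-P8-FRCN": """\
interface FastEthernet0/17
 switchport access vlan 227
 authentication host-mode multi-auth
 authentication timer inactivity 300
 mab
""",
}

IFACE_PREFIXES = ("FastEthernet", "GigabitEthernet", "TenGigabitEthernet")
MAC_ROW = re.compile(r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                     r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$", re.I)
TIMER_RE = re.compile(r"^\s*authentication timer inactivity\s+(.+?)\s*$")


def normalize_port(name):
    """Expand abbreviated IOS port names so Fa0/32 and FastEthernet0/32 compare equal."""
    m = re.match(r"^([A-Za-z]+)(\d.*)$", name)
    if not m:
        return name
    prefix, rest = m.groups()
    for full in IFACE_PREFIXES:
        if full.lower().startswith(prefix.lower()):
            return full + rest
    return name


def parse_mac_table(text):
    """Return the data rows of a `show mac address-table` output as dicts."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append({"vlan": int(m["vlan"]), "mac": m["mac"].lower(),
                         "type": m["type"].upper(), "port": normalize_port(m["port"])})
    return rows


def find_cross_switch_macs(tables, entry_type="STATIC"):
    """Map mac -> [(switch, port), ...] for MACs of entry_type seen on more than
    one switch. Authenticated (secure) entries appear as STATIC on IOS."""
    seen = defaultdict(list)
    for switch, text in tables.items():
        for row in parse_mac_table(text):
            if row["type"] == entry_type:
                seen[row["mac"]].append((switch, row["port"]))
    return {mac: places for mac, places in seen.items()
            if len({sw for sw, _ in places}) > 1}


def inactivity_timers(config):
    """Map interface -> inactivity timer: int seconds, 'server', 'server dynamic',
    or None when the command is absent from that stanza."""
    timers, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = normalize_port(m.group(1))
            timers[current] = None
            continue
        m = TIMER_RE.match(line)
        if m and current:
            value = m.group(1)
            timers[current] = int(value) if value.isdigit() else value
    return timers


def report(tables, configs):
    """One finding per (mac, switch, port) for every cross-switch STATIC MAC,
    with ages_locally True only when the port has a numeric inactivity timer."""
    findings = []
    for mac, places in find_cross_switch_macs(tables).items():
        for switch, port in places:
            timer = inactivity_timers(configs.get(switch, "")).get(port)
            findings.append({"mac": mac, "switch": switch, "port": port,
                             "inactivity_timer": timer,
                             "ages_locally": isinstance(timer, int)})
    return findings


if __name__ == "__main__":
    for finding in report(MAC_TABLES, RUNNING_CONFIGS):
        print(finding)
```

Run against the poster's real configs, where both ports use `authentication timer inactivity server`, every finding would come back with `ages_locally` False: with `server`, IOS only starts an inactivity timer if the RADIUS reply carries an Idle-Timeout attribute, so a secure entry with no such attribute stays on the port until the session is cleared. `show authentication sessions interface FastEthernet0/32 details` on the switch shows which timer a live session actually received.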

Thanks for your answers. These days all of them are teleworking; I will apply the change of the server time to 300 seconds. Results may be delayed.

Regards.

Hello, any news on this topic? I have the same problem with false MAC addresses sticking to ports and not clearing out. Did "authentication timer inactivity 300" help?

Right now I have the "authentication timer inactivity server" command set on the port, and I am going to change that setting to 300.

@mariya.telitsina, please submit your question in a new thread with your troubleshooting details so people can help with your specific situation. See How to Ask The Community for Help for the details that may help troubleshoot your problem. If this is a switch issue and not an ISE issue, consider posting to the Switching forum instead.