Generated MAC address keep send authen packet to ISE

bakaholic39 · ‎04-29-2024

Hi all,

Does anyone have experience with this weird issue?
Some of my PCs that connected to Avaya IP phone keep generating their MAC addresses and sending authentication packets to ISE every second.

Generated MAC address only appear on show authentication sessions interface and show logging (result of failed authen).
show mac address-table can't see this MAC address.

When I hit the show authentication sessions interface command.

show authentication sessions interface gigabitEthernet 0/2
Interface: GigabitEthernet0/2
MAC Address: e073.0000.0000 <-------------- PC's generated MAC address.
IP Address: Unknown
User-Name: e07300000000
Status: Authz Failed
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0B349F000007B6DDB93700
Acct Session ID: 0x00000C47
Handle: 0x730007B7

Runnable methods list:
Method State
mab Failed over
dot1x Failed over

----------------------------------------
Interface: GigabitEthernet0/2
MAC Address: c81f.ea5b.3f54 <-------------- Avaya IP Phone.
IP Address: 10.11.188.225
User-Name: C8-1F-EA-5B-3F-54
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0B349F0000072DCA604295
Acct Session ID: 0x00000B77
Handle: 0xD200072E

Runnable methods list:
Method State
mab Authc Success
dot1x Not run

----------------------------------------
Interface: GigabitEthernet0/2
MAC Address: e073.e765.e47a <-------------- PC's real MAC address:
IP Address: 10.11.105.162
User-Name: Username
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_IPV4_TRAFFIC-57f6b0d3

Session timeout: 28800s (server), Remaining: 23697s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0A0B349F00000775DCA93CF7
Acct Session ID: 0x00000C02
Handle: 0x71000776

Runnable methods list:
Method State
mab Not run
dot1x Authc Success

When I hit the show mac address-table interface command. Only see the MAC address of Avaya IP phone and PC (the real one).

show mac address-table interface gigabitEthernet 0/2
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1152 e073.e765.e47a STATIC Gi0/2
1105 c81f.ea5b.3f54 STATIC Gi0/2
Total Mac Addresses for this criterion: 2

How can I troubleshoot this?

Thank you.

Arne Bier · ‎04-29-2024

I can't say I have seen this before.

Does the same issue persist with this workstation when you plug it directly into the switch, instead of in the back of the Avaya?

Is the PC connected via an Ethernet dock (e.g. USB C hub/dock) into the Avaya?

You could run a capture session on the switch - perhaps that sheds some light on the issue.

Does the phantom MAC address always look like this (e073.0000.0000) ? The third octet of the MAC OUI is different to the genuine HP MAC OUI.

If this happens even when directly connected to switch, then I would say it's a PC device driver issue.

If it only happens when on a dock, then perhaps check firmware on the dock and see if MAC passthrough is enabled.

Aref Alsouqi · ‎04-30-2024

Do you actually see the generated MAC anywhere on the PC itself? I agree with @Arne Bier, updating the dock firmware would be a very good shout if you use them.