Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
767
Views
0
Helpful
7
Replies

MAB authentication and ARP request

SysAdminPilot
Level 1
Level 1

‎03-18-2024 03:45 AM

Hi everyone, in my network i have an issues with MAB authentication and some "quiet" endpoint, now explain the details.

The endpoint is poe and is configured with static IP, not support dot1x. When the device boot up not make any ethernet traffic except multiple ARP request. I have already read this discussion but my problem is little different. The endpoint fail dot1x and MAB authentication not starting because the client not make any traffic. Actually i use a workaround: configure the device with dhcp and add "authentication timer restart 5" on the port configuration, but this isn't a clean solution because i want to use static IP on this device.

This is typical port configuration:

interface GigabitEthernet1/0/1
switchport access vlan 998
switchport mode access
authentication port-control auto
authentication timer restart 5
mab
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast

It's possible to trigger MAB authentication also with ARP request?

I think that the MAB authentication starting when mac-address table are populated. What are the rules that the switch use to populate the mac-address table, the arp request is insufficient?

Thanks to the community for replies!

0 Helpful
7 Replies 7

MHM Cisco World
VIP
VIP

‎03-18-2024 03:53 AM

Use DHCP with static IP-MAC or IP-ClientID 
this make endpoint  use DHCP and trigger MAB 

MHM

0 Helpful

SysAdminPilot
Level 1
Level 1

‎03-18-2024 03:57 AM

I would like use static ip... I need to find alternative....

0 Helpful

MHM Cisco World
VIP
VIP
In response to SysAdminPilot

‎03-18-2024 03:59 AM

DHCP with static IP is same as you assing static IP to endpoint directly except with DHCP the endpoint send DHCP request and SW detect this request use MAC in this frame DHCP request for MAB

MHM

0 Helpful

SysAdminPilot
Level 1
Level 1

‎03-18-2024 04:21 AM

In production enviroment don't have dhcp server on this network

0 Helpful

Charlie Moreton
Cisco Employee
Cisco Employee

‎03-18-2024 06:27 AM

ISE cannot do anything without traffic and does not submit ARP requests.

Use your switch as a DHCP server: IP Addressing Services Configuration Guide, Cisco IOS XE 17.13.x (Catalyst 9300 Switches) 

You can even reserve IP Addresses:  how to reserve a specific MAC address in the existing Cisco DHCP server switch

0 Helpful

SysAdminPilot
Level 1
Level 1
In response to Charlie Moreton

‎03-18-2024 06:35 AM

Unfortunately DHCP server isn't solution for my network design. My device send continuous ARP request after power up on the network, because it isn't good for start MAB authentication?

0 Helpful

thomas
Cisco Employee
Cisco Employee

‎03-18-2024 11:14 AM

See the previous community thread Wired 802.1x: MAB for Silent Endpoint for possible solutions.

0 Helpful
Customers Also Viewed These Support Documents