MAB authentication and ARP request

SysAdminPilot
Level 1

Hi everyone, in my network I have an issue with MAB authentication and some "quiet" endpoints; I'll now explain the details.

The endpoint is PoE and is configured with a static IP; it does not support dot1x. When the device boots up, it does not generate any Ethernet traffic except multiple ARP requests. I have already read this discussion, but my problem is a little different. The endpoint fails dot1x, and MAB authentication does not start because the client does not generate any traffic. Currently I use a workaround: configure the device with DHCP and add "authentication timer restart 5" to the port configuration, but this isn't a clean solution because I want to use a static IP on this device.

This is a typical port configuration:

interface GigabitEthernet1/0/1
 switchport access vlan 998
 switchport mode access
 authentication port-control auto
 authentication timer restart 5
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast

Is it possible to trigger MAB authentication with an ARP request as well?

I think that MAB authentication starts when the MAC address table is populated. What rules does the switch use to populate the MAC address table? Is an ARP request insufficient?

Thanks to the community for replies!

7 Replies

Use DHCP with static IP-MAC or IP-ClientID.
This makes the endpoint use DHCP and triggers MAB.

MHM

SysAdminPilot
Level 1

I would like to use a static IP... I need to find an alternative...

DHCP with a static IP is the same as assigning a static IP to the endpoint directly, except that with DHCP the endpoint sends a DHCP request, and the switch detects this request and uses the MAC in this DHCP request frame for MAB.

MHM

SysAdminPilot
Level 1

In the production environment I don't have a DHCP server on this network.

Charlie Moreton
Cisco Employee

ISE cannot do anything without traffic and does not submit ARP requests.

Use your switch as a DHCP server: IP Addressing Services Configuration Guide, Cisco IOS XE 17.13.x (Catalyst 9300 Switches) 

You can even reserve IP Addresses: how to reserve a specific MAC address in the existing Cisco DHCP server switch

Unfortunately, a DHCP server isn't a solution for my network design. My device sends continuous ARP requests after powering up on the network; why isn't that good enough to start MAB authentication?

thomas
Cisco Employee

See the previous community thread Wired 802.1x: MAB for Silent Endpoint for possible solutions.