mac-address table not populated when access-session closed configured

Tony M
Level 1

We're having some trouble with ports configured with access-session closed. The switch does not see the MAC address of some devices connected to such ports. We can take one of two actions to clear this condition:

1. Remove the access-session closed command or
2. Configure access-session port-control force-authorized

Once we configure one of these two commands, the switch sees the MAC, authenticates the device, and we are then able to set the port configuration back.

We are very concerned about what will happen after a switch-stack or device reload, however, and are afraid that we may have to perform this operation on every port where an affected device is connected in order to make the network operational.

My reading so far indicates that this is not normal behaviour. Has anybody else experienced this and is there a work-around or permanent fix?

Platforms: Catalyst 3800 and 9300.

Accepted Solutions

Damien Miller
VIP Alumni
Both those commands effectively accomplish the same thing: they put the port into open mode.

This is an issue I have seen with old PLC/IoT style devices that have poorly implemented their network stack. They try to reach out, can't get anywhere, then essentially blackhole themselves.

Any chance you could stay in open and leverage TrustSec/restrictive dACLs?

2 Replies

We'd prefer not to but, seeing as this is an issue with the client Ethernet implementation, this is likely the only way to make these clients stable.

Ultimately, the solution is to replace these devices with devices that work properly.

Damien, thanks for the response.
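
Added example, not part of the thread or any poster's code: a small audit that reads a saved running-config and reports each port's access-session posture, so ports left in force-authorized or in open mode without an ingress ACL can be found after the workaround discussed above. It assumes the open-mode restriction is a static port ACL applied with ip access-group (dACLs pushed by the RADIUS server do not appear in the config and are not checked); the interface names, the ACL name and the posture labels are constructed.

```python
import re

# Constructed running-config excerpt; interface and ACL names are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 access-session port-control auto
 access-session closed
!
interface GigabitEthernet1/0/2
 access-session port-control auto
 ip access-group PRE-AUTH in
!
interface GigabitEthernet1/0/3
 access-session port-control auto
!
interface GigabitEthernet1/0/4
 access-session port-control force-authorized
 access-session closed
!
interface GigabitEthernet1/0/5
 switchport mode trunk
!
"""

def classify_ports(config):
    """Return {interface: posture} for ports under access-session control."""
    result = {}
    # Split the config into stanzas at every line that starts with "interface ".
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [line.strip() for line in stanza.splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        body = set(lines[1:])
        control = next((l.split()[-1] for l in body
                        if l.startswith("access-session port-control ")), None)
        if control is None:
            continue  # e.g. trunks and uplinks with no port-control line
        has_acl = any(re.fullmatch(r"ip access-group \S+ in", l) for l in body)
        if control == "force-authorized":
            posture = "force-authorized"   # no authentication at all
        elif "access-session closed" in body:
            posture = "closed"             # no traffic before authentication
        else:
            posture = "open+acl" if has_acl else "open-unrestricted"
        result[lines[0].split(None, 1)[1]] = posture
    return result

def needs_review(config):
    """Ports that pass traffic without authentication or a pre-auth ACL."""
    return sorted(port for port, posture in classify_ports(config).items()
                  if posture in ("force-authorized", "open-unrestricted"))
```
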