I am looking to configure MAC-Authentication on our switches. Do you have any interface config you can share that is used in a production environment? Below is what I have so far. Am I missing anything, or does anything need to be removed? What about some sort of timeout settings we can use?
switchport mode access
switchport access vlan 20
switchport voice vlan 30
authentication control-direction in
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab
authentication priority mab
authentication port-control auto
authentication timer reauthenticate server
authentication timer restart 1
At a high level, your configuration is OK.
But if this is a first-time deployment and testing, I would start with a basic config and add more options as you move on, since if it is not working you will have a hard time finding which line is causing the issue.
So start with the below:
Agreeing with @balaji.bandi to start with less, test, and build from there. Are you planning on allowing both a data and a voice device on the same port? Here is a breakdown of the different host modes for a better understanding:
Single-host mode:
In single-host mode, only a single MAC or IP address can be authenticated by any method on a port. If a different MAC address is detected on the port after an endpoint has authenticated with 802.1X, MAB, or Web Authentication, a security violation is triggered on the port. This is the default behavior.
Multi-domain-authentication (MDA) host mode:
MDA was specifically designed to address the requirements of IP telephony in an 802.1X environment. When MDA is configured, two endpoints are allowed on the port: one in the voice VLAN, and one in the data VLAN. Additional MAC addresses trigger a security violation.
Multi-auth host mode:
If the port is configured for multi-auth mode, multiple endpoints can be authenticated in the data VLAN. Each new MAC address that appears on the port is separately authenticated. Multi-auth can be used for bridged virtual environments or to support hubs.
Multi-host mode:
Unlike multi-auth host mode, which authenticates every MAC address, multi-host mode authenticates the first MAC address and then allows an unlimited number of other MAC addresses. Because of the security implications of multi-host, multi-auth is typically a better choice than multi-host.
The basic config was available at the URL posted before on another thread (look at the URL at the bottom of the page).
Mainly, as mentioned by @Mike.Cifelli, what kind of deployment you have determines what config should go into the interface config.
Here is a good explanation of each one for your reference (as mentioned, go with the basic config and build from there).
Thank you. I enjoyed reading the document, and it cleared up many questions I had.
I want to follow up on "2.4.6 Inaccessible RADIUS Server". How can I configure the switch to detect if our RADIUS server goes down, so we can take action to put clients on the same VLANs configured on the ports?
You have the ability to configure AAA dead-server detection. See here for more detail: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-aaa-dead-server.html#GUID-46F1AAA9-273A-4DAF-9A1D-4354D335848F. HTH!
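As an added example that is not the answer's own config and not taken from Cisco's documentation, this ties the dead-server detection from that link to the critical-auth lines already present in the original interface config; the server name, address, shared secret, probe username, interface and VLAN numbers are placeholders (assumptions).

```cisco
! Added example (not from the thread): RADIUS dead-server detection plus
! critical authorization for a MAB port. Addresses, the shared secret,
! VLAN numbers and the probe username are placeholders; adjust to fit.
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Enables the authentication manager globally (needed even for MAB-only ports).
dot1x system-auth-control
!
! Named RADIUS server; automate-tester sends periodic test requests so the
! server is marked dead or alive even when no clients are authenticating.
radius server ISE-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key PLACEHOLDER_SHARED_SECRET
 automate-tester username radius-probe probe-on
!
! Global dead criteria: a server that fails to answer 3 requests within
! 5 seconds is marked dead, and stays dead for 10 minutes before retry.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 authentication host-mode multi-domain
 authentication order mab
 authentication priority mab
 authentication port-control auto
 ! While all RADIUS servers are dead, new data endpoints are authorized into
 ! VLAN 20 and phones into the voice VLAN (critical authentication).
 authentication event server dead action authorize vlan 20
 authentication event server dead action authorize voice
 ! When a server returns, re-run authentication on critical-auth ports so
 ! clients get the policy the server would normally assign.
 authentication event server alive action reinitialize
 ! Actually enables MAC Authentication Bypass on the port.
 mab
!
! Verify server state with: show radius server-group all / show aaa servers
```

The `show aaa servers` output reports each server's state (UP/DEAD), which is the quickest way to confirm the dead criteria are behaving as intended before relying on critical auth in production.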