10-17-2016 03:21 AM - edited 03-11-2019 12:09 AM
Hello,
We're currently noticing some strange behaviour with RADIUS MAC-Bypass authentication. This behaviour leads to a huge number of false alarms at our customer sites.
Infrequently, at irregular intervals, there are authentication sessions for MAC addresses that do not exist in reality. Because those MAC addresses are not known in RADIUS, network access is rejected and an alarm is communicated from RADIUS to our customer. The authentication session for the non-existent MAC address remains active, and after the authentication restart timer has elapsed, the switch sends a new access-request with the non-existent MAC address to the RADIUS server.
Looking at the mac address-table of the interface the request comes from, we can only see the MAC address of the device connected to that port.
Interestingly, the last 16 bits of the unknown MAC address match the last 16 bits of the MAC address of the device connected to the port. We are experiencing this behaviour on ports where IP phones are connected; some of them are Cisco, others are Avaya.
Re-enabling the ports (shut/no shut) clears the auth session, and the non-existent MAC address disappears. LLDP/LLDP-MED and IP device tracking are enabled in the global switch config.
Interface configuration is identical for all access-switches and access-ports:
Cat2960-48TC_15.0(2)SE5#sh run int f0/4
interface FastEthernet0/4
switchport access vlan 154
switchport mode access
switchport voice vlan 668
ip access-group Default in
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 1800
authentication timer reauthenticate 14400
authentication violation replace
mab
mls qos trust dscp
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x timeout supp-timeout 3
dot1x timeout start-period 5
no cdp enable
spanning-tree portfast
end
Cat2960-48TC_15.0(2)SE5#sh auth session int f0/4
Interface: FastEthernet0/4
MAC Address: b447.5eb3.269c
IP Address: 16.16.50.155
User-Name: B4475EB3269C
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: in
Authorized By: Authentication Server
Filter-Id: VOICE
Session timeout: 14400s (local), Remaining: 9500s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 101039100000D3E1B7E2071C
Acct Session ID: 0x0000DC21
Handle: 0x950005C0
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
----------------------------------------
Interface: FastEthernet0/4
MAC Address: 0024.14df.269c
IP Address: Unknown
User-Name: 002414df269c
Status: Authz Failed
Domain: DATA
Oper host mode: multi-domain
Oper control dir: in
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 101039100000D5EDE58A7DF5
Acct Session ID: 0x0000DF0B
Handle: 0x73000792
Runnable methods list:
Method State
dot1x Failed over
mab Failed over
Cat2960-48TC_15.0(2)SE5#sh mac address-table int f0/4
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
668 b447.5eb3.269c STATIC Fa0/4
Total Mac Addresses for this criterion: 1
Cat2960-48TC_15.0(2)SE5#
Log entry for a Cat2960Plus-48PST running 15.0(2)SE5
13:47:51.939 : %AUTHMGR-5-START: Starting 'mab' for client (2893.fea3.6bd9) on Interface Fa0/48 AuditSessionID 053A130B0000049E70233D5B
13:47:51.947 : %MAB-5-FAIL: Authentication failed for client (2893.fea3.6bd9) on Interface Fa0/48 AuditSessionID 053A130B0000049E70233D5B
13:47:51.947 : %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (2893.fea3.6bd9) on Interface Fa0/48 AuditSessionID 053A130B0000049E70233D5B
13:47:51.947 : %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (2893.fea3.6bd9) on Interface Fa0/48 AuditSessionID 053A130B0000049E70233D5B
13:47:51.947 : %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (2893.fea3.6bd9) on Interface Fa0/48 AuditSessionID 053A130B0000049E70233D5B
13:47:51.947 : %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (2893.fea3.6bd9) on Interface Fa0/48 AuditSessionID 053A130B0000049E70233D5B
13:48:06.284 : %LINK-5-CHANGED: Interface FastEthernet0/48, changed state to administratively down
13:48:07.290 : %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/48, changed state to down
13:48:08.205 : %SYS-5-CONFIG_I: Configured from console by XXXXXXXX on vty0 (abc.def.ghi.jkl)
13:48:08.809 : %LINK-3-UPDOWN: Interface FastEthernet0/48, changed state to down
13:48:09.245 : %AUTHMGR-5-START: Starting 'mab' for client (1c17.d337.6bd9) on Interface Fa0/48 AuditSessionID 053A130B000004AA752981F9
13:48:09.253 : %MAB-5-SUCCESS: Authentication successful for client (1c17.d337.6bd9) on Interface Fa0/48 AuditSessionID 053A130B000004AA752981F9
13:48:09.262 : %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (1c17.d337.6bd9) on Interface Fa0/48 AuditSessionID 053A130B000004AA752981F9
13:48:10.293 : %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1c17.d337.6bd9) on Interface Fa0/48 AuditSessionID 053A130B000004AA752981F9
13:48:11.208 : %LINK-3-UPDOWN: Interface FastEthernet0/48, changed state to up
13:48:12.214 : %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/48, changed state to up
What is the reason for the authentication sessions with the wrong, non existent MAC address and how can we stop this behaviour?
Thanks and kind regards
Achim
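The following is an added example for triaging the alarms described in the post above; it is not part of the original post and is not a fix for the switch behaviour. It parses %AUTHMGR/%MAB syslog lines, and for every MAC that failed authorization on a port it checks whether a MAC that authorized successfully on the same port shares its last 16 bits (the pattern seen on Fa0/4 and Fa0/48 above). Such failures are reported as phantom-session candidates, everything else as a failure still worth an alarm. The first five log lines are taken from the post, the Fa0/4 lines are reconstructed from the 'sh auth session' output (timestamps constructed), and the Fa0/10 lines, the function names and the decision rule are assumptions made for this example.

```python
"""Separate 'phantom' MAB failures (failed MAC shares its low 16 bits with a
MAC that authorized on the same port) from failures with no such twin."""
import re
from collections import defaultdict

# Matches the %AUTHMGR / %MAB / %DOT1X message shapes shown in the post.
EVENT_RE = re.compile(
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z_]+): .*?client \("
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\) on Interface (?P<iface>\S+)"
)

# Final authorization outcomes used for the decision (assumption: only these matter).
SUCCESS_MNEMONICS = {"AUTHMGR-5-SUCCESS"}
FAILURE_MNEMONICS = {"AUTHMGR-5-FAIL"}

# Constructed sample: lines 1-5 from the post, Fa0/4 reconstructed from the
# 'sh auth session' output, Fa0/10 wholly made up to show a genuine failure.
SAMPLE_LOG = """\
13:47:51.939 : %AUTHMGR-5-START: Starting 'mab' for client (2893.fea3.6bd9) on Interface Fa0/48 AuditSessionID 053A130B0000049E70233D5B
13:47:51.947 : %MAB-5-FAIL: Authentication failed for client (2893.fea3.6bd9) on Interface Fa0/48 AuditSessionID 053A130B0000049E70233D5B
13:47:51.947 : %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (2893.fea3.6bd9) on Interface Fa0/48 AuditSessionID 053A130B0000049E70233D5B
13:48:09.253 : %MAB-5-SUCCESS: Authentication successful for client (1c17.d337.6bd9) on Interface Fa0/48 AuditSessionID 053A130B000004AA752981F9
13:48:10.293 : %AUTHMGR-5-SUCCESS: Authorization succeeded for client (1c17.d337.6bd9) on Interface Fa0/48 AuditSessionID 053A130B000004AA752981F9
14:02:11.100 : %AUTHMGR-5-SUCCESS: Authorization succeeded for client (b447.5eb3.269c) on Interface Fa0/4 AuditSessionID 101039100000D3E1B7E2071C
14:31:40.512 : %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0024.14df.269c) on Interface Fa0/4 AuditSessionID 101039100000D5EDE58A7DF5
14:40:02.003 : %AUTHMGR-5-SUCCESS: Authorization succeeded for client (aabb.cc00.1111) on Interface Fa0/10 AuditSessionID 0000000000000000000000AA
14:41:15.771 : %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0011.2233.4455) on Interface Fa0/10 AuditSessionID 0000000000000000000000AB
"""


def parse_events(text):
    """Return (interface, mac, mnemonic) tuples for every line carrying a client MAC."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((m.group("iface"), m.group("mac").lower(), m.group("mnemonic")))
    return events


def low16(mac):
    """Last 16 bits of a dotted IOS MAC, as four hex digits (b447.5eb3.269c -> '269c')."""
    return mac.replace(".", "").lower()[-4:]


def triage(text):
    """Split failed MACs per port into phantom candidates and real failures.

    Returns (phantoms, real): phantoms is a list of (iface, failed_mac, twin_mac)
    where twin_mac authorized on the same port and shares the low 16 bits;
    real is a list of (iface, failed_mac) with no such twin.
    """
    authorized = defaultdict(set)
    failed = defaultdict(set)
    for iface, mac, mnemonic in parse_events(text):
        if mnemonic in SUCCESS_MNEMONICS:
            authorized[iface].add(mac)
        elif mnemonic in FAILURE_MNEMONICS:
            failed[iface].add(mac)

    phantoms, real = [], []
    for iface in sorted(failed):
        for mac in sorted(failed[iface]):
            if mac in authorized[iface]:
                continue  # failed once, authorized later: transient, not alarmed here
            twins = sorted(m for m in authorized[iface] if low16(m) == low16(mac))
            if twins:
                phantoms.append((iface, mac, twins[0]))
            else:
                real.append((iface, mac))
    return phantoms, real


if __name__ == "__main__":
    phantoms, real = triage(SAMPLE_LOG)
    for iface, mac, twin in phantoms:
        print(f"{iface}: {mac} failed, low 16 bits match authorized {twin} -> phantom candidate")
    for iface, mac in real:
        print(f"{iface}: {mac} failed, no twin on port -> alarm")
```

Feed it the switch syslog for a day and only the entries in the second list need a human; the phantom candidates can be correlated with the 'show mac address-table interface' output, which on the affected ports shows only the real device.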