
PC sends its MAC instead of host/hostname in EAPOL frame

kz-support
Level 1

We encountered a problem:

When connecting a workstation via a telephone, network access is limited by NAC, because instead of username = host/U_..... the client sends its MAC address in the RADIUS request.


When connecting a workstation without a telephone, the client sends the correct request to RADIUS - User-Name = host/U_.....

The telephone model is Cisco 7821, and the workstation has been connected via this telephone for over a year and there have been no problems. But a month ago the problems described above began.

We replaced the telephone with another device (also Cisco 7821) - everything works correctly, the supplicant sends host/username to the authentication server.

This is not the first time we have encountered a problem with NAC when connecting via a telephone.

Symptoms: Network access suddenly becomes unavailable on the computer, the computer is not accessible via RDP.

Also, having taken a dump from the PSN node, I found that in this case, in the EAPOL frame, instead of username host/<FQDN of hostname>, the MAC address of the PC comes to ISE and, accordingly, the session falls into the default policy with limited access to the network.

When connecting the PC directly (without the Cisco 7821 IP phone) or changing the phone to the same model, everything goes as normal.

Additional information:

- Cables were checked and changed
- The problem occurs on different models of telephones
- Resetting the phone to factory settings did not solve the problem
- We checked only on a Windows supplicant, there are no hosts with other OSs on the network

We checked on different switches - first we found out that:

1. The workstation connected via the problematic phone does not work correctly when connecting the workstation via the phone to different ports of different switches in the office;
2. The workstation connected to the switch port without a phone is authenticated correctly;
3. Then we checked the operation via another phone (connection in the same office to the same switch port) - it works correctly;
4. Then the problematic phone was moved to another office and the “correct” workstation was connected through it – the result is that the supplicant sends INCORRECT data (MAC instead of host/<hostname>);
5. We connect through another phone – correct registration.

And the most interesting thing is that while I was writing a letter with the test results, it turned out that now the workstation is registered correctly through the problematic phone!

The switch models are different: C9200L-48T-4G, C9200L-24P-4G, WS-C3850-48P (one of them, for example, is model WS-C3850-48P-E, software ver. 16.12.08).

Could you help me to solve this problem?

Thank you in advance!

4 Replies

Upgrade the firmware on the phone.

klnnnnng
Level 1

Hi,

could you please share your access point configuration?

Regards

The issue lies with the supplicant (i.e. the phone), and resolving the issue means getting the phone to do the right thing - none of the other components have anything to do with this issue. @ahollifield is spot on.

The PC sends this or the SW does that?

Are you sure you use 802.1X, not MAB?

MHM
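
One way to answer the 802.1X-versus-MAB question from a capture taken on the PSN, as an added example that is not part of the thread: parse each RADIUS Access-Request and check whether it carries an EAP-Message attribute (relayed 802.1X) or only Service-Type = Call-Check with a MAC-shaped User-Name (MAB generated by the switch). It assumes the default Cisco MAB encoding; the packets, host name and MAC below are constructed placeholders.

```python
import re
import struct

USER_NAME, SERVICE_TYPE, EAP_MESSAGE = 1, 6, 79   # RADIUS attribute types
FRAMED, CALL_CHECK = 2, 10                        # Service-Type values
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}")

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [values]} from a RADIUS Access-Request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20                           # attributes follow the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def classify(packet: bytes) -> tuple:
    """Return (method, User-Name, user_name_is_mac) for one request."""
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME, [b""])[0].decode("utf-8", "replace")
    stype = int.from_bytes(attrs.get(SERVICE_TYPE, [b""])[0], "big")
    if EAP_MESSAGE in attrs:
        method = "802.1X"        # the switch relayed an EAP frame from a supplicant
    elif stype == CALL_CHECK:
        method = "MAB"           # assumption: default Cisco MAB, no EAP-Message
    else:
        method = "unknown"
    return method, user, MAC_RE.fullmatch(user) is not None

def build_request(attrs) -> bytes:
    """Build a constructed Access-Request (zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: host name and MAC are placeholders, not values from the thread.
IDENT = b"host/pc01.example.test"
EAP_ID = struct.pack("!BBHB", 2, 1, 5 + len(IDENT), 1) + IDENT  # EAP-Response/Identity
DOT1X = build_request([(USER_NAME, IDENT), (SERVICE_TYPE, struct.pack("!I", FRAMED)),
                       (EAP_MESSAGE, EAP_ID)])
MAB = build_request([(USER_NAME, b"020000000001"),
                     (SERVICE_TYPE, struct.pack("!I", CALL_CHECK))])

if __name__ == "__main__":
    print(classify(DOT1X), classify(MAB))
```

A result of "MAB" for the workstation's MAC means the switch fell back to MAC authentication for that session, while "802.1X" with a MAC-shaped User-Name means the MAC arrived as the EAP identity itself.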