10-10-2012 05:34 AM - edited 03-10-2019 07:39 PM
Hi,
We have an issue with our deployment of mab...
We use the global and interface specific configuration below.
3.1. Global commands
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa authorization exec default local if-authenticated
aaa authorization commands 1 default local if-authenticated
aaa authorization commands 15 default local if-authenticated
dot1x system-auth-control
dot1x guest-vlan supplicant
dot1x critical eapol
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key xxxxx
radius-server vsa send accounting
radius-server vsa send authentication
3.2. Interface-specific commands
switchport mode access
switchport nonegotiate
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
authentication event fail action authorize vlan 20
authentication event server dead action authorize vlan 11
authentication event no-response action authorize vlan 20
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 3
dot1x max-req 1
storm-control broadcast level 1.00
storm-control multicast level 1.00
storm-control action shutdown
storm-control action trap
no cdp enable
no cdp tlv server-location
no cdp tlv app
spanning-tree portfast
Everything worked fine on our pilot switch, a 3750X (12.2(55)SE3). No problems at all.
Next we moved on to deploying MAB on 3560 switches (12.2(55)SE).
After configuring MAB, we saw that the PCs were behaving correctly, but some printers had a strange behaviour: they don't get authorized and the port goes into VLAN 1 (not connected). The NAC Guest Server puts printers in VLAN 10 according to the MAC address it receives; PCs are put in VLAN 11.
After we disable the MAB configuration and just configure "switchport access vlan 10" on the ports connected to a printer, they work fine after a reboot.
This is the result we get on the switch...
switch#sh auth sessions int fa 0/7
Interface: FastEthernet0/7
MAC Address: Unknown
IP Address: Unknown
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1045E40000F0501D6334EF
Acct Session ID: 0x0000F084
Handle: 0x6900005E
Runnable methods list:
Method State
mab Running
dot1x Not run
switch#ping 10.1.7.222 (ip printer)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.7.222, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
switch#sh mac address-table int fa 0/7
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
After configuring the port back to switchport access vlan 10
switch#sh mac address-table int fa 0/7
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 8887.174e.8557 DYNAMIC Fa0/7
Total Mac Addresses for this criterion: 1
sibhq-la-b0-ra2#
switch#ping 10.1.7.222
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.5.109, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
We have this issue on several switches. I tried removing the port-security and storm control, but without result.
Can anyone help me?
I've been cracking my head for weeks, but still no solution...
Thanks,
Best Regards,
Joris
10-10-2012 06:24 AM
Joris,
It looks like this issue was resolved in a later version of the IOS code.
CSCtt37202
If a client switch is authorized using MAC Authentication Bypass (MAB), and then by using the 802.1x standard and dynamic VLAN assignment, the MAC address of the switch is not updated in the MAC address table of slave switches.
The workaround is to not use both the 802.1x and dynamic VLAN assignment configurations for the client switch.
For more information, here are the release notes; it looks like you will have to upgrade the code:
Thanks,
Tarik Admani
*Please rate helpful posts*
10-10-2012 06:34 AM
Hello Tarik,
Thanks for your reply.
I forgot to mention that we already did an IOS upgrade on one of the 3560 switches to IOS 12.2(55)SE6, but without result.
The switch has the same behaviour.
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C3560-24PS 12.2(55)SE6 C3560-IPBASEK9-M
Best Regards,
Joris
09-04-2013 07:43 AM
Did you find the answer to this problem?
09-04-2013 09:13 AM
I had a similar problem. It seems that the printer sits in a dormant state, not sending any kind of traffic: no ARP, no gratuitous ARP, nothing. So I'm guessing the switch has nothing to base the authorization on.
Initially I changed the switchport setting to:
authentication control-direction in
With this line applied, if I browse to the printer, then presumably the outbound traffic looking for the IP address of the printer results in an ARP response from the printer; the switch gets to see the MAC address on the port and is able to authorize.
All works well.
I'd rather not have that line in there though, and would be neater if the printer automatically comes up.
This is going to be a printer-specific thing, but on my particular printer there was a setting:
ARP Broadcast Interval (mins): (0 presumably being off)
which I set to 1, and the printer now authorizes without any other intervention.
Now I'm guessing that after 10 months you've probably fixed your problem :-) but I thought I'd post in case anybody can add to this, or suggest similar issues with other more common printers. I've not seen any other problems yet.
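As an added illustration (not code from either poster), here is a small Python parser for the "show authentication sessions interface" output quoted earlier in the thread. It flags the "MAC Address: Unknown" plus "mab Running" pattern as a silent endpoint, which is exactly the dormant-printer case described above rather than a RADIUS reject. The sample outputs are constructed from the thread; the healthy port's MAC and IP are made-up values.

```python
# Constructed samples modelled on the 'show authentication sessions interface'
# output quoted in the thread; the healthy port's MAC and IP are made-up values.
STUCK_SESSION = """\
Interface: FastEthernet0/7
MAC Address: Unknown
Status: Running
Domain: UNKNOWN
Runnable methods list:
Method State
mab Running
dot1x Not run
"""
OK_SESSION = """\
Interface: FastEthernet0/8
MAC Address: 0011.2233.4455
Status: Authz Success
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
"""

def parse_auth_session(text):
    """'Key: Value' lines become fields; the runnable methods table becomes
    a nested dict under 'methods'."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods:
            if line != "Method State":  # skip the column header
                name, state = line.split(None, 1)
                methods[name] = state
        else:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields

def diagnose(session):
    """MAC 'Unknown' while MAB is still Running means the switch has seen no
    frames from the endpoint, so MAB had no source MAC to send to RADIUS."""
    if session.get("MAC Address") == "Unknown" and session["methods"].get("mab") == "Running":
        return "silent-endpoint"
    if session.get("Status") == "Authz Success":
        return "authorized"
    return "other"
```

Run diagnose() over each access port's session output; ports reported as "silent-endpoint" are candidates for the printer-side ARP interval fix or "authentication control-direction in" rather than for RADIUS troubleshooting.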