(Unknown MAC) on switchport

remco.gussen
Level 1

We configured 802.1x for the wired network. Some PCs and printers do not work. This is the message on the switch:

DOT1X-5-FAIL: Authentication failed for client (Unknown MAC)on interface fa0/1

All PCs work with digital certificates and EAP-TLS on the switches.

I don't understand why the switch doesn't see the real MAC address of the connected host.

Any ideas?

Regards

Remco

2 Replies

Jatin Katyal
Cisco Employee

Hi Remco,

Are those PCs and printers dot1x compatible?

If not, then MAB should be configured on the switch, and on the RADIUS server we should have the device MAC address added as the username and password.

"When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address."

The database should be configured in such a way that you can have the following entries for MAC authentication:

Username :

Password :

MAC address should be in a format, 004096a98dee

HTH

JK

Plz rate helpful posts-

~Jatin
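
Added example, not part of the original post or of Cisco's documentation: a Python sketch that normalizes an inventory of MAC addresses into the `004096a98dee` format given in the reply above and builds the username/password pair for each RADIUS entry, rejecting malformed, group and duplicate addresses. The function names, the inventory layout and the sample devices are assumptions made for illustration.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def mab_identity(mac: str) -> str:
    """Return the 12-hex-digit lowercase form of a MAC, e.g. 004096a98dee."""
    # Accept colon, hyphen and Cisco dotted notation by dropping separators.
    digits = re.sub(r"[.:\-\s]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Low bit of the first octet set = group (multicast/broadcast) address,
    # which is never the source MAC of a single host.
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"group address, not a host MAC: {mac!r}")
    return digits

def build_mab_entries(inventory):
    """Turn (device, mac) pairs into MAB entries; return (entries, rejects)."""
    entries, rejects, seen = [], [], {}
    for device, mac in inventory:
        try:
            ident = mab_identity(mac)
        except ValueError as exc:
            rejects.append((device, str(exc)))
            continue
        if ident in seen:
            rejects.append((device, f"duplicate of {seen[ident]}"))
            continue
        seen[ident] = device
        # For MAB the username and the password are both the MAC address.
        entries.append({"device": device, "username": ident, "password": ident})
    return entries, rejects

# Constructed sample inventory (hypothetical devices, not from the thread).
SAMPLE = [
    ("printer-1", "00:40:96:A9:8D:EE"),
    ("printer-1-dup", "0040.96a9.8dee"),
    ("pc-7", "00-1B-2C-3D-4E-5F"),
    ("bad-entry", "00:40:96:a9:8d"),
    ("broadcast", "ff:ff:ff:ff:ff:ff"),
]

if __name__ == "__main__":
    ok, bad = build_mab_entries(SAMPLE)
    for e in ok:
        print(f"{e['device']}: Username {e['username']} Password {e['password']}")
    for device, reason in bad:
        print(f"REJECTED {device}: {reason}")
```
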

They are dot1x compatible. Even if they were not, the switch must see the MAC address. Even with MAB, the switch shows that it is trying to authenticate a host with address (aabbccddeeff) by MAB. For some hosts, the switch doesn't see the MAC address, so it cannot do MAB authentication.