11-04-2009 04:49 AM - last edited on 03-25-2019 05:26 PM by ciscomoderator
We configured 802.1x for the wired network. Some PCs and printers do not work. This is the message on the switch:
DOT1X-5-FAIL: Authentication failed for client (Unknown MAC)on interface fa0/1
All PCs work with digital certificates and EAP-TLS on the switches.
I don't understand why the switch doesn't see the real MAC address of the connected host.
Any ideas?
Regards
Remco
11-04-2009 06:04 AM
Hi Remco,
Are those PCs and printers dot1x compatible?
If not, then MAB should be configured on the switch, and on the RADIUS server we should have the device MAC address added as the username and password.
"When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address."
The database should be configured in such a way that you can have the following entries for MAC authentication:
Username :
Password :
The MAC address should be in the format 004096a98dee
HTH
JK
Plz rate helpful posts-
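An added example, not part of the posts in this thread: one way to turn a device inventory into the MAB database entries described above, with the MAC as both username and password in the 004096a98dee format. The function names and the sample inventory are constructed for illustration, and the FreeRADIUS `users` file syntax is an assumption, since the thread does not name the RADIUS server.

```python
import re

# Accepts colon, hyphen, Cisco dotted (0040.96a9.8dee) and bare-hex notations.
_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits (e.g. 004096a98dee)."""
    mac = _SEPARATORS.sub("", raw.strip().lower())
    if not _HEX12.fullmatch(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(mac[:2], 16) & 0x01:
        # Group (multicast/broadcast) bit set: never a valid client source address.
        raise ValueError(f"multicast/broadcast address: {raw!r}")
    return mac


def mab_entries(inventory):
    """Build (username, password) pairs; collect rejects instead of failing."""
    entries, rejected, seen = [], [], set()
    for raw in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if mac not in seen:  # same device listed in two notations
            seen.add(mac)
            entries.append((mac, mac))
    return entries, rejected


def freeradius_users(entries):
    """Render entries in FreeRADIUS 'users' file syntax (assumed server)."""
    return "\n".join(f'{u} Cleartext-Password := "{p}"' for u, p in entries)


# Constructed sample inventory, not data from the thread.
SAMPLE = ["00:40:96:A9:8D:EE", "0040.96a9.8dee", "00-1B-2C-3D-4E-5F",
          "ff:ff:ff:ff:ff:ff", "00:40:96:a9:8d"]

if __name__ == "__main__":
    entries, rejected = mab_entries(SAMPLE)
    print(freeradius_users(entries))
    for reason in rejected:
        print("rejected:", reason)
```

Because the password is the MAC itself, these accounts should be restricted on the RADIUS server to MAB requests only and mapped to a limited VLAN or ACL.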
11-04-2009 06:42 AM
They are dot1x compatible. Even if they were not, the switch must see the MAC address. Even with MAB, the switch shows that it is trying to authenticate a host with address (aabbccddeeff) by MAB. For some hosts, the switch doesn't see the MAC address, so it cannot do a MAB authentication.