MAB on switch Authenticates but drops traffic

aevans
Level 1

I am implementing Cisco ACS 5.3 and have configured MAB for non-802.1x devices. When I connect my host I see that on the ACS it passes authentication, and the switch shows that it is authorised, but when I show the mac address on the port it says drop. When I look at the console logs I can see it is unable to add the address (see below).

 

switch(config)#int f4/0/30
switch(config-if)#shut
switch(config-if)#no shut
switch(config-if)#
Mar 21 10:09:40 GMT: %LINK-5-CHANGED: Interface FastEthernet4/0/30, changed state to administratively down
switch(config-if)#
Mar 21 10:09:43 GMT: %LINK-3-UPDOWN: Interface FastEthernet4/0/30, changed state to down
switch(config-if)#
Mar 21 10:16:27 GMT: %AUTHMGR-5-START: Starting 'mab' for client (0024.8c1e.36ee) on Interface Fa4/0/30 AuditSessionID AC1FFF11000000957F482268
Mar 21 10:16:27 GMT: %MAB-5-SUCCESS: Authentication successful for client (0024.8c1e.36ee) on Interface Fa4/0/30 AuditSessionID AC1FFF11000000957F482268
Mar 21 10:16:27 GMT: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0024.8c1e.36ee) on Interface Fa4/0/30 AuditSessionID AC1FFF11000000957F482268
switch(config-if)#
Mar 21 10:16:27 GMT: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 0024.8c1e.36ee on Fa4/0/30 AuditSessionID AC1FFF11000000957F482268
Mar 21 10:16:27 GMT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa4/0/30, new MAC address (0024.8c1e.36ee) is seen.AuditSessionID  AC1FFF11000000957F482268

Mar 21 10:16:28 GMT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0024.8c1e.36ee) on Interface Fa4/0/30 AuditSessionID AC1FFF11000000957F482268
switch(config-if)#
Mar 21 10:16:29 GMT: %LINK-3-UPDOWN: Interface FastEthernet4/0/30, changed state to up
Mar 21 10:16:30 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4/0/30, changed state to up

 

sh mac address int f4/0/30

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 214    0024.8c1e.36ee    DYNAMIC     Drop

My port configuration is:

 

interface FastEthernet4/0/30
 description -==User Ports==-
 switchport access vlan 214
 switchport mode access
 switchport nonegotiate
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
end

 

Has anybody encountered an issue similar to this? I am connecting a laptop which has its mac address added to the internal hosts on the ACS.

 

Thanks

 

Anthony
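As an added example (not part of the original post or of any reply), the script below parses switch syslog lines like the ones above together with `show mac address-table` output and flags any session where MAB reported success but the switch raised DOT1X_SWITCH-5-ERR_ADDING_ADDRESS and the MAC ended up in the Drop state. The sample input is constructed from the lines in the post; the second MAC-table row (0011.2233.4455 on Fa4/0/31) is an invented healthy entry used to show that only the failing port is reported.

```python
import re
from collections import defaultdict

# Constructed sample: the console lines quoted in the post (not captured live).
SAMPLE_SYSLOG = """\
Mar 21 10:16:27 GMT: %AUTHMGR-5-START: Starting 'mab' for client (0024.8c1e.36ee) on Interface Fa4/0/30 AuditSessionID AC1FFF11000000957F482268
Mar 21 10:16:27 GMT: %MAB-5-SUCCESS: Authentication successful for client (0024.8c1e.36ee) on Interface Fa4/0/30 AuditSessionID AC1FFF11000000957F482268
Mar 21 10:16:27 GMT: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0024.8c1e.36ee) on Interface Fa4/0/30 AuditSessionID AC1FFF11000000957F482268
Mar 21 10:16:27 GMT: %DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address 0024.8c1e.36ee on Fa4/0/30 AuditSessionID AC1FFF11000000957F482268
Mar 21 10:16:27 GMT: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface Fa4/0/30, new MAC address (0024.8c1e.36ee) is seen.AuditSessionID  AC1FFF11000000957F482268
Mar 21 10:16:28 GMT: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0024.8c1e.36ee) on Interface Fa4/0/30 AuditSessionID AC1FFF11000000957F482268
Mar 21 10:16:29 GMT: %LINK-3-UPDOWN: Interface FastEthernet4/0/30, changed state to up
"""

# Constructed sample of 'show mac address-table' output; the Fa4/0/31 row is invented.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 214    0024.8c1e.36ee    DYNAMIC     Drop
 214    0011.2233.4455    DYNAMIC     Fa4/0/31
"""

# Matches an IOS message header (%FACILITY-SEV-MNEMONIC), the client MAC and the
# AuditSessionID; lines without a MAC or a session ID (e.g. LINK-3-UPDOWN) are skipped.
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):.*?"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}).*?"
    r"AuditSessionID\s+(?P<session>[0-9A-F]+)"
)


def parse_syslog(text):
    """Group (facility, mnemonic, mac) events by AuditSessionID, in order of appearance."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            sessions[m["session"]].append((m["facility"], m["mnemonic"], m["mac"]))
    return dict(sessions)


def parse_mac_table(text):
    """Parse 'show mac address-table' rows into (vlan, mac, type, port) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            rows.append(tuple(parts))
    return rows


def find_silently_dropped(syslog_text, mac_table_text):
    """Return sessions that passed MAB but whose MAC could not be programmed.

    A session is reported when it carries both MAB-5-SUCCESS and
    DOT1X_SWITCH-5-ERR_ADDING_ADDRESS; 'in_drop_state' says whether the MAC
    table confirms the address is currently being dropped.
    """
    dropped = {mac for _, mac, _, port in parse_mac_table(mac_table_text) if port == "Drop"}
    findings = []
    for session, events in parse_syslog(syslog_text).items():
        kinds = {(facility, mnemonic) for facility, mnemonic, _ in events}
        mac = events[0][2]
        if ("MAB", "SUCCESS") in kinds and ("DOT1X_SWITCH", "ERR_ADDING_ADDRESS") in kinds:
            findings.append({"session": session, "mac": mac, "in_drop_state": mac in dropped})
    return findings


if __name__ == "__main__":
    for f in find_silently_dropped(SAMPLE_SYSLOG, SAMPLE_MAC_TABLE):
        print(f"session {f['session']}: {f['mac']} authenticated but not programmed "
              f"(MAC table Drop: {f['in_drop_state']})")
```

Because the authorisation-succeeded message arrives after the ERR_ADDING_ADDRESS message, watching only for AUTHMGR-5-SUCCESS on the switch or for a pass on the ACS gives a false sense that the port is working; correlating on the AuditSessionID catches the case the post describes.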

 

5 Replies

edelgado
Level 1

Hello,

 

Please see the following post; it might help.

 

https://supportforums.cisco.com/document/26336/dot1xswitch-5-erraddingaddress-error-message-appears-cisco-catalyst-3550-or-3750

 

If not, please provide the IOS version, the kind of device you are trying to authenticate, and if it is a phone, what OS is behind the phone. I used to work for TAC, and in fact these cases are not easy to solve.

 

Regards,

 

Erick Delgado

 

 

maverick-lamont
Level 1

Did you find the solution? I am having the same issue.

I left it with the customer to try on a different switch and am still awaiting confirmation. I will post the outcome when I hear back from them.

Saurav Lodh
Level 7

Error Message    DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address [enet] on [chars] AuditSessionID [chars]

Explanation    The client MAC address could not be added to the MAC address table because the hardware memory is full or the address is a secure address on another port. This message might appear if 802.1x is enabled. [enet] is the client MAC address, the first [chars] is the interface, and the second [chars] is the session ID.

Recommended Action    If hardware memory is full, remove some of the dynamic MAC addresses. If the client address is on another port, remove it from that port.

Amukta Ginni
Level 1

Hi Anthony,

 

Please check the auth sessions (authenticated or not):

sh authentication sessions interface <>

 

Then check whether the MAC entries are static or dynamic:

sh mac address-table static interface <>

sh mac address-table dynamic interface <>

 

Add a static entry to the MAC table and check the status:

mac address-table static <mac address> vlan <ID> interface <type number>
