05-01-2014 07:52 AM - edited 03-03-2019 07:22 AM
My organization has multiple 4500 series switches experiencing the same problem when attempting to authenticate devices via MAB. The issue is that the "show mab interface fax/x details" shows the Client MAC in a waiting status. The device is never sending the switch its MAC in order to proceed with MAB authentication, so of course the port never forwards traffic. However, if we remove authentication port-control auto the port starts forwarding and the device gains connectivity. Below is the interface configuration command and the MAB details. The IOS version of this current switch is 15.0(2)SG8. Are we missing something special for a 4500 as far as configuration is concerned?
interface FastEthernet8/16
description USER
switchport access vlan 600
switchport mode access
switchport nonegotiate
duplex full
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout tx-period 5
end
SWITCH-4510R#sh mab interface fa8/16 details
MAB details for FastEthernet8/16
-------------------------------------
Mac-Auth-Bypass = Enabled
MAB Client List
---------------
Client MAC = Waiting
Session ID = 841AF6D100002931AF99B827
MAB SM state = ACQUIRING
Auth Status = UNAUTHORIZED
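An added example, not part of the original post: since the symptom appears on multiple switches, this Python sketch parses collected "show mab interface ... details" output in the layout quoted above and lists the ports still waiting to learn a client MAC. The function names and the FastEthernet8/17 block are constructed for illustration, and the parser assumes only the field layout shown in the post.

```python
import re

# The Fa8/16 block is the output quoted in the post; the Fa8/17 block
# (MAC, session ID, states) is constructed for contrast.
SAMPLE = """\
MAB details for FastEthernet8/16
-------------------------------------
Mac-Auth-Bypass = Enabled
MAB Client List
---------------
Client MAC = Waiting
Session ID = 841AF6D100002931AF99B827
MAB SM state = ACQUIRING
Auth Status = UNAUTHORIZED
MAB details for FastEthernet8/17
-------------------------------------
Mac-Auth-Bypass = Enabled
MAB Client List
---------------
Client MAC = 0000.5e00.5301
Session ID = 000000000000000000000000
MAB SM state = TERMINATE
Auth Status = AUTHORIZED
"""
HEADER = re.compile(r"^MAB details for (\S+)$")
FIELD = re.compile(r"^([^=]+?)\s*=\s*(.*)$")

def parse_mab_details(text):
    """Return {interface: [client dicts]} from 'show mab ... details' text."""
    ports, iface, client = {}, None, None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            iface, client = m.group(1), None
            ports[iface] = []
            continue
        f = FIELD.match(line)
        if not f or iface is None:
            continue  # separator rows and text before the first header
        key, value = f.groups()
        if key == "Client MAC":  # each client entry starts with this field
            client = {}
            ports[iface].append(client)
        if client is not None:
            client[key] = value
    return ports

def stuck_ports(ports):
    """Interfaces where MAB has not yet learned a source MAC."""
    return sorted(i for i, cs in ports.items() if any(
        c.get("Client MAC") == "Waiting"
        and c.get("MAB SM state") == "ACQUIRING" for c in cs))
```
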
05-02-2014 03:53 PM
What's the order of authentication?
authentication order <mab | dot1x | webauth>
Good luck
01-28-2015 08:19 AM
I've tried with authentication order mab or the default, which I believe is dot1x, and I still get the same results.
01-28-2015 09:35 AM
Post your configs.
01-28-2015 11:53 AM
You might look into "authentication control-direction in".
I've had good luck with it in this type of scenario, if I'm understanding correctly.
02-02-2015 08:35 AM
Hello,
In my organization we have multiple 3560/2960 series switches and some 4500 with MAB.
The interfaces have the following config:
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer restart 120
authentication timer reauthenticate server
authentication timer inactivity 600
mab
dot1x pae authenticator
Good luck