Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
562
Views
0
Helpful
4
Replies

Multiple dot1x authentication request single port

NetAdmin305
Level 1
Level 1

‎03-29-2023 01:07 PM

Good Afternoon Community,
A couple of months ago we experienced an issue where one of our 2960x switches began sending over 1000 dot1x request with random mac addresses from a single port.  Even after shutting the port we were still seeing the over 1000 request when running command sh authentication session | i port number.  After some investigative work and teaming up with our Cyber and Physical Security Team, we narrowed it down to a possible end user docking station.  Since we replaced the users docking station we have not had an occurrence.  Today, another one of our sites began showing the same behavior.  What i find weird is that even after shutting the port, the authentication request on the 2960x kept incrementing even though i was no longer seeing the rejects on our Radius server.  So my questions are; Has anyone seen this before? Or could this be a possible bug.

Thanks for your time and comments.

Labels:
0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎03-29-2023 02:14 PM

If this single device you having issues, easy to identify where this MAC originating from?

Also what is the Code running on Switch, suggest limiting the MAC address on the port security settings, so if the port generates more than X  the port will be going shutdown due to violation.

post-show run ./ show version ( example of MAC address ?)

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame

‎03-29-2023 05:11 PM

@NetAdmin305 wrote:
Or could this be a possible bug.

A faulty docking station spamming random MAC address is definitely a "bug" with the docking station. 

Port security (Dynamic ARP Inspection), particularly with the command "ip arp inspection limit rate 100" might help.  

0 Helpful

NetAdmin305
Level 1
Level 1

‎03-29-2023 07:43 PM

Good to hear the faulty docking station theory is possible.  I just find it strange that the first time it happened it was exactly 1000 radius request to my radius server. Ill test out both recommendations. 

Thanks

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to NetAdmin305

‎03-30-2023 04:47 AM

Sure you can Limit the ARP or security config  - rather than flooded switch which can cause crashes also.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card