
Multiple dot1x authentication request single port

NetAdmin305
Level 1

Good Afternoon Community,
A couple of months ago we experienced an issue where one of our 2960x switches began sending over 1000 dot1x requests with random MAC addresses from a single port.  Even after shutting the port we were still seeing the over 1000 requests when running command sh authentication session | i port number.  After some investigative work and teaming up with our Cyber and Physical Security Team, we narrowed it down to a possible end user docking station.  Since we replaced the user's docking station we have not had an occurrence.  Today, another one of our sites began showing the same behavior.  What I find weird is that even after shutting the port, the authentication requests on the 2960x kept incrementing even though I was no longer seeing the rejects on our RADIUS server.  So my questions are: Has anyone seen this before? Or could this be a possible bug.

Thanks for your time and comments.


balaji.bandi
Hall of Fame

If this is a single device you are having issues with, is it easy to identify where this MAC is originating from?

Also, what is the code running on the switch? I suggest limiting the MAC addresses in the port security settings, so that if the port generates more than X, the port will shut down due to a violation.

Post show run / show version (example of MAC address?)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Leo Laohoo
Hall of Fame

@NetAdmin305 wrote:
Or could this be a possible bug.

A faulty docking station spamming random MAC addresses is definitely a "bug" with the docking station.

Port security (Dynamic ARP Inspection), particularly with the command "ip arp inspection limit rate 100" might help.  

NetAdmin305
Level 1

Good to hear the faulty docking station theory is possible.  I just find it strange that the first time it happened it was exactly 1000 RADIUS requests to my RADIUS server. I'll test out both recommendations.

Thanks

Sure, you can limit the ARP or security config, rather than having a flooded switch, which can also cause crashes.

 

BB
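
An added example, not part of any post in this thread: a small script that reads saved `show authentication sessions` output and flags ports carrying more distinct MAC addresses than expected, which is the symptom described in the question. The column layout of the sample, the threshold, and the function names are assumptions; the sample rows are constructed.

```python
import re
from collections import defaultdict

# Constructed sample output. The real column layout varies by IOS release,
# so the layout below is an assumption for this example.
SAMPLE = """\
Interface  MAC Address     Method  Domain   Status  Session ID
Gi1/0/5    0011.2233.4455  dot1x   DATA     Auth    0A0A0A0A0000000A
Gi1/0/7    3a5f.91c2.0b11  dot1x   UNKNOWN  Unauth  0A0A0A0A0000000B
Gi1/0/7    c27e.44d0.9a02  dot1x   UNKNOWN  Unauth  0A0A0A0A0000000C
Gi1/0/7    5e19.a0f3.77c3  dot1x   UNKNOWN  Unauth  0A0A0A0A0000000D
Gi1/0/7    5E19.A0F3.77C3  mab     UNKNOWN  Unauth  0A0A0A0A0000000E
"""

# Interface name (e.g. Gi1/0/7) followed by a MAC in Cisco dotted notation.
ROW = re.compile(
    r"^(?P<intf>[A-Za-z]+\d+(?:/\d+)*)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+"
)


def macs_per_port(text):
    """Map each interface to the set of distinct MACs with a session on it."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            ports[m["intf"]].add(m["mac"].lower())
    return dict(ports)


def flag_ports(text, max_macs=2):
    """Return {interface: distinct MAC count} for ports above max_macs.

    max_macs is a hypothetical threshold; pick one that fits the port's
    role (for instance, a phone plus a PC behind it).
    """
    return {
        intf: len(macs)
        for intf, macs in macs_per_port(text).items()
        if len(macs) > max_macs
    }


if __name__ == "__main__":
    for intf, count in sorted(flag_ports(SAMPLE).items()):
        print(f"{intf}: {count} distinct MAC addresses")
```

The same MAC seen under two methods (dot1x and mab) is counted once, so the count reflects distinct source addresses rather than session rows.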
