EARL and MAB

Gregory Jones
Level 1

We are currently running a Cisco 4500 (with limited L1 access to the switch via CNA only). We have MAB configured on it for VLAN 1. Occasionally we get a client who complains they were disconnected, only to see the port shut down because of what looks like a MAC address change. The device is a Wyse Zero Module client for VDI. The MAC address does not change on the switch, yet the syslog claims it does. Because of this, MAB shuts the port down (see below):

 

RADIUS is located in Europe, switchmgt.local is located in the US, 3Mb MPLS connection with L3 Encryption on the wire.  

Any ideas as to why this is happening?

Jan 22 21:07:54 switchmgt.local 5513351: Jan 22 15:07:38.485: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0080.64c0.c772) on Interface Gi10/7 AuditSessionID 000000000000026CBADD8C91
Jan 22 21:07:54 switchmgt.local 5513352: Jan 22 15:07:38.905: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0080.64c0.c772) on Interface Gi10/7 AuditSessionID 000000000000026CBADD8C91
Jan 22 23:38:55 switchmgt.local 5517688: Jan 22 17:38:31.285: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet10/7, new MAC address (2ac0.0400.8f1a) is seen.AuditSessionID  Unassigned
Jan 22 23:38:55 switchmgt.local 5517689: Jan 22 17:38:31.285: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet10/7, new MAC address (2ac0.0400.8f1a) is seen.AuditSessionID  Unassigned
Jan 22 23:38:55 switchmgt.local 5517690: Jan 22 17:38:31.285: %PM-4-ERR_DISABLE: security-violation error detected on Gi10/7, putting Gi10/7 in err-disable state
Jan 22 23:38:55 switchmgt.local 5517691: .Jan 22 17:38:31.285: %PM-4-ERR_DISABLE: STANDBY:security-violation error detected on Gi10/7, putting Gi10/7 in err-disable state
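
An added example, not part of the original post and not Cisco tooling: a Python triage of the syslog lines in the post above that pairs each security violation with the MAC previously authorized on that port and decodes the locally-administered and multicast bits of the offending address. The function names are hypothetical, and the sample is a subset of the posted lines with each message on one line.

```python
import re

# Subset of the log lines posted above, one message per line.
SAMPLE_LOG = """\
Jan 22 21:07:54 switchmgt.local 5513352: Jan 22 15:07:38.905: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0080.64c0.c772) on Interface Gi10/7 AuditSessionID 000000000000026CBADD8C91
Jan 22 23:38:55 switchmgt.local 5517688: Jan 22 17:38:31.285: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet10/7, new MAC address (2ac0.0400.8f1a) is seen.AuditSessionID  Unassigned
Jan 22 23:38:55 switchmgt.local 5517690: Jan 22 17:38:31.285: %PM-4-ERR_DISABLE: security-violation error detected on Gi10/7, putting Gi10/7 in err-disable state
"""

SUCCESS = re.compile(r"%AUTHMGR-5-SUCCESS: .*client \(([0-9a-f.]+)\) on Interface (\S+)")
VIOLATION = re.compile(r"%AUTHMGR-5-SECURITY_VIOLATION: .*interface (\S+), new MAC address \(([0-9a-f.]+)\)")
ERRDISABLE = re.compile(r"%PM-4-ERR_DISABLE: (?:STANDBY:)?security-violation error detected on (\S+),")

def short_ifname(name):
    """Normalize 'GigabitEthernet10/7' to 'Gi10/7' so messages can be joined."""
    return re.sub(r"^GigabitEthernet", "Gi", name)

def mac_flags(mac):
    """Decode the two low bits of the first octet of a Cisco dotted MAC."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return {"locally_administered": bool(first_octet & 0x02),
            "multicast": bool(first_octet & 0x01)}

def triage(log_text):
    """Pair each violation with the MAC that was authorized on that port."""
    authorized, findings = {}, {}
    for line in log_text.splitlines():
        if m := SUCCESS.search(line):
            authorized[short_ifname(m.group(2))] = m.group(1)
        elif m := VIOLATION.search(line):
            port, mac = short_ifname(m.group(1)), m.group(2)
            # Duplicate violation messages for the same port/MAC collapse to one finding.
            findings.setdefault((port, mac), {
                "port": port, "authorized_mac": authorized.get(port),
                "violating_mac": mac, "err_disabled": False, **mac_flags(mac)})
        elif m := ERRDISABLE.search(line):
            for f in findings.values():
                if f["port"] == m.group(1):
                    f["err_disabled"] = True
    return list(findings.values())

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the posted lines, the violating address 2ac0.0400.8f1a has the locally-administered bit set, so it was assigned by software rather than taken from a vendor-assigned range, while the authorized address 0080.64c0.c772 does not.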
1 Reply

Jatin Katyal
Cisco Employee

Provide the below listed information please:

1. Show running-configuration and version from the switch.

2. show run interface <interface-id> (the interface where the Wyse client is connected).

3. Is the WYSE ZERO client running in a virtual machine?

4. Did this ever work before? Are you aware of any changes being made recently?

 

Regards,

Jatin

 

 

 

 
