cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
258
Views
0
Helpful
4
Replies
Participant

MAB & Dot1x with NPS - new mac address is seen?

I've got a really strange issue going on with MAB & dot1x with ports going into security violation every now and again claiming a new mac address is seen. Problem is, I know for sure that the clients aren't being changed on the ports so I'm not sure where the new mac address is coming from?

 

The ports are using:

MAB for Cisco phones
Dot1x for clients behind the phones.

 

A typical error is:

%AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/8, new MAC address (90b1.1c68.3e5e) is seen.AuditSessionID 0A011CE300000DDBB3DEFE36

 

Interface config:

interface GigabitEthernet0/8
 description PORT 916
 switchport mode access
 switchport voice vlan 250
 authentication control-direction in
 authentication event fail retry 0 action authorize vlan 100
 authentication event server dead action authorize vlan 200
 authentication event no-response action authorize vlan 100
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable

 

There are no timeouts on the aaa servers and NPS is configured to use in following order:

1. Dot1x for windows group domain computers
2. MAB for Cisco phones for windows group Cisco Phones (not member of domain computers)

We're testing with a 3560 (old but with 15.2) and a 2960s-psl (using 15.2) and we're getting the same issue so I'm convinced it's some sort of mis config rather than the switches/firmware

I'm a little lost to what's occurring here so any pointers would be appreciated.

4 REPLIES 4
Participant

Re: MAB & Dot1x with NPS - new mac address is seen?

Even more strange is over the last 24 hours I've seen the new mac address seen as:

90b1.1c64.cdb5
90b1.1c64.3e5e

90b1.1c64.935d

and the client hasn't been changed. the first 2 are jumping between g0/8 & G0/9?

 

VIP Advisor

Re: MAB & Dot1x with NPS - new mac address is seen?

what is the device connected to this port - interface GigabitEthernet0/8 ? 

 

BB
*** Rate All Helpful Responses ***
Highlighted
Participant

Re: MAB & Dot1x with NPS - new mac address is seen?

All port have Cisco 6921 phones with Dell Pc's behind them.

I think I may have found the culprit.......SCCM wake up proxy.

 

I was seeing mac addresses of different pc's switching to different ports even though those pc's were not physically doing it. So I started to think "mac flap" which finally lead me to this post:

https://community.cisco.com/t5/switching/mac-address-flapping-and-sccm-wake-up-proxy/td-p/2240432

So, into SCCM and disabled M$ version of wake on lan called "Wake up proxy" and since that, all appears ok.

Early days yet but it's looking promising. Microsoft strikes again!!!

 

VIP Advisor

Re: MAB & Dot1x with NPS - new mac address is seen?

Glad you found the issue, i was guessing some VM in the PC, like hyper-visor.

 

BB
*** Rate All Helpful Responses ***