
(802.1x) MAC-Auth not working behind 8 Port Switch

NBs
Level 1

Hey there,

I've got a small problem and hope to get some advice.

We are using a self-programmed switcher tool which disables cert-auth and forces the laptops to auth via MAC address to get into another VLAN than the default. This is working just fine when the laptop is directly connected to the 3650 or if it is behind a Cisco IP Phone.

If there is an 8-port switch in between, MAC-Auth stops working.

The same setup works with our Brocade/Ruckus switches.

 

Info: IPs, MACs and VLAN IDs are not the original ones.


Affected Switches: WS-C3650 (SW: 16.12.3a)

Here is an example of our interface config:

 

interface GigabitEthernet1/0/24
 network-policy 1
 switchport access vlan 501
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 10
 switchport port-security violation restrict
 switchport port-security aging time 3
 switchport port-security aging type inactivity
 switchport port-security
 no cdp enable
 authentication event fail action next-method
 authentication event no-response action authorize vlan 504
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 3600
 authentication violation restrict
 mab
 trust device cisco-phone
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 auto qos voip cisco-phone 
 spanning-tree portfast
 spanning-tree guard root
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
 ip verify source
end

I already tried with

no switchport port-security aging time 3
no switchport port-security aging type inactivity

And setting this on the interface did not help either:

ip arp inspection trust 
ip dhcp snooping trust 

And here is an example of the log while trying to auth via MAC through the Switch:

Aug 3 2021 07:34:11.802 UTC: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (xxxx.yyyy.zzzz) with reason (No Response from Client) on Interface Gi1/0/36 AuditSessionID B002020A000022AF0AF111F3
Aug 3 2021 07:34:11.803 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: sessmgrd: Starting 'mab' for client (xxxx.yyyy.zzzz) on Interface GigabitEthernet1/0/36 AuditSessionID B002020A000022AF0AF111F3
Aug 3 2021 07:34:11.851 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: sessmgrd: Authorization succeeded for client (xxxx.yyyy.zzzz) on Interface GigabitEthernet1/0/36 AuditSessionID B002020A000022AF0AF111F3
Aug 3 2021 07:34:17.344 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/36, vlan 504.([xxxx.yyyy.zzzz/192.168.1.100/0000.0000.0000/192.168.1.1/09:34:13 CET Tue Aug 3 2021])

ip dhcp snooping vlan 501,504
no ip dhcp snooping information option
ip dhcp snooping database tftp://192.168.99.200/dhcp-snooping-db
ip dhcp snooping database write-delay 21600
ip dhcp snooping
ip arp inspection vlan 501,504
ip arp inspection log-buffer entries 128
ip arp inspection log-buffer logs 5 interval 60

For me it seems that the "table" switch gets no info to drop the MAC out of its MAC table, and that's why DHCP snooping comes into play.

 

So, any guesses besides disabling the snooping option?
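The log excerpt shows the sequence a defender wants to catch here: dot1x times out, MAB authorizes the client, and seconds later DAI drops the client's ARP because there is no DHCP snooping binding for its IP in the assigned VLAN. The script below is an added example (not part of the post and not a Cisco tool) that correlates those syslog lines per port and MAC; the 60-second window is an assumption, and the sample log is constructed from the anonymised lines in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the lines quoted in the post (MAC anonymised there).
SAMPLE_LOG = """\
Aug 3 2021 07:34:11.802 UTC: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (xxxx.yyyy.zzzz) with reason (No Response from Client) on Interface Gi1/0/36 AuditSessionID B002020A000022AF0AF111F3
Aug 3 2021 07:34:11.803 UTC: %SESSION_MGR-5-START: Switch 1 R0/0: sessmgrd: Starting 'mab' for client (xxxx.yyyy.zzzz) on Interface GigabitEthernet1/0/36 AuditSessionID B002020A000022AF0AF111F3
Aug 3 2021 07:34:11.851 UTC: %SESSION_MGR-5-SUCCESS: Switch 1 R0/0: sessmgrd: Authorization succeeded for client (xxxx.yyyy.zzzz) on Interface GigabitEthernet1/0/36 AuditSessionID B002020A000022AF0AF111F3
Aug 3 2021 07:34:17.344 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/36, vlan 504.([xxxx.yyyy.zzzz/192.168.1.100/0000.0000.0000/192.168.1.1/09:34:13 CET Tue Aug 3 2021])
"""

# Timestamp, syslog mnemonic and message body; sub-second digits are dropped.
HEAD = re.compile(r"^(\w{3} +\d+ \d{4} \d\d:\d\d:\d\d)\.\d+ \w+: %([A-Z0-9_]+-\d-[A-Z_]+): (.*)$")
START = re.compile(r"Starting '(\w+)' for client \((\S+)\) on Interface (\S+)")
SUCCESS = re.compile(r"Authorization succeeded for client \((\S+)\) on Interface (\S+)")
DAI_DENY = re.compile(r"Invalid ARPs \((\w+)\) on (\S+), vlan (\d+)\.\(\[([^/]+)/([^/]+)/")


def norm_iface(name):
    """Session manager logs 'GigabitEthernet1/0/36', DAI logs 'Gi1/0/36': fold to one key."""
    return name.replace("GigabitEthernet", "Gi")


def correlate(log, window=timedelta(seconds=60)):
    """Return one finding per MAC that was authorized on a port and then had ARP denied by DAI."""
    method = {}      # (iface, mac) -> last auth method started (dot1x / mab)
    authorized = {}  # (iface, mac) -> timestamp of the last SESSION_MGR-5-SUCCESS
    findings = []
    for line in log.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        mnemonic, body = m.group(2), m.group(3)
        if mnemonic == "SESSION_MGR-5-START" and (s := START.search(body)):
            method[(norm_iface(s.group(3)), s.group(2))] = s.group(1)
        elif mnemonic == "SESSION_MGR-5-SUCCESS" and (s := SUCCESS.search(body)):
            authorized[(norm_iface(s.group(2)), s.group(1))] = ts
        elif mnemonic == "SW_DAI-4-DHCP_SNOOPING_DENY" and (d := DAI_DENY.search(body)):
            key = (norm_iface(d.group(2)), d.group(4))
            auth_ts = authorized.get(key)
            # Only flag a deny that follows a fresh authorization of the same MAC on the same port.
            if auth_ts is not None and ts - auth_ts <= window:
                findings.append({
                    "interface": key[0], "mac": key[1], "method": method.get(key, "?"),
                    "vlan": int(d.group(3)), "sender_ip": d.group(5),
                    "seconds_after_authz": (ts - auth_ts).total_seconds(),
                })
    return findings
```

A finding means the session was authorized into a VLAN in which the client's IP has no snooping binding, which is the symptom to investigate before touching the DAI or snooping configuration.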

3 Replies

pieterh
VIP

Just to be sure: did you authorize the MAC of the 8-port switch itself?

second:

Aug 3 2021 07:34:17.344 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/36, vlan 504.([xxxx.yyyy.zzzz/192.168.1.100/0000.0000.0000/192.168.1.1/09:34:13 CET Tue Aug 3 2021])

Is VLAN 504 dynamically assigned to this MAC? Multiple VLANs will not work on an access port!

switchport access vlan 501
 switchport mode access

-> change the port Gi1/0/36 to trunk

 

There is no need to auth the switch MAC. It's unmanaged and therefore there is no MAC to be authenticated.

 

Is VLAN 504 dynamically assigned to this MAC? This will not work on an access port!

 

504 is dynamically assigned. If the MAC is associated with this VLAN (Clearpath sends the appropriate answer), the switch will offer VLAN 504 to the access port. It works flawlessly without the unmanaged switch; currently we only have one type of desk switch (HP1420) to work with.

 

-> change the port Gi1/0/36 to trunk

 

It's a normal access port, isn't trunk mode the wrong option here?
I disabled

network-policy 1

and set the mode to trunk: no change in behavior.

>>> There is no need to auth the switch MAC. It's unmanaged and therefore there is no MAC to be authenticated. <<<
This statement is wrong! Even a dumb switch needs a MAC address to send BPDU packets for spanning-tree detection!

 

>>> isn't trunk mode the wrong option here? <<<
As I said, on an access port there cannot be VLAN 501 and 504 active at the same time
(the exception is if one of them is the voice VLAN),
so if the switch's MAC is unauthenticated in VLAN A then the PC's MAC cannot be authenticated in VLAN B.
