
A few MAC addresses are hidden on the Cisco C3750 Version 15.0(2)SE6

pascalmarti
Level 1

Hello,

I want to apply 802.1x on my switch. Some PCs are authenticated with a certificate, the printers with their MAC address (MAB) => no problem.

But when I check some ports to find the equipment on the DHCP server, some ports are without a MAC address:

When I remove the 802.1x configuration on the port, the MAC address still does not appear. In the sh log after a shut / no shut, the MAC address does not appear.

Does anyone know a tip to force the MAC address to appear on the switch?

With 802.1x on the port (the authentication succeeds because I permit the user VLAN with the 802.1x guest in the same VLAN):

SWITCH#sh authentication sessions

Interface  MAC Address     Method   Domain   Status         Session ID
Fa1/0/16   (unknown)       N/A      DATA     Authz Success  0A060AFC000000060002A5CE
Fa1/0/13   (unknown)       N/A      DATA     Authz Success  0A060AFC00003CC14A1DABFB
Fa1/0/5    (unknown)       N/A      DATA     Authz Success  0A060AFC00003CCA4A419274
Fa1/0/2    (unknown)       N/A      DATA     Authz Success  0A060AFC00003CE34A907735
Fa1/0/15   (unknown)       N/A      DATA     Authz Success  0A060AFC00003D0E4DACE43A

It is empty :

SWITCH#sh mac address-table interface fa 1/0/5
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

Thanks,

Pascool :-)

6 Replies

roor
Cisco Employee

Can you please paste the output of "show auth sess int fa1/0/5 detail"?

Regards,

Roopa

Hello Roor,

You can find it here:

sh authentication sessions interface fa 1/0/5
            Interface:  FastEthernet1/0/5
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  100
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A060AFC00003CCA4A419274
      Acct Session ID:  0x00003CE9
               Handle:  0xD0000D2E

Runnable methods list:
       Method   State
       dot1x    Failed over

And the sh run:

interface FastEthernet1/0/5
 switchport access vlan 100
 switchport mode access
 authentication event fail action authorize vlan 100
 authentication event server dead action authorize vlan 100
 authentication event no-response action authorize vlan 100
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 4
 dot1x max-reauth-req 3
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 50
end

Pascool :-)

Hi,

From the outputs shared, it looks like the device has failed dot1x authentication and the authentication is configured in closed mode. Hence the switch does not learn its MAC address, which is expected.

HTH,

Roopa

Hi, but without 802.1x applied on the port, the MAC address does not appear either.

And so, with 802.1x applied on all ports, I can see some MAC addresses. Only a few are not visible, and the configuration is the same on the whole switch.

Thanks, Pascool ;-)

When you say without dot1x enabled, can you share the config on that interface? Also, can you share the config of the interface where you see the MAC addresses learned, and the "show auth sess" as well?

Thanks,

Roopa

Hello,

I do not apply dot1x on int fa 1/0/34:

interface FastEthernet1/0/34
 switchport access vlan 100
 switchport mode access
 authentication periodic
 no snmp trap link-status
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 50
end

SUB-GRA-SW03#sh mac address-table interface fa 1/0/34
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

SUB-GRA-SW03#sh authentication sessions interface fa 1/0/34
No Auth Manager contexts match supplied criteria

=> normal.

SUB-GRA-SW03#sh authentication sessions

Interface  MAC Address     Method   Domain   Status         Session ID
Fa1/0/22   (unknown)       N/A      DATA     Authz Success  0A060AFB0005BD7CAF6A3201
Fa1/0/29   (unknown)       N/A      DATA     Authz Success  0A060AFB0005BE5ABDD2D5E0
Fa1/0/15   6c62.6d87.6a6a  dot1x    DATA     Authz Success  0A060AFB000445E1CC3D0C4D
Fa1/0/7    000b.ab21.3828  mab      DATA     Authz Success  0A060AFB0005BC7AA41F0092
Fa1/0/17   d4be.d94f.a0b3  dot1x    DATA     Authz Success  0A060AFB0005BE55BD7FE119
Fa1/0/10   28d2.444c.ad81  dot1x    DATA     Authz Success  0A060AFB0005BE39BCFCCE1C
Fa1/0/43   28d2.445e.86ab  dot1x    DATA     Authz Success  0A060AFB0005BE4EBD6A9385
Fa1/0/46   28d2.4451.4371  dot1x    DATA     Authz Success  0A060AFB0005BE5FBE11F4DB
Fa1/0/47   38ea.a708.1d29  mab      DATA     Authz Success  0A060AFB0005BC0E9F886DCE
Fa1/0/25   f8b1.56aa.186d  dot1x    DATA     Authz Success  0A060AFB0005BE27BCDF0257
Fa1/0/39   0020.6b7a.502d  mab      DATA     Authz Success  0A060AFB0005BE59BDCFF340
Fa1/0/11   8851.fb4d.13b2  dot1x    DATA     Authz Success  0A060AFB0005BE2DBCF8F987
Fa1/0/21   28d2.444c.ac17  dot1x    DATA     Authz Success  0A060AFB0005BE2ABCF538C5
Fa1/0/16   f8b1.56aa.c11c  dot1x    DATA     Authz Success  0A060AFB0005BE36BCFBCDB3
Fa1/0/18   0000.aaa6.5fb5  mab      DATA     Authz Success  0A060AFB0005B7F59F6AD983
Fa1/0/23   0000.74ca.6691  mab      DATA     Authz Success  0A060AFB0005BB1F9F7939C0

* The conf on an interface with dot1x and where the MAC address is learned:

SUB-GRA-SW03#sh authentication sessions interface fa 1/0/15
            Interface:  FastEthernet1/0/15
          MAC Address:  6c62.6d87.6a6a
           IP Address:  10.6.100.27
            User-Name:  host/GRATH-SEC01.eu.edfencorp.net
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  3600s (local), Remaining: 1572s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0A060AFB000445E1CC3D0C4D
      Acct Session ID:  0x000445EF
               Handle:  0x9000080A

Runnable methods list:
       Method   State
       dot1x    Authc Success

* The conf on the interface with dot1x but with the MAC address empty:

SUB-GRA-SW03#sh authentication sessions interface fa 1/0/22
            Interface:  FastEthernet1/0/22
          MAC Address:  Unknown
           IP Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Guest Vlan
          Vlan Policy:  100
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A060AFB0005BD7CAF6A3201
      Acct Session ID:  0x0005BDA3
               Handle:  0x11000339

Runnable methods list:
       Method   State
       dot1x    Failed over
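
Added example, not part of the original thread or of any participant's reply: a Python script that parses the two "sh authentication sessions" views posted above and lists the ports that are in Authz Success although no endpoint was identified, which is the Guest Vlan fallback case discussed here. The sample text is copied from the output in the thread; the function names are hypothetical.

```python
import re

# Rows and fields copied from the switch output posted in this thread.
SESSIONS = """\
Interface  MAC Address     Method   Domain   Status         Session ID
Fa1/0/22   (unknown)       N/A      DATA     Authz Success  0A060AFB0005BD7CAF6A3201
Fa1/0/29   (unknown)       N/A      DATA     Authz Success  0A060AFB0005BE5ABDD2D5E0
Fa1/0/15   6c62.6d87.6a6a  dot1x    DATA     Authz Success  0A060AFB000445E1CC3D0C4D
Fa1/0/7    000b.ab21.3828  mab      DATA     Authz Success  0A060AFB0005BC7AA41F0092
"""
DETAIL = """\
            Interface:  FastEthernet1/0/22
          MAC Address:  Unknown
            User-Name:  UNRESPONSIVE
               Status:  Authz Success
        Authorized By:  Guest Vlan
          Vlan Policy:  100
"""

ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>\(unknown\)|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>.+?)\s+(?P<sid>[0-9A-F]{24})$",
    re.IGNORECASE,
)

def parse_sessions(text):
    """Parse the summary table; the header line does not match ROW and is skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ROW.match(line.strip()))]

def unidentified_authorized(rows):
    """Interfaces that are authorized although the switch identified no endpoint."""
    return [r["intf"] for r in rows
            if r["status"] == "Authz Success" and r["mac"].lower() == "(unknown)"]

def parse_detail(text):
    """Parse 'Key:  value' lines of the per-interface view into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def is_fallback(detail):
    """True when access was granted by something other than the authentication server."""
    return (detail.get("Status") == "Authz Success"
            and detail.get("Authorized By") != "Authentication Server")

if __name__ == "__main__":
    print(unidentified_authorized(parse_sessions(SESSIONS)))
    print(is_fallback(parse_detail(DETAIL)))
```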
