Cisco 9300 tries to authenticate client MAC and not AP MAC

We have a stack of 2 9300L, running ISE port config.

Wireless APs on site are authenticated via MAC Auth; when authenticated, a macro with the applicable config is applied.

The AP will work fine for a short while, authenticated etc., but then the switchport will see a client MAC address, mark the port as Unauthenticated, and cause the AP to drop from the controller.

This only seems to be happening on these 2 9300Ls; the rest of the site is on 3850s running the same setup with no issues.

Port config once macro applied:

interface GigabitEthernet2/0/9
description ***** Aerohive Access Point *****
switchport access vlan xxx
switchport trunk native vlan xxx
switchport trunk allowed vlan xxxxxxxxxxxxxxxxxx
switchport trunk allowed vlan add xxxxxxxxxxxxx
switchport mode trunk
switchport nonegotiate
ip flow monitor PrimeNFMon input
no logging event link-status
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate 1800
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 3
macro description AEROHIVE_ACCESS_POINT
spanning-tree portfast trunk

8 Replies

Do you have a WLC?

Yes, but not Cisco, it's Extreme.

Then auth via WLC, not via SW.
It's hard, what you try here with SW.

The clients are supposed to go via the WLC, but for some reason they are all getting sent to ISE.

The APs are meant to authenticate via ISE, which works fine on other switch models.

Share the config of the other SW.

Port config from a 3850:

interface GigabitEthernet1/0/23
description ***** Aerohive Access Point *****
switchport access vlan 106
switchport trunk native vlan 910
switchport trunk allowed vlan 150-152,203,207,550-553,805,809,810,815,816,818
switchport trunk allowed vlan add 899,910-918,991-994
switchport mode trunk
switchport nonegotiate
ip flow monitor PrimeNFMon input
no logging event link-status
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-host
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate 1800
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 3
macro description AEROHIVE_ACCESS_POINT
spanning-tree portfast trunk
end

Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 910    c413.e255.d480    STATIC      Gi1/0/23
 911    c413.e255.d480    DYNAMIC     Gi1/0/23

With clients connected, it only shows the 2 MACs of the AP: 1 in the native VLAN and 1 in the mgmt VLAN.

9300 port config:

interface GigabitEthernet1/0/10
description ***** Aerohive Access Point *****
switchport access vlan 109
switchport trunk native vlan 910
switchport trunk allowed vlan 150-152,203,207,550-553,805,809,810,815,816,818
switchport trunk allowed vlan add 899,910-918,991-994
switchport mode trunk
switchport nonegotiate
ip flow monitor PrimeNFMon input
no logging event link-status
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate 1800
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 3
macro description AEROHIVE_ACCESS_POINT
spanning-tree portfast trunk
end

Hi

Take a look at this guide. It describes a very similar setup. You may find something missing.

The command "authentication host-mode multi-host" is there to allow client MAC addresses to pass through the interface without causing problems, but you may be missing something else.

I assume you have the command "aaa authorization network", right?

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html


I enabled the command authentication host-mode multi-host on one of the switchports; what it's doing now is authenticating the MAC of the AP for the native VLAN but dropping all else. I am unsure why it is sending all clients to ISE.

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 551    1002.b595.0277    DYNAMIC     Drop
 551    b89a.2aaa.9ee8    DYNAMIC     Drop
 910    c413.e25a.8d40    STATIC      Gi1/0/10
 911    c413.e25a.8d40    DYNAMIC     Drop
 991    6204.e7eb.b5ac    DYNAMIC     Drop
 991    6634.a264.555f    DYNAMIC     Drop
 991    e0d0.8329.e9e5    DYNAMIC     Drop
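As an added example (not part of the thread), a small Python helper that does the two checks this discussion keeps coming back to: pull the `authentication host-mode` out of each interface config and list any sub-command present on only one of them, and parse `show mac address-table` output to report which learned MACs the switch is putting in Drop. The sample configs and table are constructed from the outputs posted above, trimmed to the relevant lines.

```python
import re

# Constructed sample: the interface sub-commands that differ between the two
# posted configs (3850 Gi1/0/23 vs 9300 Gi1/0/10); all other lines were identical.
CFG_3850 = """interface GigabitEthernet1/0/23
 switchport mode trunk
 authentication host-mode multi-host
 authentication order mab dot1x
 mab
"""
CFG_9300 = """interface GigabitEthernet1/0/10
 switchport mode trunk
 authentication host-mode multi-auth
 authentication order mab dot1x
 mab
"""
# Constructed sample: a subset of the 'show mac address-table' rows posted for Gi1/0/10.
MAC_TABLE_9300 = """Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 551    1002.b595.0277    DYNAMIC     Drop
 551    b89a.2aaa.9ee8    DYNAMIC     Drop
 910    c413.e25a.8d40    STATIC      Gi1/0/10
 911    c413.e25a.8d40    DYNAMIC     Drop
 991    6204.e7eb.b5ac    DYNAMIC     Drop
"""
# One data row: VLAN, dotted-hex MAC, learn type, port (or 'Drop').
MAC_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def config_lines(cfg):
    """Interface sub-commands as a set; the 'interface ...' header is skipped."""
    lines = (ln.strip() for ln in cfg.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("interface ")}

def host_mode(cfg):
    """Configured 'authentication host-mode' value, or None if the line is absent."""
    for ln in config_lines(cfg):
        if ln.startswith("authentication host-mode "):
            return ln.split()[-1]
    return None

def config_diff(cfg_a, cfg_b):
    """Sub-commands present in exactly one of the two interface configs."""
    return sorted(config_lines(cfg_a) ^ config_lines(cfg_b))

def parse_mac_table(text):
    """Parse 'show mac address-table' rows into (vlan, mac, type, port) tuples."""
    rows = [MAC_RE.match(ln) for ln in text.splitlines()]
    return [(int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)) for m in rows if m]

def dropped_macs(text):
    """(vlan, mac) pairs the switch has learned but is dropping on the port."""
    return [(vlan, mac) for vlan, mac, _, port in parse_mac_table(text) if port == "Drop"]
```

Run against the full outputs from both switches, `config_diff` isolates the `multi-host` / `multi-auth` line and `dropped_macs` shows every client behind the AP that the 9300 is refusing to forward.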