MAB Auth issue with multiple MAC on the same interface

Hello,

I'm trying to connect an intercom with 2 MAC addresses (one for the voice and the other for the video) to a switch 2960X with 802.1X and MAB enabled.

This is the configuration on the port where the device is connected to:

interface GigabitEthernet1/0/21
description User/VoIP-Port <LS:C>
switchport access vlan 100
switchport mode access
switchport nonegotiate
switchport voice vlan 116
ip flow monitor FLOWMON-IN sampler FLOWSAMPLER input
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize vlan 100
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout server-timeout 10
dot1x timeout tx-period 2
dot1x timeout supp-timeout 2
dot1x max-req 3
storm-control broadcast level 1.00
storm-control multicast level 5.00
storm-control action shutdown
storm-control action trap
no cdp enable
spanning-tree portfast
ip dhcp snooping limit rate 20

This device is properly authenticated with MAB:

sh authentication sessions interface g1/0/21

Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi1/0/21   0007.d81a.1020  mab     DATA    Auth        0AC03008000013C089606CD1
Gi1/0/21   000c.ab41.05f4  mab     DATA    Auth        0AC03008000013C189606D48

But after a period of time (around 4 min), both MACs are de-authenticated and then authenticated again, which causes reachability issues for a while:

sh authentication sessions interface g1/0/21

Interface  MAC Address     Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi1/0/21   0007.d81a.1020  mab     DATA    Auth        0AC03008000013C089606CD1
Gi1/0/21   000c.ab41.05f4  mab     DATA    Auth        0AC03008000013C189606D48

Jun 16 14:13:20.368 MEST: %DOT1X-5-FAIL: Authentication failed for client (0007.d81a.1020) on Interface Gi1/0/21 AuditSessionID 0AC03008000013BA895CBB7C
Jun 16 14:13:20.368 MEST: %DOT1X-5-FAIL: Authentication failed for client (000c.ab41.05f4) on Interface Gi1/0/21 AuditSessionID 0AC03008000013BB895CBD5B
Jun 16 14:17:22.367 MEST: %DOT1X-5-FAIL: Authentication failed for client (0007.d81a.1020) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C089606CD1
Jun 16 14:17:22.367 MEST: %DOT1X-5-FAIL: Authentication failed for client (000c.ab41.05f4) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C189606D48
Jun 16 14:21:23.055 MEST: %DOT1X-5-FAIL: Authentication failed for client (0007.d81a.1020) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C8896418F8
Jun 16 14:21:24.079 MEST: %DOT1X-5-FAIL: Authentication failed for client (000c.ab41.05f4) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C989641D0A

What is the cause of this behavior and how to fix it?

Thank you for your support.

Emmanuel
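
Added example (not part of the original post): a short Python script that parses the %DOT1X-5-FAIL lines quoted above, groups them by interface and client MAC, and reports the gap between failures and whether each failure carries a new AuditSessionID. The function names, the 5-second tolerance and the assumed year are choices made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the post above (IOS syslog omits the year).
LOG = """\
Jun 16 14:13:20.368 MEST: %DOT1X-5-FAIL: Authentication failed for client (0007.d81a.1020) on Interface Gi1/0/21 AuditSessionID 0AC03008000013BA895CBB7C
Jun 16 14:13:20.368 MEST: %DOT1X-5-FAIL: Authentication failed for client (000c.ab41.05f4) on Interface Gi1/0/21 AuditSessionID 0AC03008000013BB895CBD5B
Jun 16 14:17:22.367 MEST: %DOT1X-5-FAIL: Authentication failed for client (0007.d81a.1020) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C089606CD1
Jun 16 14:17:22.367 MEST: %DOT1X-5-FAIL: Authentication failed for client (000c.ab41.05f4) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C189606D48
Jun 16 14:21:23.055 MEST: %DOT1X-5-FAIL: Authentication failed for client (0007.d81a.1020) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C8896418F8
Jun 16 14:21:24.079 MEST: %DOT1X-5-FAIL: Authentication failed for client (000c.ab41.05f4) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C989641D0A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}) \S+: %DOT1X-5-FAIL: "
    r"Authentication failed for client \((?P<mac>[0-9a-f.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)

def parse(text, year=2000):
    """Group failure events by (interface, MAC); `year` is an assumed value."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events[(m["intf"], m["mac"])].append((ts, m["sid"]))
    return events

def summarize(events, tolerance=5.0):
    """Per client: gaps between failures, periodicity, and session-ID churn."""
    report = {}
    for key, evs in events.items():
        evs = sorted(evs)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        report[key] = {
            "failures": len(evs),
            "gaps_s": gaps,
            # Periodic: at least two gaps that agree within `tolerance` seconds.
            "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance,
            # True when every failure was logged under a different session ID.
            "new_session_each_time": len({sid for _, sid in evs}) == len(evs),
        }
    return report

if __name__ == "__main__":
    for (intf, mac), result in summarize(parse(LOG)).items():
        print(intf, mac, result)
```

On the six lines from the post it reports three failures per MAC, gaps of about 241 seconds, and a different AuditSessionID on every failure.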

TerryBjorke1391
Level 1

I believe the command you are looking for is the switchport port-security.

You need to put the max # of macs you wish to connect here.

int gig 2/0/1
description ###  Userport ***
switchport access vlan 100
switchport port-security maximum 2

julianparkin
Level 1

Hi,

I know this is an old thread but the answer that's just worked for me is:

interface GigabitEthernet1/0/21
authentication host-mode multi-auth

Julian

Hevin27
Level 1

Hi Emmanuel Alexandre,

Did you find the reason? I also have this problem.