06-19-2020 05:25 AM
Hello,
I'm trying to connect an intercom with 2 MAC addresses (one for the voice and the other for the video) to a switch 2960X with 802.1X and MAB enabled.
This is the configuration on the port the device is connected to:
interface GigabitEthernet1/0/21
 description User/VoIP-Port <LS:C>
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 116
 ip flow monitor FLOWMON-IN sampler FLOWSAMPLER input
 no logging event link-status
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation replace
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout server-timeout 10
 dot1x timeout tx-period 2
 dot1x timeout supp-timeout 2
 dot1x max-req 3
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action shutdown
 storm-control action trap
 no cdp enable
 spanning-tree portfast
 ip dhcp snooping limit rate 20
This device is properly authenticated with MAB:
sh authentication sessions interface g1/0/21
Interface    MAC Address    Method  Domain  Status Fg  Session ID
----------------------------------------------------------------------
Gi1/0/21     0007.d81a.1020 mab     DATA    Auth       0AC03008000013C089606CD1
Gi1/0/21     000c.ab41.05f4 mab     DATA    Auth       0AC03008000013C189606D48
But after a period of time (around 4 min), both MACs are de-authenticated and then authenticated again, which causes reachability issues for a while:
sh authentication sessions interface g1/0/21
Interface    MAC Address    Method  Domain  Status Fg  Session ID
----------------------------------------------------------------------
Gi1/0/21     0007.d81a.1020 mab     DATA    Auth       0AC03008000013C089606CD1
Gi1/0/21     000c.ab41.05f4 mab     DATA    Auth       0AC03008000013C189606D48
Jun 16 14:13:20.368 MEST: %DOT1X-5-FAIL: Authentication failed for client (0007.d81a.1020) on Interface Gi1/0/21 AuditSessionID 0AC03008000013BA895CBB7C
Jun 16 14:13:20.368 MEST: %DOT1X-5-FAIL: Authentication failed for client (000c.ab41.05f4) on Interface Gi1/0/21 AuditSessionID 0AC03008000013BB895CBD5B
Jun 16 14:17:22.367 MEST: %DOT1X-5-FAIL: Authentication failed for client (0007.d81a.1020) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C089606CD1
Jun 16 14:17:22.367 MEST: %DOT1X-5-FAIL: Authentication failed for client (000c.ab41.05f4) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C189606D48
Jun 16 14:21:23.055 MEST: %DOT1X-5-FAIL: Authentication failed for client (0007.d81a.1020) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C8896418F8
Jun 16 14:21:24.079 MEST: %DOT1X-5-FAIL: Authentication failed for client (000c.ab41.05f4) on Interface Gi1/0/21 AuditSessionID 0AC03008000013C989641D0A
What is the cause of this behavior and how to fix it?
Thank you for your support.
Emmanuel
06-19-2020 06:51 AM
I believe the command you are looking for is the switchport port-security.
You need to put the max # of macs you wish to connect here.
int gig 2/0/1
 description ### Userport ***
 switchport access vlan 100
 switchport port-security maximum 2
03-02-2022 04:49 AM
Hi,
I know this is an old thread but the answer that's just worked for me is:
interface GigabitEthernet1/0/21
 authentication host-mode multi-auth
Julian
05-23-2023 11:04 PM
Hi Emmanuel Alexandre,
Did you find the reason? I also have this problem.