Re: MAC DROP SWITCH 2960

eperezb · ‎10-14-2019

Currently I have dot1x to authenticate by cable, at the time of placing an avaya esete phone if it authenticates but fails to receive an IP from the dhcp. the port get in Drops state will have some reason, I use ISE

#sh mac address-table interface fastEthernet 0/7
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----

150 ccf9.52a1.8ad2 DYNAMIC Drop

balaji.bandi · ‎10-14-2019

Can you post the interface config and version of 2960.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

eperezb · ‎10-15-2019

The port configuration is

interface FastEthernet0/7
description Prueba ISE
switchport access vlan x
switchport mode access
switchport voice vlan x
authentication event fail action next-method
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
spanning-tree portfast
spanning-tree bpduguard enable

authentication is successful, however it does not receive ip

*Mar 4 00:58:31.330: %MAB-5-SUCCESS: Authentication successful for client (ccf9.54a7.8a90) on Interface Fa0/7 AuditSessionID 000000000000006E0FA83CD1
*Mar 4 00:58:31.330: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (ccf9.54a7.8a90) on Interface Fa0/7 AuditSessionID 000000000000006E0FA83CD1
*Mar 4 00:58:32.211: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (ccf9.54a7.8a90) on Interface Fa0/7 AuditSessionID 000000000000006E0FA83CD1

Vlan Mac Address Type Ports
---- ----------- -------- -----
150 MACxxx... DYNAMIC Drop

balaji.bandi · ‎10-15-2019

once question what is the verion of code running on this device

can you post below outout :

show platform mac-address-table

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

eperezb · ‎10-15-2019

#sh platform mac-address-table mac-address ccf9.54a7.8a90 vlan 150
hmac: 033DF014 hash_q.flink: 02033E14 hash_q.blink: 02033E14
key: 3745 age_q.flink: 02B301EC age_q.blink: 0202C8B4
mac_addr: ccf9.54a7.8a90 vlan_id: 0150 hmvid: 0009
vlan_handle: 00004404 mat_instance: 02D3059C mat_vlan_addr: 02D369B0
bg_handle: -0000001 bg_instance: 00000000 mat_bg_addr: 00000000
di: F007 gpn: 007 sdi: 00000318
mad_sd_hanlde:033E3184 owned_sw_num: 0000 flags: 01

IOS
c2960-lanlitek9-mz.152-4.E8

JunaidM · ‎10-15-2019

Hi,

1- Check the port where the IP Phone is connected is its goes to error-disabled state because of Port Security settings issue on interface also can check "mab" if its working, if YES then do a shut/no shut on that port and check.

2- If it has no issue from there just check from the authentication server if it shows a reason of not authenticating.

3- You can also check this MAC, if its old phone, and just to verify that its not blocked.

Please rate helpful.

Thanks.

eperezb · ‎10-28-2019

I still have the same problem, at the time of authenticating it does it correctly in the ise but for some reason the state of the mac in the interface changes

at the moment it appears like this and then it changes to static

SW_CEDIS_2#sh mac address-table interface fastEthernet 0/7
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
150 x.x.x DYNAMIC Drop

sh mac address-table interface fastEthernet 0/7
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
50 x.x.x STATIC Fa0/7
Total Mac Addresses for this criterion: 1

I have a case with cisco but they still don't give me feedback

this happens to me with MAB authentication on avaya phones