
Cisco WS-C2960X-48FPD-L -- No Mac Address on Switchport

jmins
Level 1
Hi, we are currently rolling out a NAC product in our production environment and are running into a lot of devices that, after configuring the switchport, don't attempt to do any kind of communication on their own. Therefore, the NAC is unable to see which kind of device is on this port and can't assign a MAC-based account to it.
 
So far we only work with MAC-based accounts that assign them in the correct VLAN group. For the switch type, we are using Cisco WS-C2960X-48FPD-L.
 
For deployment, we have the following switch and port config:
aaa new-model
!
radius server XXXXX
 address ipv4 XXXXX auth-port XXX acct-port XXXX
 key 7 ****************************************************************
!
radius server XXXX
 address ipv4 XXXX auth-port XXX acct-port XXXX
 key 7 ****************************************************************
!
aaa group server radius XXXX
 server name XXXX
!
aaa authentication dot1x default group XXX
aaa authorization network default group XXX
aaa accounting send stop-record always
aaa accounting update newinfo
aaa accounting dot1x default start-stop group XXX
!
authentication mac-move permit
!
dot1x system-auth-control
default int range gi1/0/1
int range gi1/0/1
 shut
 switchport access vlan 1
 switchport mode access
 switchport voice vlan 2
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 8
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 no shut
4 Replies

balaji.bandi
Hall of Fame

So you mean to say the device is connected, but you are not able to see the MAC on that port?

What kind of devices are these? Any medical?

What kind of NAC (ISE?)

BB


jmins
Level 1

It depends if DHCP is active on the device or not. If it is, it connects when removing the portcontrol; for the static devices we need to remove portcontrol + put it in its VLAN again before it shows up / does any kind of communication towards the switch. When the switch port has "authentication port control" set to any value, these devices seem to stop any form of communication. Meaning, no visible MAC on the switch and no device shows up on the switch in the NAC on that port.

The devices are a few IP cameras, a Lantronix Ethernet-to-serial converter and MOXA equipment.

Yes, ISE, but currently testing.


@jmins wrote:
MOXA equipment

Talk to the vendor.  We did.  

We started with these MOXA not talking at all.  We had to hard-reset the MOXA before they started presenting their respective MAC addresses.  

And that is the usual case with CCTV as well.  When they crash, they stop talking MAC addresses and the interface counters will show one-way traffic (output from the interface and NIL input traffic).

Going back to the MOXA, the vendor kept blaming the network because they only sell the infernal machines and they have no idea what "MAC address" nor "IP address" means.  So we dragged them to the site and made them "witness" to their gear.  
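
The one-way-traffic symptom described in the reply above can be checked across a whole switch. The following is an added example, not part of the original thread: a Python sketch that parses `show interfaces` output and lists ports that are up, have output packets, and have zero input packets. The sample text, MAC addresses and function names are constructed for illustration.

```python
import re

# Constructed sample of IOS "show interfaces" output, trimmed to relevant lines.
SAMPLE = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.5e00.5301 (bia 0000.5e00.5301)
     0 packets input, 0 bytes, 0 no buffer
     1842 packets output, 148211 bytes, 0 underruns
GigabitEthernet1/0/2 is up, line protocol is up (connected)
     9311 packets input, 801233 bytes, 0 no buffer
     12044 packets output, 1330412 bytes, 0 underruns
GigabitEthernet1/0/3 is down, line protocol is down (notconnect)
     0 packets input, 0 bytes, 0 no buffer
     0 packets output, 0 bytes, 0 underruns
"""

# Interface header lines start in column 0; counter lines are indented.
HEADER = re.compile(r"^(\S+) is ([\w ]+?), line protocol is (\w+)")
COUNTER = re.compile(r"^\s+(\d+) packets (input|output),")


def parse_interfaces(text):
    """Return {port: {"up": bool, "input": int|None, "output": int|None}}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            link_up = m.group(2) == "up" and m.group(3) == "up"
            current = {"up": link_up, "input": None, "output": None}
            ports[m.group(1)] = current
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            current[m.group(2)] = int(m.group(1))
    return ports


def silent_ports(text):
    """Ports with link up that have sent frames but never received one."""
    return sorted(
        name for name, p in parse_interfaces(text).items()
        if p["up"] and p["input"] == 0 and (p["output"] or 0) > 0
    )


if __name__ == "__main__":
    for port in silent_ports(SAMPLE):
        print(f"{port}: link up, output only, no input -> no MAC for MAB to learn")
```

Clear the interface counters before collecting the output so that both numbers cover the same window. A port in this list has given the switch no source MAC to learn, so MAB has nothing to submit to the RADIUS server.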

Thank you.  What about the config itself?  Does it look correct?  The same behavior happens with other devices as well.
