(Unknown MAC) on switchport

Unanswered Question
Nov 4th, 2009

We configured 802.1x for the wired network. Some PCs and printers do not work. This is the message on the switch:

DOT1X-5-FAIL: Authentication failed for client (Unknown MAC)on interface fa0/1

All PCs work with digital certificates and EAP-TLS on the switches.

I don't understand why the switch doesn't see the real MAC address of the connected host.

Any ideas?



Jatin Katyal Wed, 11/04/2009 - 06:04

Hi Remco,

Are those PCs and printers dot1x compatible?

If not, then MAB should be configured on the switch, and on the RADIUS server we should have the device MAC address added as a username and password.

"When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address."

The database should be configured in such a way that you can have the following entries for MAC authentication,

Username :

Password :

The MAC address should be in the format 004096a98dee



Please rate helpful posts.
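The username/password format described in the answer above, as an added example that is not part of the original post: it normalizes an inventory of device MAC addresses into the 12-digit lowercase form and renders them as RADIUS user entries. The FreeRADIUS `users` file syntax is an assumption (the thread does not name the RADIUS server), and the function names and sample inventory are constructed for illustration.

```python
import re

# Separators seen in common MAC notations:
# 00:40:96:a9:8d:ee, 00-40-96-A9-8D-EE, 0040.96a9.8dee
_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def mab_identity(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits, the format quoted in the post."""
    digits = _SEPARATORS.sub("", mac).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # The low bit of the first octet marks a group (multicast/broadcast) address,
    # which can never be the source address of a single host.
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"group address cannot identify a host: {mac!r}")
    return digits


def build_mab_entries(inventory):
    """Map each distinct device MAC to a (username, password) pair for MAB.

    Returns (entries, rejected): entries is a sorted list of pairs, rejected is a
    list of (raw_value, reason) so bad inventory rows are reviewed, not dropped.
    """
    seen, rejected = set(), []
    for raw in inventory:
        try:
            seen.add(mab_identity(raw))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return [(m, m) for m in sorted(seen)], rejected


def freeradius_users(entries):
    """Render entries in FreeRADIUS 'users' file syntax (assumed server)."""
    return "\n".join(f'{u} Cleartext-Password := "{p}"' for u, p in entries)


# Constructed sample inventory: the same printer listed twice in different
# notations, one PC, one truncated value and one broadcast address.
SAMPLE = ["0040.96a9.8dee", "00:40:96:A9:8D:EE", "00-1B-2C-3D-4E-5F",
          "0040.96a9.8d", "ff:ff:ff:ff:ff:ff"]

if __name__ == "__main__":
    entries, rejected = build_mab_entries(SAMPLE)
    print(freeradius_users(entries))
```
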

remco.gussen Wed, 11/04/2009 - 06:42

They are dot1x compatible. Even if they were not, the switch must see the MAC address. Even with MAB, the switch shows that it is trying to authenticate a host with address (aabbccddeeff) by MAB. For some hosts, the switch doesn't see the MAC address, so it cannot do a MAB authentication.

