Mac-auth-bypass fails MAC: 0000.0000.0000

Answered Question
May 5th, 2010

I have an old JetDirect that doesn't support 802.1x. I have enabled MAB on the port where it connects, but for some reason MAB fails. I enabled dot1x debug and will paste the output below. I know my dot1x config is good; I have clients authenticating via RADIUS to my ACS server. I also have another port using MAB (not a JetDirect, though), and both ports are configured identically. From the debugs, it seems that the switch can't glean the MAC of the JetDirect. Any ideas? This is a 3750 with 12.2(44)SE2. I've tried to shut/no shut the interface and reset the JetDirect; nothing seems to work. I see no requests on my ACS server for this device's MAC address.

aaa authentication dot1x default group radius
aaa authorization network default group radius

radius-server host 192.168.x.x auth-port 1645 acct-port 1646

interface FastEthernet2/0/31
description A002 White
switchport access vlan 112
switchport mode access
switchport voice vlan 800
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode restrict
dot1x timeout tx-period 2
dot1x timeout supp-timeout 10
spanning-tree portfast
spanning-tree bpduguard enable

012729: May  5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
012730: May  5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to up
012731: May  5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012732: May  5 14:51:33.727: dot1x-sm:Posting EAP_REQ on Client=4219220
012733: May  5 14:51:33.727:     dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
012734: May  5 14:51:33.727: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_request
012735: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_ request_action called
012736: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_ enter called
012737: May  5 14:51:33.727: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
012738: May  5 14:51:33.727: dot1x-ev:FastEthernet2/0/31:Sending EAPOL packet to group PAE address
012739: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
012740: May  5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
012741: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet2/0/31
012742: May  5 14:51:33.727: EAPOL pak dump Tx
012743: May  5 14:51:33.727: EAPOL Version: 0x2  type: 0x0  length: 0x0005
012744: May  5 14:51:33.727: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
012745: May  5 14:51:33.727: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
012746: May  5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012747: May  5 14:51:35.791: dot1x-sm:Posting EAP_TIMEOUT on Client=4219220
012748: May  5 14:51:35.791:     dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
012749: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_timeout
012750: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
012751: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
012752: May  5 14:51:35.791:     dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
012753: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_timeout ->auth_bend_idle
012754: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
012755: May  5 14:51:35.791: dot1x-sm:Posting AUTH_TIMEOUT on Client=4219220
012756: May  5 14:51:35.791:     dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15(authTimeout)
012757: May  5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012758: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
012759: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_enter called
012760: May  5 14:51:35.791:     dot1x_auth_mab : initial state mab_initialize has enter
012761: May  5 14:51:35.791:     dot1x_auth_mab : during state mab_initialize, got event 2(mabStart)
012762: May  5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
012763: May  5 14:53:08.831:     dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)

HQ_1stFlr_3750#sh dot1x int fa2/0/31 det

Dot1x Info for FastEthernet2/0/31
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_DOMAIN
Violation Mode            = RESTRICT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 10
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 2
RateLimitPeriod           = 0
Mac-Auth-Bypass           = Enabled (EAP)
    Inactivity Timeout    = None

Dot1x Authenticator Client List Empty

Port Status               = UNAUTHORIZED

Correct Answer
DAVID SCOTT Mon, 05/10/2010 - 08:23

Is this JetDirect card using DHCP to get an IP address? If not, then the JetDirect will not generate any outbound traffic for the switch to authenticate. To test this, use the front panel of the printer to send out a ping packet and see if that triggers the MAB.

rtjensen4 Mon, 05/10/2010 - 08:25

Hello,

TAC resolved this for me. Your thoughts are exactly what they told me. I changed control-direction to inbound ("dot1x control-direction in"), and that let the MAB work.
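The symptom in the question and the fix in the reply above can be checked mechanically. The following is an added example, not code from this thread or from Cisco: it parses the interface configuration and the `debug dot1x` output posted above (the sample input is constructed from those lines) and reports that the MAB state machine reached mab_acquiring while the only client MAC ever seen was 0000.0000.0000, i.e. the printer sent no frame the switch could learn a MAC from. It also checks whether `dot1x control-direction in` is configured; the assumption that IOS treats a missing line as `both` matches the `ControlDirection = Both` shown in the `show dot1x` output. The state and event names in the regular expressions are taken from the posted debug lines, not from any Cisco documentation.

```python
"""Triage helper for a Cisco IOS port on which MAB never completes.

Added example (not the thread's or Cisco's code). Correlates an interface
config block with `debug dot1x` output and explains why MAB is stuck.
"""
import re
from dataclasses import dataclass, field

NULL_MAC = "0000.0000.0000"

# Constructed sample input, trimmed from the question's config and debugs.
SAMPLE_CONFIG = """\
interface FastEthernet2/0/31
 switchport mode access
 dot1x mac-auth-bypass eap
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-domain
 dot1x timeout tx-period 2
"""

SAMPLE_DEBUG = """\
012731: May  5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012746: May  5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012757: May  5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012762: May  5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
012763: May  5 14:53:08.831:     dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)
"""

# Patterns derived from the debug lines in the question.
MAC_RE = re.compile(r"for mac ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
MAB_TRANSITION_RE = re.compile(r"dot1x_auth_mab : (\w+) -> (\w+)")
MAB_EVENT_RE = re.compile(
    r"dot1x_auth_mab : during state (\w+), got event \d+\((\w+)\)(?: \((ignored)\))?")


@dataclass
class MabDiagnosis:
    control_direction: str
    mab_enabled: bool
    client_macs: set = field(default_factory=set)
    mab_states: list = field(default_factory=list)
    ignored_events: list = field(default_factory=list)
    eap_timeouts: int = 0
    findings: list = field(default_factory=list)


def parse_interface_config(config):
    """Extract the dot1x settings that decide whether MAB can start at all.
    A missing control-direction line is assumed to mean the IOS default, both."""
    settings = {"control_direction": "both", "mab": False}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("dot1x mac-auth-bypass"):
            settings["mab"] = True
        elif line.startswith("dot1x control-direction"):
            settings["control_direction"] = line.split()[-1]
    return settings


def diagnose(config, debug):
    """Walk the debug output and turn config plus observed states into findings."""
    s = parse_interface_config(config)
    d = MabDiagnosis(control_direction=s["control_direction"], mab_enabled=s["mab"])
    for line in debug.splitlines():
        if m := MAC_RE.search(line):
            d.client_macs.add(m.group(1))
        if m := MAB_TRANSITION_RE.search(line):
            if not d.mab_states:
                d.mab_states.append(m.group(1))
            d.mab_states.append(m.group(2))
        if (m := MAB_EVENT_RE.search(line)) and m.group(3):
            d.ignored_events.append((m.group(1), m.group(2)))
        if "Received an EAP Timeout" in line:
            d.eap_timeouts += 1

    if not d.mab_enabled:
        d.findings.append("MAB is not enabled on the interface")
    stuck = bool(d.mab_states) and d.mab_states[-1] == "mab_acquiring"
    if stuck:
        d.findings.append("MAB fell back from 802.1X but never left mab_acquiring")
    if d.client_macs and d.client_macs <= {NULL_MAC}:
        d.findings.append("only 0000.0000.0000 was seen: no frame from the endpoint, "
                          "so there is no MAC to send to RADIUS")
    for state, event in d.ignored_events:
        d.findings.append(f"{event} arrived in {state} and was ignored")
    if stuck and d.control_direction == "both":
        d.findings.append("port is controlled in both directions; 'dot1x control-direction in' "
                          "lets the switch send toward a silent endpoint before authorization, "
                          "so a reply from it can give MAB a MAC to learn")
    return d


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONFIG, SAMPLE_DEBUG).findings:
        print("-", finding)
```

Running the script against the posted lines prints the stuck-in-acquiring finding, the null-MAC finding, the ignored mabResult event, and the control-direction suggestion; adding `dot1x control-direction in` to the config input drops the last one. Feed it the output of `show run interface` and a `debug dot1x` capture to triage a similar port.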
