08-09-2012 07:25 AM - edited 03-10-2019 07:24 PM
I am having some confustion currently while looking into devices that fail authentication through the ACS. When looking at the reporting tool for the ACS I see a device (Dell laptop) show up on the same switch port with around 900 failed authentication attempts per day. I follow that up with a check on the MAC address table for that switch. I see devices connected (through a hub), but not the one that is failing. On the switch port there is the hub, 2 Dell laptops (but not the one getting logged in the ACS) and a VTC unit.
To add to the confusion, only the VTC unit shows a IP on the ARP table of the firewall. Not sure where to go from here.
Solved! Go to Solution.
08-10-2012 11:05 PM
Robert,
I missed your question before, the answer is yes when authentication fails the client is not entered on the mac address table since that will allow traffic to be forwarded. Dot1x (mab) is a l2 authentication framework which doesnt allow the mac address to be learned till we see the access-accept from the radius server.
So if the client authentication is expected to fail then everything is ok as far as your deployment goes and the behavior of the switch.
Tarik Admani
*Please rate helpful posts*
08-09-2012 07:37 AM
Robert,
Can you post the port configuration? If you are running newer code you may be running authentication host mode single. Try running the command "authentication host mode multi-auth"
Here is some reference material when it comes to the different host modes:
Thanks,
Tarik Admani
*Please rate helpful posts*
08-09-2012 07:41 AM
Port configuration:
interface GigabitEthernet1/0/12
switchport access vlan 2
switchport mode access
authentication control-direction in
authentication host-mode multi-auth
authentication port-control auto
mab
Will look at the refrence material also, thanks.
08-09-2012 07:48 AM
Robert,
What is the failure reason? also are you using dynamic vlan assignment?
can you post the "show authentication sessions interface gig 1/0/12"
thanks,
Tarik Admani
*Please rate helpful posts*
08-09-2012 08:08 AM
08-09-2012 08:34 AM
Robert,
Are you on vlan 2 or vlan 200? Are you using dynamic vlan assignment?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-09-2012 08:39 AM
The ports are set up in vlan 2, on passing authenticaiton they get moved over to vlan 200.
08-09-2012 02:03 PM
Robert,
What version of code and model of switch are you running?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-10-2012 04:04 AM
It's a 2960S switch running 12.2(55)SE5.
08-10-2012 11:05 PM
Robert,
I missed your question before, the answer is yes when authentication fails the client is not entered on the mac address table since that will allow traffic to be forwarded. Dot1x (mab) is a l2 authentication framework which doesnt allow the mac address to be learned till we see the access-accept from the radius server.
So if the client authentication is expected to fail then everything is ok as far as your deployment goes and the behavior of the switch.
Tarik Admani
*Please rate helpful posts*
08-13-2012 07:53 AM
Thats what I needed to know, thanks. Its disapointing though...
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: