Bronze

Mac-auth-bypass fails MAC: 0000.0000.0000

I have an old JetDirect that doesn't support 802.1x. I have enabled MAB on the port where it connects, but for some reason MAB fails. I enabled dot1x debug and will paste the output in a few here. I know my dot1x config is good; I have clients authenticating via RADIUS to my ACS server. I also have another port using MAB, not a JetDirect though; both ports are configured identically. From the debugs, it seems that the switch can't glean the MAC of the JetDirect. Any ideas? This is a 3750 with 12.2(44)SE2. I've tried to shut/no shut the interface, reset the JetDirect, nothing seems to work. I see no requests on my ACS server for this device's MAC address.

aaa authentication dot1x default group radius
aaa authorization network default group radius

radius-server host 192.168.x.x auth-port 1645 acct-port 1646

interface FastEthernet2/0/31
description A002 White
switchport access vlan 112
switchport mode access
switchport voice vlan 800
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x mac-auth-bypass eap
dot1x pae authenticator

dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode restrict
dot1x timeout tx-period 2
dot1x timeout supp-timeout 10
spanning-tree portfast
spanning-tree bpduguard enable

012729: May  5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
012730: May  5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to up
012731: May  5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012732: May  5 14:51:33.727: dot1x-sm:Posting EAP_REQ on Client=4219220
012733: May  5 14:51:33.727:     dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
012734: May  5 14:51:33.727: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_request
012735: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_request_action called
012736: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_enter called
012737: May  5 14:51:33.727: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
012738: May  5 14:51:33.727: dot1x-ev:FastEthernet2/0/31:Sending EAPOL packet to group PAE address
012739: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
012740: May  5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
012741: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet2/0/31
012742: May  5 14:51:33.727: EAPOL pak dump Tx
012743: May  5 14:51:33.727: EAPOL Version: 0x2  type: 0x0  length: 0x0005
012744: May  5 14:51:33.727: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
012745: May  5 14:51:33.727: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
012746: May  5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012747: May  5 14:51:35.791: dot1x-sm:Posting EAP_TIMEOUT on Client=4219220
012748: May  5 14:51:35.791:     dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
012749: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_timeout
012750: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
012751: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
012752: May  5 14:51:35.791:     dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
012753: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_timeout ->auth_bend_idle
012754: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
012755: May  5 14:51:35.791: dot1x-sm:Posting AUTH_TIMEOUT on Client=4219220
012756: May  5 14:51:35.791:     dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15(authTimeout)
012757: May  5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012758: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
012759: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_enter called
012760: May  5 14:51:35.791:     dot1x_auth_mab : initial state mab_initialize has enter
012761: May  5 14:51:35.791:     dot1x_auth_mab : during state mab_initialize, got event 2(mabStart)
012762: May  5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
012763: May  5 14:53:08.831:     dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)

HQ_1stFlr_3750#sh dot1x int fa2/0/31 det

Dot1x Info for FastEthernet2/0/31
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_DOMAIN
Violation Mode            = RESTRICT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 10
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 2
RateLimitPeriod           = 0
Mac-Auth-Bypass           = Enabled (EAP)
    Inactivity Timeout    = None

Dot1x Authenticator Client List Empty

Port Status               = UNAUTHORIZED

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Mac-auth-bypass fails MAC: 0000.0000.0000

Is this JetDirect card using DHCP to get an IP address? If not, then the JetDirect will not generate any outbound traffic for the switch to authenticate. To test this, use the front panel of the printer to send out a ping packet and see if that triggers the MAB.

Bronze

Re: Mac-auth-bypass fails MAC: 0000.0000.0000

Hello,

TAC resolved this for me. Your thoughts are exactly what they told me. I changed control-direction to inbound ("dot1x control-direction in"), and that let the MAB work.
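
Added example, not part of the thread and not Cisco code: a small Python triage helper that reads dot1x debug lines and "show dot1x interface ... detail" output of the kind posted above and flags the condition the replies describe, namely MAB parked in mab_acquiring on a port whose control direction is Both, so a silent host is never prompted to send the frame the switch needs. The sample text is constructed from the thread's output, and the finding names are this example's own.

```python
import re

# Constructed sample input, modelled on the debug and show output quoted in the thread.
SAMPLE_DEBUG = """\
012746: May  5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012757: May  5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012762: May  5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
012763: May  5 14:53:08.831:     dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)
"""
SAMPLE_SHOW = """\
ControlDirection          = Both
Mac-Auth-Bypass           = Enabled (EAP)
Dot1x Authenticator Client List Empty
Port Status               = UNAUTHORIZED
"""

# Matches state-machine transition lines such as "@@@ dot1x_auth_mab : a -> b".
TRANSITION = re.compile(r"@@@ (dot1x_\w+) [^:]*: (\w+) ->\s*(\w+)")

def last_state(debug_text, machine):
    """Return the last state the named dot1x state machine entered, or None."""
    state = None
    for m in TRANSITION.finditer(debug_text):
        if m.group(1) == machine:
            state = m.group(3)
    return state

def show_fields(show_text):
    """Parse the 'Key = Value' lines of 'show dot1x interface ... detail'."""
    pairs = (line.partition("=") for line in show_text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def diagnose(debug_text, show_text):
    """Return finding codes (names are this example's own) for a stalled MAB port."""
    fields = show_fields(show_text)
    findings = []
    if last_state(debug_text, "dot1x_auth_mab") == "mab_acquiring":
        findings.append("MAB_WAITING_FOR_MAC")      # fallback started, no frame seen yet
        if "0000.0000.0000" in debug_text:
            findings.append("NO_SUPPLICANT_MAC")    # EAP timed out with no client MAC
        if fields.get("ControlDirection", "").lower() == "both":
            findings.append("EGRESS_BLOCKED")       # nothing can reach a silent host
    if fields.get("Port Status", "").upper() == "UNAUTHORIZED":
        findings.append("PORT_UNAUTHORIZED")
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG, SAMPLE_SHOW))
```

With control direction set to In, the switch forwards egress traffic to the port before it is authorized, which is what lets a ping or ARP reach the printer; weigh that against the port's exposure when applying it to other silent devices.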
