Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

4500 Series Switches and 802.1x MAB

My organization has multiple 4500 series switches experiencing the same problem when attempting to authenticate devices via MAB.  The issue is that the "show mab interface fax/x details" shows the Client MAC in a waiting status.  The device is never sending the switch it's MAC in order to proceed with MAB authentication, so of course the port never forwards traffic.  However, if we remove authentication port-control auto the port starts forwarding and the device gains connectivity.  Below is the interface configuration command and the MAB details.  The IOS version of this current switch is 15.0(2)SG8.  Are we missing something special for a 4500 as far as configuration is concerned.

interface FastEthernet8/16
 description USER 
 switchport access vlan 600
 switchport mode access
 switchport nonegotiate
 duplex full
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 dot1x timeout tx-period 5


SWITCH-4510R#sh mab interface fa8/16 details
MAB details for FastEthernet8/16
Mac-Auth-Bypass           = Enabled

MAB Client List
Client MAC                = Waiting
Session ID                = 841AF6D100002931AF99B827
MAB SM state              = ACQUIRING
Auth Status               = UNAUTHORIZED


Community Member

What's the order of

What's the order of authentication?


authentication order <mab | dot1x | webauth>


Good luck

Community Member

I've tried with

I've tried with authentication order mab or the default which I believe is dot1x still get he same results.

Community Member

Post your configs.

Post your configs.

Community Member

You might look into

You might look into "authentication control-direction in".


I've had good luck with it in this type of scenario. If I'm understanding correctly.

Community Member

hello, in my organization we



in my organization we have multiple 3560/2960 series switches and some 4500 with MAB.


the interfaces have the following config:


 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 120
 authentication timer reauthenticate server
 authentication timer inactivity 600
 dot1x pae authenticator



Good luck

CreatePlease to create content