
Author Topic: 802.1x mac address-table entries  (Read 5439 times)

rufer

  • Guest
802.1x mac address-table entries
« on: September 28, 2010, 06:40:33 PM »
Hello all

We are beginning to deploy 802.1x. Unfortunately, the hosts behind an 802.1x protected port are no longer detected by NeDi. The reason is simple: Cisco decided to use "static" mac address-table entries for 802.1x hosts and not dynamic. Switches are Cisco Catalyst 3560 IOS.

Well, that's a bit of a problem. I want the 802.1x entries in NeDi, but not all the garbage static mac address-table entries.

Example mac address-table entries:

c3560#sh mac address-table inter gi 0/9
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 184    0001.e32e.57f2    STATIC      Gi0/9
Total Mac Addresses for this criterion: 1

c3560#sh authentication sessions

Interface  MAC Address     Method   Domain   Status         Session ID
Gi0/9      0001.e32e.57f2  dot1x    VOICE    Authz Success  827D5B7400000363804D4224

c3560#sh mac address-table static
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
 All    ffff.ffff.ffff    STATIC      CPU
 184    0001.e32e.57f2    STATIC      Gi0/9


And for the port config:

mailtsw-1# sh run int gi 0/9
interface GigabitEthernet0/9
 switchport access vlan 97
 switchport mode access
 switchport voice vlan 184
 no logging event link-status
 no logging event power-inline-status
 srr-queue bandwidth share 1 70 25 5
 srr-queue bandwidth shape 3 0 0 0
 priority-queue out
 authentication control-direction in
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 20
 no lldp med-tlv-select inventory-management
 no cdp enable
 spanning-tree portfast
 service-policy input VOIP
 ip dhcp snooping limit rate 100


Of course, there's also room for improvement, because we can see a lot more info in the auth session that could be useful to NeDi, e.g. username and IP address.

c3560#sh authentication sessions inter gi 0/9
            Interface:  GigabitEthernet0/9
          MAC Address:  0001.e32e.57f2
           IP Address:  10.15.184.247
            User-Name:  myusername
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
      Session timeout:  43200s (server), Remaining: 42675s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  827D5B7400000363804D4224
      Acct Session ID:  0x0000B977
               Handle:  0x47000363

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run


Thoughts on fixing the first issue, thus having the static mac address-table entries back in NeDi?

Greetings
Rufer
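One way to separate 802.1x-learned STATIC entries from the switch's own reserved ones, as an added example that is neither NeDi's code nor part of the original post: parse the two outputs quoted above and keep a STATIC entry only when an authorized session exists for that MAC on the same port. The sample outputs are constructed after the post's CLI output; the Gi0/10 and Gi0/11 rows are invented for contrast.

```python
import re

# Constructed sample output modelled on the Cisco IOS output quoted in the post.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 184    0001.e32e.57f2    STATIC      Gi0/9
  97    0011.2233.4455    DYNAMIC     Gi0/10
  97    00aa.bbcc.ddee    STATIC      Gi0/11
"""
AUTH_SESSIONS = """\
Interface  MAC Address     Method   Domain   Status         Session ID
Gi0/9      0001.e32e.57f2  dot1x    VOICE    Authz Success  827D5B7400000363804D4224
"""
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
MAC_ROW = re.compile(r"^\s*(\S+)\s+" + MAC + r"\s+(STATIC|DYNAMIC)\s+(\S+)\s*$", re.I)
AUTH_ROW = re.compile(r"^(\S+)\s+" + MAC + r"\s+(\S+)\s+(\S+)\s+(.+?)\s+([0-9A-F]+)\s*$", re.I)


def authorized_sessions(text):
    """Map MAC -> {port, method, domain} for sessions that reached 'Authz Success'."""
    sessions = {}
    for line in text.splitlines():
        m = AUTH_ROW.match(line)
        if m and m.group(5).strip() == "Authz Success":
            sessions[m.group(2).lower()] = {"port": m.group(1), "method": m.group(3), "domain": m.group(4)}
    return sessions


def learned_hosts(mac_table, sessions):
    """Keep DYNAMIC entries plus STATIC entries backed by an authorized session.

    CPU-bound entries (reserved multicast, broadcast) are never end hosts. Other
    STATIC entries are kept only if an authorized session exists for that MAC on
    the same port, so operator-configured static entries stay excluded.
    """
    hosts = []
    for line in mac_table.splitlines():
        m = MAC_ROW.match(line)
        if not m:
            continue
        vlan, mac, kind, port = m.group(1), m.group(2).lower(), m.group(3).upper(), m.group(4)
        if port.upper() == "CPU":
            continue
        sess = sessions.get(mac)
        if kind == "STATIC" and not (sess and sess["port"].lower() == port.lower()):
            continue
        hosts.append({"vlan": vlan, "mac": mac, "port": port, "type": kind, "auth": sess})
    return hosts
```

Cross-checking against the session table, rather than admitting every non-CPU static entry, is what keeps hand-configured static entries out of the inventory.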

rickli

  • Administrator
  • Hero Member
Re: 802.1x mac address-table entries
« Reply #1 on: September 28, 2010, 07:19:39 PM »
I thought they are (at least with getting them via CLI) :)
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo