Rejected MAC addresses are not placed in the guest VLAN

Hi all

I'm kind of new to switches and have learned a lot by reading the documentation sites. My job is to activate AAA authentication on our Cisco switches; we have a 3750 stack, a few 3560s and some 3550s. I am testing on one of the 3560s, a WS-C3560G-48PS running 12.2(53)SE1 IP Base. Next week I'll update the firmware to 12.2(55), but with this version everything should already work.

Basically, the only thing I have been asked to do at the moment is the MAC Authentication Bypass configuration. If the MAC address is accepted, RADIUS returns the VLAN the device should be placed in, for the most part VLAN 4.

If the RADIUS server (FreeRADIUS v2.1.10) sends a reject (see below), the port is not placed in the guest VLAN, as I expected.

Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B
Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B

Can someone tell me where I'm wrong?

Thank you

Chris

Relevant parts of the running-config:
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
!
dot1x system-auth-control
!
interface GigabitEthernet0/29
 description 235 a
 switchport mode access
 switchport voice vlan 2
 load-interval 30
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 authentication event fail action authorize vlan 7
 authentication event server dead action authorize vlan 4
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone
!
interface Vlan1
 ip address 10.1.1.207 255.255.255.0
!
interface Vlan2
 ip address 10.1.10.207 255.255.255.0
!
ip default-gateway 10.1.1.201
ip classless
!
ip sla enable reaction-alerts
radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
radius-server timeout 10
radius-server key 7 <key omitted>
radius-server vsa send accounting
radius-server vsa send authentication
!
end

VLAN information (show vlan):

VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Gi0/6, Gi0/8, Gi0/14, Gi0/15
                                                Gi0/18, Gi0/21, Gi0/29, Gi0/30
                                                Gi0/34, Gi0/36, Gi0/37, Gi0/49
                                                Gi0/50, Gi0/51
2    voice                            active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                Gi0/42, Gi0/43, Gi0/44, Gi0/45
                                                Gi0/46, Gi0/47, Gi0/49
3    video                            active
4    DHCP                             active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/7, Gi0/9, Gi0/10
                                                Gi0/11, Gi0/12, Gi0/13, Gi0/16
                                                Gi0/17, Gi0/19, Gi0/20, Gi0/22
                                                Gi0/23, Gi0/24, Gi0/25, Gi0/26
                                                Gi0/27, Gi0/28, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/35, Gi0/38, Gi0/39
                                                Gi0/40, Gi0/41, Gi0/42, Gi0/43
                                                Gi0/44, Gi0/45, Gi0/46, Gi0/48
5    transfer                         active
6    Test ESX                         active
7    GUEST-VLAN                       active
999  native                           active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
4    enet  100004     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
6    enet  100006     1500  -      -      -        -    -        0      0
7    enet  100007     1500  -      -      -        -    -        0      0
999  enet  100999     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 trcrf 101003     4472  1005   3276   -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trbrf 101005     4472  -      -      15       ibm  -        0      0

VLAN AREHops STEHops Backup CRF
---- ------- ------- ----------
1003 7       7       off

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Hello

Just to use the correct names: what you want is the auth-fail VLAN (which you have configured correctly). The guest VLAN is for PCs that are not dot1x-capable (that do not respond to dot1x packets), but with MAC bypass the "no-response" event will never happen.

Now that this is cleared up, your config actually looks quite OK. I'd go with debugs to check what the problem is.

debug radius
debug epm all
debug authentication feature mab all
debug authentication feature mda all

Nicolas
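
The log excerpt in the question and the fail-vs-no-response distinction in the answer can be checked mechanically. The script below is an added example for this thread, not code from either post: it parses the %AUTHMGR / %MAB syslog lines, groups them by AuditSessionID, reads the `authentication event ... action authorize vlan` lines from the interface config, and reports per session whether the port should be authorized, sitting in the auth-fail VLAN, or still in progress. The three Gi0/29 lines are the ones quoted above; the Gi0/31 session and the exact wording of the %MAB-5-SUCCESS / %AUTHMGR-5-SUCCESS messages are assumed samples constructed for the example.

```python
"""Correlate Cisco IOS AUTHMGR/MAB syslog events per AuditSessionID and derive
the VLAN the port should end up in from the interface's
'authentication event <event> action authorize vlan <n>' lines.

Added example for this thread, not code from the original posts. The Gi0/29
lines are the ones quoted in the question; the Gi0/31 success session is a
constructed, assumed sample.
"""
import re
from collections import defaultdict

# %FACILITY-SEV-MNEMONIC: ... client (mac) on Interface X AuditSessionID Y
EVENT_RE = re.compile(
    r"%(?P<facility>AUTHMGR|MAB|DOT1X)-\d-(?P<mnemonic>[A-Z_]+): "
    r".*?client \((?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)

# 'authentication event <event> action authorize vlan <n>' under an interface
EVENT_VLAN_RE = re.compile(
    r"^\s*authentication event (?P<event>fail|no-response|server dead) "
    r"action authorize vlan (?P<vlan>\d+)\s*$",
    re.M,
)

# Constructed sample input: the three thread lines (oldest first) plus an
# assumed successful MAB session on another port.
SAMPLE_LOG = [
    "Dec 21 16:23:18 10.1.1.207 37471: 2204776: .Dec 21 16:20:30.935 CET: %AUTHMGR-5-START: Starting 'mab' for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B",
    "Dec 21 16:23:19 10.1.1.207 37472: 2204808: .Dec 21 16:20:31.950 CET: %MAB-5-FAIL: Authentication failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B",
    "Dec 21 16:23:19 10.1.1.207 37473: 2204830: .Dec 21 16:20:31.950 CET: %AUTHMGR-5-FAIL: Authorization failed for client (f0de.f119.9870) on Interface Gi0/29 AuditSessionID 0A0101CF0000086CF832980B",
    "Dec 21 16:25:01 10.1.1.207 37480: 2204900: .Dec 21 16:22:13.100 CET: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Gi0/31 AuditSessionID 0A0101CF0000086DF8330001",
    "Dec 21 16:25:01 10.1.1.207 37481: 2204905: .Dec 21 16:22:13.400 CET: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi0/31 AuditSessionID 0A0101CF0000086DF8330001",
    "Dec 21 16:25:01 10.1.1.207 37482: 2204906: .Dec 21 16:22:13.410 CET: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Gi0/31 AuditSessionID 0A0101CF0000086DF8330001",
]

# The relevant part of the port config from the thread (constructed copy).
INTERFACE_CONFIG = """\
interface GigabitEthernet0/29
 switchport mode access
 switchport voice vlan 2
 authentication event fail action authorize vlan 7
 authentication event server dead action authorize vlan 4
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication port-control auto
 mab
"""


def parse_event_vlans(interface_config):
    """Map each configured authentication event to its authorize VLAN."""
    return {m["event"]: int(m["vlan"]) for m in EVENT_VLAN_RE.finditer(interface_config)}


def correlate(log_lines):
    """Group parsed syslog events by AuditSessionID, keeping log order."""
    sessions = defaultdict(list)
    for line in log_lines:
        m = EVENT_RE.search(line)
        if m:
            sessions[m["sid"]].append(m.groupdict())
    return dict(sessions)


def expected_vlan(events, event_vlans):
    """Return (outcome, vlan) for one session.

    AUTHMGR SUCCESS: port authorized; the VLAN comes from RADIUS (or the access
      VLAN) and is not in these syslog lines, so vlan is None.
    AUTHMGR FAIL (RADIUS Access-Reject): the auth-fail VLAN if one is set,
      otherwise None, i.e. the port stays unauthorized.
    START only: still in progress.
    The guest VLAN ('no-response') is never selected here: MAB always gets an
    Accept or a Reject, so a MAB-only port does not raise the no-response event.
    """
    seen = {(e["facility"], e["mnemonic"]) for e in events}
    if ("AUTHMGR", "SUCCESS") in seen:
        return "authorized", None
    if ("AUTHMGR", "FAIL") in seen:
        return "auth-fail", event_vlans.get("fail")
    if ("AUTHMGR", "START") in seen:
        return "in-progress", None
    return "unknown", None


def summarize(log_lines, interface_config):
    """Per-session summary: MAC, interface, outcome and expected VLAN."""
    event_vlans = parse_event_vlans(interface_config)
    out = {}
    for sid, events in correlate(log_lines).items():
        outcome, vlan = expected_vlan(events, event_vlans)
        out[sid] = {"mac": events[0]["mac"], "intf": events[0]["intf"],
                    "outcome": outcome, "vlan": vlan}
    return out


if __name__ == "__main__":
    for sid, s in summarize(SAMPLE_LOG, INTERFACE_CONFIG).items():
        print(f"{sid} {s['intf']} {s['mac']} -> {s['outcome']} vlan={s['vlan']}")
```

Run as-is, it prints one line per session; for the Gi0/29 session it reports auth-fail with VLAN 7, which is what the quoted config should produce on a RADIUS reject. Had the port only carried `authentication event no-response action authorize vlan 7` (a guest VLAN), `event_vlans.get("fail")` would return None: the reject would leave the port unauthorized rather than in VLAN 7, which is the naming mix-up the answer describes.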


Tags: Cisco Security
