802.1x and wired dynamic vlans on MAC addresses

Hi All,
I would like to set up our new offices with dynamic VLANs determined by the MAC address of the device connecting. So I need a database of MAC addresses in groups for which VLAN they will go in, with separate VLANs for printers and servers and computers and BYOD. If this can work for wireless too then even better.
I've done some reading but am really struggling to find the information I need.
We have a Windows domain and brand new 3850 Cisco switches.
Can anyone steer me in the right direction (or tell me how to do it!) please?
Thanks for reading.

Hi, 
So you need to perform MAB authentication. As you mentioned, you will need to create a DB of MAC entries.
In order to configure the Windows server (2003 or 2008?) to assign the dynamic VLAN you need to define the Remote Access Policies and create the custom attributes. For example:
Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. 
Tunnel-Type. Select Virtual LANs (VLAN).
You can find more information here:
Configure a Network Policy for VLANs
VLAN Attributes Used in Network Policy
802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
HTH.
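The attribute triplet above is what the RADIUS server returns in its Access-Accept. The example below is added here and is not taken from the thread, from NPS or from IOS: it shows a small MAB policy that keeps a MAC database in groups (printers, servers, computers, as the question asks) and builds those three attributes for each request. The group names, VLAN numbers, MAC addresses and the guest VLAN are constructed sample values; the numeric attribute values are the RFC 2868 ones (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, which the NPS dialog labels "802").

```python
"""Added example: a minimal MAB authorization policy that maps a device's MAC
address to a VLAN group and builds the RADIUS Access-Accept attributes a Cisco
switch expects for dynamic VLAN assignment. Illustrative code written for this
page, not NPS or IOS code; all MACs, groups and VLAN numbers are constructed."""
import re

# RFC 2868 values. The NPS UI shows these by name ("Virtual LANs (VLAN)", "802");
# on the wire they are integers.
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type (attribute 64)
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type (attribute 65), IEEE 802
# Tunnel-Private-Group-ID (attribute 81) carries the VLAN ID as a string.

# Constructed sample database: device group -> (VLAN ID, set of MACs in any format).
MAC_GROUPS = {
    "printers":  (20, {"0011.2233.4455", "00:11:22:33:44:66"}),
    "servers":   (30, {"00-11-22-33-44-77"}),
    "computers": (40, {"001122334488"}),
}
GUEST_VLAN = 99            # assumption: where unknown devices land (None = reject them)


def normalize_mac(mac: str) -> str:
    """Return 12 lowercase hex digits; accepts Cisco dotted, colon, hyphen and bare forms."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_index(groups):
    """Flatten the group database into {normalized_mac: (group, vlan)}."""
    index = {}
    for group, (vlan, macs) in groups.items():
        for mac in macs:
            key = normalize_mac(mac)
            if key in index:
                raise ValueError(f"MAC {key} listed in two groups")
            index[key] = (group, vlan)
    return index


def vlan_attributes(vlan_id: int) -> dict:
    """The three RADIUS attributes the switch needs to move the port into vlan_id."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def authorize_mab(user_name: str, index, guest_vlan=GUEST_VLAN) -> dict:
    """Simulate the RADIUS decision for one MAB request.

    A Cisco switch sends the MAC as User-Name: 12 hex characters, no separators."""
    try:
        key = normalize_mac(user_name)
    except ValueError:
        return {"code": "Access-Reject", "reason": "malformed User-Name"}
    if key in index:
        group, vlan = index[key]
        return {"code": "Access-Accept", "group": group, "attributes": vlan_attributes(vlan)}
    if guest_vlan is None:
        return {"code": "Access-Reject", "reason": "unknown MAC"}
    return {"code": "Access-Accept", "group": "guest", "attributes": vlan_attributes(guest_vlan)}


INDEX = build_index(MAC_GROUPS)

if __name__ == "__main__":
    for mac in ("001122334455", "00-11-22-33-44-77", "deadbeef0001", "not-a-mac"):
        print(mac, "->", authorize_mab(mac, INDEX))
```

The lookup normalizes the bare form the switch sends (compare the `User-Name: xxxxxxxx0727` session output further down this page) and the dotted, colon and hyphen forms to one key, so the database can be maintained in whichever format the printer labels and server inventories use. Worth keeping in mind when planning the BYOD VLAN: MAB authenticates nothing but the MAC, which any host can present, so a MAC-only policy should land devices in a VLAN whose access you would be comfortable giving to an unauthenticated host; 802.1X with machine certificates is the stronger control for domain computers.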

Similar Messages

  • 802.1x authetication with dynamic Vlan assignment by a radius server

    Hi
    At school I want to start using 802.1x authentication with dynamic VLAN assignment by a Windows Server 2012R2 RADIUS server.
    When a student logs in, I want it to be placed in the "Students" VLAN; when an Administrative employee logs in, I want it to be placed in the "Administrative" VLAN; and when the client is unknown I want to place it in the "Guest" VLAN.
    I have several SG200 switches and I configured everything as mentioned in the administrative guide but I cannot get it to work as desired.
    What does work:
    - If the client is permitted, the switch changes to "authorized" state. (before anyone logs on to the domain with that client)
    - When a User logs on that is part of the Administrative employees, the switch changes to "authorized" and when a student logs on, it changes to "unauthorized". 
    So far so good.
    But what doesn't work:
    - it does not put the administrative employee in the Vlan "Administrative", it just enables the port on the switch but leaves it in the default vlan 1.
    - I can not find the Guest VLAN.
    Any help would be appreciated.

    Hi Wouter,
    Can you see the VLAN attribute in the RADIUS Accept message in the packet capture? Also please ensure you have the latest firmware and boot code:
    http://www.cisco.com/c/en/us/support/switches/sg200-26-26-port-gigabit-smart-switch/model.html#~rdtab1
    I would recommend you open a ticket with the Small Business team so they can go through the packet capture and configuration steps with you:
    http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
    Regards,
    Aleksandra 

  • Restrict vlan for mac address

    Hello sirs, I bought an SF300 48 and made 4 VLANs.
    How can I restrict which device MAC addresses can connect to each VLAN? I just want to allow the MACs for a VLAN; I don't need to join the PC to a VLAN.
    Thanks so much!

    Sorry for my bad English, but I will try to explain.
    I have 5 PCs on one VLAN; this VLAN is a security VLAN for development. I just want these computers to be able to connect on this VLAN. In the SF300 switch, the 5 ports are marked for this VLAN. I want to keep these ports safe so that only the 5 MAC addresses can connect on them.
    Understand?
    This is the Google translation:
    I have a VLAN to which only 5 computers can connect. This VLAN was made from 5 network points directly connected to the switch. I would like to ensure that only these 5 computers can connect the network cable to that VLAN, through the MAC.
    Thanks!!!!

  • Ping problem in the neighborhood and Msan can see the mac address of router

    Hi everyone
    I have a 1941/K9 router with an EHWIC-4SHDSL-EA card. I have configured this card in my router; the problem is that I cannot ping the IP address of the neighbour, and the MSAN also can't see the MAC address of the router. Note that the interface on the MSAN and on the router is UP / UP.
    Can anybody help me?

    Hi,
    An Ethernet interface will always be up/up; it goes down only if there is a problem between the given port and the connected one. The issue can be anywhere else in the middle.

  • LAN and WAN share the same MAC address -- could this be a security issue?

    When I bought the AEBS(n), I was a bit surprised to see only one ethernet MAC address listed (on bottom of unit, or was it in config utility?), in addition to wireless MAC. My main router has two ethernet MACs.
    So last night, I investigated. I confirmed my suspicion that both the WAN port and the LAN ports share the same MAC address! My setup has the AEBS WAN port plugged into my home LAN's main router, and a Linux machine plugged into a LAN port of the AEBS.
    View of AEBS WAN side (from main router at 192.168.1.1)
    ii# arp
    Seconds IP Address MAC Address
    734 66.130.224.1 001120A87AF5 -- ISP router
    789 192.168.1.21 0016CBC430A6 -- AEBS WAN port
    28 192.168.1.33 0010DC47DC53 -- home PC
    824 192.168.1.73 00065BB2F295 -- work PC
    View of AEBS LAN side (from a Linux box at 10.0.1.41)
    root@LKG7CAE25 # cat /proc/net/arp
    IP address HW type Flags HW address Mask Device
    10.0.1.1 0x1 0x2 00:16:CB:C4:30:A6 * eth0
    10.0.1.1 on the LAN side of AEBS and 192.168.1.21 on the WAN side of the AEBS both use the same MAC address, 00:16:CB:C4:30:A6.
    I tried to provoke some leakage between the two sides (for example with broadcast packets), but haven't been able to do so yet. Perhaps the switch in front of the eth MAC has enough smarts to keep the two subnets separate? Still it sort of worries me, if I used the AEBS as my only router, that both WAN and LAN go through the same ethernet MAC (same h/w). I browsed here but found no discussion on this.
    Comments anyone?

    .... This is why there are separate MAC addresses for ethernet and wireless, they are physically different networks. In the case of the WAN/LAN, both are ethernet-type networks but are physically distinct (this is the purpose of a router like the AEBS), so having the same MAC address on both sides won't cause any sort of collision nor should it be possible to leak across networks. MAC addresses can't be used for routing beyond the physical network.
    If it is indeed two different NICs sharing a single MAC, then indeed it is not an issue as you would never want to connect these two NICs together. But is it really two NICs?
    My worry is that these two subnets are on the same physical network, with some magic going on to keep them separate anyway. Do we have some picture of AEBS internals? Maybe that would answer the question...
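One way to turn the comparison in this thread into a repeatable check, as an added example that is not part of the thread: parse the two ARP listings (the router's `arp` format and Linux `/proc/net/arp`), normalize the MAC formats, and report any address that shows up on both sides other than the router's own. Across a routed boundary that set should be empty, which is the point the reply makes about MACs not crossing the physical network. The sample tables below are constructed, modeled on the post's output with one extra LAN-side entry added so the check has something to find, and `ROUTER_MACS` holds the AEBS address the post observed on both sides.

```python
"""Added example (not from the thread): find MAC addresses that answer ARP on
both sides of a router. The ARP listings below are constructed sample data."""
import re

# Router-side "arp" output (format from the post): Seconds IP MAC [-- comment]
ROUTER_ARP = """\
Seconds IP Address MAC Address
734 66.130.224.1 001120A87AF5 -- ISP router
789 192.168.1.21 0016CBC430A6 -- AEBS WAN port
28 192.168.1.33 0010DC47DC53 -- home PC
824 192.168.1.73 00065BB2F295 -- work PC
"""

# Linux /proc/net/arp from a host on the LAN side. The 10.0.1.5 line is the
# constructed extra entry; 10.0.1.9 is an incomplete (flags 0x0) entry.
LINUX_ARP = """\
IP address HW type Flags HW address Mask Device
10.0.1.1 0x1 0x2 00:16:CB:C4:30:A6 * eth0
10.0.1.5 0x1 0x2 00:10:DC:47:DC:53 * eth0
10.0.1.9 0x1 0x0 00:00:00:00:00:00 * eth0
"""

ROUTER_MACS = {"0016CBC430A6"}   # the router's own address, expected on both sides


def norm(mac: str) -> str:
    """12 uppercase hex digits regardless of separator style."""
    return re.sub(r"[.:\-]", "", mac).upper()


def parse_router_arp(text: str) -> dict:
    """Return {mac: ip} from the 'Seconds IP MAC' listing, skipping the header."""
    entries = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 3 and re.fullmatch(r"[0-9A-Fa-f]{12}", parts[2]):
            entries[norm(parts[2])] = parts[1]
    return entries


def parse_proc_net_arp(text: str) -> dict:
    """Return {mac: ip} from /proc/net/arp, ignoring incomplete entries (flags 0x0)."""
    entries = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4 and parts[2] != "0x0":
            entries[norm(parts[3])] = parts[0]
    return entries


def cross_segment_macs(wan: dict, lan: dict, router_macs=ROUTER_MACS) -> dict:
    """MACs present in both tables, excluding the router's own interfaces.

    Across a routed boundary this should be empty; any entry means the two
    segments share a broadcast domain (or a host is presenting a cloned MAC)."""
    shared = (set(wan) & set(lan)) - {norm(m) for m in router_macs}
    return {m: (wan[m], lan[m]) for m in sorted(shared)}


if __name__ == "__main__":
    wan, lan = parse_router_arp(ROUTER_ARP), parse_proc_net_arp(LINUX_ARP)
    print(cross_segment_macs(wan, lan))
```

The constructed 10.0.1.5 entry is the kind of result that would actually matter: the home PC's MAC answering ARP on the LAN side would mean the two segments are bridged at layer 2, whereas the router's own MAC appearing on both sides is just two interfaces of one device and by itself says nothing about leakage.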

  • 802.1X and per user vlan

    hi all,
    I would like to know if I can assign one user to a VLAN with 802.1X in a wireless environment.
    If yes, do I need a particular RADIUS server, or is this feature "basic" on IAS, ACS, Meetinghouse, Funk...?
    Can I have a VLAN authentication policy (i.e. VLAN 2 no authentication, VLAN 3 EAP-MD5)?
    Can I authenticate user1 on domain1 and user2 on domain2 on the same AP with a RADIUS server such as IAS, ACS or other?
    Thanks

    I'll take a stab at some of this...
    I have per-user VLANs set up on my 1220 APs and am using 2003 server IAS for the RADIUS server. I also had it working on 2000 server.
    I have one VLAN with no authentication and others for my users that do authenticate. They are authenticating using MS PEAP and UN/PW combo.
    Here is a link on VLANs for the VxWorks series of APs
    http://www.cisco.com/en/US/customer/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html
    This one is for IOS (looks new, I haven't read it yet..)
    http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
    Finally another link -
    http://www.cisco.com/en/US/customer/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    I am not sure about the different user/domain combos since I only have one domain here. There are also some good posts in this forum, do a search for per user vlan, etc.
    Good Luck.
    Don

  • LWAPP's losing names and showing up as default MAC address's

    I have been having random LWAPPs that were configured previously showing up with their original names as if they were just installed (APxxx:xxxx:xxxx). I know this because the location field is the location where they are, and the AP group name is also set to the location they are in. What would cause this?
    WLC = 7.0.98.0
    AP = 1142n 12.4(23c)JA
    This problem is here and there...it is happening to about 5 percent of my overall APs.

    AP event log from controller:
    AP event log download completed.
    ======================= AP Event log Contents =====================
    *Mar 1 00:15:54.702: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C4506-E (5475.d01d.8052)
    *Mar 1 00:16:02.966: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Aug 30 19:37:23.001: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Aug 30 19:37:23.001: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.200.1.10 peer_port: 5246
    *Aug 30 19:37:23.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Aug 30 19:37:23.734: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.200.1.10 peer_port: 5246
    *Aug 30 19:37:23.734: %CAPWAP-5-SENDJOIN: sending Join Request to 10.200.1.10
    *Aug 30 19:37:23.734: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Aug 30 19:37:23.751: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE
    *Aug 30 19:38:04.730: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C4506-E (5475.d01d.8052)
    *Aug 30 19:38:12.291: *** Access point reloading. Reason: NEW IMAGE DOWNLOAD ***
    *Aug 30 19:38:12.292: %SYS-4-PUPDATECLOCK: Periodic Clock update with ROMMON failed, because size left in ROMMON (4294967295),
    *Mar 1 00:15:54.161: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar 1 00:15:54.184: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar 1 00:15:54.191: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar 1 00:15:55.155: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Mar 1 00:15:55.176: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar 1 00:16:02.982: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Aug 30 19:39:56.001: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Aug 30 19:39:56.001: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.200.1.10 peer_port: 5246
    *Aug 30 19:39:56.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Aug 30 19:39:56.744: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.200.1.10 peer_port: 5246
    *Aug 30 19:39:56.744: %CAPWAP-5-SENDJOIN: sending Join Request to 10.200.1.10
    *Aug 30 19:39:56.744: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Aug 30 19:39:56.940: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *Aug 30 19:39:57.047: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Aug 30 19:39:57.051: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
    *Aug 30 19:39:57.052: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Aug 30 19:39:57.252: %LWAPP-3-CLIENTEVENTLOG: Received AP Syslog IP Address(255.255.255.255) configuration.
    *Aug 30 19:39:57.258: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller Wism-Slot1Proc1
    *Aug 30 19:39:57.263: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Aug 30 19:39:57.263: %LWAPP-3-CLIENTEVENTLOG: SSID RPS added to the slot[0]
    *Aug 30 19:39:57.264: %LWAPP-3-CLIENTEVENTLOG: SSID RPS-GUEST added to the slot[0]
    *Aug 30 19:39:57.264: %LWAPP-3-CLIENTEVENTLOG: SSID ILOVEDOGS added to the slot[0]
    *Aug 30 19:39:57.265: %LWAPP-3-CLIENTEVENTLOG: SSID RPS added to the slot[1]
    *Aug 30 19:39:57.284: %DOT11-4-NO_HT: Interface Dot11Radio1, Mcs rates disabled on vlan 2 due to not using AES encryption or en
    *Aug 30 19:39:57.287: %DOT11-4-NO_HT: Interface Dot11Radio0, Mcs rates disabled on vlan 2 due to not using AES encryption or en
    *Aug 30 19:39:57.287: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Aug 30 19:39:57.287: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Aug 30 19:39:57.287: %LWAPP-3-CLIENTEVENTLOG: SSID RPS-GUEST added to the slot[1]
    *Aug 30 19:39:57.287: %LWAPP-3-CLIENTEVENTLOG: SSID ILOVEDOGS added to the slot[1]
    *Aug 30 19:39:57.297: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Aug 31 02:29:15.271: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Aug 31 02:29:15.324: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Aug 31 02:29:15.327: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Aug 31 02:29:15.411: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Aug 31 03:34:40.892: *** Access point reloading. Reason: Recvd RESET req from Controller ***
    *Mar 1 00:15:55.598: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar 1 00:15:55.622: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar 1 00:15:55.630: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar 1 00:15:56.594: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Mar 1 00:15:56.616: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar 1 00:16:02.969: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Aug 31 03:33:11.001: %CAPWAP-3-ERRORLOG: Selected MWAR 'RPS-5508-2'(index 0).
    *Aug 31 03:33:11.001: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Aug 31 03:33:11.001: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.200.1.21 peer_port: 5246
    *Aug 31 03:33:11.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Aug 31 03:33:11.842: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.200.1.21 peer_port: 5246
    *Aug 31 03:33:11.842: %CAPWAP-5-SENDJOIN: sending Join Request to 10.200.1.21
    *Aug 31 03:33:11.842: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Aug 31 03:33:11.975: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *Aug 31 03:33:12.100: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Aug 31 03:33:12.104: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
    *Aug 31 03:33:12.105: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Aug 31 03:33:12.312: %LWAPP-3-CLIENTEVENTLOG: Received AP Syslog IP Address(255.255.255.255) configuration.
    *Aug 31 03:33:12.318: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller RPS-5508-2
    *Aug 31 03:33:12.322: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Aug 31 03:33:12.322: %LWAPP-3-CLIENTEVENTLOG: SSID RPS added to the slot[0]
    *Aug 31 03:33:12.324: %LWAPP-3-CLIENTEVENTLOG: SSID RPS-GUEST added to the slot[0]
    *Aug 31 03:33:12.324: %LWAPP-3-CLIENTEVENTLOG: SSID RPS added to the slot[1]
    *Aug 31 03:33:12.324: %LWAPP-3-CLIENTEVENTLOG: SSID RPS-GUEST added to the slot[1]
    *Aug 31 03:33:12.342: %DOT11-4-NO_HT: Interface Dot11Radio1, Mcs rates disabled on vlan 1 due to not using AES encryption or en
    *Aug 31 03:33:12.346: %DOT11-4-NO_HT: Interface Dot11Radio0, Mcs rates disabled on vlan 1 due to not using AES encryption or en
    *Aug 31 03:33:12.346: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Aug 31 03:33:12.346: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Aug 31 03:33:12.354: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Aug 31 03:36:11.493: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Aug 31 03:36:11.503: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Aug 31 03:51:52.242: %CAPWAP-5-CHANGED: CAPWAP changed state to DOWN
    *Aug 31 03:51:52.336: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Aug 31 03:51:52.342: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Aug 31 03:51:52.345: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
    *Aug 31 03:51:52.346: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Aug 31 03:51:52.346: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Aug 31 03:51:52.346: %LWAPP-3-CLIENTEVENTLOG: SSID RPS added to the slot[0]
    *Aug 31 03:51:52.346: %LWAPP-3-CLIENTEVENTLOG: SSID RPS added to the slot[1]
    *Aug 31 03:51:52.347: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Aug 31 03:51:52.347: %LWAPP-3-CLIENTEVENTLOG: SSID RPS-GUEST added to the slot[0]
    *Aug 31 03:51:52.347: %LWAPP-3-CLIENTEVENTLOG: SSID RPS-GUEST added to the slot[1]
    *Aug 31 03:51:52.370: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Aug 31 03:51:52.370: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Aug 31 03:51:52.379: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Aug 31 03:52:02.470: *** Access point reloading. Reason: Recvd RESET req from Controller ***
    *Mar 1 00:15:52.829: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar 1 00:15:52.853: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar 1 00:15:52.860: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar 1 00:15:52.960: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Mar 1 00:15:52.963: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar 1 00:16:02.966: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Apr 20 11:02:16.001: %CAPWAP-3-ERRORLOG: Selected MWAR 'RPS-5508-2'(index 0).
    *Apr 20 11:02:16.001: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Apr 20 11:02:16.001: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.200.1.21 peer_port: 5246
    *Apr 20 11:02:16.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Apr 20 11:02:16.991: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.200.1.21 peer_port: 5246
    *Apr 20 11:02:16.991: %CAPWAP-5-SENDJOIN: sending Join Request to 10.200.1.21
    *Apr 20 11:02:16.991: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Apr 20 11:02:17.279: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *Apr 20 11:02:17.459: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 20 11:02:17.463: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
    *Apr 20 11:02:17.463: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 20 11:02:17.549: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller RPS-5508-2
    *Apr 20 11:02:17.556: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Apr 20 11:02:17.556: %LWAPP-3-CLIENTEVENTLOG: SSID RPS added to the slot[0]
    *Apr 20 11:02:17.582: %DOT11-4-NO_HT: Interface Dot11Radio0, Mcs rates disabled on vlan 1 due to not using AES encryption or en
    *Apr 20 11:02:17.583: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Apr 20 11:02:17.583: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 20 11:02:17.583: %LWAPP-3-CLIENTEVENTLOG: SSID RPS-GUEST added to the slot[0]
    *Apr 20 11:02:17.583: %LWAPP-3-CLIENTEVENTLOG: SSID RPS added to the slot[1]
    *Apr 20 11:02:17.583: %LWAPP-3-CLIENTEVENTLOG: SSID RPS-GUEST added to the slot[1]
    *Apr 20 11:02:17.591: %DOT11-4-NO_HT: Interface Dot11Radio1, Mcs rates disabled on vlan 1 due to not using AES encryption or en
    *Apr 20 11:02:17.591: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 20 13:10:23.885: *** Access point reloading. Reason: Recvd RESET req from Controller ***
    *Mar 1 00:15:54.051: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar 1 00:15:54.075: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar 1 00:15:54.082: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar 1 00:15:55.045: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Mar 1 00:15:55.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar 1 00:16:02.971: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Apr 20 13:11:59.001: %CAPWAP-3-ERRORLOG: Selected MWAR 'RPS-5508-2'(index 0).
    *Apr 20 13:11:59.001: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Apr 20 13:11:59.001: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.200.1.21 peer_port: 5246
    *Apr 20 13:11:59.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *Apr 20 13:11:59.836: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.200.1.21 peer_port: 5246
    *Apr 20 13:11:59.836: %CAPWAP-5-SENDJOIN: sending Join Request to 10.200.1.21
    *Apr 20 13:11:59.836: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *Apr 20 13:11:59.965: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *Apr 20 13:12:00.090: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 20 13:12:00.095: %CAPWAP-5-CHANGED: CAPWAP changed state to UP
    *Apr 20 13:12:00.095: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 20 13:12:00.183: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller RPS-5508-2
    *Apr 20 13:12:00.196: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Apr 20 13:12:00.196: %LWAPP-3-CLIENTEVENTLOG: SSID RPS added to the slot[0]
    *Apr 20 13:12:00.196: %LWAPP-3-CLIENTEVENTLOG: SSID RPS-GUEST added to the slot[0]
    *Apr 20 13:12:00.196: %LWAPP-3-CLIENTEVENTLOG: SSID RPS added to the slot[1]
    *Apr 20 13:12:00.196: %LWAPP-3-CLIENTEVENTLOG: SSID RPS-GUEST added to the slot[1]
    *Apr 20 13:12:00.217: %DOT11-4-NO_HT: Interface Dot11Radio1, Mcs rates disabled on vlan 1 due to not using AES encryption or en
    *Apr 20 13:12:00.223: %DOT11-4-NO_HT: Interface Dot11Radio0, Mcs rates disabled on vlan 1 due to not using AES encryption or en
    *Apr 20 13:12:00.223: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Apr 20 13:12:00.223: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Apr 20 13:12:00.229: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Apr 20 14:20:10.592: %CAPWAP-3-ERRORLOG: Received a upload request from controller for event log buffer

  • 802.1x and 7960's

    Hello there,
    I am having an issue with 7960/7940 phones and their connected PCs authenticating with 802.1x.  I read a post that an individual had in 2009 but it doesn't quite describe the situation I'm having and cannot figure out.  I know that the 7940 and 7960 phones have to be at version 8.1(1) in order to work with 802.1x; our phones are running at version 8.1(SR2) so, according to Cisco, they should work.  The problem I'm having is that the port on the switch gets thrown into an err-disabled state.  Once I bounce the port, the phone will authenticate but the associated PC will not, even though both the phone and the PC are configured correctly in the NPS server and in AD.  If I force the PC to authenticate to the user VLAN, the PC will authenticate but the phone will not.  Each device will authenticate independently if they are separated on the network.
    The only way I can avoid this situation is if I put on the switch the following band-aid: errdisable recovery cause security-violation, or I remove 802.1x completely.  I tried putting the errdisable recovery command on a bunch of switches and that caused the trunk ports and the ports that wanted to go into errdisable mode to start flapping and almost brought down the network soooo, I took it off.
    The switches we use are 3750Gs or 3750V2s running ipservicesk9 images.  I'm attaching the configurations we use.
    I appreciate any insight into this maddening problem that just won't go away.
    I should also note that it is not ALL of our 7940/7960 phones that do this.
    Thanks,
    Kiley
    interface FastEthernetx/x/x
     switchport access vlan 666
     switchport mode access
     switchport voice vlan 667
     authentication event fail retry 1 action authorize vlan 666
     authentication event server dead action authorize vlan 666
     authentication event no-response action authorize vlan 666
     authentication host-mode multi-domain
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     mab
     dot1x pae authenticator
     spanning-tree portfast
     spanning-tree bpdufilter enable
     spanning-tree bpduguard enable
    end
    show mac address-table int fax/x/x
              Mac Address Table
    Vlan    Mac Address       Type        Ports
      xx    xxxx.xxxx.e9f1    STATIC      Fax/x/x --> phone
     666    xxxx.xxxx.2681    DYNAMIC     Drop --> pc

    Leo,
    the IOS is: 15.0(2)SE2. This particular user is on a 3750V2-48PS
    #sho mac address-table int fax/x/x
    Mac Address Table
    Vlan      Mac Address                Type     Ports
    90         xxxx.xxxx.a712             STATIC x/x/x
    #sh authentication sessions int x/x/x
    Interface: x/x/x
    MAC Address: xxxx.xxxx.0727
    IP Address: Unknown
    User-Name: xxxxxxxx0727
    Status: Running
    Domain: UNKNOWN
    Security Policy: Should Secure
    Security Status: Unsecure
    Oper host mode: multi-domain
    Oper control dir: both
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: 0000000000000C9E982BA216
    Acct Session ID: 0x00005E48
    Handle: 0x84000C9F
    Runnable methods list:
    Method State
    mab Failed over
    dot1x Running
    Interface: x/x/x
    MAC Address: xxxx.xxxx.a712
    IP Address: Unknown
    User-Name: xxxxxxxxa712
    Status: Authz Success
    Domain: DATA
    Security Policy: Should Secure
    Security Status: Unsecure
    Oper host mode: multi-domain
    Oper control dir: both
    Authorized By: Authentication Server
    Vlan Policy: 90
    Session timeout: 3600s (local), Remaining: 3571s
    Timeout action: Reauthenticate
    Idle timeout: N/A
    Common Session ID: 0000000000000C9F982BB8FD
    Acct Session ID: 0x00005E49
    Handle: 0xD4000CA0
    Runnable methods list:
    Method State
    mab Authc Success
    dot1x Not run
    #show mac address-table  int  x/x/x
              Mac Address Table
    Vlan    Mac Address       Type        Ports
      90    xxxx.xxxx.a712    STATIC      x/x/x – phone; should be in different vlan
      90    xxxx.xxxx.0727    DYNAMIC     Drop – pc; is in correct vlan
    Total Mac Addresses for this criterion: 2
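As an added example (not part of Kiley's post or of IOS), the parser below reads `show authentication sessions interface` output of the shape shown above into one record per session and flags the two things visible in this output: a session that never reached `Authz Success` (here the PC, with `mab Failed over` and `dot1x Running`) and a known phone MAC that was authorized into the DATA domain rather than VOICE. The sample text is constructed, with made-up MAC addresses, interface name and session IDs, and trimmed to the fields the parser uses.

```python
"""Added example (not from the post or IOS): parse `show authentication sessions
interface` output and flag the sessions worth a second look."""

# Constructed sample modeled on the output in the post. MAC addresses, the
# interface name and the session IDs are made up; unused fields were trimmed.
SAMPLE = """\
Interface: Gi1/0/5
MAC Address: 0011.2233.0727
IP Address: Unknown
User-Name: 001122330727
Status: Running
Domain: UNKNOWN
Oper host mode: multi-domain
Common Session ID: 0000000000000001AAAA0001
Runnable methods list:
Method State
mab Failed over
dot1x Running
Interface: Gi1/0/5
MAC Address: 0011.2233.a712
IP Address: Unknown
User-Name: 00112233a712
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Authorized By: Authentication Server
Vlan Policy: 90
Session timeout: 3600s (local), Remaining: 3571s
Common Session ID: 0000000000000001AAAA0002
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
"""


def parse_sessions(text: str) -> list:
    """Split the output into one dict per session; method states go under 'methods'."""
    sessions, cur, in_methods = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface:"):          # each session starts here
            cur = {"methods": {}}
            sessions.append(cur)
            in_methods = False
        if cur is None:
            continue                               # text before the first session
        if line == "Runnable methods list:":
            in_methods = True
            continue
        if in_methods:
            if line != "Method State":             # skip the column header
                method, _, state = line.partition(" ")
                cur["methods"][method] = state.strip()
            continue
        key, _, value = line.partition(":")        # "Key: value" rows
        cur[key.strip()] = value.strip()
    return sessions


def triage(sessions: list, known_phones=frozenset()) -> list:
    """Return (mac, finding) pairs. known_phones: lowercase dotted MACs of IP phones
    (an assumption supplied by the caller, e.g. from the phone inventory)."""
    findings = []
    for s in sessions:
        mac = s.get("MAC Address", "?")
        m = s["methods"]
        if s.get("Status") != "Authz Success":
            findings.append((mac, f"not authorized: status={s.get('Status')}, "
                                  f"mab={m.get('mab')}, dot1x={m.get('dot1x')}"))
        if mac.lower() in known_phones and s.get("Domain") != "VOICE":
            findings.append((mac, f"phone authorized into {s.get('Domain')} domain "
                                  f"(Vlan Policy {s.get('Vlan Policy')}), expected VOICE"))
    return findings


if __name__ == "__main__":
    for mac, finding in triage(parse_sessions(SAMPLE), known_phones={"0011.2233.a712"}):
        print(mac, "-", finding)
```

On a multi-domain port the switch places a device in the VOICE domain only when the RADIUS server returns the Cisco AV pair `device-traffic-class=voice`; without it the phone is authorized as a DATA host (the `Vlan Policy: 90` above), and a second DATA host on the same port is then a security violation, which is consistent with the errdisable cause and the PC's `Drop` entry described in the post. The second check in `triage` is therefore the one to run first when a phone shows `Domain: DATA`.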

  • Windows 7-8.1 Can not change the MAC Address on wifi and cannot load login page in public HotSpot.

    Adapter: Ralink RT3070 Chipset wifi adapter
    Tested: os Windows 8.1 Professional
    Hot Spot: 802.11b
    The first problem: Windows 7-8.1 gets an IP address and connects to the public hotspot, but cannot load the login page or any other page. It does not work with it.
    The second problem: Wifi card/Configure/Advanced has no network address change function. Tested with the default Windows driver and the Ralink RT3070 driver, the same problem. On Windows XP the same function with the same driver works perfectly.
    Multiple users have expressed interest in the problem, but Microsoft has not corrected the problem in Windows 7, 8.1, 10?
    lizardsystems.com/wiki/change_mac_address/faq/change_mac_address_in_windows_7
    blog.technitium.com/2011/05/tmac-issue-with-wireless-network.html
    superuser.com/questions/519189/how-to-change-the-mac-address-in-win-8-to-spoof-a-roku-player-through-a-wifi-spl
    social.technet.microsoft.com/Forums/windows/en-US/59e07df3-471c-499e-ad5f-e7cb507595df/cannot-change-mac-address-in-windows-7-driver-has-option-doesnt-work-neither-does-regedit-ms?forum=w7itpronetworking
    networksteve.com/windows/topic.php/CANNOT_CHANGE_WIRELESS_%28SPOOF%29_MAC_ADDRESS_ON_WINDOWS_7/?TopicId=16810&Posts=1
    On Windows XP or Linux the MAC address change function allows a 00 MAC address and any other normal MAC address range. On Windows 8.1 all MAC changer programs don't work. These 2, 6, A, E in the second address digit are not valid MAC addresses. You simply cannot use normal MAC addresses on Windows 8.1. When I connect the USB adapter, the Windows 8.1 PC recognizes the adapter, but the default driver and the downloaded Ralink driver have the same problem. On Windows XP the current driver works perfectly, has the (Local MAC Network Address) function and works with the 802.11b hotspot. I get internet on my PC and laptop from public hotspots and other wifi hotspots too; if it won't work correctly I cannot use Windows 7, 8, 8.1 or 10. Many users have expressed interest in the problem on more forums.
    The 3rd problem: I tested Windows 7 and 8.1 in VirtualBox; on 8.1 (on the blue wifi platform) it does not show the signal strength correctly. On Windows 7 it shows this correctly. In Windows 7-8.1 Configure/Advanced, the advanced options on the Ralink 3070 with the default (Windows) driver are somehow downgraded; the functionality is less than for XP. Configure/Advanced, the advanced options, needs to be upgraded in the future, because it did not advance but rather regressed.
    Today this wifi technology is very common and increasingly used (hotels, public hotspots, internet cafés), with growing free public wifi projects. The wifi functions on Windows need debugging and modernizing. The quality of Wi-Fi is now a matter of the operating system; if it is not good, then the operating system is unusable.

    Hi,
    Changing the MAC address in Windows 7 is designed with some limitations; we cannot get over them. Thanks for your understanding.
    Under Windows 7, the possible range of spoofed addresses for wireless adapters that can be set is limited.  To be used by Windows 7, a spoofed MAC address should have 0 as the least significant bit (unicast) and 1 as the second least significant bit (locally administered) in the second nibble.  Thus possible values for the second nibble are limited to 2, 6, A and E.
    In other words 
    MAC address:  “XY-XX-XX-XX-XX-XX” “X” can be anything hexadecimal.  The hexadecimal “Y”, written in binary format, is  Y:  “kmnp”,  where “p” is the least significant bit; 
    p=0 --> unicast;
    p=1 --> multicast;
    n=0 --> globally assigned MAC;
    n=1 --> locally administered;
    So, actually MAC can be changed  to any combination in which p=0 and n=1;
    “Y” can be 2, 6, A or E.
    So the possible MAC addresses in Windows 7 for wireless adapters:
    X2-XX-XX-XX-XX-XX
    X6-XX-XX-XX-XX-XX
    XA-XX-XX-XX-XX-XX
    XE-XX-XX-XX-XX-XX
    For the wifi hotspot issue, please check this blog to see if it can be helpful.
    Windows 7 Connectivity Problems in Public Hotspots
    http://blogs.technet.com/b/patrickr/archive/2010/07/28/windows-7-connectivity-problems-in-public-hotspots.aspx
    Kate Li
    TechNet Community Support
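The bit rule Kate describes can be checked mechanically rather than by remembering the four digits. The example below is added here and is not Microsoft's or the post's code: it reads the I/G (multicast) and U/L (locally administered) bits of the first octet, derives the allowed second-nibble set {2, 6, A, E} from that rule instead of hard-coding it, and also shows the use a network defender has for the same bit, which is picking locally administered addresses out of a list of MACs seen in MAB or 802.1X logging. The MAC addresses in the usage are constructed.

```python
"""Added example (not from the post or Microsoft): classify a MAC address by the
two flag bits of its first octet and apply the Windows 7 wireless rule."""
import re


def first_octet(mac: str) -> int:
    """First byte of a MAC given in colon, hyphen, Cisco dotted or bare form."""
    digits = re.sub(r"[.:\-\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits[:2], 16)


def classify(mac: str) -> dict:
    """I/G bit (p in the post's notation) and U/L bit (n in the post's notation)."""
    octet = first_octet(mac)
    return {
        "multicast": bool(octet & 0x01),              # p = 1 -> group/multicast
        "locally_administered": bool(octet & 0x02),   # n = 1 -> locally administered
    }


def accepted_by_windows7_wifi(mac: str) -> bool:
    """The constraint the post describes: unicast AND locally administered."""
    flags = classify(mac)
    return (not flags["multicast"]) and flags["locally_administered"]


def second_nibble_values_allowed() -> list:
    """Derive the set the post lists (2, 6, A, E) from the bit rule."""
    return sorted(f"{y:X}" for y in range(16) if (y & 0x1) == 0 and (y & 0x2))


def locally_administered(macs) -> list:
    """Filter for NAC/MAB logs: addresses set by software (OS randomization or a
    manual change) rather than burned in by the vendor."""
    return [m for m in macs if classify(m)["locally_administered"]]


if __name__ == "__main__":
    # constructed sample addresses
    for mac in ("02-11-22-33-44-55", "00-11-22-33-44-55", "03-11-22-33-44-55"):
        print(mac, classify(mac), "accepted:", accepted_by_windows7_wifi(mac))
    print("allowed second nibbles:", second_nibble_values_allowed())
```

A locally administered address means the MAC was set by software, so a MAC-based policy such as MAB should treat such addresses as low-assurance identities; conversely, a globally assigned MAC only means a vendor burned it in, not that the device is the one the database expected, since the bit is just another value the software can set.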

  • ACS v4.1 PEAP and MAC Address Validation

    I would like to authenticate to a ACS server via both 802.1x (PEAP) and to also validate the MAC Address of the user. Can both of these be done? I have 802.1x (PEAP) working to the ACS and Active Directory but now I would like to add the MAC Address of the laptops. Can I use Network Access Profiles and add the MAC-address under MAC-Authentication bypass?
    Your assistance is appreciated.

    I seem to have figured my way out of this. The reason for the short dot1x timer is that we are using MAB to authenticate the client MAC, so we actually WANT the dot1x authentication to timeout as quickly as possible for the secondary (MAB) authentication to execute.
    I'm also suffering from the age-old problem of interpreting the logic of a config originally implemented by someone else. I'm wondering if all the dot1x commands we have are actually necessary in our situation.
    What I have found when comparing new switches to old is that on the 3750s, show authentication sessions for an interface only shows mab as a runnable method, while on the 3850s it lists dot1x, mab and webauth (in that order). Using authentication order mab and authentication priority mab on an interface of the 3850 seems to do the trick. With debug mab turned on you can see the mab authentication working and the switch then allows the interface to pass traffic. Just as importantly, it blocks the port if I try using a client whose MAC is not in the ACS database.
    Appreciate your help.

  • A mac address for a Vlan

    Could someone please tell me if a mac address is getting created as a result of creating a layer 2 Vlan?
    Thanks..

    Just tested this on a Cisco 3750 on my desk.
    I had VLAN 1 Shutdown.
    I did a show mac-address-table and there was no MAC for Vlan 1.
    I unshut the VLAN 1 interface (no IP configured on it) and now there IS a mac-address entry in my table.
    Understand that this is different than just adding say VLAN 10 to your vlan database or something like that.
    If all you did was add a VLAN (i.e., not a virtual interface) to your vlan config then it will NOT create a mac-address entry.
    However, if you create an interface, it will.
    So the answer to your question is, it depends on what you are trying to do.
    Hope that helps!
    James

  • Cat 2960 shows mac address port as "Drop"

    Hi all
    I am configuring a Cat 2960 port for connecting a VOIP phone, authenticated by MAB. On connecting the phone, I get the port authenticated and assigned to the correct VLAN, with LLDP-MED advertising the correct voice vlan. However, I then see no traffic from the phone on the switch. I can see the MAC address of the phone is learned in the right VLANs, but the mac address is showing as "Drop", which normally means the address is statically configured to be blocked. There is no static mac address table blocking configured on the switch. Can anyone suggest why this is happening?
    Switch Version
    Switch Ports Model              SW Version            SW Image
    *    1 50    WS-C2960-48TC-L    15.0(1)SE3            C2960-LANBASEK9-M
    Port configuration
    interface FastEthernet0/1
    description "Standard user port"
    switchport access vlan 9
    switchport mode access
    network-policy 1
    no logging event link-status
    srr-queue bandwidth share 5 10 40 55
    priority-queue out
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication timer reauthenticate server
    mab eap
    mls qos trust dscp
    no snmp trap link-status
    macro description vanilla_port
    dot1x pae authenticator
    dot1x timeout tx-period 3
    dot1x timeout supp-timeout 3
    spanning-tree portfast
    end
    LLDP-MED network-policy
    network-policy profile 1
    voice vlan 835
    Authentication (debug radius) result
    Jul 30 11:42:19.600: %AUTHMGR-5-START: Starting 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
    Jul 30 11:42:19.650: %MAB-5-SUCCESS: Authentication successful for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
    Jul 30 11:42:19.650: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
    Jul 30 11:42:20.682: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
    Resulting Switchport config - voice vlan is 835
    CLBdg640Test-AS2960-0#show int fa0/1 switchport
    Name: Fa0/1
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off
    Access Mode VLAN: 9 (NATIVE-DISCARD)
    Trunking Native Mode VLAN: 1 (default)
    Administrative Native VLAN tagging: enabled
    Voice VLAN: 835 (VOICE)
    Administrative private-vlan host-association: none
    Administrative private-vlan mapping: none
    Administrative private-vlan trunk native VLAN: none
    Administrative private-vlan trunk Native VLAN tagging: enabled
    Administrative private-vlan trunk encapsulation: dot1q
    Administrative private-vlan trunk normal VLANs: none
    Administrative private-vlan trunk associations: none
    Administrative private-vlan trunk mappings: none
    Operational private-vlan: none
    Trunking VLANs Enabled: ALL
    Pruning VLANs Enabled: 2-1001
    Capture Mode Disabled
    Capture VLANs Allowed: ALL
    Protected: false
    Unknown unicast blocked: disabled
    Unknown multicast blocked: disabled
    Appliance trust: none
    LLDP neighbor info showing voice vlan 835
    CLBdg640Test-AS2960-0#sh lldp neighbors fa0/1 detail
    Chassis id: 0.0.0.0
    Port id: 0004.f297.6668
    Port Description - not advertised
    System Name - not advertised
    System Description - not advertised
    Time remaining: 3558 seconds
    System Capabilities: T
    Enabled Capabilities: T
    Management Addresses - not advertised
    Auto Negotiation - supported, enabled
    Physical media capabilities:
        100base-T2(HD)
        100base-TX(FD)
        100base-T4
        10base-T(FD)
    Media Attachment Unit type - not advertised
    Vlan ID: - not advertised
    MED Information:
        MED Codes:
              (NP) Network Policy, (LI) Location Identification
              (PS) Power Source Entity, (PD) Power Device
              (IN) Inventory
        Inventory information - not advertised
        Capabilities: NP
        Device type: Endpoint Class III
        Network Policy(Voice): VLAN 835, tagged, Layer-2 priority: 5, DSCP: 46
        PD device, Power source: PSE, Power Priority: High, Wattage: 6.5
        Location - not advertised
    Total entries displayed: 1
    MAC address table showing "Drop" port for learned address in VLAN 835
    CLBdg640Test-AS2960-0#sh mac address-table address 0004.f297.6668
              Mac Address Table
    Vlan    Mac Address       Type        Ports
       9    0004.f297.6668    STATIC      Fa0/1
    835    0004.f297.6668    DYNAMIC     Drop
    Total Mac Addresses for this criterion: 2

    Thanks for updating the problem raarons!
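    As an added example (not from the thread's author or from Cisco), a small parser for the %AUTHMGR/%MAB syslog lines quoted above: it groups lines by AuditSessionID, records which method ran and whether authentication and authorization both succeeded, and cross-checks MAB successes against a MAC inventory like the one the original question wants to build. The sample log is constructed from the four lines in the thread plus a second, invented session that fails MAB.

```python
import re
from collections import defaultdict

# Constructed sample: the four lines quoted in the thread plus one invented failing session.
SAMPLE_LOG = """\
Jul 30 11:42:19.600: %AUTHMGR-5-START: Starting 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:19.650: %MAB-5-SUCCESS: Authentication successful for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:19.650: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:42:20.682: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0004.f297.6668) on Interface Fa0/1 AuditSessionID 0AF0042200000063616A0592
Jul 30 11:43:01.100: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Fa0/2 AuditSessionID 0AF0042200000064616A0777
Jul 30 11:43:01.150: %MAB-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Fa0/2 AuditSessionID 0AF0042200000064616A0777
"""

# One regex covers START, RESULT, SUCCESS and FAIL lines: everything before "for client" is free text.
LINE_RE = re.compile(
    r"%(?P<facility>[A-Z]+)-\d-(?P<mnemonic>[A-Z_]+): (?P<text>.*?) for client "
    r"\((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)

def summarize_sessions(log: str) -> dict:
    """Group auth-manager lines by AuditSessionID and record what happened in each session."""
    sessions = defaultdict(lambda: {"mac": None, "interface": None, "methods": set(),
                                    "authenticated": False, "authorized": False})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions[m["sid"]]
        s["mac"], s["interface"] = m["mac"], m["intf"]
        # method names appear as "Starting 'mab'" or "from 'mab'"
        s["methods"].update(re.findall(r"(?:Starting|from) '(\w+)'", m["text"]))
        key = (m["facility"], m["mnemonic"])
        if key == ("MAB", "SUCCESS") or (key == ("AUTHMGR", "RESULT") and "'success'" in m["text"]):
            s["authenticated"] = True
        if key == ("AUTHMGR", "SUCCESS"):   # authorization (VLAN/ACL applied), not just authentication
            s["authorized"] = True
    return dict(sessions)

def mab_not_in_inventory(sessions: dict, known_macs: set) -> list:
    """Detection: sessions where MAB authenticated a MAC that the asset inventory does not list."""
    return sorted(sid for sid, s in sessions.items()
                  if "mab" in s["methods"] and s["authenticated"] and s["mac"] not in known_macs)
```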

  • Hyper-V MAC addresses

    Hi,
    I understand that each Hyper-V node in a cluster will have its own dynamic pool of MAC addresses that should be different between them. When a VM is started on a node it gets a MAC from this pool; if it's moved to another node and restarted it will get a new MAC from the pool on that node. This is a concern for me as I don't want MAC addresses to change when VMs are restarted on different nodes. Besides statically assigning a MAC address to EVERY single VM (which could be a fair few with the amount you can host these days), is there any easier way to ensure that once a VM has a MAC it will always retain that MAC regardless of which node it is restarted on?
    I am running Server 2012 R2 as the hyper-v host if that makes any difference.
    Many thanks
    Steve

    Hi,
    With Hyper-V you can configure a virtual machine to use a dynamic or a static MAC address for any given network adapter.
    The default option is to use a dynamic MAC address, which means that Hyper-V will generate an initial MAC address for the network adapter, and it will regenerate the MAC address if it believes it is necessary.
    If you use static MAC addresses you need to manually specify the MAC address to use, but Hyper-V will never change it.
    More information:
    Hyper-V and Dynamic MAC Address Regeneration
    http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/05/14/hyper-v-and-dynamic-mac-address-regeneration.aspx
    Hope this helps.

  • Maximum MAC address table size

    Hello guys.
    What is the maximum MAC address table size for the Cisco 3750X series switches?

    Scalability Numbers
    MAC, routing, security, and QoS scalability numbers depend on the type template used in the switch. Routing template is not supported in the LAN Base feature set. Table 10 shows Cisco Catalyst 3750-X and 3560-X Series Switch scalability numbers.
    Cisco Catalyst 3750-X and 3560-X Series Switch Scalability Numbers

    | Resource                         | Access | Default | Routing | VLAN |
    |----------------------------------|--------|---------|---------|------|
    | Unicast MAC addresses            | 4K     | 6K      | 3K      | 12K  |
    | IGMP groups and multicast routes | 1K     | 1K      | 1K      | 1K   |
    | Unicast routes                   | 6K     | 8K      | 11K     | 0    |
    | Directly connected hosts         | 4K     | 6K      | 3K      | 0    |
    | Indirect routes                  | 2K     | 2K      | 8K      | 0    |
    | Policy-based routing ACEs        | 0.5K   | 0       | 0.5K    | 0    |
    | QoS classification ACEs          | 0.5K   | 0.5K    | 0.5K    | 0.5K |
    | Security ACEs                    | 2K     | 1K      | 1K      | 1K   |
    | VLANs                            | 1K     | 1K      | 1K      | 1K   |

  • Need to see MAC addresses connected directly to AirpOrt Extreme

    I need to see my MagicJack MAC address so I can reserve it an I.P. address or something.
    Anyone know how to see what MAC addresses are connected? I know how to see which wireless addresses are connected, but not wired ones.
    Thanks.
    Dwaine

    AirPort Utility in Lion does not display MAC address information for connected wired clients. The MAC address for the MagicJack should be on a label on the back or bottom of the device.
    If you are still using Lion, you have the option to download and install AirPort Utility 5.6 for Mac OS X Lion.
    Open AirPort Utility, select the AirPort Extreme and click Manual Setup
    Click directly on Wireless Clients near the bottom of the summary page to see Wireless Clients. Click DHCP Clients to see wired devices.
