802.1x sticky mac address

Hi,
We have a problem with 802.1x configuration via IP Phone.
PC (win7 with certificate)-------IP Phone (7911, 9.2.1s firmware)-----switch (2960, lab base 12.2(58)SE2)
Configuration on the port on the switch:
interface FastEthernet0/3
switchport access vlan 699
switchport mode access
switchport voice vlan 746
switchport port-security maximum 2
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0019.dbdd.42d4
switchport port-security mac-address sticky 001f.ca35.43c4 vlan voice
srr-queue bandwidth share 10 10 60 20
priority-queue out
authentication event fail retry 0 action authorize vlan 357
authentication event server dead action authorize vlan 82
authentication event no-response action authorize vlan 357
authentication event server alive action reinitialize
authentication port-control auto
authentication timer restart 0
mls qos trust device cisco-phone
mls qos trust cos
macro description cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 5
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
After shutting down the PC, the port moves into the dot1x unauthorized state, but it also removes the sticky MAC address from the port configuration! Without the sticky keyword, adding a static MAC address via port security on the port, everything works fine, but I cannot understand why the dot1x port state also removes the sticky MAC address?
Most interesting part is that this is not happening if PC is directly connected to the switch, not via IP Phone.
Any idea?
Thank You in advance

Hi Ted,
802.1X supports port-based authentication only, but you can use it along with port-security to limit the MAC addresses on the ports.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12119ea1/3750scg/sw8021x.htm
HTH,
-amit singh

Similar Messages

  • Sticky Mac Address

    Hey guys.
    I recently started working for a company that has sticky macs configured on their switches. I need to replace a computer so I need to delete old sticky and make a new one.
    Somehow I am stuck because when I try to search for the old MAC, it shows port Po1. How do I find what interface is Po1 connected to and delete the old sticky mac?
    Thank you

    Hello barina001
    By using the below command you can clear the sticky mac address:
    clear port-security sticky interface interface_name WORD
    Regards,
    Mukesh Kumar
    Network Engineer
    Spooster IT Services

  • 802.1x authentication with mac address

    Hi guys,
    there is a strange requirement from one of our customer,
    they want us to do 802.1x with mac address authentication and they dont want the pop-ups which ask
    for username, password and domain.
    is it possible??
    can i avoid popping up the username password with 802.1x and that too with mac address???
    Any help would be greatly appreciated
    Thanks
    Jvalin

    Hi,
    The feature which you are looking for is possible in the case of wired 802.1x. This feature is called MAC-Auth Bypass and is done mostly if the client machine is not 802.1x capable. However, nowadays it is used even if the machine is 802.1x capable. In this, we enter the MAC address of the machine in the user database, e.g. Active Directory. When you connect the client machine to the switch, if we have MAC-Auth Bypass enabled on the port, it would take the MAC address of the machine as the username without any prompt for username and password.
    A Windows server admin can easily push a group policy which disables 802.1x on the client machine, and it would only respond to the MAC-Auth Bypass. But first you would have to make sure your switch has MAC-Auth Bypass in the IOS.
    For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
    Regards,
    Kush

  • Simple : Which src MAC address when WLC bridges 802.11to 802.3 ?

    When a WLC bridges 802.11 to 802.3, after extracting the original 802.11 frame from LWAPP, does it put the 802.11 sender's
    MAC address as the source addr in the new 802.3 frame?
    Or does it put the WLC's AP manager interface ? (Or the WLC's Management Interface) ?
    If you refer to :-
    http://www.cisco.com/en/US/docs/wireless/technology/controller/deployment/guide/dep.html#wp1050985
    One of the bullet points reads :-
    After processing the 802.11 MAC header, the WLC extracts the payload (the IP packet from Host A), encapsulates it into an Ethernet frame, and then forwards the frame onto the appropriate wired network, typically adding an 802.1Q VLAN tag.
    Should it include :-
    and adds the MAC address of the Wireless client as the SOURCE MAC ADDRESS to the outgoing Ethernet Frame??
    Also, will an ARP for a wireless client yield the MAC address of the WLC or the AP???
    Thanks

    It looks like the src address of the original 802.11 client goes to the 802.3 frame as the source.
    So am I correct in thinking that (in a flat topology, no L3 routing) the WLC will appear to an attached switchport as a trunk
    (not necessarily 802.1Q, but usually) with multiple MAC addresses learned from it.
    Any host on the LAN will send a packet for DEST MAC, which will eventually be SWITCHED (via L2 switching), up to the WLC.
    The WLC will then send it over LWAPP to the AP, and the AP will send it to the client.
    But as far as the mac-address-table is concerned of any switch directly attached to the WLC, it will see
    all client MAC addresses for ALL wireless stations for ALL APs... Correct?
    Thanks

  • Windows 2012 r2 802.1X MAC Address bypass configuration

    I am setting up MAB for my environment and I want to make sure I am setting it up correctly, as I see some articles stating there is a reg edit needed and others that don't mention it at all.
    I have Dell PowerConnect switch with 802.1X authentication working for my Domain Computers.
    I now want to allow non-802.1x capable devices to be assigned the correct vlans (Printers, IP Phones, etc).
    I have created a user account in AD for the device, using lowercase MAC Address for the username and password.  
    I have set the switchport to allow MAB
    I have created a NPS Network Policy for one of the devices and assigned the groups it belongs to and set Authentication Method to: Unencrypted (PAP,SPAP).
    I keep receiving this error in the logs "The user attempted to use an authentication method that is not enabled on the matching network policy"
    Does anyone have advice or can direct me to a nice guide/checklist of all the areas that need to be set to allow this to happen?

    You've posted in the Print/Fax forum, but I can see you've also posted in the NAP forum. You'll likely get a better response over there, so maybe you should delete this question in here..
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • 802.1x and wired dynamic vlans on MAC addresses

    Hi All,
    I would like to setup our new offices with dynamic vlans determined by the MAC address of the device connecting. So I need a database of MAC addresses in groups for which vlan they will go in, with separate vlans for printers and servers and computers and BYOD. If this can work for wireless too then even better.
    I've done some reading but am really struggling to find the information I need.
    We have a Windows domain and brand new 3850 Cisco switches.
    Can anyone steer me in the right direction (or tell me how to do it!) please?
    Thanks for reading.

    Hi, 
    So you need to perform MAB authentication. As you mentioned, you will need to create a DB of MAC entries.
    In order to configure the Windows server (2003 or 2008?) to assign the dynamic VLAN you need to define the Remote Access Policies and create the custom attributes. For example:
    Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
    Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned. 
    Tunnel-Type. Select Virtual LANs (VLAN).
    You can find more information here:
    Configure a Network Policy for VLANs
    VLAN Attributes Used in Network Policy
    802.1X Authentication Services Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
    HTH.
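    The three attributes listed above are what the switch actually receives in the RADIUS Access-Accept. The following Python encoder/decoder is an added example for this answer (not code from the thread, from Cisco or from Microsoft): it frames Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID the way RFC 2868 lays them out (the enumerated values 13 for VLAN and 6 for 802 are the ones the answer refers to), and on the receiving side checks that the three belong together before accepting the VLAN number, which is the same consistency check a switch performs before it moves the port. The VLAN number 746 and the tag value are constructed for the example.

```python
"""Encode and validate the RADIUS tunnel attributes used for dynamic VLAN assignment.

Added example for the answer above; attribute numbers and enumerated values are
from RFC 2868 / RFC 3580, the wire layout (Type, Length, Value) from RFC 2865.
"""

# RFC 2868 attribute numbers
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Enumerated values the answer refers to
TUNNEL_TYPE_VLAN = 13        # RFC 3580: "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868: "802 (includes all 802 media plus Ethernet canonical format)"


def _avp(attr_type, value):
    """Frame one attribute as Type(1) Length(1) Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a RADIUS AVP")
    return bytes([attr_type, len(value) + 2]) + value


def vlan_assignment_attributes(vlan_id, tag=1):
    """Return the bytes of Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID
    for one VLAN. All three carry the same tag so the NAS knows they belong together
    (tag 0 means 'untagged'; tags above 0x1F are not allowed by RFC 2868)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    # Tagged integer: one tag byte followed by a 3-byte big-endian value
    tunnel_type = _avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    medium = _avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    # Tagged string: one tag byte followed by the VLAN number in ASCII
    group_id = _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    return tunnel_type + medium + group_id


def _parse_avps(data):
    """Yield (type, value) for each attribute in a RADIUS attribute list."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def decode_vlan_assignment(data):
    """Return the VLAN number if the attribute list carries a consistent VLAN
    assignment (type VLAN, medium 802, matching tags, numeric group id), else None."""
    found = {}
    for attr_type, value in _parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be 4 bytes")
            found[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a first byte above 0x1F is part of the string, not a tag
            if value and value[0] <= 0x1F:
                found[attr_type] = (value[0], value[1:])
            else:
                found[attr_type] = (0, value)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if any(k not in found for k in needed):
        return None
    # All tagged members must share one tag; untagged (0) members match any group
    tags = {found[k][0] for k in needed} - {0}
    if len(tags) > 1:
        return None
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN:
        return None
    if found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    text = found[TUNNEL_PRIVATE_GROUP_ID][1].decode("ascii", "replace")
    if not text.isdigit():
        return None  # a VLAN *name* is also legal here, but only numbers are handled
    vlan = int(text)
    return vlan if 1 <= vlan <= 4094 else None


if __name__ == "__main__":
    attrs = vlan_assignment_attributes(746)   # 746 is a constructed example VLAN
    print(attrs.hex())
    print(decode_vlan_assignment(attrs))
```

    The decoder deliberately returns None rather than a VLAN when the three attributes carry different tags or when Tunnel-Type is not VLAN: a policy that accidentally emits, say, Tunnel-Type = PPTP alongside a group id is the usual reason a port stays in its default VLAN even though the RADIUS server logs a successful Access-Accept.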

  • 802.1x phone with two MAC address

    Hello,
    I have the following scenario: computers are connected behind phones, and phones are authenticating with MAB. The problem is with the phones, because they have two MAC addresses: one is in the voice VLAN and another is in the data VLAN. Both phone and computer are authenticated successfully, but when the switch sees the additional MAC address of the phone in the data VLAN it shuts down the port. Here is a sample configuration:
    interface FastEthernet0/1
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 15
    authentication host-mode multi-domain
    authentication port-control auto
    dot1x pae authenticator
    authentication violation shutdown
    mab
    spanning-tree portfast

    Can you verify if the phone's MAC address is being learned on the data VLAN and the voice VLAN? Because Cisco phones use CDP to discover if a voice VLAN is configured on the switchport before forwarding traffic.
    Please issue a show mac address-table interface x/y after bouncing the port to see what is causing the port to error-disable.
    Also what version of code is running on the switch and phone?
    Thanks

  • WLC+LAP+ACS4.0 achieving 802.1x PEAP and MAC address authentication ?

    How to configure WLC + LAP + ACS4.0, achieving username and password authentication and MAC address at the same time

    This might help with the PEAP:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00807917aa.shtml
    MAC Authentication
    Add a MAC Address to ACS
    Complete these steps:
    1. From the ACS main menu, click on the User Setup button.
    2. In the User text box, enter the MAC address to add to the user database.
    Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.
    3. On the User Setup screen, enter the MAC address in the Secure-PAP password text box.
    Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.
    4. Check the Separate (CHAP/MS-CHAP) box.
    5. Enter a password for CHAP/MS-CHAP (this password should be different from the MAC address).
    6. Click Submit.

  • Airport Express (Model with 802.11G +54MBPS Mac/PC and Set Up Issues

    Hi,
    We have a 4 Mac and 1 PC Household. Cable Internet Service by Roadrunner. Cable modem (owned) connected to a D-Link 802.11G wi-fi router (by ethernet from cable modem) in the family room, then out to an iMac (the half moon base and LCD screen with an airport card, also in the family room and the closest computer to the D-Link
    router, (we did add a D-Link antenna to the router ? about 10 months ago (a D-Link ANT24-0700 (Version 1.2) and a HP 4 in 1 printer attached via USB to the iMac
    , an eMac 1.25 GHz 1GB RAM with airport card also connected wirelessly (no printer attached) on the same floor but in an adjoining room about 20 feet from the Router, and another eMac 1.0 GHz 1GB RAM with airport card in the upstairs part of our house (a bedroom) and no issue with Internet connection (it has an Epson 3 in 1 printer attached via USB), and a MacBook Pro with 802.11N wireless card inside, bought for a Christmas/Birthday Present and also for college. It too has no issues with the Internet wherever it may be in the house. Our sole PC, a HP tower with an added D-Link WDA-2320 Range Booster Desktop Adapter (802.11G), and we added a D-Link Antenna, same model as the other, an ANT24-0700, to help with Internet access, which it did, as well as adding some RAM to increase page loading time etc. It does not have a printer attached. I will get to the Topic Area now
    The Airport Express. I was not involved in the set-up as I was laid up due to a bad back and post major knee surgery, but I always (especially recently) wondered why the light was amber and blinking. I read through the manual and also
    Apple.com support and MacFixit.com (which is under construction and moved to part of Cnet.com) and then went to the Airport Express Discussion area (sorry for being so wordy) I need a Twitter account to post!) We have a network name for the D-Link and the computers all were added and it also supports a Xbox 360, a Sony PlayStation 3 and a Nintendo Wii (in online use without issue) but..
    A network was also (as it appears to myself) for the Airport Express and under the half moon bars showing connection strength (there is our D-Link network "phoenix" with security protection WPA2 I believe) as I have set up the router, We had an Apple Base station prior that was ? 802.11B (a half moon white unit) still have it in the box) So for normal daily use, checking e-mail and internet use all of the computers use the "phoenix" or D-Link supported Router 802.11G
    and The other network called Apple Network with numbers and letters after it (and hopefully security) password is unknown, The Airport Express is set up connected via USB to a HP B&W laser printer which has saved quite a bit of money on ink, To utilize that printer you must switch from "phoenix" The D-Link router network to the Apple Network (followed by letters and numbers) The iMac and the eMac in the family room and an adjoining room (after switching to the Apple Network
    can then print to the laser printer. The eMac upstairs and the HP Windows XP Professional software can not print to the laser printer (yet the HP PC shows it as an individual network and a strong signal, equal to the Internet connection from the D-Link, and the eMac (after switching under the half moon (not the proper name I am sure) to get to the Apple Network to print, it will not print, yet it shows a 5 bar signal, same as the D-Link connection. I do believe we have two separate networks (but do not understand why the two Macs in the family room can print to the laser printer by simply switching networks and then file and print. ** One other (probably major) item is that it states to set up the Airport Express with a Mac with OSX 10.4 or later (at the time of set up, we had the iMac and two eMacs all running Panther OSX 10.3.9 (which they continue to have installed) We obtained the HP Tower and Monitor and HP 4 in 1 printer just before Christmas in 2008 and the MacBook Pro in Mid December 2009 (current model and running Snow Leopard 10.6. The HP Tower runs Windows XP Professional (Service Pack 3) so the MacBook Pro which is much more mobile, could be used to do the set-up, or the HP Tower could be moved temporarily, I do recall if Router changes (at least with The D-Link) You need to be connected by Ethernet to the Mac
    that would be doing the set up/configuration of the router (and it runs OSX 10.3.9 and is an older Mac (with 80GB Hard drive that is partitioned for OS9 and OSX as well, it is under a GHz processor wise and less than 1 GB of RAM as the last RAM slot required a seal to be broken and 256MB of RAM (?) could be added
    it has 768 MB of RAM but knock on wood running well. We use Lacie external drives
    on the iMac and both eMacs and need to get external drives for the HP PC as well as the MacBook Pro (15" screen)
    I apologize if I repeated myself, and rambled, but I wanted to (in one post) explain our set up and network configuration
    Questions
    1) if indeed it is true that there are two networks and a set up that is not correct
    can the Airport Express be configured without opening up the router (whenever that happens it seems one computer is unable to get online and each time it's a different one, a Mac or even the PC
    The PC under My Computer and Networks clearly shows the two distinct and separate networks with strong signals and the distance is not far (it is through a floor as the other eMac and the PC are upstairs and cabling by ethernet is not an option
    2) If I need to open the router would I add the Airport Express as a client as if it was one of the computers or gaming systems on the network? (adding the MAC address or IP address (not sure how you find the MAC address) and it's been a while since the router was opened up for any additions or work on it.
    3) would it be on the same channel as the router or not ?
    4) Hopefully with proper configuration the light will stay on (and green) on the A/E and the eMac and HP PC will be able to print to the laser printer. Currently
    when anything needs printed from the PC it's put on a Flash Drive and plugged into the iMac and then the Apple Network is selected and data printed, The eMac upstairs has the option of using the attached Epson 3 in one or doing the Flash stick work around.
    I would be very appreciative if someone took a look at the set up above and advised me of what is right, what is not right* and what to do to fix things up
    I would imagine after proper set up, delete the Apple Network from the PC and eMac upstairs and ? all of the computers as we should have one base station (the D-Link) and the spoke (the A/E connected by USB to the A/E (it may be ethernet but the cable connection from the A/E to the HP laser printer is correct (the rest of the A/E set up ... Please, tell me where it is and where it should be
    and ? any idea why we can print to the laser printer downstairs and not upstairs? it did mention printer set up with Panther as possible, page 43 of the manual we have in chapter 5 Tips and Troubleshooting (under when your printer isn't responding) (we do not have the interference listed in the manual,
    our phones are land line, one 900 MHz and the others 5.8 GHz
    It is possible to move the A/E and laser printer if that would help the two computers (desktops) upstairs) but the distance is way less than 150 but there is a floor and ? duct work (metal) but I think here is a place to stop typing and let some of the experts on the discussion forums take a look.
    one last note (as the laptop will be going off to college in the fall (running Snow Leopard, and the other 3 Macs run Panther OSX 10.3.9 should the HP PC Windows XP Professional be the computer to set up the Airport Express and the Airport Utility program installed & would this conflict with the current Router (set up by a Mac running OSX 10.3.9 (Panther) i.e. (should both set ups be on the same computer?) but actually the D-Link is OSX 10.3.9 compatible (and 802.11G) and set up requires ethernet connection to a Mac (You type in the numbers and . etc and password as administrator and you are in, or should the admin be on the same computer for the router and A/E ?
    (and considering an Airport Extreme Base Station as well as dual frequency simultaneous and 802.11N (for the laptop now) and future, or wait. The 802.11
    in theory would broadcast farther..?? even if computers had 802.11b (our Mac Desktops and the PC 802.11B card
    Thanks Again!!!
    Many, Many Thanks
    amnienttales

    William Boyd Jr.
    Hello again,
    D-Link Router is model DGL-4300 (along with a D-Link ANT24-0700 Omnidirectional
    7dBi Antenna. Our Cable Internet ISP (Roadrunner) provides consumers with dynamic IP addresses. All Macs have Airport Cards and The HP Tower XW4550 has a D-Link Rangebooster G Desktop Adapter WDA-2320 (also with a D-Link ANT24-0700 Omnidirectional 7 dBi Antenna (the PC OS is Win XP Pro Service Pack 3) The 3 desktop Macs run OSX Panther 10.3.9, The 15" MacBook Pro OS is OSX 10.6 Snow
    Leopard (not sure what is after the .6 (right now) D-Link's website is
    http://www.dlink.com , I have configured this router multiple times in the past.
    also added as clients on the network (Utilizing the D-Link Router) are a X-Box 360, Sony Play Station PS3, and a Nintendo Wii all of which have on line ability
    and enable online video game play with anyone online.
    As mentioned prior the Airport Express is Model A1084 Part No. M9447OLL/A
    which is USB connected to a HP LaserJet B&W, model 1020 and somehow the two computers near it can switch to the Airport Express Network from the D-Link Router based Network and print wirelessly to the A/E connected LaserJet Printer
    I realize I will need to reconfigure the D-Link Router and add the A/E as a client. I will try first to use the Airport Utility and see if I can do anything
    Utilizing it (adding it to the D-Link network, I think it's unlikely but worth a try but* the password is unknown but I have a few guesses as to what it may be.
    I do have the necessary admin and network passwords to configure the D-Link Router,
    1) * If the A/E Utility experiment fails and I need to re-configure the router * do I need to (as per the Airport Express Set Up Guide (Use a Mac with OSX 10.4 or later or a PC with Win XP Home or Professional (have a desktop PC that has the specs) and The MacBook Pro meets the Mac Specs)
    If I can not get a password to work on the A/E I would reset it using the reset button
    And before plugging in the A/E, connect the appropriate cables, in our case a USB cable to the LaserJet Printer, then plug in the A/E
    2) I would then connect by Ethernet from Either the Mac Laptop or The PC to the D-Link router (if not the router will not set-up correctly)
    3) The one question that puzzles me is that we are not using the A/E as a base
    but a client
    in two sections (Using Airport Express, connecting a Printer via USB
    and use Airport Utility to create a new network or join a new network. Wireless computers using Mac OSX 10.2.7 (Tiger) or later or a PC with Windows XP and it then goes into the steps of using the printer for both a Mac and a PC (using Bonjour on the CD that came with the A/E (this appears to contradict needing to use Mac OSX 10.4 or a PC with Win XP to set the A/E up for use as a printer
    (joining a new network or existing one)
    And in Chapter 5 Tips and Troubleshooting: Your Airport Express Status Light Flashes amber & Your Printer is not responding (it is flashing amber and the printer does not respond to the two computers upstairs (one Mac running OSX 10.3.9 & One PC running WinXP and it states to make sure the printer is selected
    in the Printer list of client computers, to do this on a Mac using OSX 10.3 or later, open Printer Set Up Utility and follow steps and if a PC with Windows XP, Open Printers and faxes and then follow steps
    in Closing ? can I configure the A/E Utility with a Mac using 10.3.9 as above or
    ? Per Chapter 1 Getting Started use a Mac with OSX 10.4 or later or a PC with Windows XP Home or Professional
    Perhaps I am taking the tips and troubleshooting and Printer Set up out of context or do the Getting Started Computer specs contradict them or are they
    for use if the A/E was going to be a Base Station and not a client..
    Will keep at it,
    ambienttales

  • Windows 7-8.1 Can not change the MAC Address on wifi and cannot load login page in public HotSpot.

    Windows 7-8.1 Can not change the MAC Address on wifi and cannot load login page in public HotSpot.
    Adapter: Ralink RT3070 Chipset wifi adapter
    Tested: os Windows 8.1 Professional
    Hot Spot: 802.11b
    The first problem: Windows 7-8.1 got an IP address and connected to the public HotSpot but cannot load the login page or any other page. It does not work with it.
    The second problem: Wifi card/Configure/Advanced (No network address change function). Tested with the default Windows driver and the Ralink RT3070 driver, the same problem. On Windows XP the same function with the same driver works perfectly.
    Multiple users have expressed interest in the problem, but Microsoft has not corrected the problem in Windows 7-8.1, 10?
    lizardsystems.com/wiki/change_mac_address/faq/change_mac_address_in_windows_7
    blog.technitium.com/2011/05/tmac-issue-with-wireless-network.html
    superuser.com/questions/519189/how-to-change-the-mac-address-in-win-8-to-spoof-a-roku-player-through-a-wifi-spl
    social.technet.microsoft.com/Forums/windows/en-US/59e07df3-471c-499e-ad5f-e7cb507595df/cannot-change-mac-address-in-windows-7-driver-has-option-doesnt-work-neither-does-regedit-ms?forum=w7itpronetworking
    networksteve.com/windows/topic.php/CANNOT_CHANGE_WIRELESS_%28SPOOF%29_MAC_ADDRESS_ON_WINDOWS_7/?TopicId=16810&Posts=1
    On Windows XP or Linux the MAC address change function allows a 00 MAC address and another normal MAC address range. On Windows 8.1 all MAC changer programs don't work. These 2, 6, A, E on the second address are not valid MAC addresses. You simply can not use normal MAC
    addresses on Windows 8.1. When I connect the USB, the PC with Windows 8.1 recognizes the adapter, but the default driver and the downloaded Ralink driver have the same problem. On Windows XP the current driver works perfectly, has the (Local MAC Network Address) function
    and works with the 802.11b hot spot. I got the internet on my PC and laptop too; public HotSpots and other wifi HotSpots, if they won't work correctly I can not use either Windows 7, 8, 8.1 or 10. Many users have expressed interest in the problem on more forums.
    The 3rd problem: I tested in VirtualBox Windows 7 and 8.1; on 8.1 (on the blue wifi platform) it does not show the signal strength correctly. On Windows 7 it shows this correctly. The Windows 7-8.1 Configure/Advanced, the advanced options on Ralink 3070 with the default (Windows
    driver) somehow have downgraded function, less than for XP. Configure/Advanced, the advanced options (need to be upgraded in the future) because it does not advance but rather regressed.
    Today it is very common that wi-fi technology is increasingly used (hotels, Public Hot Spots, Internet cafes) with growing free public wifi projects. The wifi functions on Windows need debugging and modernizing. The quality of Wi-Fi is now the operating system's thing;
    if it is not good then the operating system is unusable.

    Hi,
    Changing the MAC address in Windows 7 is designed with some limitations; we cannot get over them. Thanks for your understanding.
    Under Windows 7, the possible range of spoofed addresses for wireless adapters that can be set is limited. To be used by Windows 7, a spoofed MAC address should have 0 as the least significant bit (unicast) and 1 as the second least significant
    bit (locally administered) in the second nibble. Thus possible values for the second nibble are limited to 2, 6, A and E.
    In other words:
    MAC address: "XY-XX-XX-XX-XX-XX". "X" can be anything hexadecimal. The hexadecimal "Y", written in binary format, is Y: "kmnp", where "p" is the least significant bit;
    p=0 --> unicast;
    p=1 --> multicast;
    n=0 --> globally assigned MAC;
    n=1 --> locally administered;
    So, actually MAC can be changed  to any combination in which p=0 and n=1;
    “Y” can be 2, 6, A or E.
    So the possible MAC addresses in Windows 7 for wireless adapters:
    X2-XX-XX-XX-XX-XX
    X6-XX-XX-XX-XX-XX
    XA-XX-XX-XX-XX-XX
    XE-XX-XX-XX-XX-XX
    For the wifi hotspot issue, please check this blog to see if it can be helpful.
    Windows 7 Connectivity Problems in Public Hotspots
    http://blogs.technet.com/b/patrickr/archive/2010/07/28/windows-7-connectivity-problems-in-public-hotspots.aspx
    Kate Li
    TechNet Community Support
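    The bit rule in the reply above (p = I/G bit, n = U/L bit of the first octet) is the same rule a defender applies when reading a DHCP lease list or an 802.1X log: an address with the U/L bit set was assigned by software, not burned into the card. The following Python is an added example for this reply, not Microsoft's or the poster's code; it decodes the two flag bits from any of the common notations (including the Cisco dotted form used elsewhere on this page), derives the "2, 6, A, E" nibble set from the bits instead of hard-coding it, and scans a few constructed lease lines for locally administered addresses. The lease lines are sample data made up for the example.

```python
"""Decode the I/G and U/L bits of a MAC address and flag locally administered ones.

Added example for the reply above; not Microsoft's or the poster's code.
SAMPLE_LEASES is constructed sample data, not taken from the thread.
"""
import re


def parse_mac(text):
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or Cisco's 0011.2233.4455
    and return the six raw bytes."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def mac_flags(text):
    """The two low bits of the first octet: bit 0 is I/G (the reply's 'p',
    1 = multicast), bit 1 is U/L (the reply's 'n', 1 = locally administered)."""
    first = parse_mac(text)[0]
    return {
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }


def accepted_by_windows7_wifi(text):
    """The rule the reply states: Windows 7 only takes a wireless MAC that is
    unicast (p = 0) and locally administered (n = 1)."""
    flags = mac_flags(text)
    return flags["locally_administered"] and not flags["multicast"]


def allowed_second_nibbles():
    """Derive the reply's '2, 6, A, E' list from the bit rule: low two bits == 10."""
    return [f"{n:X}" for n in range(16) if (n & 0b0011) == 0b0010]


# Constructed sample: one line per DHCP lease, "ip mac hostname"
SAMPLE_LEASES = [
    "192.168.1.41 00:1f:ca:35:43:c4 phone-lobby",
    "192.168.1.77 02:1a:7e:00:00:01 laptop-guest",
    "192.168.1.90 0019.dbdd.42d4 pc-finance",
    "192.168.1.91 0a:ff:ff:12:34:56 unknown-device",
    "192.168.1.92 garbage-not-a-mac printer",
]


def locally_administered_macs(lease_lines):
    """Return the MACs in a lease or mac-table dump whose U/L bit is set.
    Such addresses were set by software rather than by the card vendor, so
    they deserve a second look in an inventory or 802.1X/MAB log."""
    hits = []
    for line in lease_lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            flags = mac_flags(fields[1])
        except ValueError:
            continue  # line does not carry a MAC in the second field
        if flags["locally_administered"]:
            hits.append(fields[1])
    return hits


if __name__ == "__main__":
    print(allowed_second_nibbles())
    print(locally_administered_macs(SAMPLE_LEASES))
```

    Note that a locally administered address is not by itself a problem (virtual machines, randomized-MAC mobile clients and some USB adapters use them legitimately), but a MAB database built from vendor-assigned addresses will not contain one, so the flag is a cheap first filter when a port unexpectedly lands in the guest or auth-fail VLAN.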

  • ISE 1.2 disable endpoints with certain mac address

    Hi All,
    We have an AD to authenticate for wireless users. In AD, we have specified to block the user if the password is entered wrongly for more than 3 times. The problem is some of them are using other user ID and locking the accounts. I have gotten the MAC address of the user. Can anyone please advise how to block the request from this MAC from even reaching the AD.
    Thanks

    You have two options from ISE and one option from the WLC:
    The first option, which is not very scalable, is to modify your authentication policy to deny access to a specific MAC address (Radius:Calling station ID). But this is not very scalable as you can only specify one MAC address.
    Your second option is to enable the anomalous client suppression(under systems->settings->protocols->RADIUS). This will be your best option but it would require a bit of testing to identify what are the best values for your environment.
    From the controller you can enable the excessive 802.1x authentication failures. By default it won't even send the fourth authentication to ISE for a failing endpoint:

  • Can i capture wireless mac addresses?

    I need to provide our security group the mac address of all devices with wireless capabilities. can this be done? the mac addresses I am able to easily report on is the ethernet nic rather than the wireless nic.

    mrhic wrote:
    > I need to provide our security group the mac address of all devices with
    > wireless capabilities. can this be done? the mac addresses I am able
    > to easily report on is the ethernet nic rather than the wireless nic.
    >
    >
    BTW, they ask for the impossible, as anyone can plug in a USB WiFi
    adapter - or tether their Blackberry - or ... so hopefully they will not
    be overly picky.
    Sort of... there isn't a hardware category for wireless NICs. However
    most of the descriptions include the word "wireless" so you can create a
    custom report as follows:
    Reports-->Inventory Custom Reports-->Hardware Components-->New
    Then enter a Name for the report, select Type = Hardware Components,
    select Focus = LAN Adapter. Hit Continue.
    In the Criteria section [+] add a criteria
    [Product Name] [contains] wireless
    To be more specific, take a look at the descriptions returned without
    any criteria, and add any oddballs using OR grouping, so if a specific
    model or the word "WiFi" appears - whatever - you can catch it.
    Finally select the report columns as needed.
    Run.
    We notice that on machines where the WLAN can be disabled, the MAC
    address is absent ( because at the time of the inventory, there is no
    wireless NIC active, but the enumeration of HW shows one. ) However, you
    will still "know" there is a wireless NIC.
    Report looks like:
    Atheros Communications Wireless LAN Adapter AR5212 802.11abg FOOUSER
    F00F00F00482 127.0.0.1 255.0.0.0 1
    Intel Corporation PRO/Wireless LAN 3945ABG FOO2USER F00F00F00D6C
    192.168.1.41 255.255.255.0 1
    Intel Corporation PRO/Wireless LAN 3945ABG ANOTHERFOO ( no MAC )
    ( Works, but I would certainly vote for a more easily to get at
    category, same for broadband interfaces. )
    -- Bob
    Bob Mahar | Work in education?
    Novell Knowledge Partner | http://novell.com/ttp
    - - - - - - - - - - | - - - - - - - -
    Programming is like teaching | http://twitter.com/BobMahar
    a jellyfish to build a house | http://vimeo.com/boborama

  • 6509E with Sup720 - Show mac address

    I have seen very strange behavior. The following two commands show different outputs...
    core2#sho mac address-table dynamic | in cc04
         7  0009.0fbb.cc04   dynamic  Yes        150   Po10
    core2#sho mac address-table address 0009.0fbb.cc04
    Legend: * - primary entry
            age - seconds since last seen
            n/a - not available
      vlan   mac address     type    learn     age              ports
    ------+----------------+--------+-----+----------+--------------------------
    No entries present.
    Po10 is the etherchannel to core1. The MAC address is on core2 and should never be learned on core1. Core1 doesn't learn this MAC address at all.
    The commands are run at the same time. I repeated it many times and it is the same... Any idea why?
    Thanks!
    Difan

    Hi Jon,
    Correct, I am not using VSS. However it is not a standard set up. Vlan 7 is extended to many other switches. The root is actually not core1 or core2. It also passes through some provider to a different location as well. However, like you said, all the correct ports are blocked. Please trust me on this. If there were a loop, we would have a much more serious problem... At least our CPU would spike and the link would be congested, right?
    I know your concern is that the same packet could somehow be looped back through core1, which makes core2 learn the MAC on the port-channel interface to core1. However when this happens, core1 doesn't learn the MAC anywhere, and on core2 one command shows the MAC but the other command doesn't...
    Also something interesting: even that MAC in the command output will eventually disappear. Please note the aging time. The aging time configured on the vlan is 480 seconds. At the end the MAC address is pointing to another interface, G1/1. That interface doesn't even have vlan 7 allowed on the trunk link.
    core2#sho mac address-table address 0009.0fbb.cc04
    Legend: * - primary entry
            age - seconds since last seen
            n/a - not available
      vlan   mac address     type    learn     age              ports
    ------+----------------+--------+-----+----------+--------------------------
    No entries present.
    core2#
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        285   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        290   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        300   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        305   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        315   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        320   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        320   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        330   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        335   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        340   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        375   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        405   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        425   Po10
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        465   Gi1/1
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        480   Gi1/1
    core2#show mac address-table | in 0009.0fbb.cc04
         7  0009.0fbb.cc04   dynamic  Yes        480   Gi1/1
    core2#show mac address-table | in 0009.0fbb.cc04
    core2#show mac address-table | in 0009.0fbb.cc04
    core2#sho mac address-table address 0009.0fbb.cc04
    Legend: * - primary entry
            age - seconds since last seen
            n/a - not available
      vlan   mac address     type    learn     age              ports
    ------+----------------+--------+-----+----------+--------------------------
    No entries present.
    core2#sh int g1/1 trunk
    Port                Mode         Encapsulation  Status        Native vlan
    Gi1/1               on           802.1q         trunking      1
    Port                Vlans allowed on trunk
    Gi1/1               64,72,156,214-216,300,600
    Port                Vlans allowed and active in management domain
    Gi1/1               64,72,156,214-216,300,600
    Port                Vlans in spanning tree forwarding state and not pruned
    Gi1/1               64,72,156,214-216,300,600
    Is it a bug?
    Thanks!

  • How to implement ISE 1.2 authentication of user name against MAC address

    Hi all,
    My organization wants to authenticate medical devices with a certificate.
    What I'm trying to do is: on the certificate the name of the user will be its MAC address,
    and the ISE policy will be: if the user name equals the MAC address, then it authenticates.
    Until now I haven't succeeded.
    Is it possible?
    Lee.

    It sounds like you are trying to do two different things.
    The certificate can be done through 802.1x using PEAP. I don't know if your devices can handle dot1x, so if not they can use MAB. Far less secure, but if it's a low-level device like a printer that has limited input capability then you are stuck with MAB.
    What you could do with MAB is use the OUI and some other identifying information (if available) like device host names (this can be derived from DHCP, I believe) and possibly AV pairs (RADIUS) to help profile the devices. These can be put into a custom endpoint profile that is given a specific authorization rule.
    The whole point is to try to isolate certain types of equipment so that only they get the custom authz rule.
    Does this make sense? I'm shooting a little blind here without more info.
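    The "user name equals MAC address" comparison the question asks for, plus the OUI-based MAB fallback the reply describes, as an added Python example (not code from this thread or from ISE itself). It assumes the endpoint MAC arrives as a RADIUS Calling-Station-Id in one of the usual Cisco spellings, that the certificate name is handed in as a plain CN string, and it uses a constructed OUI table whose prefixes and vendor labels are placeholders.

```python
import re

# Accepted MAC spellings after lowercasing: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
# aabb.ccdd.eeff (Cisco dotted) and aabbccddeeff. Anything else is not a MAC.
MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$"
)

# Constructed OUI table for the MAB fallback: the prefixes and the vendor
# labels are placeholders, not real IEEE assignments.
OUI_PROFILES = {
    "0011aa": "example-medical-device",
    "00aabb": "example-printer",
}


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    if value is None:
        return None
    s = value.strip().lower()
    if not MAC_FORMS.match(s):
        return None
    return re.sub(r"[:.\-]", "", s)


def identity_matches_mac(cert_cn, calling_station_id):
    """True only when both strings parse as MACs and denote the same address.

    Comparing the raw strings would fail whenever the certificate uses the
    dotted Cisco form and RADIUS sends the dashed form, so both are normalized.
    """
    cn, mac = normalize_mac(cert_cn), normalize_mac(calling_station_id)
    return cn is not None and cn == mac


def authorize(cert_cn, calling_station_id, oui_table=OUI_PROFILES):
    """Hypothetical decision mirroring the two paths in the reply.

    Path 1 (dot1x): the device presented a certificate; permit only when
    its CN equals the MAC seen on the wire.
    Path 2 (MAB): no certificate; profile by OUI prefix and permit only
    known device classes. Everything else is rejected.
    """
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return "reject:malformed-calling-station-id"
    if cert_cn is not None:
        if identity_matches_mac(cert_cn, calling_station_id):
            return "permit:dot1x-cert-mac-match"
        return "reject:cert-name-mac-mismatch"
    profile = oui_table.get(mac[:6])  # OUI is the first three octets
    if profile:
        return f"permit:mab-{profile}"
    return "reject:unknown-oui"


if __name__ == "__main__":
    # Constructed sample requests.
    print(authorize("0011.aa12.3456", "00-11-AA-12-34-56"))  # dot1x, CN matches
    print(authorize("0011.aa12.3456", "00-11-AA-12-34-57"))  # dot1x, CN mismatch
    print(authorize(None, "00-11-AA-12-34-56"))              # MAB, known OUI
    print(authorize(None, "de-ad-be-ef-00-01"))              # MAB, unknown OUI
```

    The normalization step is the part that usually breaks a "CN equals MAC" rule in practice: a rule that compares raw strings will reject a certificate issued with the dotted form against a dashed Calling-Station-Id even though both name the same interface.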

  • AP 2700 - 2 MAC addresses - problem with joining to the WLC

    Hi,
    I had a problem joining my new AP 2700 to the controller. I've found a workaround but I would like to ask you if you know whether this behavior is some kind of bug or maybe a feature :)
    I have a DHCP server which assigns IP addresses based on a binding of the MAC address to the IP address. Without a binding, no IP will be assigned, so I added the MAC address from the AP sticker (MAC and SN number are on the sticker at the back of each AP) to the DHCP server, connected the AP to a switch port which was configured exactly the same way as other ports on this switch where older APs are working fine and.... nothing. No IP address was assigned. There was no DHCP request in the DHCP server logs.
    During the investigation I found that the AP presents 2 MAC addresses on the switch interface:
    switch#sh mac address-table interface fa1/1
    Mac Address Table
    Vlan Mac Address Type Ports
    11 58f3.54c1.2cb3 DYNAMIC Fa1/1
    11 58f3.54c1.2cb4 DYNAMIC Fa1/1
    The first one (58f3.54c1.2cb3) is the "sticker" MAC address but the second one (58f3.54c1.2cb4) is something new. Looking into the DHCP logs I found that this second MAC address (58f3.54c1.2cb4) tried to get an IP address but could not, because this MAC was not bound to any IP address, so the DHCP server refused. I added this second MAC (58f3.54c1.2cb4) to the DHCP server; the AP got an IP address, joined the WLC, downloaded software, rebooted and ... this MAC address disappeared.
    switch#sh mac address-table interface fa1/1
    Mac Address Table
    Vlan Mac Address Type Ports
    11 58f3.54c1.2cb3 DYNAMIC Fa1/1
    The software I had on the AP before joining the WLC was:
    Version :
    Cisco IOS Software, C2700 Software (AP3G2-RCVK9W8-M), Version 15.2(4)JB5, RELEASE SOFTWARE (fc1)
    Now I have (after downloading from the WLC):
    Version :
    Cisco IOS Software, C2700 Software (AP3G2-K9W8-M), Version 15.2(4)JB6, RELEASE SOFTWARE (fc1)
    Does anyone know what happened?

    (WLC1) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.6.130.0
    Bootloader Version............................... 1.0.20
    Field Recovery Image Version..................... 7.6.95.16
    Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
    Build Type....................................... DATA + WPS
    System Name...................................... WLC1
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
    Redundancy Mode.................................. Disabled
    IP Address....................................... 10.10.10.10
    Last Reset....................................... Software reset
    System Up Time................................... 25 days 2 hrs 53 mins 5 secs
    System Timezone Location.........................
    System Stats Realtime Interval................... 5
    System Stats Normal Interval..................... 180
    Configured Country............................... US - United States
    Operating Environment............................ Commercial (0 to 40 C)
    Internal Temp Alarm Limits....................... 0 to 65 C
    Internal Temperature............................. +44 C
    External Temperature............................. +22 C
    Fan Status....................................... OK
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Disabled
    Number of WLANs.................................. 6
    Number of Active Clients......................... 25
    Burned-in MAC Address............................ XX:XX:XX:XX:XX:XX
    Power Supply 1................................... Present, OK
    Power Supply 2................................... Present, OK
    Maximum number of APs supported.................. 25
    (WLC1) >show time
    Time............................................. Thu Apr 9 13:51:00 2015
    Timezone delta................................... 0:0
    Timezone location................................
    NTP Servers
    NTP Polling Interval......................... 3600
    Index NTP Key Index NTP Server NTP Msg Auth Status
    1 0 10.10.10.11 AUTH DISABLED
    It looks like the AP doesn't allow console login or commands; it only shows activity. After rebooting the WLC I get this information:
    Cisco IOS Software, C2700 Software (AP3G2-RCVK9W8-M), Version 15.2(4)JB5, RELEASE SOFTWARE (fc1)
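    Both the 6509E thread above (a MAC that moves from Po10 to Gi1/1 and ends up on a trunk that does not carry its VLAN) and this AP 2700 thread (a port that suddenly carries two MAC addresses) come down to reading the MAC address table carefully. The following is an added Python example, not code from either thread, that parses `show mac address-table` rows in both the Catalyst 6500 layout and the shorter layout quoted here, and runs three defender-side checks over them: MAC moves between two snapshots, entries learned on a trunk whose allowed-VLAN list excludes that VLAN, and ports exceeding a port-security style maximum. The sample rows are copied from the two threads; the trunk allowed list is the one printed for Gi1/1 above; everything else (function names, the per-port limit) is an assumption of this example.

```python
import re

# Matches a Catalyst 6500 row (vlan mac type learn age port) and the shorter
# row quoted in the AP thread (vlan mac type port). Legend lines, separators,
# prompts and "No entries present." do not match and are skipped.
ROW_RE = re.compile(
    r"^\s*\*?\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+"
    r"(?:(?P<learn>Yes|No)\s+(?P<age>\d+|-)\s+)?"
    r"(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed snapshots built from rows quoted in the threads above.
SNAP_T0 = """core2#show mac address-table | in 0009.0fbb.cc04
     7  0009.0fbb.cc04   dynamic  Yes        425   Po10
"""
SNAP_T1 = """core2#show mac address-table | in 0009.0fbb.cc04
     7  0009.0fbb.cc04   dynamic  Yes        465   Gi1/1
"""
TRUNK_ALLOWED = {"Gi1/1": "64,72,156,214-216,300,600"}  # from 'sh int g1/1 trunk'
AP_PORT = """Vlan Mac Address Type Ports
11 58f3.54c1.2cb3 DYNAMIC Fa1/1
11 58f3.54c1.2cb4 DYNAMIC Fa1/1
"""


def parse_mac_table(text):
    """Return a list of {vlan, mac, type, age, port} dicts for every table row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        age = m.group("age")
        rows.append({
            "vlan": int(m.group("vlan")),
            "mac": m.group("mac").lower(),
            "type": m.group("type").lower(),
            "age": int(age) if age and age.isdigit() else None,
            "port": m.group("port"),
        })
    return rows


def expand_vlan_list(spec):
    """Expand '64,72,214-216' as printed by 'show interfaces trunk' into a set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def detect_moves(snapshots):
    """Compare consecutive snapshots; report each (vlan, mac) whose port changed."""
    moves = []
    for before, after in zip(snapshots, snapshots[1:]):
        prev = {(r["vlan"], r["mac"]): r["port"] for r in before}
        for r in after:
            old = prev.get((r["vlan"], r["mac"]))
            if old is not None and old != r["port"]:
                moves.append((r["mac"], r["vlan"], old, r["port"]))
    return moves


def vlan_violations(rows, trunk_allowed):
    """Rows learned on a trunk whose allowed-VLAN list does not include the row's VLAN."""
    allowed = {p: expand_vlan_list(spec) for p, spec in trunk_allowed.items()}
    return [r for r in rows if r["port"] in allowed and r["vlan"] not in allowed[r["port"]]]


def ports_over_limit(rows, max_per_port):
    """Ports carrying more distinct MACs than the assumed port-security maximum."""
    by_port = {}
    for r in rows:
        by_port.setdefault(r["port"], set()).add(r["mac"])
    return {p: sorted(m) for p, m in by_port.items() if len(m) > max_per_port}


if __name__ == "__main__":
    t0, t1 = parse_mac_table(SNAP_T0), parse_mac_table(SNAP_T1)
    print("moves:", detect_moves([t0, t1]))
    print("vlan violations:", vlan_violations(t1, TRUNK_ALLOWED))
    print("over limit (max 1):", ports_over_limit(parse_mac_table(AP_PORT), 1))
```

    Run against the rows from the 6509E thread, the move check reports the entry jumping from Po10 to Gi1/1 and the VLAN check flags that Gi1/1 row, because vlan 7 is not in the trunk's allowed list; the same kind of inconsistency is what a MAC-flapping or VLAN-hopping alert in a NMS keys on. Run against the AP's port with a limit of 1 it reports the second MAC, which is exactly the condition that would trigger a port-security violation on a port configured with `switchport port-security maximum 1`.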
