Requirement:
This article discusses how to enable port-access security for MAC authentication.
Solution:
The following are the port security debugging commands.
Rack2sw1# debug security port-access mac-based
Rack2sw1# debug destination session
Rack2sw1# show debug
Debug Logging
Source IP Selection: Outgoing Interface
Origin identifier: Outgoing Interface IP
Destination:
Session
Time-stamp: System-Uptime
Enabled debug types:
security port-access authenticator <no include filter enabled>
security port-access mac-based <no include filter enabled>
security port-access supplicant <no include filter enabled>
security port-access web-based <no include filter enabled>
security port-access local-mac <no include filter enabled>
Configuration:
In the following example, interface eight on switch Rack2sw1 is configured for MAC authentication and debugging is enabled for MAC-based security. MAC-based authentication starts when the interface is enabled.
The debugging output shows that there are two MAC addresses on the port and that both are authenticated.
********** MAC-Based port configuration **********
Rack2sw1# show run interface 8
Running configuration:
interface 8
untagged vlan 100
aaa port-access mac-based
aaa port-access mac-based addr-limit 4
aaa port-access mac-based logoff-period 3000
aaa port-access mac-based max-requests 5
aaa port-access mac-based auth-vid 100
aaa port-access mac-based unauth-vid 2000
spanning-tree admin-edge-port
spanning-tree bpdu-filter
********** Enable debugging **********
Rack2sw1# debug security port-access mac-based
Rack2sw1# debug destination session
Rack2sw1# show debug
Debug Logging
Source IP Selection: Outgoing Interface
Origin identifier: Outgoing Interface IP
Destination:
Session
Time-stamp: System-Uptime
Enabled debug types:
security port-access authenticator <no include filter enabled>
security port-access mac-based <no include filter enabled>
security port-access supplicant <no include filter enabled>
security port-access web-based <no include filter enabled>
security port-access local-mac <no include filter enabled>
Verification:
Rack2sw1(config)# interface 8 enable
********** Debugging output ***********
0007:19:43:06.32 MAC mWebAuth:Port: 8 now being monitored for mac-based authentication.
0007:19:43:06.73 MAC mWebAuth:Port: 8 MAC: 40a8f0-9b78fe new client detected on vid: 100.
0007:19:43:06.83 MAC mWebAuth:Port: 8 MAC: 40a8f0-9b78fe RADIUS CHAP authentication started, session: 68.
0007:19:43:06.95 MAC mWebAuth:Port: 8 MAC: 40a8f0-9b78fe [68] client accepted.
0007:19:43:07.04 MAC mWebAuth:Port: 8 MAC: 40a8f0-9b78fe client successfully placed into vid: 100.
0007:19:43:09.35 MAC mWebAuth:Port: 8 MAC: 005056-95569d new client detected on vid: 100.
0007:19:43:09.45 MAC mWebAuth:Port: 8 MAC: 005056-95569d RADIUS CHAP authentication started, session: 69.
0007:19:43:09.56 MAC mWebAuth:Port: 8 MAC: 005056-95569d [69] client accepted.
0007:19:43:09.65 MAC mWebAuth:Port: 8 MAC: 005056-95569d client successfully placed into vid: 100.
********** Verify authentication ********
Rack2sw1# show port-access clients 8
Port Access Client Status
Port  Client Name   MAC Address   IP Address      User Role         Type  VLAN
----- ------------- ------------- --------------- ----------------- ----- -------------------------------------------------------
8     00505695569d  005056-95569d n/a                               MAC   100
8     40a8f09b78fe  40a8f0-9b78fe n/a                               MAC   100
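
The debug lines above can be correlated per client to confirm that every MAC seen on a port completed the detected, RADIUS started, accepted, placed sequence, landed in the configured auth-vid, and stayed within addr-limit. The following Python is an added example, not part of the original article or of any vendor tooling; the function name summarize, the client 0200aa-000001 and its timestamps are constructed, and only the message formats shown in the article are parsed.

```python
import re

# Only the message shapes shown in the debug output above are parsed.
LINE = re.compile(r"^\S+\s+MAC\s+mWebAuth:Port:\s*(?P<port>\S+)\s+"
                  r"MAC:\s*(?P<mac>[0-9a-f]{6}-[0-9a-f]{6})\s+(?P<msg>.+)$")
STAGES = [
    ("detected", re.compile(r"new client detected on vid: (\d+)")),
    ("started", re.compile(r"RADIUS CHAP authentication started, session: (\d+)")),
    ("accepted", re.compile(r"\[(\d+)\] client accepted")),
    ("placed", re.compile(r"client successfully placed into vid: (\d+)")),
]
# First five lines are from the article; client 0200aa-000001 is constructed.
SAMPLE = """\
0007:19:43:06.32 MAC mWebAuth:Port: 8 now being monitored for mac-based authentication.
0007:19:43:06.73 MAC mWebAuth:Port: 8 MAC: 40a8f0-9b78fe new client detected on vid: 100.
0007:19:43:06.83 MAC mWebAuth:Port: 8 MAC: 40a8f0-9b78fe RADIUS CHAP authentication started, session: 68.
0007:19:43:06.95 MAC mWebAuth:Port: 8 MAC: 40a8f0-9b78fe [68] client accepted.
0007:19:43:07.04 MAC mWebAuth:Port: 8 MAC: 40a8f0-9b78fe client successfully placed into vid: 100.
0007:19:43:12.10 MAC mWebAuth:Port: 8 MAC: 0200aa-000001 new client detected on vid: 100.
0007:19:43:12.20 MAC mWebAuth:Port: 8 MAC: 0200aa-000001 RADIUS CHAP authentication started, session: 70.
"""

def summarize(log_text, auth_vid, addr_limit):
    """Return (clients, findings) for one capture of mac-based debug output."""
    clients = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # e.g. "now being monitored" carries no MAC field
        for name, rx in STAGES:
            hit = rx.search(m["msg"])
            if hit:
                clients.setdefault((m["port"], m["mac"]), {})[name] = int(hit.group(1))
    findings, per_port = [], {}
    for (port, mac), st in clients.items():
        per_port[port] = per_port.get(port, 0) + 1
        if "placed" not in st:
            # No reject message appears in the article, so no cause is inferred.
            last = [n for n, _ in STAGES if n in st][-1]
            findings.append((port, mac, "stalled after " + last))
        elif st["placed"] != auth_vid:
            findings.append((port, mac, "placed in vid %d" % st["placed"]))
        elif st.get("started") != st.get("accepted"):
            findings.append((port, mac, "session id mismatch"))
    for port, n in per_port.items():
        if n > addr_limit:
            findings.append((port, None, "%d clients exceed addr-limit" % n))
    return clients, findings
```

Calling summarize(SAMPLE, auth_vid=100, addr_limit=4) uses the auth-vid and addr-limit values from the interface 8 configuration above and reports the constructed client as stalled after the RADIUS request.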