Wired Intelligent Edge (Campus Switching and Routing)


How to Enable Port-Access Security Debugging 

Jun 22, 2018 05:51 PM

Requirement:

This article discusses how to enable port-access security debugging for MAC authentication.



Solution:

The following are the port security debugging commands.

Rack2sw1# debug security port-access mac-based
Rack2sw1# debug destination session
Rack2sw1# show debug

 Debug Logging

  Source IP Selection: Outgoing Interface
  Origin identifier: Outgoing Interface IP
  Destination:
   Session

  Time-stamp: System-Uptime

  Enabled debug types:
   security port-access authenticator <no include filter enabled>
   security port-access mac-based <no include filter enabled>
   security port-access supplicant <no include filter enabled>
   security port-access web-based <no include filter enabled>
   security port-access local-mac <no include filter enabled>
 



Configuration:

In the following example, interface 8 on switch Rack2sw1 is configured for MAC authentication and debugging is enabled for mac-based security. MAC-based authentication is started by enabling the interface.

The debugging output shows that there are two MAC addresses on the port and both are authenticated.


********** MAC-Based port configuration **********


Rack2sw1# show run interface 8

Running configuration:

interface 8
   untagged vlan 100
   aaa port-access mac-based
   aaa port-access mac-based addr-limit 4
   aaa port-access mac-based logoff-period 3000
   aaa port-access mac-based max-requests 5
   aaa port-access mac-based auth-vid 100
   aaa port-access mac-based unauth-vid 2000
   spanning-tree admin-edge-port
   spanning-tree bpdu-filter


********** Enable debugging **********


Rack2sw1# debug security port-access mac-based
Rack2sw1# debug destination session
Rack2sw1# show debug

 Debug Logging

  Source IP Selection: Outgoing Interface
  Origin identifier: Outgoing Interface IP
  Destination:
   Session

  Time-stamp: System-Uptime

  Enabled debug types:
   security port-access authenticator <no include filter enabled>
   security port-access mac-based <no include filter enabled>
   security port-access supplicant <no include filter enabled>
   security port-access web-based <no include filter enabled>
   security port-access local-mac <no include filter enabled>



Verification:

Rack2sw1(config)# interface 8 enable


********** Debugging output ***********


0007:19:43:06.32 MAC  mWebAuth:Port: 8 now being monitored for mac-based authentication.

0007:19:43:06.73 MAC  mWebAuth:Port: 8 MAC: 40a8f0-9b78fe new client detected on vid: 100.
0007:19:43:06.83 MAC  mWebAuth:Port: 8 MAC: 40a8f0-9b78fe RADIUS CHAP authentication started, session: 68.
0007:19:43:06.95 MAC  mWebAuth:Port: 8 MAC: 40a8f0-9b78fe [68] client accepted.
0007:19:43:07.04 MAC  mWebAuth:Port: 8 MAC: 40a8f0-9b78fe client successfully placed into vid: 100.

0007:19:43:09.35 MAC  mWebAuth:Port: 8 MAC: 005056-95569d new client detected on vid: 100.
0007:19:43:09.45 MAC  mWebAuth:Port: 8 MAC: 005056-95569d RADIUS CHAP authentication started, session: 69.
0007:19:43:09.56 MAC  mWebAuth:Port: 8 MAC: 005056-95569d [69] client accepted.
0007:19:43:09.65 MAC  mWebAuth:Port: 8 MAC: 005056-95569d client successfully placed into vid: 100.


********** Verify authentication ********


Rack2sw1# show port-access clients 8

 Port Access Client Status

  Port  Client Name   MAC Address   IP Address      User Role         Type  VLAN
  ----- ------------- ------------- --------------- ----------------- ----- -------------------------------------------------------
  8     00505695569d  005056-95569d n/a                               MAC   100
  8     40a8f09b78fe  40a8f0-9b78fe n/a                               MAC   100
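
When a session capture runs to many clients, the debug lines shown above can be reduced to one state per MAC so that clients which never reach VLAN placement stand out. The following Python sketch is an added example, not part of the original article or of any HPE Aruba tooling; it recognises only the four message types visible in the output above, the function names are hypothetical, and the client aabbcc-ddeeff is a constructed sample.

```python
import re
from collections import Counter

# Constructed sample: lines for 40a8f0-9b78fe are copied from the debug output
# above; aabbcc-ddeeff is invented to show a session that never completes.
SAMPLE = """\
0007:19:43:06.32 MAC  mWebAuth:Port: 8 now being monitored for mac-based authentication.
0007:19:43:06.73 MAC  mWebAuth:Port: 8 MAC: 40a8f0-9b78fe new client detected on vid: 100.
0007:19:43:06.83 MAC  mWebAuth:Port: 8 MAC: 40a8f0-9b78fe RADIUS CHAP authentication started, session: 68.
0007:19:43:06.95 MAC  mWebAuth:Port: 8 MAC: 40a8f0-9b78fe [68] client accepted.
0007:19:43:07.04 MAC  mWebAuth:Port: 8 MAC: 40a8f0-9b78fe client successfully placed into vid: 100.
0007:19:43:11.10 MAC  mWebAuth:Port: 8 MAC: aabbcc-ddeeff new client detected on vid: 100.
0007:19:43:11.20 MAC  mWebAuth:Port: 8 MAC: aabbcc-ddeeff RADIUS CHAP authentication started, session: 70.
"""

LINE = re.compile(r"^(\S+)\s+MAC\s+mWebAuth:Port:\s*(\S+)\s+MAC:\s*([0-9a-f]{6}-[0-9a-f]{6})\s+(.*)$")
# Only the four events that appear in the article's output are recognised.
EVENTS = [
    ("detected", re.compile(r"new client detected on\s+vid:\s*(\d+)")),
    ("started", re.compile(r"RADIUS CHAP\s+authentication started, session:\s*(\d+)")),
    ("accepted", re.compile(r"\[(\d+)\] client accepted")),
    ("placed", re.compile(r"client successfully\s+placed into vid:\s*(\d+)")),
]

def track_clients(text):
    """Return {(port, mac): {'state', 'session', 'vid'}} holding each client's last event."""
    clients = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # port-level lines such as "now being monitored" carry no MAC
        _, port, mac, msg = m.groups()
        rec = clients.setdefault((port, mac), {"state": None, "session": None, "vid": None})
        for state, pat in EVENTS:
            hit = pat.search(msg)
            if hit:
                rec["state"] = state
                rec["session" if state in ("started", "accepted") else "vid"] = int(hit.group(1))
                break
    return clients

def unfinished(clients):
    """Clients whose last event is not a VLAN placement (auth still pending or not accepted)."""
    return [key for key, rec in clients.items() if rec["state"] != "placed"]

def ports_at_limit(clients, addr_limit=4):
    """Ports where the distinct MACs seen in the debug output reach addr-limit (assumption: all seen MACs count)."""
    counts = Counter(port for port, _ in clients)
    return sorted(p for p, n in counts.items() if n >= addr_limit)
```

The default `addr_limit=4` mirrors the `aaa port-access mac-based addr-limit 4` line in the interface configuration above; compare the result with `show port-access clients` before acting on it.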
