07-29-2014 01:36 AM
I am seeing a strange behaviour with an AP in bridge mode connected to a switch in trunk mode.
I have an SSID with dot1x authentication and when a client connects to this SSID with the wrong cert (it fails authentication) I see his MAC appearing on the switch MAC table on the native VLAN of the switch-AP trunk.
I am going to capture the traffic to see what is sent but would like to know if this is an expected (in my view, strange) behaviour.
07-29-2014 07:05 AM
Sorry for the late info but the AP is not in IAP but in "Campus mode" so I think the 802.1x is made from the controller (I guess it is sent inside the GRE from the AP to the controller).
The behaviour is strange because I am seeing the MAC in my campus switch even if the client fails the auth.
And I can see a scenario in that a rogue client (with an invalid cert) with a simple script doing MAC spoofing and then trying to connect n times to the SSID could theoretically fill the MAC table of the switch...
07-29-2014 08:14 AM
A MAC from a client that fails authentication will be bridged in the native VLAN of the trunk? I find it hard to see why this should be happening, I "think" that if it fails authentication then no frame should be bridged between the wireless and the wired world.
Going to have to do the capture and see what is inside the frame.
07-30-2014 09:32 AM
After doing a capture, what I see is a gratuitous ARP in the native VLAN with the MAC of the client, so I guess the AP is bridging this type of packets even for a client that fails authentication.
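To make the capture finding above checkable from the wired side, here is an added example (not part of the thread, and not Aruba or switch-vendor code) that decodes raw Ethernet/802.1Q/ARP frames, flags gratuitous ARPs (sender IP equal to target IP) on the untagged native VLAN, and counts distinct source MACs per VLAN, which addresses the earlier worry about a rogue client filling the switch MAC table. All frames are constructed inline with `build_arp_frame`; the MACs, IPs, VLAN 20 and the churn threshold are made-up values, and the detector assumes a standard 802.1Q single tag rather than any vendor-specific encapsulation.

```python
import struct
from collections import defaultdict

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(src_mac, sender_ip, target_ip, vlan=None, opcode=1,
                    target_mac="00:00:00:00:00:00"):
    """Construct a sample Ethernet ARP frame, optionally 802.1Q tagged.
    Only used here to fabricate test input; this is not real capture data."""
    eth = _mac_bytes(BROADCAST) + _mac_bytes(src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)  # TCI with PCP 0
    eth += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet/IPv4 ARP header
    arp += _mac_bytes(src_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


def parse_frame(frame):
    """Decode Ethernet / optional 802.1Q tag / ARP. Returns None for non-ARP frames.
    vlan is None when the frame is untagged, i.e. it sits on the trunk's native VLAN."""
    if len(frame) < 14:
        return None
    src = _mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
        offset = 18
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + 28:
        return None
    _htype, _ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if hlen != 6 or plen != 4:
        return None
    body = frame[offset + 8:offset + 28]
    sender_ip = _ip_str(body[6:10])
    target_ip = _ip_str(body[16:20])
    return {
        "src": src,
        "vlan": vlan,
        "opcode": opcode,
        "sender_ip": sender_ip,
        "target_ip": target_ip,
        # A gratuitous ARP announces the sender's own address: sender IP == target IP.
        "gratuitous": sender_ip == target_ip,
    }


def gratuitous_macs_by_vlan(frames):
    """Group the source MACs of gratuitous ARPs by VLAN (None = native/untagged)."""
    seen = defaultdict(set)
    for frame in frames:
        info = parse_frame(frame)
        if info and info["gratuitous"]:
            seen[info["vlan"]].add(info["src"])
    return dict(seen)


def flag_mac_churn(frames, threshold):
    """Return the VLANs where distinct gratuitous-ARP sources exceed `threshold`
    (a constructed limit for this example), a simple sign that the switch MAC
    table is being populated from the wireless side by clients that never
    completed authentication."""
    return sorted(
        ("native" if vlan is None else str(vlan))
        for vlan, macs in gratuitous_macs_by_vlan(frames).items()
        if len(macs) > threshold
    )


# Constructed sample frames standing in for a capture on the switch-AP trunk.
SAMPLE_FRAMES = [
    # gratuitous ARP request from a wireless client, untagged (native VLAN)
    build_arp_frame("aa:bb:cc:00:00:01", "10.0.0.50", "10.0.0.50"),
    # ordinary ARP request on tagged VLAN 20 (not gratuitous)
    build_arp_frame("aa:bb:cc:00:00:02", "10.0.20.5", "10.0.20.1", vlan=20),
    # gratuitous ARP reply (opcode 2) from a second untagged source
    build_arp_frame("aa:bb:cc:00:00:03", "10.0.0.51", "10.0.0.51", opcode=2,
                    target_mac="aa:bb:cc:00:00:03"),
]

if __name__ == "__main__":
    for vlan, macs in gratuitous_macs_by_vlan(SAMPLE_FRAMES).items():
        print("native" if vlan is None else f"vlan {vlan}", sorted(macs))
    print("VLANs over threshold:", flag_mac_churn(SAMPLE_FRAMES, 1))
```

Feeding real frames from a SPAN session on the trunk port (for example via a pcap reader) into `gratuitous_macs_by_vlan` gives the same view the switch MAC table shows, but with the evidence of which frame type created each entry; a rising count of untagged gratuitous-ARP sources that never appear in the controller's authenticated-client list is the signal to alert on.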