I am having the same issue at one of my client sites:
- I have end devices plugged into a 2930F-48G switch
- It is running version WC.16.10.0022
- DOT1X is enabled on the switch port as is MAC authentication.
- DOT1X happens first and the client gets authenticated and on the network.
- The problem is after some time the client does MAC authentication and loses access to the network.
- The switch port config is as follows:
    untagged vlan 1
    aaa port-access authenticator
    aaa port-access authenticator tx-period 10
    aaa port-access authenticator supplicant-timeout 10
    aaa port-access authenticator client-limit 2
    aaa port-access mac-based
    aaa port-access mac-based addr-limit 2
    loop-protect
    exit
- Why is the client doing MAC auth after a successful dot1x?
- I have disabled the following option on the client NIC and it has made no difference: "Fallback to unauthorised network access"
- I believe this is a switch or client problem rather than a CPPM problem.
Please let me know your thoughts on how to resolve this issue.
Original Message:
Sent: Jul 18, 2019 08:36 AM
From: Herman Robers
Subject: Why MAC authentication request from dot1x enabled machine
There are some possible explanations, where it is likely that the 802.1X supplicant on the client is not responding. That could be for example during boot. If during boot, the system is trying to use the network before the supplicant is active, you can get into that situation. For example, if your PC tries to do a PXE network boot. Systems in sleep may indeed also result in that situation. Most switches will return to 802.1X as soon as the client starts to initiate authentication. If you really want to know you will probably need to correlate the logs from your client and switch/ClearPass/RADIUS; chances are good you will find that the system is booting or it has something to do with sleep mode.
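
The log correlation suggested above, sketched as an added example that is not part of the original thread: it finds MAC-auth attempts that follow a successful 802.1X for the same MAC and lists client events shortly before them. The CSV columns, the `sleep` client event and all sample rows are constructed assumptions, not a real ClearPass, switch or client log format.

```python
import csv, io, re
from datetime import datetime

# Constructed sample: a merged export of authentication and client events.
# Column names and values are assumptions for illustration only.
SAMPLE = """\
time,source,mac,method,result
2019-07-18 08:00:05,radius,AA:BB:CC:00:00:01,dot1x,accept
2019-07-18 08:00:07,radius,aabbcc-000002,dot1x,accept
2019-07-18 09:12:40,client,AA-BB-CC-00-00-01,sleep,enter
2019-07-18 09:14:02,radius,aabbcc-000001,mac-auth,reject
2019-07-18 09:30:00,radius,aabbcc-000002,dot1x,accept
"""

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits,
    so rows from different log sources can be joined on the MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def find_fallbacks(text, window_s=300):
    """Return MAC-auth attempts seen after a successful 802.1X for the same MAC,
    with client events logged up to window_s seconds before the MAC-auth."""
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: r["time"])
    last_dot1x, client_events, findings = {}, {}, []
    for r in rows:
        mac = norm_mac(r["mac"])
        ts = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        if r["source"] == "client":
            client_events.setdefault(mac, []).append((ts, r["method"], r["result"]))
        elif r["method"] == "dot1x" and r["result"] == "accept":
            last_dot1x[mac] = ts
        elif r["method"] == "mac-auth" and mac in last_dot1x:
            near = [f"{m}:{res}" for t, m, res in client_events.get(mac, [])
                    if 0 <= (ts - t).total_seconds() <= window_s]
            findings.append({"mac": mac, "mac_auth_at": ts,
                             "since_dot1x_s": int((ts - last_dot1x[mac]).total_seconds()),
                             "client_events": near})
    return findings

if __name__ == "__main__":
    for f in find_fallbacks(SAMPLE):
        print(f)
```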