
Why does RADIUS try to authenticate multiple MACs when wired dot1x is used?

Question
Why does the AP report two MACs to be authenticated when an external RADIUS server is used to provide wired dot1x port authentication?
Environment
  • All Summit WM3000 Series Controllers
  • ExtremeWiNG Controllers
  • WirelessWiNG Controllers
  • ExtremeWiNG Access Points
  • WirelessWiNG Access Points
  • WiNG 5 Software
Answer
When an AP is configured as a dot1x supplicant to perform port authentication, it presents its Base MAC address.
This MAC is visible in the self-overrides for the given AP, or by using show version on <AP>.


However, a separate physical MAC address is assigned to the GE1 port. It serves Layer 2 on that port but does not take part in other communication.


Unfortunately, this adds a second MAC to be authenticated, one that does not supply EAP details.

The GE1 MAC is to be ignored by the RADIUS server, as only the single Base MAC is used to communicate across all VLANs.
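
To find which logged MAC is the one without EAP details, the Access-Requests can be grouped per switch port. The following is an added example, not code from this article or from the vendor; it assumes the RADIUS log has been reduced to records with the hypothetical fields `nas_ip`, `nas_port_id`, `calling_station_id` and `has_eap_message`, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample: one summary per Access-Request seen by the RADIUS server.
# NAS address, port names and MACs are made up; has_eap_message means the
# request carried an EAP-Message attribute.
SAMPLE_REQUESTS = [
    {"nas_ip": "192.0.2.10", "nas_port_id": "port-7",
     "calling_station_id": "00-00-5E-00-53-10", "has_eap_message": True},
    {"nas_ip": "192.0.2.10", "nas_port_id": "port-7",
     "calling_station_id": "00:00:5e:00:53:2a", "has_eap_message": False},
    {"nas_ip": "192.0.2.10", "nas_port_id": "port-7",
     "calling_station_id": "0000.5e00.5310", "has_eap_message": True},
    {"nas_ip": "192.0.2.10", "nas_port_id": "port-9",
     "calling_station_id": "00-00-5E-00-53-77", "has_eap_message": False},
]


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify_port_macs(requests):
    """Per switch port, split MACs into EAP-capable and never-sent-EAP."""
    seen = defaultdict(dict)
    for r in requests:
        port = (r["nas_ip"], r["nas_port_id"])
        mac = normalize_mac(r["calling_station_id"])
        seen[port][mac] = seen[port].get(mac, False) or r["has_eap_message"]
    return {
        port: {"eap": sorted(m for m, ok in macs.items() if ok),
               "no_eap": sorted(m for m, ok in macs.items() if not ok)}
        for port, macs in seen.items()
    }


def ge1_candidates(report):
    """Ports matching the article's pattern: one EAP MAC plus one MAC without EAP."""
    return {port: r["no_eap"][0] for port, r in report.items()
            if len(r["eap"]) == 1 and len(r["no_eap"]) == 1}


if __name__ == "__main__":
    for port, mac in ge1_candidates(classify_port_macs(SAMPLE_REQUESTS)).items():
        print(port, "MAC without EAP, compare with the AP's GE1 MAC:", mac)
```

A MAC reported this way is only a candidate: confirm it matches the GE1 MAC shown on the AP before treating its failed authentications as expected.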
 
Additional notes
This should be mitigated by disabling LLDP in general. The AP then won't broadcast LLDP messages and won't show the GE1 MAC at all.
