802.1x and port-security sticky mac

config t · July 25, 2019, 11:48:31 AM

I want to preface this by saying I think it's a stupid idea to run both dot1x and sticky mac on the same port.. but..

Some of my customers may be doing it.

My question is thus:

If an interface is configured for both dot1x and sticky mac and the connected host fails authentication, is the port still hot on the configured VLAN? (eg; switchport access vlan XXX)?

I found some documentation stating for dynamic port security entries the host table is cleared upon reaching an unauthenticated state however I could find nothing specifically addressing sticky mac.

Cheers

deanwebb · July 25, 2019, 03:52:32 PM

If you fail dot1x on wired, that port goes to err-disabled. You can fix it so the voice VLAN is still available, but that data VLAN is going to be out until the device disconnects.

config t · July 25, 2019, 10:57:39 PM

Quote from: deanwebb on July 25, 2019, 03:52:32 PM
If you fail dot1x on wired, that port goes to err-disabled. You can fix it so the voice VLAN is still available, but that data VLAN is going to be out until the device disconnects.

+1

Excellent. We don't want them on the network if they fail dot1x.

So, dot1x takes precedence. That was the major question keeping folks awake.

deanwebb · July 26, 2019, 09:22:23 AM

Of course, if you have a device get on through the dot1x MAB, then it will have to match the sticky MAC address on the port to get access after being waved through by dot1x.

Otanx · July 26, 2019, 11:55:56 AM

The way I understand it is port-security is "first". Your client will trip port security if the MAC address source in the EAPOL traffic isn't listed as an authorized MAC. If the MAC is authorized then you can pretend port-security doesn't exist, and the port can be treated as if it just has 802.1x.

I don't remember having any issues when we rolled out 802.1x. We left port-security on till we got 802.1x working everywhere the way we wanted. Then removed the port-security commands and only do 802.1x.

-Otanx

config t · October 16, 2019, 11:30:50 AM

Quote from: Otanx on July 26, 2019, 11:55:56 AM
The way I understand it is port-security is "first". Your client will trip port security if the MAC address source in the EAPOL traffic isn't listed as an authorized MAC. If the MAC is authorized then you can pretend port-security doesn't exist, and the port can be treated as if it just has 802.1x.

I don't remember having any issues when we rolled out 802.1x. We left port-security on till we got 802.1x working everywhere the way we wanted. Then removed the port-security commands and only do 802.1x.

-Otanx

Although it is no longer important to my current customer, I think it's worth saying I randomly stumbled across verbiage in a 3850 configuration guide a few weeks ago stating that port-security does indeed happen "first".

802.1x and port-security sticky mac

config t

deanwebb

config t

deanwebb

Otanx

config t