client excluded for "IP address theft" on Cisco 9800-80 flex wlan

majadobras
Level 1

We have created a flex profile and a locally switched WLAN (there are several APs in the facility, all of them tagged with one and only one FlexConnect WLAN/SSID; they all go through locally switched VLAN 100, with no other SSIDs on the APs, meaning no other centrally switched / regular WLANs). Several clients (3-4) are excluded with the reason "IP address theft". Initially we had IP overlap disabled and mac-binding enabled. We tried enabling IP overlap and setting no mac-binding on the policy profile, but it didn't make any change. What is the reason for this issue and what is the proper way to provide service to these clients? Thank you!


4 Replies

pieterh
VIP

What device logs this? (WLC, RADIUS, domain controller)

I think this issue can occur when the client has "private MAC address" (or whatever it is called in its OS) enabled.
This means that not the hardware MAC, but a self-generated MAC is used.

You can recognize private MAC addresses:
This is the 02 bit of the first octet in the MAC. If it is set, this is a locally-administered address.
Essentially, if the second hex digit is 2, 6, A, or E, it is a private MAC.

-> turn off private MAC address at the client

Hi,

Thanks for your reply. 

It is WLC 9800-80.

From the WLC point of view we can see the client MAC address as 6c1c.7137.7a74. We have 3 problematic clients and the MAC part is the same except the last digit: a74, a77, a70 for example.
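The locally-administered (U/L) bit test from the reply above, written out as an added example that is not part of this thread. It parses the Cisco dotted notation the WLC prints (as well as colon and hyphen forms), checks bit 0x02 of the first octet, and shows that the "second hex digit is 2, 6, A or E" shortcut is the same test. The three addresses from the post above are real values quoted from the thread; the other sample addresses are constructed for illustration.

```python
import re

# 12 hex digits after separators are stripped; Cisco prints 6c1c.7137.7a74
_MAC_DIGITS = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> bytes:
    """Accept Cisco dotted, colon, hyphen or bare-hex MAC strings and
    return the six raw octets. Raises ValueError on anything else."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not _MAC_DIGITS.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 (value 0x02) of the first octet is the U/L bit. Set means the
    address was generated by software (e.g. OS MAC randomization) rather
    than assigned from a vendor OUI."""
    return bool(normalize_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 (value 0x01) of the first octet is the I/G bit; set means a
    group (multicast/broadcast) address, which never identifies a client."""
    return bool(normalize_mac(mac)[0] & 0x01)


def second_hex_digit_rule(mac: str) -> bool:
    """The 'second hex digit is 2, 6, A or E' shortcut from the reply.
    It is exactly: U/L bit set and I/G bit clear (0x2, 0x6, 0xA, 0xE)."""
    return normalize_mac(mac).hex()[1] in "26ae"


def classify(mac: str) -> dict:
    """Summarize one client MAC the way an operator would want to see it
    next to a 'IP address theft' exclusion: vendor OUI plus the two bits."""
    octets = normalize_mac(mac)
    return {
        "mac": octets.hex(":"),
        "oui": octets[:3].hex(":"),
        "locally_administered": bool(octets[0] & 0x02),
        "multicast": bool(octets[0] & 0x01),
    }


def classify_all(macs: list[str]) -> list[dict]:
    """Classify a list of MACs; invalid strings are reported, not skipped
    silently, so a typo in a copied log line cannot hide a client."""
    results = []
    for mac in macs:
        try:
            results.append(classify(mac))
        except ValueError as exc:
            results.append({"mac": mac, "error": str(exc)})
    return results


if __name__ == "__main__":
    # The three addresses quoted in the thread, plus constructed samples:
    # 4a:... and 02:... have the U/L bit set, 01:00:5e:... is multicast.
    sample = [
        "6c1c.7137.7a74", "6c1c.7137.7a77", "6c1c.7137.7a70",
        "4a:3f:00:11:22:33", "02-00-00-aa-bb-cc", "01:00:5e:00:00:fb",
        "not-a-mac",
    ]
    for row in classify_all(sample):
        print(row)
```

For the three client MACs quoted in the thread the first octet is 0x6c (binary 0110 1100), so the U/L bit is clear: they are vendor-assigned addresses, not randomized ones, which is consistent with the OP's observation that they share an OUI and differ only in the last digits. That rules out the private-MAC explanation for these particular clients and points back at the WLC-side binding behaviour discussed in the later replies.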

JPavonM
VIP

I was dealing with this some months ago, and I was working closely with BU Wireless engineers to find a solution for the issue.

As a result, Cisco introduced new database clean-up tasks in code 17.12, and the BU engineer requested to backport this into 17.9 and 17.6, which I'm confirming now.
In my case, I managed to reduce these events a lot after tuning some EAP timeouts and idle timeouts on the C9800 (but keeping "ip-mac binding" enabled); please see the post I made in this thread about this topic (https://community.cisco.com/t5/wireless/c9800-session-timeout-timer/m-p/4846872/highlight/true#M256551).

Check your current values with this command: "show run all | i wireless security dot1x".

[UPDATE]: The BU wireless engineer confirms that 17.12.1 and 17.12.2 include an improvement to check periodically for stale entries and clean up the databases; this is backported into 17.9.5. Another improvement that would be in 17.12.2 is that the clear command could deal with stale entries which it is currently unable to remove.

Beazle
Level 1

I had a similar issue last year with 9800-80s on both 17.3 and 17.9.3. Disabling IP MAC binding in the Policy Profile fixed the issue for us.