Rob_Goldman
Staff

Mac aging interval not being honored

I am trying to configure a FortiSwitch Port Policy (802.1X with MAB bypass) to secure a FortiLinked switch port. FSW is S108EP-v7.4.1-build787,230921 (GA). FG is WF60ETK18004623 running v7.0.13 build0566 (Mature).

The goal is to control multiple hosts behind a hub on a single link-mode FortiSwitch port using FortiNAC as the RADIUS server.

If I connect a host directly to a port, it works as expected. I disconnect and receive an accounting Stop, and the MAC is cleared out of the mac-cache.

If I connect a hub to the port and then the host to the hub, I get authenticated and receive an accounting Start message.

I check the switch mac-cache and see my MAB-authed host on port 5:
running-clients:
VLANID   PORTID   MAC                 LAST SEEN(secs ago)   INTF-NAME
721      5        84:7b:eb:25:23:48   6                     port5
4094     0        70:4c:a5:f2:95:c4   6                     internal

When I disconnect the host from the hub, the MAC never leaves the mac-cache. I would expect it to become inactive and age out after 30 seconds of inactivity. The last-seen time gets to 60 seconds, gets reset to 1, counts up to 60 and resets to 1 again. The MAC never ages out.

How do I get it to honor the MAC aging timer?

My configuration is as follows:

FortiGate # show switch-controller global
config switch-controller global
    set mac-aging-interval 30
    set mac-retention-period 0
    set mac-event-logging enable
end

show switch-controller security-policy 802-1X FSW-Radius\ Local\ \ 201
config switch-controller security-policy 802-1X
    edit "FSW-Radius Local 201"
        set security-mode 802.1X-mac-based
        set user-group "FSW-Radius-Group-Local"
        set mac-auth-bypass enable
        set open-auth disable
        set eap-passthru enable
        set eap-auto-untagged-vlans enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
        set authserver-timeout-vlan disable
    next
end
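The symptom described above (an entry whose LAST SEEN counter climbs past the 30-second mac-aging-interval, then wraps back to 1 without the MAC ever leaving the table) can be spotted by polling the running-clients output and checking each entry against the configured interval. The script below is an added example, not part of this thread or of any Fortinet tool; the three table samples are constructed in the format quoted in the post, and the port filter and the 30-second interval are assumptions taken from that configuration.

```python
import re

# Constructed samples (not from the post): three polls of the running-clients
# table taken after the host on port5 was unplugged from the hub.
SAMPLES = [
    """running-clients:
VLANID   PORTID   MAC                 LAST SEEN(secs ago)   INTF-NAME
721      5        84:7b:eb:25:23:48   55                    port5
4094     0        70:4c:a5:f2:95:c4   6                     internal
""",
    """running-clients:
VLANID   PORTID   MAC                 LAST SEEN(secs ago)   INTF-NAME
721      5        84:7b:eb:25:23:48   25                    port5
4094     0        70:4c:a5:f2:95:c4   3                     internal
""",
    """running-clients:
VLANID   PORTID   MAC                 LAST SEEN(secs ago)   INTF-NAME
721      5        84:7b:eb:25:23:48   55                    port5
4094     0        70:4c:a5:f2:95:c4   8                     internal
""",
]

# One data row: VLAN, port index, MAC, seconds since last seen, interface name.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s+(\S+)\s*$", re.I
)


def parse_running_clients(text):
    """Return {mac: (vlan, port, last_seen_secs, intf)} for one table sample."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, port, mac, seen, intf = m.groups()
            rows[mac.lower()] = (int(vlan), int(port), int(seen), intf)
    return rows


def find_stuck_entries(samples, aging_interval, watch_intfs):
    """Flag MACs on watch_intfs that are still listed with an inactivity
    beyond aging_interval, and note whether LAST SEEN wrapped (decreased)
    between polls, which is the counter reset described in the post."""
    seen_by_mac = {}
    for text in samples:
        for mac, (_vlan, _port, seen, intf) in parse_running_clients(text).items():
            if intf in watch_intfs:
                seen_by_mac.setdefault(mac, {"intf": intf, "seen": []})["seen"].append(seen)
    stuck = []
    for mac, h in seen_by_mac.items():
        if max(h["seen"]) > aging_interval:
            wrapped = any(b < a for a, b in zip(h["seen"], h["seen"][1:]))
            stuck.append({"mac": mac, "intf": h["intf"], "max_seen": max(h["seen"]), "wrapped": wrapped})
    return stuck
```

Feed it real output captured at regular intervals and a non-empty result means the switch is keeping an entry past the interval it was told to honor, which is the behaviour to raise with support alongside the logs.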

ebilcari
Staff

Based on your description, it looks like the MAC address is cleared on a port-down event only; when the host is connected through the hub, the port always stays up. The configuration looks correct, but the switch is not acting accordingly; maybe try a different FSW firmware version.

mac-aging-interval - Time after which an inactive MAC is aged out.

mac-retention-period - Time in hours after which an inactive MAC is removed from the client DB (0 = aged out based on mac-aging-interval).

There is also an investigation going on for this issue: 779403 - Dynamically learned mac address won't be timeout if 802.1x is configured.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Rgoldman
New Contributor

How do I look up 779403 - "Dynamically learned mac address won't be timeout if 802.1x is configured"? Searching 779403 brings up a different subject.

ebilcari

The investigation is ongoing; you can find this issue referenced as number 779403 in the future release notes.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.