https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529840#M519869 <HTML><HEAD></HEAD><BODY><P>This is not a capability of ISE</P><P></P><P>What are you trying to prevent?</P></BODY></HTML> Wed, 15 Nov 2017 12:29:28 GMT Jason Kunst 2017-11-15T12:29:28Z https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529839#M519867 <HTML><HEAD></HEAD><BODY><P>Hi!</P><P></P><P>I have an ISE server and switch environment with dot1x enabled and configured</P><P>Is it possible to receive email every time when user authenticates on one port then unplugs cable, plug it in another port (on the same or on the different switch) and authenticates again?</P><P></P><P>If so, then how could i complete this?</P><P>Switches could send snmp traps on ISE and ISE could notify me on some alerts via email, but i can't find mac move alerts in ISE configuration</P></BODY></HTML> Wed, 15 Nov 2017 10:20:16 GMT https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529839#M519867 Sergey Sakharov 2017-11-15T10:20:16Z https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529840#M519869 <HTML><HEAD></HEAD><BODY><P>This is not a capability of ISE</P><P></P><P>What are you trying to prevent?</P></BODY></HTML> Wed, 15 Nov 2017 12:29:28 GMT https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529840#M519869 Jason Kunst 2017-11-15T12:29:28Z https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529841#M519871 <HTML><HEAD></HEAD><BODY><P>Trying to prevent users from moving on their own from one switch port to another one</P></BODY></HTML> Wed, 15 Nov 2017 12:59:20 GMT https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529841#M519871 Sergey Sakharov 2017-11-15T12:59:20Z https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529842#M519872 <HTML><HEAD></HEAD><BODY><P>I think this is not possible ,but the main question is why users have access to the switch and unplug cables or something else . And 1 more thing i mention if they plug or unplug from one port to another you can create authorization policy in ISE always to be assosiated on Vlan you want to use ( if ports are in different VLANS).</P></BODY></HTML> Wed, 15 Nov 2017 13:06:12 GMT https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529842#M519872 ognyan.totev 2017-11-15T13:06:12Z https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529843#M519874 <HTML><HEAD></HEAD><BODY><P>This is a network management function and not an ISE function</P><P></P><P>On the switch you can restrict Mac addresses allowed I believe by first learning and only allowing that MAC address</P></BODY></HTML> Wed, 15 Nov 2017 13:08:29 GMT https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529843#M519874 Jason Kunst 2017-11-15T13:08:29Z https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529844#M519876 <HTML><HEAD></HEAD><BODY><P>It's not a useful solution... we have a plenty of users and they move from one office to another (with it support help - officially and without support - that's what we want to eliminate). Every user has PC and ip-phone. And also there is port-security on switch ports with maximum of 2 mac-adresses (any). I don't want to bind mac-adresses to switch ports because it will be a nightmare to administer such environment with officially migrating users. And that's why i'm looking for another solution. </P><P>If it's not an ISE then what should it be?</P></BODY></HTML> Wed, 15 Nov 2017 14:08:25 GMT https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529844#M519876 Sergey Sakharov 2017-11-15T14:08:25Z https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529845#M519879 <HTML><HEAD></HEAD><BODY><P>Like the others said, this is not a feature in ISE. Please investigate it on Cisco IOS platform support. It might be possible to use EEM (<A href="https://supportforums.cisco.com/t5/network-infrastructure-documents/cisco-eem-basic-overview-and-sample-configurations/ta-p/3148479">Cisco EEM Basic Overview and Sample Con... - Cisco Support Community</A>) and Cisco Prime Infrastructure or Cisco DNA Center might help in deploying the scripts.</P></BODY></HTML> Wed, 15 Nov 2017 16:21:40 GMT https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529845#M519879 hslai 2017-11-15T16:21:40Z https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529846#M519880 <HTML><HEAD></HEAD><BODY><P>The requirement doesn’t make a lot of sense, but I think you can do it with something like Splunk by correlating logs and alerting based on specific rules. Why does it matter if they move as long as they get the same access to the network anywhere they connect?</P></BODY></HTML> Wed, 15 Nov 2017 17:43:54 GMT https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529846#M519880 gbekmezi-DD 2017-11-15T17:43:54Z https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529847#M519882 <HTML><HEAD></HEAD><BODY><P>Thanks</P></BODY></HTML> Thu, 16 Nov 2017 07:39:48 GMT https://community.cisco.com/t5/network-access-control/user-movement-notification/m-p/3529847#M519882 Sergey Sakharov 2017-11-16T07:39:48Z