https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571720#M538436 <HTML><HEAD></HEAD><BODY><P>Thank you for the followup on this, Utkarsh!</P><P>Glad to hear they do have the capability so it will work for you!</P></BODY></HTML> Thu, 30 Jun 2016 15:06:07 GMT thomas 2016-06-30T15:06:07Z https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571716#M538432 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>How does the switch detect link status for endpoints when they are disconnected behind IP-Phones on a multi-auth port ?</P><P></P><P>We have an issue where an endpoint is moved from one multi-auth port to another multi-auth port (both behind Polycom phones) but the authentication session still remains on the old port. The MAC-Address table however is updated. </P><P>Issue is faced on CAT 6K and CAT 4K switches only for Polycom phones. No issue is seen for Cisco IP Phones.</P><P></P><P></P><P>After clearing authentication session on both the interfaces the authentication session is correctly applied.</P><P></P><P>Is this a known issue on Polycomm Phones ?</P></BODY></HTML> Wed, 29 Jun 2016 13:01:46 GMT https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571716#M538432 umahar 2016-06-29T13:01:46Z https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571717#M538433 <HTML><HEAD></HEAD><BODY><P>Utkarsh,</P><P></P><P>The switch detects new endpoints on a switchport by MAC address. I suspect the polycom phones are not telling the switch about the disconnection when the endpoint moves.&nbsp; This would explain why the session remains but the MAC address table is being updated.</P><P></P><P>Regards,</P><P>-Tim</P></BODY></HTML> Wed, 29 Jun 2016 15:21:55 GMT https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571717#M538433 Timothy Abbott 2016-06-29T15:21:55Z https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571718#M538434 <HTML><HEAD></HEAD><BODY><P><A _jive_internal="true" href="https://community.cisco.com/docs/DOC-63825"><STRONG>Cisco IP Phones</STRONG></A> have a special feature called <STRONG>CDP 2nd Port Disconnect</STRONG> which tells the switch when the endpoint behind it is Disconnected. Polycoms don't have this feature.</P></BODY></HTML> Thu, 30 Jun 2016 04:16:01 GMT https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571718#M538434 thomas 2016-06-30T04:16:01Z https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571719#M538435 <HTML><HEAD></HEAD><BODY><P>Thomas/Tim,</P><P></P><P>Thanks for the response</P><P>On going through Polycom documentation it is mentioned that Polyom phones too send CDP packets</P><P>Polycom phones can also send proxy EAPoL on behalf of the machine.</P><P>However it seems both these are not enabled by default and we need to make changes to the XML configuration file.</P><P></P><P>Please check the link below </P><P><A href="http://plcmtechnet.com/documents/voice/unified-communications-software-ucs/5-0-1/administrator-guide/configuration-parameters#_-lt-dot1x-gt--lt-eapollogoff--gt-" title="http://plcmtechnet.com/documents/voice/unified-communications-software-ucs/5-0-1/administrator-guide/configuration-parameters#_-lt-dot1x-gt--lt-eapollogoff--gt-">Configuration Parameters | documents.polycom.com</A></P></BODY></HTML> Thu, 30 Jun 2016 06:52:32 GMT https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571719#M538435 umahar 2016-06-30T06:52:32Z https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571720#M538436 <HTML><HEAD></HEAD><BODY><P>Thank you for the followup on this, Utkarsh!</P><P>Glad to hear they do have the capability so it will work for you!</P></BODY></HTML> Thu, 30 Jun 2016 15:06:07 GMT https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571720#M538436 thomas 2016-06-30T15:06:07Z https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571721#M538437 <HTML><HEAD></HEAD><BODY><P>Another common option is to enable the inactivity timer on the port: <A href="http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp386911" title="http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp386911">Wired 802.1X Deployment Guide - Cisco</A>.</P><P>That will remove authenticated MAC addresses that don't transmit any data over a certain period of minutes.</P><P></P><P>Additionally, you can allow MAC addresses to move between ports using this command: authentication mac-move permit. This command will remove a MAC address session if the same MAC address pops up on another port.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 30 Jun 2016 15:57:08 GMT https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571721#M538437 vibobrov 2016-06-30T15:57:08Z https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571722#M538438 <HTML><HEAD></HEAD><BODY><P>Thanks Viktor</P><P></P><P>I tried to capture this <SPAN data-dobid="hdw">behaviour for Cisco IP phone 9971 (running 1.9.4) but could not find any CDP disconnect packet. </SPAN></P><P><SPAN data-dobid="hdw">However I did find proxy EAPoL as below although with an frame check sequence incorrect error. </SPAN></P><P></P><P>I am sure this is the expected behaviour. I think the error is due to checksum offloading explained as <A href="https://communities.vmware.com/thread/426699?start=0&amp;tstart=0" title="https://communities.vmware.com/thread/426699?start=0&amp;tstart=0">Ethernet Frame Check Sequence set to 0x00000000 | VMware Communities</A></P><P><SPAN data-dobid="hdw"><BR /></SPAN></P><P><SPAN data-dobid="hdw"><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/97393_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></SPAN></P></BODY></HTML> Thu, 07 Jul 2016 09:59:41 GMT https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571722#M538438 umahar 2016-07-07T09:59:41Z https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571723#M538439 <HTML><HEAD></HEAD><BODY><P>Maybe these phones don't support CDP second port notification. This is what I see on my 9971. EAPOL Logoff would accomplish the same thing though.</P><P>Device ID: SEPD0C282D00906</P><P>Entry address(es): </P><P>&nbsp; IP address: 10.118.97.3</P><P>Platform: Cisco IP Phone 9971,&nbsp; Capabilities: Host Phone Two-port Mac Relay </P><P>Interface: GigabitEthernet0,&nbsp; Port ID (outgoing port): Port 1</P><P>Holdtime : 153 sec</P><P><STRONG>Second Port Status: Unknown</STRONG></P><P></P><P></P><P>Version :</P><P>sip9971.9-4-2SR2-2</P><P></P><P></P><P>advertisement version: 2</P><P>Duplex: full</P><P>Power drawn: 12.804 Watts</P><P>Power request id: 1547, Power management id: 2</P><P>Power request levels are:12804 0 0 0 0 </P></BODY></HTML> Sat, 09 Jul 2016 00:42:56 GMT https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571723#M538439 vibobrov 2016-07-09T00:42:56Z https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571724#M538440 <HTML><HEAD></HEAD><BODY><P>I was able to get the Polycom Phone working with EAPoL proxy logoff.</P><P>Adding the line <STRONG><SPAN lang="EN-IN" style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">&lt;sec.dot1x.eapollogoff sec.dot1x.eapollogoff.enabled="1"&gt; </SPAN></STRONG><SPAN lang="EN-IN" style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">in the configuration file made it work.</SPAN></P></BODY></HTML> Tue, 12 Jul 2016 04:05:08 GMT https://community.cisco.com/t5/network-access-control/authentication-session-does-not-change-on-multi-auth-port-behind/m-p/3571724#M538440 umahar 2016-07-12T04:05:08Z