https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4300448#M565844 <P>Hi Guys,</P><P>&nbsp;</P><P>We are having some issues at our office When users move from one port of the switch to a port of another switch, their MAC address stays on the previous port as STATIC, creating connectivity problems when the new connection is below the previous switch.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Diagrama MAC STATIC PROBLEM.jpg" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/105469i724176CE2965A008/image-size/medium?v=v2&amp;px=400" role="button" title="Diagrama MAC STATIC PROBLEM.jpg" alt="Diagrama MAC STATIC PROBLEM.jpg" /></span></P><P> </P><P>The switch learns the MAC address as static because we use authentication on the switch ports with Cisco ISE 2.7. As computers are connected through an IP phone when they move, the port does not turn off and the MAC address remains stuck in the previous port.</P><P>Do you guys have any idea how this problem can be solved?</P><P>Meanwhile we are using Radius idle timeout of 5 seconds in the authorization profile in ISE. In this way, after 5 seconds after the computer was disconnected, the session ends and the switch clears the MAC, but sometimes this configuration brings me problems of instability in the connectivity of the users and that is why I need to know if there is any other solution .</P><P>&nbsp;</P><P>Below I share the configuration that we use in the switches ports.</P><P>&nbsp;</P><P>authentication event fail action next-method<BR />authentication event server dead action authorize<BR />authentication event server alive action reinitialize<BR />authentication host-mode multi-domain<BR />authentication order mab dot1x<BR />authentication priority dot1x mab<BR />authentication port-control auto<BR />authentication periodic<BR />authentication timer reauthenticate server<BR />authentication violation replace<BR />mab<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 3<BR />spanning-tree portfast<BR />spanning-tree bpduguard enable</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 03 Mar 2021 03:49:35 GMT MambaRod16 2021-03-03T03:49:35Z https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4300448#M565844 <P>Hi Guys,</P><P>&nbsp;</P><P>We are having some issues at our office When users move from one port of the switch to a port of another switch, their MAC address stays on the previous port as STATIC, creating connectivity problems when the new connection is below the previous switch.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Diagrama MAC STATIC PROBLEM.jpg" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/105469i724176CE2965A008/image-size/medium?v=v2&amp;px=400" role="button" title="Diagrama MAC STATIC PROBLEM.jpg" alt="Diagrama MAC STATIC PROBLEM.jpg" /></span></P><P> </P><P>The switch learns the MAC address as static because we use authentication on the switch ports with Cisco ISE 2.7. As computers are connected through an IP phone when they move, the port does not turn off and the MAC address remains stuck in the previous port.</P><P>Do you guys have any idea how this problem can be solved?</P><P>Meanwhile we are using Radius idle timeout of 5 seconds in the authorization profile in ISE. In this way, after 5 seconds after the computer was disconnected, the session ends and the switch clears the MAC, but sometimes this configuration brings me problems of instability in the connectivity of the users and that is why I need to know if there is any other solution .</P><P>&nbsp;</P><P>Below I share the configuration that we use in the switches ports.</P><P>&nbsp;</P><P>authentication event fail action next-method<BR />authentication event server dead action authorize<BR />authentication event server alive action reinitialize<BR />authentication host-mode multi-domain<BR />authentication order mab dot1x<BR />authentication priority dot1x mab<BR />authentication port-control auto<BR />authentication periodic<BR />authentication timer reauthenticate server<BR />authentication violation replace<BR />mab<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 3<BR />spanning-tree portfast<BR />spanning-tree bpduguard enable</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 03 Mar 2021 03:49:35 GMT https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4300448#M565844 MambaRod16 2021-03-03T03:49:35Z https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4300461#M565845 <P>Hi<BR /><BR /></P> <P>What IP phone devices are you using?<BR />You need to make sure the logoff message is sent out to the radius when a pc disconnects from the IP phone.<BR /><BR /></P> Wed, 03 Mar 2021 04:34:03 GMT https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4300461#M565845 Francesco Molino 2021-03-03T04:34:03Z https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4300694#M565849 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/498034">@MambaRod16</a>&nbsp;,</P><P>&nbsp;beyond <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/321306">@Francesco Molino</a>&nbsp;said, try the following command:</P><PRE><SPAN>authentication control-direction in</SPAN></PRE><P>&nbsp;</P><P><SPAN>Hope this helps !!!</SPAN></P> Wed, 03 Mar 2021 13:19:21 GMT https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4300694#M565849 Marcelo Morais 2021-03-03T13:19:21Z https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4301620#M565886 <P>Our IP Phones are AVAYA.&nbsp;</P><P>&nbsp;</P><P>How can I achieve that&nbsp;<SPAN>the logoff message is sent out to the radius when a pc disconnects from the IP phone?</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P> Thu, 04 Mar 2021 17:58:04 GMT https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4301620#M565886 MambaRod16 2021-03-04T17:58:04Z https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4302626#M565924 <P>Do you have device Tracking enabled?</P> <P>eg some sample commands below. You apply the policy to the interfaces</P> <P>&nbsp;</P> <PRE>authentication mac-move permit ! device-tracking policy IPDT_POLICY no protocol udp tracking enable</PRE> <P>&nbsp;</P> Sat, 06 Mar 2021 21:50:39 GMT https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4302626#M565924 Arne Bier 2021-03-06T21:50:39Z https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4302929#M565931 <P>Hi Arne,&nbsp;</P><P>&nbsp;</P><P>Could you please tell me how I can use IP Device Tracking to solve this problem?</P><P>Below the configuration I'm using on the switches, please tell me if something is missing</P><P>&nbsp;</P><P><STRONG>GLOBALLY</STRONG></P><P>authentication mac-move permit</P><P>aaa new-model<BR />aaa group server radius dot1x_auth<BR />server name EXAMPLE-ISE-1<BR />server name EXAMPLE-ISE-2<BR />aaa authentication dot1x default group dot1x_auth<BR />aaa authorization network default group dot1x_auth<BR />aaa accounting update newinfo<BR />aaa accounting dot1x default start-stop group dot1x_auth<BR />aaa server radius dynamic-author<BR />client 192.168.4.58 server-key ExampleKey<BR />client 192.168.4.59 server-key ExampleKey<BR />aaa session-id common</P><P>dot1x system-auth-control<BR />dot1x critical eapol</P><P>ip access-list extended ACL_Redirect<BR />deny udp any eq bootpc any eq bootps<BR />deny udp any any eq domain<BR />deny ip any host 192.168.4.58<BR />deny ip any host 192.168.4.59<BR />permit tcp any any eq www<BR />permit tcp any any eq 443<BR />permit ip any any<BR />deny ip any any<BR /><BR />ip device tracking probe delay 10<BR />ip device tracking</P><P>radius-server attribute 6 on-for-login-auth<BR />radius-server attribute 6 support-multiple<BR />radius-server attribute 8 include-in-access-req<BR />radius-server attribute 25 access-request include<BR />radius-server attribute 31 mac format ietf upper-case<BR />radius-server attribute 31 send nas-port-detail<BR />radius-server dead-criteria tries 2<BR />radius-server key ExampleKey<BR />radius-server vsa send authentication<BR />radius-server vsa send accounting<BR />radius server EXAMPLE-ISE-1<BR />address ipv4 192.168.4.58 auth-port 1812 acct-port 1813<BR />key ExampleKey<BR />radius server EXAMPLE-ISE-2<BR />address ipv4 192.168.4.59 auth-port 1812 acct-port 1813<BR />key ExampleKey</P><P>&nbsp;</P><P><STRONG>ON THE INTERFACE</STRONG></P><P>switchport access vlan 60<BR />switchport mode access<BR />switchport voice vlan 70<BR />authentication event fail action next-method<BR />authentication event server dead action authorize<BR />authentication event server alive action reinitialize<BR />authentication host-mode multi-domain<BR />authentication order mab dot1x<BR />authentication priority dot1x mab<BR />authentication port-control auto<BR />authentication periodic<BR />authentication timer reauthenticate server<BR />authentication violation replace<BR />mab<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 3<BR />spanning-tree portfast</P> Mon, 08 Mar 2021 04:40:43 GMT https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4302929#M565931 MambaRod16 2021-03-08T04:40:43Z https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4302933#M565932 <P>Do you have device tracking assigned on the interface?</P> <P>&nbsp;</P> <P>Below is the global device-tracking definition (courtesy of DNAC <span class="lia-unicode-emoji" title=":winking_face:">😉</span> and how you would apply it to an interface:</P> <P>&nbsp;</P> <PRE>device-tracking policy IPDT_MAX_10 limit address-count 10 no protocol udp tracking enable interface gig x/x/x device-tracking attach-policy IPDT_MAX_10</PRE> <P>&nbsp;</P> Mon, 08 Mar 2021 05:26:52 GMT https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4302933#M565932 Arne Bier 2021-03-08T05:26:52Z https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4306931#M566115 <P>You want your phones to have the CDP 2nd Port disconnect option enabled. They will tell the switch when to release the MAC from the data VLAN when you use this. See <A href="https://community.cisco.com/t5/security-documents/phone-amp-collaboration-authentication-capabilities/ta-p/3622266" target="_self">Phone &amp; Collaboration Authentication Capabilities</A> for more details with different phone vendors.</P> Sun, 14 Mar 2021 02:43:02 GMT https://community.cisco.com/t5/network-access-control/connectivity-problem-using-802-1x-authentication-when-moving/m-p/4306931#M566115 thomas 2021-03-14T02:43:02Z