topic NAC OOB problem - moving users between ports in Network Security

NAC OOB problem - moving users between ports

boris.senker — Fri, 21 Feb 2020 12:01:11 GMT

Hi,

I have a problem with an OOB deployment I am currently working on: when I move an authenticated OOB client from one switch to another, it remains stuck in the auth VLAN. It seems that NAC doesn't detect the new port correctly.

This is what I did to replicate the issue, in detail:

1) A computer is connected to port 'a' on switch 'A' (A[a]). The port is automatically changed to auth VLAN and authentication and posture assessment are performed.

2) The computer passes both, and the port is changed back to the designated Access VLAN. OOB user appears in the Online Users list, and the computer is added to the Discovered (Wired) Clients list. All the detailed information on both pages is correct.

3) The computer is disconnected. OOB user is removed from the Online Users list, but the computer remains in the Discovered Clients list.

4) The computer is connected to port 'b' on switch 'B' (B[b]). It is automatically changed to auth VLAN and authentication and posture assessment passes successfully one more time. However, the information in the Discovered Clients list is not updated and, moreover, OOB user appears once again in the Online Users list - but the specified location is port A[a]!

The end result is taht the computer remains stuck in the Auth VLAN and NAC Agent Authentication dialogue keeps popping out.

I tried the reverse scenario (port B[b] to port A[a]) after manually clearing all user and client information, and the result was pretty much the same...

Thanks,

Boris

Re: NAC OOB problem - moving users between ports

Faisal Sehbai — Tue, 13 Jul 2010 13:31:39 GMT

Boris,

What switches are you working with? Codes on them?

Can you provide a rough diagram of how things are layed out?

Faisal

Re: NAC OOB problem - moving users between ports

boris.senker — Tue, 13 Jul 2010 14:16:55 GMT

Faisal,

The switches I'm working with are:

Switch A: WS-C2960-48TC-L
SW Image: C2960-LANBASEK9-M, Version 12.2(52)SE

Switch B: WS-C3560-48TS
SW Image: C3560-IPSERVICESK9-M, Version 12.2(53)SE

There is also switch C (another 3560, not sure about the image) where NAC appliances are connected.
Furthermore, there is a redundant NAS server on a different location, connected to switch B through another path (however, the active server atm of this test was the one connected to switch C).

All the switches are connected with GE trunks (just a single link, no EtherChannels), in the following order:

A <-> B <-> C

Both Access and Auth VLANs, and a third VLAN (for NAM-NAS-switches communication) are all terminated on switch B.

I understand there is some information missing - if you think it would be useful, I can provide a more detailed diagram...

Thanks,
Boris

Re: NAC OOB problem - moving users between ports

Faisal Sehbai — Wed, 14 Jul 2010 02:11:49 GMT

Boris,

Before I ask for more information, a prelim question. Have you tried enabling MAC-Move notifications and whether the behaviour worked for you with that or not?

Faisal

Re: NAC OOB problem - moving users between ports

boris.senker — Wed, 14 Jul 2010 08:26:30 GMT

Faisal,

The configuration includes the following lines (on both switches I used for access):

snmp-server community *** RW

snmp-server community *** RO

snmp-server trap-source Vlan2 (management subnet)

snmp-server location 10.0.0.101 (NAM IP address)

snmp-server enable traps snmp linkdown linkup

snmp-server enable traps mac-notification change move threshold

snmp-server host 10.0.0.101 version 2c cisco mac-notification snmp

Also, NAC added the following line on monitored interfaces:

snmp trap mac-notification change added

Is this all that is required to send MAC-change and MAC-move traps?

I captured SNMP traps with a 'tcpdump' on the NAM and I can confirm it receives traps from both switches, with correct source IP addresses. I will try to look into a "raw" dump to see the exact traps it received...

Regards,

Boris

Re: NAC OOB problem - moving users between ports

Faisal Sehbai — Thu, 15 Jul 2010 13:15:49 GMT

Boris,

These two commands would enable mac-move:

mac-address-table notification mac-move

snmp-server enable traps mac-notification change move

HTH,

Faisal

Re: NAC OOB problem - moving users between ports

boris.senker — Thu, 15 Jul 2010 14:26:09 GMT

Thank you, Faisal! Indeed, this helped and resolved the issue.

Interestingly, there is no mention of the "mac-address-table notification mac-move" command in the Clean Access Manager Configuration Guide, Release 4.7(2), not even a note...

Once again, thank you.

Boris

Re: NAC OOB problem - moving users between ports

Faisal Sehbai — Thu, 15 Jul 2010 19:32:14 GMT

Boris,

Quoting Dick Brandon: "Documentation is like sex: When it is good, it's very very good; and when it is bad, it is better than nothing"

We're working on improving things, so hopefully it'll get better 🙂

Faisal

NAC OOB problem - moving users between ports

Eduardo Aliaga — Tue, 04 Sep 2012 20:14:48 GMT

Hello. I'm hitting the same problem.

The command "mac-address-table notification mac-move" works fine only when the user connect and disconnects from ports on the same switch. But it doesn't work if I disconnect from switch "A" and connects to switch "B".

Do you know any solution to this problem?

Best regards