topic C9800 access-session mac-move deny in Wireless

C9800 access-session mac-move deny

antmich — Mon, 05 Jul 2021 20:18:14 GMT

Hi everyone,

I was reviewing the configuration of a C9800 yesterday and I stumbled on this configuration line :

access-session mac-move deny

I went googling about it and I sort of understand the key concept behind it, being that if it is set to deny, a 802.1x authenticated user on a port can't change ports, otherwise they won't be able to reauthenticate.

Can this command be an issue on a C9800 in a wireless deployment with 802.1x authentication on a SSID, as users roam between access-points and therefore, network ports ?

Thank you all in advance for your replies,

Re: C9800 access-session mac-move deny

Scott Fella — Wed, 12 May 2021 15:03:06 GMT

There are some things where you just don't want to change. Now, the best way to see if that works in your environment or not is just to test. You have two options to choose from, I have it set to deny, which is default.

Re: C9800 access-session mac-move deny

Rich R — Tue, 18 May 2021 09:54:27 GMT

Also something to be aware of - 9800 contains many IOS-XE default CLI commands which currently have no effect either because they will be removed in a later release or because they are still to be implemented. They're often not well documented, if at all, so like Scott says only way to confirm is to test or open a TAC case for them to research the source code or ask the wireless BU.