01-21-2015 10:01 PM - edited 03-10-2019 10:22 PM
Hi Guys,
We are having some issues at our office where, when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features called MAC Move and MAC Replace, but they seem to be used when moving from one port on a switch to another port on that same switch. Will MAC Move help for issues between switches? And should I focus my attention on the switch's configuration, or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
The configuration we have on the switch ports looks as follows:
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
dot1x pae authenticator
Your help is greatly appreciated.
Grant
01-22-2015 07:38 AM
Grant-
authentication mac-move permit only
Only affects ports/sessions on that switch:
Can you:
- Post your Radius and entire switchport config
- Tell us the model of the switch and the version of code that is running
- The type of Radius server that you are using
- Provide output from
debug radius authentication
Thank you for rating helpful posts!
01-23-2015 01:57 AM
Hi Neno,
Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
Here is the config:
aaa group server radius customer-nps
 server name radius1
 server name radius2
!
aaa authentication dot1x default group radius
dot1x system-auth-control
!
radius server radius1
 address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
 key 7 05392415365959251C283630083D2F0B3B2E22253A
!
radius server radius2
 address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
 key 7 107C2B031202052709290B092719181432190D000C
!
interface GigabitEthernet1/0/1
 switchport access vlan 300
 switchport mode access
 switchport voice vlan 2
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate 28800
 authentication timer inactivity 1800
 mab
 no snmp trap link-status
 mls qos trust cos
 dot1x pae authenticator
 auto qos trust cos
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
01-23-2015 03:48 AM
I have configured the "authentication violation replace" command on all the switches and now I no longer get an authentication issue. It seems the switch put the port into an err-disabled state for some reason. I assume it's because it already has an authentication session for another MAC on that port or because it sees your MAC is authenticated on another port.
%PM-4-ERR_DISABLE_VP: security-violation error detected on Gi1/0/46, vlan 300. Putting in err-disable state.
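To see how widespread this symptom is across the stacks before (or after) rolling out `authentication violation replace`, the following added script, which is not from the thread, pulls security-violation err-disable events out of collected syslog output and counts them per port. The sample log lines are constructed from the message format quoted above; the non-VLAN `%PM-4-ERR_DISABLE` variant and the `link-flap` cause are included as assumptions to show that other err-disable causes are separated out.

```python
import re
from collections import Counter

# Matches the IOS err-disable messages, e.g. the one seen in this thread:
#   %PM-4-ERR_DISABLE_VP: security-violation error detected on Gi1/0/46, vlan 300. Putting in err-disable state.
# and the per-port variant (assumed format):
#   %PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE(?:_VP)?:\s+(?P<cause>[\w-]+) error detected on (?P<port>\S+?)"
    r"(?:,\s*vlan\s+(?P<vlan>\d+))?[,.]"
)

# Constructed sample syslog feed (not real output from the poster's switches).
SAMPLE_LOG = [
    "Jan 23 03:40:12.101: %PM-4-ERR_DISABLE_VP: security-violation error detected on Gi1/0/46, vlan 300. Putting in err-disable state.",
    "Jan 23 03:40:12.105: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/46, changed state to down",
    "Jan 23 03:45:30.220: %PM-4-ERR_DISABLE_VP: security-violation error detected on Gi1/0/46, vlan 300. Putting in err-disable state.",
    "Jan 23 03:51:02.007: %PM-4-ERR_DISABLE_VP: security-violation error detected on Gi2/0/12, vlan 300. Putting in err-disable state.",
    "Jan 23 04:02:44.913: %PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state",
]


def parse_errdisable(lines):
    """Return one dict per err-disable event: cause, port, vlan (or None) and the raw line."""
    events = []
    for line in lines:
        m = ERRDISABLE_RE.search(line)
        if not m:
            continue  # not an err-disable message
        events.append({
            "cause": m.group("cause"),
            "port": m.group("port"),
            "vlan": int(m.group("vlan")) if m.group("vlan") else None,
            "raw": line.strip(),
        })
    return events


def security_violation_ports(lines, threshold=1):
    """Count security-violation err-disables per port; keep ports hit at least `threshold` times.

    A port that shows up here repeatedly is a candidate for the roaming-user problem
    described above (a second MAC arriving while a session still exists on the port).
    """
    counts = Counter(e["port"] for e in parse_errdisable(lines) if e["cause"] == "security-violation")
    return {port: n for port, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for port, n in sorted(security_violation_ports(SAMPLE_LOG).items()):
        print(f"{port}: {n} security-violation err-disable event(s)")
```

Feed it `show logging` output from each stack and the per-port counts show where the old `shutdown` violation action was still firing, which should drop to zero once `replace` is in place everywhere.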
01-24-2015 07:41 PM
Good job on finding out a solution to your problem and thank you for taking the time to come back here and post the solution (+5 from me).
Real quick, I suspect that if you changed your port to authentication host-mode multi-host then the issue would probably go away. Then you can change the security to authentication violation restrict.
Nonetheless, your solution is also valid! So if your issue is resolved, please mark the thread as "answered" :)