
802.1x session termination when disconnecting device

I'm having an issue on a Cisco 2960 with not being able to move a device from one port to another within the MAC address timeout on a port. When using a laptop in something like a meeting room and afterwards moving to another place (within 5 min), the port will not authenticate. It works fine if I clear the port on the first connection or wait 5 minutes. I've been looking for configuration to terminate the port 802.1x session when disconnecting the cable/device, which I thought it'd do anyway, but I've come up short.

There isn't any other device connected to the port like an IP phone. 

Configuration:

interface range 
authentication host-mode multi-auth
authentication order dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout server-timeout 30
dot1x timeout tx-period 5
dot1x max-req 3
dot1x max-reauth-req 10

And then the RADIUS server. Other than that, it's the most standard access configuration.

2 Replies

Configured mac move on the ports which solved the issue.

Hi Kasper! First of all, good job on solving your own problem. Also, thank you for taking the time to come here and post the solution (+5 from me). 

A couple of other things to mention here:

1. You can enable the authentication mac-move permit globally

2. You are missing some port-related commands that I would suggest enabling. For more info, please check this link (it is old but pretty relevant):

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_10_universal_switch_config.pdf

Thank you for rating helpful posts!
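
An added example, not part of the original thread or of Cisco's documentation: a small Python check that reads a saved running-config and lists the ports using `authentication port-control auto` on a switch where `authentication mac-move permit` is missing from global configuration, which is the situation described in the question. The sample config, interface names and function names are constructed for the example.

```python
# Constructed sample running-config; interface names are made up for the example.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface GigabitEthernet0/1
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 authentication port-control auto
 dot1x pae authenticator
"""

def parse_config(text):
    """Split an IOS-style config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            interfaces[current].append(line)      # indented: belongs to the interface
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None                        # back in global configuration
            global_lines.append(line)
    return global_lines, interfaces

def audit_mac_move(text):
    """Return (mac_move_permitted, sorted list of ports with port-control auto)."""
    global_lines, interfaces = parse_config(text)
    permitted = "authentication mac-move permit" in global_lines
    ports = sorted(name for name, lines in interfaces.items()
                   if "authentication port-control auto" in lines)
    return permitted, ports

def report(text):
    """One finding per authenticated port when MAC move is not permitted globally."""
    permitted, ports = audit_mac_move(text)
    return [] if permitted else [p + ": MAC move not permitted globally" for p in ports]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)) or "no findings")
```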