Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2391
Views
10
Helpful
4
Replies

access-session and Mac-move

awinslade
Level 1
Level 1

‎01-07-2021 04:36 AM

Hi All

 

Just implementing an ISE solution to a new network that has a legacy wifi network and clients are not able  to roam from an authenticated port on a switch to an Authenticated port on a down-stream switch; as the upstream switch still thinks the client is on the authenticate port.

 

what is the recommended solution - bearing in mind that the plan was not to authenticate switch-to-switch ports.

 

Thoughts?

 

Andy

0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎01-07-2021 05:08 AM

If the MAC Move only allowed that switch only, i do not believe MAC Move allowed different switch (that is the Limitation), user need to re-authenticate here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

awinslade
Level 1
Level 1
In response to balaji.bandi

‎01-08-2021 02:45 AM

Thanks for your comments and this is clearly the situation - but im surprised that there is not a fix for the issue.

 

I'm sure I'm not the first to have had it.

 

Andy

 

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎01-08-2021 03:09 AM

Lets take a Look at the scenario, why do the Physical Port move from Switch to different switch ? that is not industry standard.

We agree wireless point of view, not wired point of view.

 

Once the device patched to 1 point we expect that physical device stay in that Location, if that is moved Admin should know. this not an issue, this is more of design and it is how that works as per my understanding.

 

i am sure if the user move to different switch, he get new IP address  ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Damien Miller
VIP Alumni
VIP Alumni

‎01-09-2021 06:15 AM

I've seen this issue when endpoints are plugged in to dumb switches, KVMs , and non Cisco IP phones (mab endpoints connected through an third party IP phone, and dot1x endpoints when the IP phone doesn't support eap proxy logoff). Normally, when a wired endpoint moves from switch to switch, the port status would go down/down, and the authentication session would be cleared. When there is not a direct connection from the switch to the endpoint moving, the port state does not change, the switch will think the endpoint is still connected. 

The mac move permit only applies if the endpoint is plugging in to a different port on the same switch/logical switch stack, and not if the endpoint moves to a different switch. 

Some ways to address this way include ensuring that endpoints are not passing through unmanaged switches/KVMs and have a direct connection to the Cisco switch performing the 802.1x/mab authentication. The second method addressing this for sessions behind third party IP phones is to enable the radius idle-timeout as part of the authorization result. 

0 Helpful
Customers Also Viewed These Support Documents