12-16-2016 03:29 PM - edited 03-11-2019 12:18 AM
Hello All,
Cisco Switch: WS-C4510R+E
IOS: Version 03.06.03.E
ROM: 15.0(1r)SG5
I had been testing with a Dell Laptop today that was refusing to connect to the wired network and get an IP Address (*Now, the same issue occurs on 2 separate Dell laptops which are about 5 years apart in manufacturing age). The Laptops use Cisco AnyConnect with the NAM module and ISE Posture module.
When I plug the laptop into my wall-port (*Gi7/24), the NAM Module shows "Authenticating", and then "Acquiring IP Address"... It then sits on acquiring IP Address for about 30 seconds or so and then it displays Limited or No Connectivity. Ipconfig on the laptop shows it's not getting an IP address from the switch. We use 802.1x Machine Authentication and the "show auth sess int Gi7/24" does not show that laptop as attempting to authenticate. I tried just about everything I could think of to get this working, but nothing I did seemed to make a difference.
So I ran "show auth sessions | inc <PC_Mac_Address>" and I found the MAC address was still showing on a co-worker's switchport. But the laptop hadn't been turned on in a few months, which I thought was strange... So I ran "clear auth sess int Gix/xx" on that port and then replugged the laptop into my switchport and voila, it authenticated successfully and it was able to get an IP address and access the network.
Is there any way to prevent the switch from caching these authentication sessions, like having the switch automatically remove the auth session whenever the device is disconnected from a switchport? This seems like it could be a big problem down the road, especially considering how long that auth session was sitting on my co-worker's port since that PC hadn't been turned on in months.
I was also having this problem with another laptop, same model as the one in my tests above. This laptop was one we were using for testing when we were setting up our ISE server. And we were working with a consultant at the time so we were in a conference room. That was back in July/August of this year and I was still able to find that auth session on that port on our 4510 for the conference room... This doesn't seem right to me, how can we prevent this from happening? I would just run "clear auth sessions" for everybody, but when you do that, computers currently connected when you run that command would get disconnected from the network and it would require them to reconnect/re-initiate the connection by unplugging and plugging back in. That scenario could be a nightmare when you get 50 people calling you at the same time telling you they don't have a network connection.
Any ideas how I can fix this problem...? Any thoughts or suggestions would be greatly appreciated!
*UPDATE: I just came across this command on the switch... Does this have anything to do with this?
4510R-HQ(config)#authentication mac-move permit ? <cr>
Thanks in Advance,
Matt
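The check described in the post above (find where a MAC's stale session lives, then clear only that port rather than running a switch-wide "clear authentication sessions") is easy to script. The following is an added example and not code from the original thread or from Cisco: it parses a constructed "show authentication sessions" output (the column layout varies between IOS releases, so the regex is an assumption about that layout), normalizes the MAC as Windows prints it in ipconfig /all, and emits one targeted "clear authentication sessions interface ..." command per stale port. Interface names and MAC addresses in the sample are made up.

```python
import re

# Constructed sample output; not captured from the poster's 4510R+E.
# Matches the classic IOS "show authentication sessions" column layout.
SAMPLE_OUTPUT = """\
Interface    MAC Address     Method   Domain   Status         Session ID
Gi7/24       0050.56aa.1111  dot1x    DATA     Authz Success  0A01010100000001000ABCDE
Gi5/07       0050.56bb.2222  dot1x    DATA     Authz Success  0A01010100000002000ABCDF
Gi2/01       0050.56cc.3333  mab      DATA     Authz Failed   0A01010100000003000ABCE0
"""

# Assumed layout: interface, dotted MAC, method, domain, free-text status, hex session id.
ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<sid>[0-9A-Fa-f]+)\s*$"
)


def normalize_mac(mac):
    """Accept 00-50-56-BB-22-22 (ipconfig), 00:50:56:bb:22:22, 005056bb2222 or
    0050.56bb.2222 and return the dotted lowercase form IOS prints."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "%s.%s.%s" % (hexdigits[0:4], hexdigits[4:8], hexdigits[8:12])


def parse_sessions(text):
    """Return one dict per session row; the header and blank lines do not match."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            sessions.append(row)
    return sessions


def stale_sessions(sessions, mac, current_intf):
    """Sessions for `mac` that still sit on a port other than the one the
    host is plugged into now. With mac-move denied these block the new port."""
    mac = normalize_mac(mac)
    return [s for s in sessions
            if s["mac"] == mac and s["intf"].lower() != current_intf.lower()]


def clear_commands(stale):
    """One per-interface clear per stale port, so nobody else is kicked off."""
    return ["clear authentication sessions interface %s" % s["intf"] for s in stale]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    # The laptop is now on Gi3/12 but its old session is still on Gi5/07.
    for cmd in clear_commands(stale_sessions(sessions, "00-50-56-BB-22-22", "Gi3/12")):
        print(cmd)
```

Paste the real "show authentication sessions" output into SAMPLE_OUTPUT (or read it from a file) and pass the laptop's MAC and the port it is plugged into now; the output is the exact set of interface-scoped clear commands to run, which is the fix the post arrived at by hand.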
12-16-2016 08:23 PM
Hi Matt-
You are absolutely right! The authentication mac-move permit command is a must for ISE deployments. Here is a link that describes the usage of the command and the actual snippet:
Use the authentication mac-move permit global configuration command to enable MAC move on a switch. Use the no form of this command to return to the default setting.
authentication mac-move permit
no authentication mac-move permit
Syntax Description: This command has no arguments or keywords.
Defaults: MAC move is enabled.
Command Modes: Global configuration
Command History:

Release | Modification
---|---
12.2(52)SE | This command was introduced.
The command enables authenticated hosts to move between 802.1x-enabled ports on a switch. For example, if there is a device between an authenticated host and port, and that host moves to another port, the authentication session is deleted from the first port, and the host is reauthenticated on the new port.
If MAC move is disabled, and an authenticated host moves to another port, it is not reauthenticated, and a violation error occurs.
MAC move is not supported on port-security enabled 802.1x ports. If MAC move is globally configured on the switch and a port security-enabled host moves to an 802.1x-enabled port, a violation error occurs.
This example shows how to enable MAC move on a switch:
Switch(config)# authentication mac-move permit
I hope this helps!
Thank you for rating helpful posts!
12-20-2016 09:29 AM
Hey Neno, thanks for the reply and confirmation, and for the detailed response!
What's the difference between "port-security enabled 802.1x ports" and "802.1x-enabled ports"?
From the info in your reply it sounds like mac-move is NOT permitted on ports with "port-security enabled 802.1x ports"..?
BTW, I added this command a few days ago, and a TON of the AnyConnect issues we had been having seemed to have disappeared!!
Thanks,
Matt
07-19-2019 05:44 AM
Got the same question.
What's the difference between "port-security enabled 802.1x ports" and "802.1x-enabled ports"?